Official Gmail Blog
News, tips and tricks from Google's Gmail team and friends.
Fighting phishing with eBay and PayPal
July 8, 2008
Posted by Brad Taylor, Software Engineer and Gmail Spam Czar
Phishing
messages are a form of spam that attempt to deceive recipients to gain access to their personal information. A classic one is a message that appears to come from PayPal and attempts to get someone's PayPal password in order to drain his or her account. These fraudulent messages often look very official and can fool people into responding with personal information.
Gmail does its best to put a red warning label on phishing messages, but it can be hard for us to know sometimes and we can't be 100% perfect. So, for the fraction of a time when Gmail misses it, you may end up squinting three times and turning the message sideways before suspecting that it's phishing. Wouldn't it be better if you never saw phishing messages at all, not even in your spam folder? Since 2004, we've been supporting email authentication standards including DomainKeys and DomainKeys Identified Mail (DKIM) to verify senders and help identify forged messages. This is a key tool we use to keep spam out of Gmail inboxes. But these systems can only be effective when high volume senders consistently use them to sign their mail -- if they're sending some mail without signatures, it's harder to tell whether it's phishing or not. Well, I'm happy to announce today that by working with eBay and PayPal, we're one step closer to stopping all phishing messages in their tracks.
Now any email that claims to come from "paypal.com" or "ebay.com" (and their international versions) is authenticated by Gmail and -- here comes the important part -- rejected if it fails to verify as actually coming from PayPal or eBay. That's right: you won't even see the phishing message in your spam folder. Gmail just won't accept it at all. Conversely, if you get an message in Gmail where the "From" says "@paypal.com" or "@ebay.com," then you'll know it actually came from PayPal or eBay. It's email the way it should be.
eBay and PayPal have worked hard to ensure that all their email is signed with DomainKeys and DKIM. Armed with this information, Gmail can easily reject as a fake anything that doesn't authenticate. We've been testing this for a few weeks now and it's working so well that few people really noticed.
We think it's great that PayPal and eBay have taken on the challenge of securing email, and we're pleased to have put our best efforts together to make this work. It's a bold move, but one that will really help fight phishing. Our hope is that this will set a good example for other organizations to follow (yes, it can be done!) and that over time more and more email will become trustworthy.
Labels
buzz
calendar
Gmail Blog
Google Apps Blog
Google Calendar
googlenew
Inbox
Inbox by Gmail
labs
mobile
Offline
reader
tasks
tip
Archive
2016
Sep
Aug
Apr
Mar
Feb
Jan
2015
Dec
Nov
Oct
Sep
Jul
Jun
May
Apr
Mar
Feb
Jan
2014
Dec
Nov
Oct
Aug
Jul
Apr
Mar
Feb
Jan
2013
Dec
Nov
Oct
Sep
Jul
Jun
May
Apr
Mar
2012
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2011
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2010
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2009
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2008
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
2007
Dec
Nov
Oct
Sep
Aug
Jul
Feed
Google
on
Follow @gmail
Follow
Give us feedback in our
Product Forum
.
Get posts via email
Email:
Powered by
Google Groups
Useful Links
About Gmail
Gmail for Mobile
Gmail for Work
Follow