Brad Taylor, Google's Gmail Spam Czar, has just posted details on the ongoing cooperation with PayPal and Ebay, two of the most targeted brands in phishing emails, the effect of which is rejecting compared to flagging as spam each and every email pretending to be coming from paypal.com and ebay.com as well as from their international domain extensions. It's a win-win-win move for users, and the companies themselves which are now digitally signing all of their emails, making phishing emails spoofing their origin easier to detect :
"Since 2004, we've been supporting email authentication standards including DomainKeys and DomainKeys Identified Mail (DKIM) to verify senders and help identify forged messages. This is a key tool we use to keep spam out of Gmail inboxes. But these systems can only be effective when high volume senders consistently use them to sign their mail -- if they're sending some mail without signatures, it's harder to tell whether it's phishing or not. Well, I'm happy to announce today that by working with eBay and PayPal, we're one step closer to stopping all phishing messages in their tracks.
Now any email that claims to come from "paypal.com" or "ebay.com" (and their international versions) is authenticated by Gmail and -- here comes the important part -- rejected if it fails to verify as actually coming from PayPal or eBay. That's right: you won't even see the phishing message in your spam folder. Gmail just won't accept it at all. Conversely, if you get an message in Gmail where the "From" says "@paypal.com" or "@ebay.com," then you'll know it actually came from PayPal or eBay. It's email the way it should be."
As Google put it - it's been working so well that you wouldn't be able to notice it. Moreover, despite that Sender ID and DomainKeys Identified Mail are well known concepts for validating the sender, and consequently capable of blocking huge percentage of emails that pretend to have been sent from legitimate emails, just like DNSSEC which emphasizes on authenticating DNS data, it's all a matter of implementation on a large scale. Or the lack of.
According to the Authentication and Online Trust Alliance's (AOTA) "State of Email Authentication and the Internet Trust Ecosystem 2008" report, the adoption of trusted sender practices by major U.S ISPs and email providers is increasing :
"Over 700 million mailboxes are now protected by email authentication thanks to adoption by leading ISPs including AOL, Bell Canada, GoDaddy.com, Google (Gmail), Microsoft (Windows Live Hotmail), and Yahoo!. However, there is considerable room for improvement in the adoption rate amongst all ISPs. As a best practice, ISPs are encouraged to begin to delete or block email which fails authentication, rather than placing it in bulk or junk email folders where consumers remain at risk of disregarding warnings and opening the email."
Windows Live Hotmail also claim to block over 25 million deception emails daily using the Sender ID Framework :
"According to a study by Windows Live Hotmail, SIDF has contributed to an 8% reduction in spam, the detection of over 25 million additional deceptive emails per day, and upwards of an 85% improvement in deliverability for brands that authenticate and have a positive reputation."
Are DomainKeys and Sender ID the panacea of dealing with spam? Not necessarily, since spammers and phishers will always adapt to the situation given the incentives they have to do so, and ISPs on the other side, are showing no interest in taking care of their malware infected customers. At the end of the day, it's these malware infected customers whose bandwidth gets abused for sending out phishing and spam emails.
A safer Gmail doesn't mean less spam on the Internet if we are to consider the big picture - like we should. And as we've seen already, phishers and spammers are working on ways to start abusing the *authenticated* and digitally signed email service providers, by breaking their CAPTCHAs and pre-registering hundreds of thousands of bogus email accounts in order to improve their delivery rates.