
updated 21:00, Fri October 05, 2007

Yahoo Takes Steps To Fight Phishing


Richard Koman, newsfactor.com Thu Oct 4, 2:57 PM ET

Phishing e-mails purporting to be from eBay and PayPal -- as well as from banks, investment firms, and other Web sites handling money -- flood into inboxes on an almost daily basis. Web-based e-mail accounts, such as those provided by Yahoo Mail, seem especially prone to the attacks. Now Yahoo, eBay and PayPal have joined forces to support a specification aimed at fighting phishing attacks.

According to e-mail analysis firm MessageLabs, one in every 173 e-mails sent over the Internet contains some kind of phishing attack. But starting on Thursday, Yahoo will use the DomainKeys Identified Mail (DKIM) standard -- a standard that grew out of Yahoo's DomainKeys proposal and is supported by Google, AOL, IBM, Sendmail, and VeriSign -- to check the digital signature that a sending domain adds to its outgoing mail. The sender signs each message with a private key it keeps to itself and publishes the matching public key in DNS, so a receiving server can confirm that a message claiming to come from, say, paypal.com was really sent by servers that hold PayPal's key.

"While the battle against phishing and identity theft scammers will continue to require a multifaceted approach, today's announcement demonstrates the power of Domain Keys and the security benefits to be gained by e-mail users worldwide," said Michael Barrett, PayPal's chief security officer. Echoing this sentiment, John Kremer, vice president of Yahoo Mail, said the move is "a big step forward for consumers in defense against the bad guys."

Cryptographic Text String

Current spam and phishing protections simply create blacklists of server names known to be the sources of spam and phishing, said Andrew Storms, director of security operations for nCircle. But "nearly all spam and phishing e-mails falsify their true origin," he said.

So the e-mails are accepted by the receiving server and are either trapped in spam filters or land in users' inboxes. The e-mails are so realistic, "only someone skilled at looking into shielded e-mail contents (the headers) would be able to decipher its true origin," he added.

DKIM's strategy is to verify that e-mail comes from its purported sender and, if not, to stop it from even reaching the recipient. "When a real e-mail departs the organization, its e-mail servers insert a cryptographic text string into the e-mail headers," Storms explained. "Arriving at its final destination, the recipient e-mail servers inspect the e-mail."

When a DKIM-Signature header is present, the receiving server looks up the public key that the claimed sending domain publishes in DNS (under the selector named in the signature) and checks the signature against the signed headers and the hash of the message body. Any mismatch -- a body altered in transit, a rewritten Subject line, or a signature made with a key the domain never published -- causes the check to fail. "When the data is considered valid, then local spam and phishing processes are instructed that this particular e-mail is more than likely valid," Storms said.
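The exchange Storms describes, as an added example that is not part of the original article nor Yahoo's or Sendmail's code: a deliberately simplified model of DKIM signing and verification in Go. The signing server builds a DKIM-Signature header over the selected headers and a body hash, the receiving server fetches the public key for the d= and s= tags and verifies it. The domain names (bank.example, mail.example), the selector name (mail2007), the in-memory KeyDirectory standing in for DNS, and the whitespace-collapsing canonicalization are all assumptions of this example; a conforming implementation follows RFC 4871's canonicalization rules exactly.

```go
package main

// Added example, not the project's own code. A simplified DKIM model:
// "relaxed"-style header canonicalization (lowercase name, collapsed
// whitespace) and a body hash, with an in-memory map standing in for DNS.
// Domain names, selector and message texts below are constructed.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Message is a parsed mail: raw "Name: value" header lines plus the body.
type Message struct {
	Headers []string
	Body    string
}

// KeyDirectory stands in for DNS: "selector._domainkey.domain" -> public key.
type KeyDirectory map[string]*rsa.PublicKey

// Publish is what a domain owner does once: put the public key where receivers can find it.
func Publish(dir KeyDirectory, selector, domain string, priv *rsa.PrivateKey) {
	dir[selector+"._domainkey."+domain] = &priv.PublicKey
}

// canonHeader lowercases the header name and collapses runs of whitespace in the value.
func canonHeader(h string) string {
	name, val, _ := strings.Cut(h, ":")
	return strings.ToLower(strings.TrimSpace(name)) + ":" + strings.Join(strings.Fields(val), " ")
}

// findHeader returns the first header line with the given name (case-insensitive).
func findHeader(headers []string, name string) (string, bool) {
	for _, h := range headers {
		if n, _, ok := strings.Cut(h, ":"); ok && strings.EqualFold(strings.TrimSpace(n), name) {
			return h, true
		}
	}
	return "", false
}

// bodyHash is the bh= tag: SHA-256 of the body with trailing CRLFs normalised to one.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedDigest hashes the h= headers in order, then the DKIM-Signature header with b= empty.
func signedDigest(headers []string, hNames []string, sigValueNoB string) [32]byte {
	var sb strings.Builder
	for _, n := range hNames {
		if h, ok := findHeader(headers, n); ok {
			sb.WriteString(canonHeader(h) + "\r\n")
		}
	}
	sb.WriteString(canonHeader("DKIM-Signature: " + sigValueNoB))
	return sha256.Sum256([]byte(sb.String()))
}

// Sign is the sending server's step: it returns the DKIM-Signature header line for msg.
func Sign(msg Message, priv *rsa.PrivateKey, domain, selector string, hNames []string) (string, error) {
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(hNames, ":"), bodyHash(msg.Body))
	digest := signedDigest(msg.Headers, hNames, value)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return "DKIM-Signature: " + value + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify is the receiving server's step: look up the key for d=/s=, check bh= and b=.
func Verify(msg Message, dir KeyDirectory) error {
	line, ok := findHeader(msg.Headers, "DKIM-Signature")
	if !ok {
		return errors.New("no DKIM-Signature header")
	}
	_, value, _ := strings.Cut(line, ":")
	value = strings.TrimSpace(value)
	// b= is the last tag in the layout Sign emits and base64 never contains ';',
	// so "; b=" separates the signed text from the signature unambiguously.
	i := strings.Index(value, "; b=")
	if i < 0 {
		return errors.New("malformed DKIM-Signature: missing b=")
	}
	unsigned, sigB64 := value[:i+len("; b=")], value[i+len("; b="):]
	tags := map[string]string{}
	for _, kv := range strings.Split(unsigned, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			tags[k] = v
		}
	}
	if tags["bh"] != bodyHash(msg.Body) {
		return errors.New("body hash mismatch: body altered after signing")
	}
	pub, ok := dir[tags["s"]+"._domainkey."+tags["d"]]
	if !ok {
		return fmt.Errorf("no public key published for %s (selector %s)", tags["d"], tags["s"])
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := signedDigest(msg.Headers, strings.Split(tags["h"], ":"), unsigned)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("signature does not verify under the published key")
	}
	return nil
}

// RunScenario signs one legitimate mail, then checks two things a receiver sees in practice:
// a phisher spoofing the same From: with a key the domain never published, and a signed
// message whose body was rewritten in transit. Each result is the verification error (nil = pass).
func RunScenario() (legit, forged, tampered error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	dns := KeyDirectory{}
	Publish(dns, "mail2007", "bank.example", priv) // constructed domain and selector
	headers := []string{"From: alerts@bank.example", "To: customer@mail.example", "Subject: Your statement"}
	signedHeaders := []string{"from", "to", "subject"}

	msg := Message{Headers: headers, Body: "Your October statement is ready.\r\n"}
	sigLine, _ := Sign(msg, priv, "bank.example", "mail2007", signedHeaders)
	msg.Headers = append([]string{sigLine}, headers...)
	legit = Verify(msg, dns)

	phisherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // attacker's own key, never in "DNS"
	bad := Message{Headers: headers, Body: "Please confirm your password at the link below.\r\n"}
	badSig, _ := Sign(bad, phisherKey, "bank.example", "mail2007", signedHeaders)
	bad.Headers = append([]string{badSig}, headers...)
	forged = Verify(bad, dns)

	alt := msg // genuine signature, but the body was changed after signing
	alt.Body = "Please confirm your password at the link below.\r\n"
	tampered = Verify(alt, dns)
	return legit, forged, tampered
}

func main() {
	legit, forged, tampered := RunScenario()
	fmt.Println("legitimate message:", legit)
	fmt.Println("forged message:    ", forged)
	fmt.Println("tampered message:  ", tampered)
}
```

Two points the article only hints at are visible in the code: the phisher's message is rejected not because it lacks a signature but because the only key the receiver will consult is the one bank.example published, and a receiver with no published key for the claimed domain (the "no public key published" path) cannot say anything either way, which is why the article's next section insists on broad adoption.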

Mass Adoption Needed

While the DKIM method might sound like an ideal solution to the problem of phishing and spam, it is of limited usefulness unless a majority of e-mail providers back it: a receiving server can only reject a forged message when the domain being impersonated publishes a key and signs its mail, and can only act on a missing signature when it knows the domain always signs. Although DKIM has been in development for two years, Storms said, the most stable specification (RFC 4871) dates only to May 2007.

"Yahoo's implementation of DKIM signifies its move to be ahead of the pack on this new technology," Storms concluded. "Unfortunately, until a large majority of other sites adopt and implement, the full impact won't be felt by the thousands who receive spam and phishing e-mail every day."
