Gmail tries out antiphishing tools
Google's Web-based e-mail service is testing technology to help members spot fake messages linked to online fraud schemes.
When a Gmail user opens a suspected phishing message, the software displays a large red dialog box stating: "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information." The service also provides a hyperlink to information on Gmail's help pages about e-mail fraud.
Phishing fraud schemes typically use e-mail messages that seem to come from a trusted service provider such as a bank or an online retailer. The messages contain links to Web sites that also seem to belong to those businesses, but that attempt to fool people into handing over sensitive information such as passwords and credit card numbers.
Gmail will also remove all live hyperlinks from suspect HTML-based e-mails to protect people's systems from potentially fraudulent Web sites. The addresses of the sites can still be accessed by examining the original code of the e-mail, a feature that Gmail provides.
Gmail has also provided a prominent "Report Spam" button to its users. Any messages reported as spam get sent to a separate folder and Google's antispam software is notified. The company's help pages say that "the more spam you mark, the better our system will get at weeding out those annoying messages."
In 2004, Google added a similar, but less obvious, button to its service, inviting users to "Report Phishing."
Google competitors Yahoo and Microsoft could not be reached for comment on whether their Web-based e-mail services offer phishing protection.
Google has made several moves to cut down dubious e-mail. In October last year, the company implemented DomainKeys on its e-mail servers. DomainKeys is a technology invented by Yahoo that tries to crosscheck e-mail messages to verify their origin. Yahoo itself only implemented the service on its own mail servers in November 2004.
The idea behind DomainKeys is to thwart e-mail spoofing or spam messages that appear to be from legitimate addresses but actually originate elsewhere.
DomainKeys attaches encrypted digital tags to each e-mail. Each e-mail is then compared with a publicly available database of legitimate addresses. If the tag and database entry do not match when the e-mail arrives, the e-mail does not make it into the recipient's in-box.
Alternatives to DomainKeys do exist. Microsoft (which owns Hotmail) is supporting its own e-mail authentication technology for Web-based e-mail: Sender ID. Yahoo and Microsoft have filed their technology specifications with the Internet Engineering Task Force as proposed Internet standards. The IETF is the body that defines standard Internet protocols such as TCP/IP.
Renai LeMay of ZDNet Australia reported from Sydney.