Yahoo Tool to Help eBay, PayPal Thwart Phishers

The auction company eBay Inc. and its PayPal Inc. unit say the anti-phishing technology they are using from Yahoo Inc. could reduce the number of fake e-mail messages delivered to customers.

Yahoo's DomainKeys technology enables companies to assign a unique identifier to any outgoing e-mails. Any messages that claim to be from eBay or PayPal but cannot be verified through this system will not be delivered to Yahoo's e-mail users.

Michael Barrett, PayPal's chief information security officer, said in an interview Thursday that the use of DomainKeys is a key element of an ongoing battle with phishers. "If you don't receive the e-mail, it's pretty hard for you to be victimized by the phishers."

About 15% to 20% of PayPal users have a Yahoo mail account, he said, but he could not disclose the specific number.

For the past six months eBay and PayPal have been setting up the technology. They have spent most of that time determining whether they were tagging all their mail with DomainKeys.

"We're a big, gnarly, complicated company," Mr. Barrett said. "If we can get it to work, frankly, anybody can get it together and make it work."

Yahoo will start filtering all e-mail for eBay and PayPal within the next two weeks, he said. The companies already are filtering e-mail for some regions, and "significant numbers of e-mails [are] being dropped that were clearly criminal in nature."

Though phishing typically is viewed as a bank problem, eBay and PayPal have long been among the top targets.

The Anti-Phishing Working Group said their corporate names were the most impersonated in 2004, and security experts say that the companies are still a more popular target than any banking company.

Yahoo began offering DomainKeys in 2004, but eBay and PayPal are the first major phishing targets to agree to use it.

The standard anti-phishing approach has been for third parties to track down and shutter the fake Web sites phishers create to steal personal data. Companies that are often impersonated have been forced to deemphasize the use of e-mail in communications with customers and potential customers.

"It's hard to estimate the amount of inbound e-mail fraud that we'll be blocking, but we expect it to be significant," Mark Risher, a group product manager for Yahoo Mail, wrote in an e-mail.

The technology itself is easy to implement, but the hard part can be determining if all of a company's e-mail is being tagged with DomainKeys so that no legitimate mail is filtered out by mistake, he wrote.

Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said DomainKeys is "a really good solution for getting rid of phishing and spam."

But the technology would be more effective if the other major free e-mail services, such as Google Inc.'s Gmail and Microsoft Corp.'s Hotmail, also agreed to use it, she said. "If everybody's using DomainKeys, then you'd never get a phishing e-mail."

Though phishing is not making as much noise as it did three years ago, the problem has nonetheless grown, Ms. Litan said. A consumer survey she conducted in August found that phishing volume has grown 118% so far this year from the same period in 2004. "It's up, and eBay and PayPal are always No. 1. Each company gets more attacks than all of the banks combined."

In part, that is simply a reflection of target size; the number of eBay and PayPal users eclipses the total number of online banking users in the United States, she said.

Another benefit of the arrangement, according to Ms. Litan, is that phishing e-mails coming from Yahoo will be easier to stop.

"Yahoo is struggling to take phishing sites down," she said. "This will stop all the phishing attacks being launched from Yahoo accounts against eBay and PayPal users."
