Publication Date: Friday, January 27, 2006
(January 27, 2006) Goodmail, a Mountain View startup, fights fake e-mails with cryptographic tokens
By Angela Hey
Are you receiving fake e-mails? Has an imposter "phished" you by pretending to be your bank and sending you a bogus e-mail that tricks you into disclosing financial data?
If so, you are not alone, according to the Anti-Phishing Working Group (APWG), which claims that almost 100 brands, mainly in financial services, were compromised by phishing campaigns in November 2005.
Here in Mountain View, a 35-person startup, Goodmail Systems, is developing a certified e-mail service that promises to make it easy for consumers to recognize authentic messages.
Prevention is better than a cure, so rather than trying to stop bad e-mails after a spoof has occurred, Goodmail (not to be confused with Santa Clara wireless messaging vendor Good Technology) relies on the sender "stamping" his or her e-mail with cryptographic tokens. Goodmail screens senders to ensure they are reputable organizations with sound e-mail management practices and that they are not spammers or junk e-mail senders. The New York Times, the Red Cross and the credit reporting agency Experian have been approved as Goodmail senders.
The e-mail service provider validates the message and, if it has a genuine Goodmail security header, puts it in the user's inbox. AOL and Yahoo! users will start to see e-mail messages that use Goodmail's service in the next couple of months. Service providers have to be in the loop to ensure the integrity of the system.
E-mail users will be able to recognize a certified e-mail message by an icon. The recipient doesn't have to deal with encryption, passwords or keys to read the message, as the service provider does the work in handling Goodmail's trustworthy messages.
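The column describes the flow only in outline: an approved sender stamps a message with a token, the recipient's provider checks the token and marks the message as certified. The following is an added illustration of that trust model, written for this article and not Goodmail's code or its actual scheme. It assumes a keyed hash (HMAC-SHA256) as the token, a hypothetical `X-Certified-Token` header, and a provider-side registry of approved senders and their keys; all sender names, keys and messages are constructed for the example.

```python
import hashlib
import hmac
import secrets
from email.message import EmailMessage

# Constructed registry of screened senders: sender domain -> shared secret.
# The provider holds these keys; in the article's model that is what keeps
# the provider "in the loop". Keys are random per run, not real credentials.
APPROVED_SENDERS = {
    "nytimes.example": secrets.token_bytes(32),
    "redcross.example": secrets.token_bytes(32),
}

TOKEN_HEADER = "X-Certified-Token"  # hypothetical header name for the example


def make_message(from_addr, subject, body):
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _digest(msg, key):
    """Bind From, Subject and body to the key so none can be altered unnoticed."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (str(msg["From"]), str(msg["Subject"]), msg.get_content()):
        mac.update(part.encode("utf-8"))
        mac.update(b"\x00")  # separator so fields cannot run into each other
    return mac.hexdigest()


def stamp(msg, sender_domain, key):
    """Sender side: attach the token as a header."""
    del msg[TOKEN_HEADER]  # never leave two tokens on one message
    msg[TOKEN_HEADER] = f"{sender_domain}:{_digest(msg, key)}"
    return msg


def verify(msg, registry=APPROVED_SENDERS):
    """Provider side: True only for a token from an approved sender that
    matches the message as delivered. Anything else gets no icon."""
    token = msg.get(TOKEN_HEADER)
    if token is None or ":" not in token:
        return False
    sender_domain, presented = token.split(":", 1)
    key = registry.get(sender_domain)
    if key is None:
        return False  # sender never screened: unknown key
    # The domain named in the token must be the domain the message claims to come from.
    if not str(msg["From"]).lower().endswith("@" + sender_domain):
        return False
    return hmac.compare_digest(_digest(msg, key), presented)


def demo():
    """Four cases a provider would see: genuine, tampered in transit,
    impostor with a key of its own, and a message with no token at all."""
    key = APPROVED_SENDERS["nytimes.example"]
    genuine = stamp(make_message("alerts@nytimes.example", "Your subscription",
                                 "Thanks for reading."), "nytimes.example", key)

    tampered = make_message("alerts@nytimes.example", "Your subscription",
                            "Please re-enter your card number.")
    tampered[TOKEN_HEADER] = genuine[TOKEN_HEADER]  # token copied, body changed

    impostor = stamp(make_message("alerts@nytimes.example", "Account notice",
                                  "Verify now."), "nytimes.example", secrets.token_bytes(32))

    unstamped = make_message("alerts@nytimes.example", "Hello", "No token at all.")

    return {
        "genuine": verify(genuine),
        "tampered": verify(tampered),
        "impostor": verify(impostor),
        "unstamped": verify(unstamped),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} certified={ok}")
```

The point of the example is the division of labour the column describes: the consumer never touches a key, the provider does the check, and a message that merely looks like it comes from an approved sender (the impostor and the unstamped cases) is indistinguishable from any other unverified mail.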
Goodmail's service is free to consumers. Senders pay. According to CEO and co-founder Richard Gingras, it costs an e-mail provider between $8 and $10 per year per mailbox to handle unwanted messages. Service providers benefit by sharing revenues with Goodmail.
Meanwhile, in the absence of senders certifying that a message is authentic, what can you do about fake e-mails? EBay, a favorite target of phishers, has a "My Messages" section. All genuine messages from eBay can be seen when you log in to your account, so only read eBay e-mails on the company Web site. You can also download a free toolbar for your browser from eBay's Web site (pages.ebay.com/ebay_toolbar) that tells you when you are on a genuine eBay or PayPal site.
If you get a security update message from Microsoft and you haven't subscribed to Microsoft's update service, then it's a fake. Microsoft doesn't send attachments with its security update messages, so if you see one that also means the message is a fake.
The APWG has a list of common phishes (www.antiphishing.org/phishing_archive.html) that helps you determine whether or not a message is genuine. Another site worth visiting, if you feel you want to check out a phishing attack, is FraudWatch (www.fraudwatchinternational.com). Hoaxbusters (http://hoaxbusters.ciac.org) can tell you about other types of e-mail scams -- in particular, those rumors about sick children, or treasure in some foreign bank accounts.
Make sure that Web sites linked in e-mails are genuine. Don't suppose that because a link says "www.ebay.com" it actually goes to the eBay site. For example, if you want to purchase on Amazon.com, don't click on a link that goes to "amazon-department.com."
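The advice above can be turned into a mechanical check: compare the domain a link displays with the domain it actually points to, and flag destinations that are not the brand's real domain. This is an added example written for this article, not code from eBay, Amazon or any toolbar the column mentions. It assumes a constructed allow-list of brand domains and a deliberately crude "last two labels" notion of the registrable domain; the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of the brand domains named in the article.
TRUSTED = {"ebay.com", "paypal.com", "amazon.com"}

# Looks like a host or URL, as opposed to link text such as "click here".
HOST_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def registrable(host):
    """Last two labels of a host name. Adequate for the .com brands in the
    article; real code would consult the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(s):
    """Host of a full URL or of bare text like 'www.ebay.com'."""
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, trusted=TRUSTED):
    """Return (visible text, destination domain, reason) for every suspicious link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable(host_of(href))
        shown = registrable(host_of(text)) if HOST_LIKE.match(text) else None
        if shown is not None and shown != target:
            findings.append((text, target, "link text and destination differ"))
        elif target not in trusted:
            findings.append((text, target, "destination is not a known brand domain"))
    return findings


# Constructed e-mail body: one genuine link, one look-alike, one unrelated domain.
SAMPLE = """
<p>Visit <a href="https://www.ebay.com/">www.ebay.com</a> to read My Messages.</p>
<p>Confirm your details at
   <a href="http://www.ebay.com.account-verify.example/login">www.ebay.com</a></p>
<p>Special offers: <a href="http://amazon-department.com/deals">click here</a></p>
"""

if __name__ == "__main__":
    for text, domain, reason in check_links(SAMPLE):
        print(f'"{text}" -> {domain}: {reason}')
```

The second sample link is the case the column warns about: the text reads "www.ebay.com" and the destination even begins with those labels, but the registrable domain is something else entirely. The third shows why an allow-list matters as well: "amazon-department.com" contains the brand name yet is not Amazon's domain.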
Above all, be careful and don't let your guard down. Human carelessness can cause you to give away confidential passwords and financial data.
I'm looking forward to seeing those Goodmail icons on my AOL and Yahoo! messages.
Angela Hey lives on the Peninsula and helps ventures launch innovative technologies. Send comments to firstname.lastname@example.org.