Gmail to thwart phishing with a big red box

Google's popular free web-based email service is testing phishing protection designed to alert members to potential email fraud attacks.

When a Gmail user opens a suspected phishing message, the software displays a large red dialogue box stating: "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information." The service also provides a hyperlink to information on Gmail's help pages about email fraud.

Phishing fraud schemes typically use email messages that seem to come from a trusted service provider such as a bank or an online retailer. The messages contain links to websites that also seem to belong to those businesses, but that attempt to fool people into handing over sensitive information such as passwords and credit card numbers.

Gmail will also remove all live hyperlinks from suspect HTML-based emails to protect people's systems from potentially fraudulent websites. The addresses of the sites can still be accessed by examining the original code of the email, a feature that Gmail provides.

Gmail has also provided a prominent "Report Spam" button to its users. Any messages reported as spam get sent to a separate folder and Google's anti-spam software is notified. The company's help pages say that "the more spam you mark, the better our system will get at weeding out those annoying messages."

In 2004, Google added a similar, but less obvious, button to its service, inviting users to "Report Phishing."

Google competitors Yahoo! and Microsoft could not be reached for comment on whether their web-based email services offer phishing protection.

Google has made several moves to cut down dubious email. In October last year, the company implemented DomainKeys on its email servers. DomainKeys is a technology backed by Yahoo! that tries to crosscheck email messages to verify their origin. Yahoo! itself only implemented the service on its own mail servers in November 2004.

The idea behind DomainKeys is to thwart email spoofing or spam messages that appear to be from legitimate addresses but actually originate elsewhere.

DomainKeys attaches encrypted digital tags to each email. Each email is then compared with a publicly available database of legitimate addresses. If the tag and database entry do not match when the email arrives, the email does not make it into the recipient's inbox.

Alternatives to DomainKeys do exist. Microsoft (which owns Hotmail) is supporting its own email authentication technology for web-based email: Sender ID, respectively. Yahoo! and Microsoft have filed their technology specifications with the Internet Engineering Task Force as proposed Internet standards. The IETF is the body that defines standard internet protocols such as TCP/IP.

Renai LeMay writes for ZDNet Australia