Proper Channels

By Larry Seltzer  |  Posted 2005-04-28

Should Yahoo or Melbourne IT not have allowed a registration including the name "paypal" in it? Nutty as it may be, depending on your point of view, the law appears to be unsettled. There are cases where the incorporation of another's trademark is a matter of free speech, like But nobody with a brain in his or her head would argue that using someone else's trademark to fool its customers into using the site is a legitimate use.

There is a process, ICANN's Uniform Domain-Name Dispute-Resolution Policy, for resolving disputes involving domain names, especially with trademark implications. If you read the policy, it's clear that it was devised before phishing came about. This may explain why the site for may be down, but the domain is still registered to the (probably phony) person who created it.

This is why hosting and registration services need to have their own strict policies and be diligent about monitoring abuse reports. "Diligent" is the last word to describe Yahoo in this regard. Phishers seem to have figured out that Yahoo can be played. I have personally received e-mail hooks for three Paypal phishes in the last couple of months (see two of them here and here). All three Web sites stayed up for a while—as much as a week—even though I reported them to Yahoo's abuse group.

About Yahoo's abuse reporting facilities, like ICANN's policies they seem to date from a time before phishing. The first thing you notice is there is no Yahoo product or service in the list to which phishing might apply, so you click "Other." This brings you to the "Yahoo! Terms of Service > Member Conduct" page, which says, "Please use this form only to report Yahoo! members who may be abusing our services." Hmmm ... not exactly appropriate, but let's humor the page in the hopes that we can still get our point across. The second item you are asked for is "the Yahoo! ID of the person you wish to report." OK, I can see we'll have a problem here, since this is a required element.

The bottom line is that Yahoo's abuse reporting page has no way to report a phishing site. After realizing this, I tried forwarding the e-mail that hooked for the phish to, only to have a report back (several days later) that I hadn't included mail headers and that Yahoo would therefore drop the matter. The point of my report, of course, was not the e-mail but the site to which it referred. I don't have hard data on it—yet—but I suspect that Yahoo's real lead in phishing isn't the number of sites but their longevity, the amount of time they stay up before Yahoo gets around to taking them down.

Yahoo said it will soon be adding a link to report hosting/phishing issues at Unfortunately, ISPs and hosting services and registrars don't want to monitor abuse reports. Not only does it make them no money, it often ends up booting off a paying customer, albeit the kind of customer you don't really want. But the good ones do a better job of it, or employ third-party services like Netcraft and others that monitor for it. The really big and sloppy ones, like Yahoo, will only learn when the market tells them to.

Editor's Note: This story was updated to include comments from Yahoo.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
