Should Yahoo or Melbourne IT not have allowed a registration including the name "paypal" in it? Nutty as it may be, depending on your point of view, the law appears to be unsettled. There are cases where the incorporation of another's trademark is a matter of free speech, like MicrosoftSucks.com. But nobody with a brain in his or her head would argue that using someone else's trademark to fool its customers into using the site is a legitimate use. There is a process, ICANN's Uniform Domain-Name Dispute-Resolution Policy, for resolving disputes involving domain names, especially with trademark implications. If you read the policy, it's clear that it was devised before phishing came about. This may explain why the site for paypal-cgi.us may be down, but the domain is still registered to the (probably phony) person who created it.

As for Yahoo's abuse reporting facilities, like ICANN's policies they seem to date from a time before phishing. The first thing you notice is that there is no Yahoo product or service in the list to which phishing might apply, so you click "Other." This brings you to the "Yahoo! Terms of Service > Member Conduct" page, which says, "Please use this form only to report Yahoo! members who may be abusing our services." Hmmm ... not exactly appropriate, but let's humor the page in the hope that we can still get our point across. The second item you are asked for is "the Yahoo! ID of the person you wish to report." OK, I can see we'll have a problem here, since this is a required element. The bottom line is that Yahoo's abuse reporting page has no way to report a phishing site. After realizing this, I tried forwarding the e-mail hook for the phish to firstname.lastname@example.org, only to have a report back (several days later) that I hadn't included mail headers and that Yahoo would therefore drop the matter. The point of my report, of course, was not the e-mail but the site to which it referred.
I don't have hard data on it yet, but I suspect that Yahoo's real lead in phishing isn't the number of sites but their longevity, the amount of time they stay up before Yahoo gets around to taking them down. Yahoo said it will soon be adding a link to report hosting/phishing issues at http://help.yahoo.com/help/abuse. Unfortunately, ISPs, hosting services and registrars don't want to monitor abuse reports. Not only does it make them no money, it often ends up booting off a paying customer, albeit the kind of customer you don't really want. But the good ones do a better job of it, or employ third-party services like Netcraft and others that monitor for it. The really big and sloppy ones, like Yahoo, will only learn when the market tells them to.

Editor's Note: This story was updated to include comments from Yahoo.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.com for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
This is why hosting and registration services need to have their own strict policies and be diligent about monitoring abuse reports. "Diligent" is the last word to describe Yahoo in this regard. Phishers seem to have figured out that Yahoo can be played. I have personally received e-mail hooks for three PayPal phishes in the last couple of months (see two of them here and here). All three Web sites stayed up for a while, as much as a week, even though I reported them to Yahoo's abuse group.