The draft standard that the Internet Engineering Task Force adopted is more promising than most other anti-spam and antiphishing technologies because it harnesses the power of cryptographically secure digital signatures to thwart online miscreants.

The way it works is straightforward: if PayPal sends an e-mail notice to customers about their accounts, the company's outgoing mail server will quietly insert a digital signature into the legitimate message. (Because the signature is embedded in the message headers, it's generally not visible to human readers.)

Let's say the recipient has a Yahoo Mail address. Yahoo's mail servers can automatically check PayPal's Internet domain name listing to verify that the digital signature is valid and the message truly originated at Signatures by authorized third parties are permitted as well, which is useful for outsourced e-mail.

If the signature doesn't check out, the message is probably spam--or a phishing attack designed to try to fool someone into divulging their details about their PayPal account. While the DomainKeys standard doesn't actually specify that messages with invalid signatures should be flagged as junk, Internet service providers are likely to do just that.

Get the full story at CNET