Image of grog
eBay's lack of understanding of security concepts
Greg's rants
Greg's home page
Greg's diary
Greg's photos
Greg's links

eBay: Digital signatures encourage identity theft

On 23 July 2009 I found an amazing mail message. It had arrived a couple of days previously, but landed in my spam folder:

From  Mon Jul 20 10:15:27 2009
Return-Path: <>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=3.0 tests=BAYES_80,DKIM_SIGNED,
        DKIM_VERIFIED,HTML_MESSAGE autolearn=no version=3.2.5

eBay sent this message to Greg Lehey (ebayname).
Your registered name is included to show this message originated from eBay.
Learn more at

There was a problem with your message

Dear ebayname,

Because of security concerns, eBay did not send your recent email message
to otherebayname.

We blocked this message because it was sent in an encrypted format. We
don't allow encrypted emails so we can better protect all of our members
from identity theft and unwanted email.

Please send your message again without encryption.

Thank you for your understanding, and thank you for helping to keep eBay
members safe.

This is absolutely unbelievable. The remainder of the headers make it clear that this is a genuine message from eBay, though the content itself isn't so sure: later on I find the text:

Another eBay member sent this email to through the eBay
platform. eBay takes no liability for the sending of this email or its

What I discern from this is:

So, eBay considers signing your messages to be a security risk—maybe. Maybe it was somebody else. But then, that's typical of eBay. Looking for somebody to contact, I found a link on

Find out who to contact when you need help.

But the link is not only incorrect, the redirection takes 10 seconds, demonstrating the breakage, and it takes me back to the main contact page.

eBay has been round for over 10 years. Have they still not learnt anything about security? To quote a discussion on IRC:

<callum> Wow - they are protecting members by forcing them to use plain text
<peter3G> Without digital signatures.
<callum> Yeah, I can see how that will stamp out identity theft.

Greg's home page Greg's diary Greg's photos Copyright

Valid XHTML 1.0!

$Id: ebay-insecurity.php,v 1.3 2009/07/23 23:36:45 grog Exp $