Protecting users from look-alike accounts

Gmail recently started accepting mail (and calendar invitations) with non-Latin characters. A lot of fraudulent emails use non-Latin characters as a way to fool users. Google is on top of these security issues, however, and is now throwing away some mail with non-Latin characters.

the Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting email with such combinations. We’re using an open standard—the Unicode Consortium’s “Highly Restricted” specification—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.

The “Highly Restricted” specification says

  • All characters in each identifier must be from a single script, or from the combinations:
    • Latin + Han + Hiragana + Katakana;
    • Latin + Han + Bopomofo; or
    • Latin + Han + Hangul
  • No characters in the identifier can be outside of the Identifier Profile

Related Posts

Using Google to taunt coworkers

Happy Friday, all. This has been a rough week for so many people, I thought we needed a little humor.
From Tim Norton (@norton_tim) on Twitter.

Read More

Is gmail next?

I’m hearing hints that there are some malware or phishing links being sent out to gmail address books, “from” those gmail addresses. If that is what’s happening then it’s much the same thing as has been happening at Yahoo for a while, and AOL more recently, and that triggered their deployment of DMARC p=reject records.
It’s going to be interesting to see what happens over the next few days.
I’ve not seen any analysis of how the compromises happened at Yahoo and AOL – do they share a server-side (XSS?) security flaw, or is this a client-side compromise that affects many end users, and is just being targeted at freemail providers one at a time?
Does anyone have any technical details that go any deeper than #AOLHacked and #gmailhacked?

Read More

Affiliate mailers struggling

What are affiliate mailers?

Affiliate mailers collect email addresses and then rent access to those addresses out to 3rd parties. There are a wide range of vendors that fall into the affiliate category. Some vendors compile lists through co-registration, others compile lists themselves through website opt-ins and some affiliate vendors fulfill mailing requests by hiring affiliates. There are, of course, some senders in the affiliate space that don’t even pretend to send opt-in mail, they just buy, compile or harvest addresses and blast mail to those addresses.

Read More