BLOG
Protecting users from look-alike accounts
Gmail recently started accepting mail (and calendar invitations) with non-Latin characters. A lot of fraudulent emails use non-Latin characters as a way to fool users. Google is on top of these security issues, however, and is now throwing away some mail with non-Latin characters.
the Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting email with such combinations. We’re using an open standard—the Unicode Consortium’s “Highly Restricted” specification—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.
The “Highly Restricted” specification says
- All characters in each identifier must be from a single script, or from the combinations:
- Latin + Han + Hiragana + Katakana;
- Latin + Han + Bopomofo; or
- Latin + Han + Hangul
- No characters in the identifier can be outside of the Identifier Profile
Not a huge surprise, since this is essentially what web browser vendors did when they added the ability to recognize non-Latin characters in domain names and URLs. The concern was the same: phishing sites that used lookalike characters to more effectively imitate the real website’s URL.
Also, it’s worth noting that this is about Unicode in email addresses, not in email content, which Gmail has supported for ages.