August 12, 2014

Protecting Gmail in a global world

Last week we announced support for non-Latin characters in Gmail—think δοκιμή and 测试 and みんな—as a first step towards more global email. We’re really excited about these new capabilities. We also want to ensure they aren’t abused by spammers or scammers trying to send misleading or harmful messages.

Scammers can exploit the fact that , , and ο look nearly identical to the letter o, and by mixing and matching them, they can hoodwink unsuspecting victims.* Can you imagine the risk of clicking “ShppingSite” vs. “ShoppingSite” or “MyBank” vs. “MyBɑnk”?

To stay one step ahead of spammers, the Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting email with such combinations. We’re using an open standard—the Unicode Consortiums “Highly Restricted” specification—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.

We’re rolling out the changes today, and hope that others across the industry will follow suit. Together, we can help ensure that international domains continue to flourish, allowing both users and businesses to have a tête-à-tête in the language of their choosing.

Posted by Mark Risher, Spam & Abuse Team

*For those playing at home, that's a Myanmar letter Wa (U+101D), a Gujarati digit zero (U+AE6) and a Greek small letter omicron (U+03BF), followed by the ASCII letter 'o'.

3 comments:

  1. I did several tests on google apps using complete idn.idn domain and found several findings that are bugs and doesn't work as expected.

    Where can i share/post these tests results to be resolved by GApps team?

    ReplyDelete
  2. Why did you go for Highly Restrictive over Moderately Restrictive? Firefox uses Moderately Restrictive when deciding whether to display IDN domain names - https://wiki.mozilla.org/IDN_Display_Algorithm - and Chrome seems interested in following that lead - https://code.google.com/p/chromium/issues/detail?id=336973 .

    We chose moderately restrictive because many communities use Latin letters as well as their own orthographies; there are loads of valid uses for such combinations.

    A discrepancy here means that someone could buy a domain name and use it fine for a website, but be unable to use it for email if they want to communicate with Gmail users. That would be a nasty surprise.

    Gerv

    ReplyDelete
  3. So essentially Gmail will reject an email copy of this very post?
    Good thing you didn't update Blogger/Blogspot with the same "feature" too, right?

    You're ejecting security discussions about Unicode.

    You're rejecting a lot of mathematical equations.

    And you're also rejecting numerous other perfectly valid uses like the HλLF-LIFE example shown in the Unicode Consortium's page you linked to.
    "cool looking" combinations are sometimes used just for that.

    ReplyDelete

You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.