Google tackles future threat of 'homoglyph' spam with tighter filters

Summary: New standards opening email to non-Latin characters could signal the advent of new types of spam.

Google has updated its spam filters to weed out messages that mix characters from different language scripts — emails that could be used in spam or phishing attacks.

Google's latest effort to prevent spammers from tricking Gmail users into opening unwanted email tackles the complications that arise when email supports scripts from different language groups.

As anyone with an accented character in their name would know, that character can't be used in a Gmail email address. Also, that address must be in Latin characters, which limits the choices for more than half the world's population.

Google last week announced the first steps in changing the status quo, prepping Gmail (and soon Calendar) to recognise addresses that contain accented or non-Latin characters.

So, if another email provider has allowed a user to set up an account using Cyrillic or Han characters, Gmail will recognise it. (Google itself doesn't let users set up a Gmail account using characters from those language groups, though it hopes to do so soon.)

The effort stems from a standard developed in 2012 by the Internet Engineering Task Force for international email, which supports email addresses that would look like "武@メール.グーグル", for example.

While the standard's adoption should make email less Latin-centric, it does have implications for security, as Mark Risher, from Google's spam and abuse team, notes.

"Scammers can exploit the fact that ဝ, ૦, and ο look nearly identical to the letter o, and by mixing and matching them, they can hoodwink unsuspecting victims. Can you imagine the risk of clicking "ShဝppingSite" vs. "ShoppingSite" or "MyBank" vs. "MyBɑnk"?"

To counter these 'duplicitous Unicode Homoglyphs', Google is using the Unicode Consortium's 'Highly Restrictive' security profile to reject addresses that use combinations that could be misleading.

"We're using an open standard which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused," Risher notes.
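The script-mixing rule behind that profile can be sketched in a few lines. The following is an added example, not Google's code: it assumes a character's script can be approximated from the first word of its Unicode name (Python's standard library has no Script property), and the function names are hypothetical.

```python
import unicodedata

# Script sets that UTS #39 "Highly Restrictive" accepts besides single-script text.
ALLOWED_MIXES = (
    {"LATIN", "HAN", "HIRAGANA", "KATAKANA"},
    {"LATIN", "HAN", "BOPOMOFO"},
    {"LATIN", "HAN", "HANGUL"},
)


def script_of(ch):
    """Approximate a character's script from its Unicode name (assumption:
    the name's first word stands in for the real Script property)."""
    if unicodedata.category(ch)[0] not in "LMN":
        return "COMMON"                      # punctuation, symbols, spaces
    name = unicodedata.name(ch, "")
    if not name:
        return "UNKNOWN"                     # no name: treated as its own script
    word = name.replace("-", " ").split()[0]
    if word in ("DIGIT", "COMBINING"):
        return "COMMON"                      # ASCII digits, combining accents
    return "HAN" if word == "CJK" else word  # unfamiliar prefixes stay distinct


def scripts_in(text):
    """Set of scripts used, ignoring characters shared by all scripts."""
    return {s for s in map(script_of, text) if s != "COMMON"}


def passes_script_mix_check(text):
    """True if text is single-script or one of the permitted combinations."""
    found = scripts_in(text)
    return len(found) <= 1 or any(found <= mix for mix in ALLOWED_MIXES)


# Constructed samples built from the strings quoted in the article.
SAMPLES = [
    "ShoppingSite",
    "Sh\u101dppingSite",        # Myanmar letter wa in place of "o"
    "Sh\u0ae6ppingSite",        # Gujarati digit zero
    "Sh\u03bfppingSite",        # Greek omicron
    "\u6b66@\u30e1\u30fc\u30eb.\u30b0\u30fc\u30b0\u30eb",  # Han + Katakana address
    "MyB\u0251nk",              # Latin alpha: one script, so this check passes it
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict = "accept" if passes_script_mix_check(s) else "reject"
        print(f"{verdict}  {sorted(scripts_in(s))}  {s!r}")
```

The last sample is accepted because ɑ is itself a Latin-script letter, so a script-mixing test alone does not catch it. UTS #39 pairs the script rule with a restricted set of permitted identifier characters, which this sketch does not implement.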



Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
