Google tackles future threat of 'homoglyph' spam with tighter filters

Summary: New standards opening email to non-Latin characters could signal the advent of new types of spam.


Google has updated its spam filters to weed out messages that mix characters from different language scripts — emails that could be used in spam or phishing attacks.

Google's latest effort to prevent spammers from tricking Gmail users into opening unwanted email will tackle complications that arise from email supporting scripts from different language groups.

As anyone with an accented character in their name would know, that character can't be used in a Gmail email address. Also, that address must be in Latin characters, which limits the choices for more than half the world's population.

Google last week announced the first steps in changing the status quo, prepping Gmail (and soon Calendar) to recognise addresses that contain accented or non-Latin characters.

So, if another email provider has allowed a user to set up an account using Cyrillic or Han characters, Gmail will recognise it. (Google itself does not yet let users set up a Gmail account using characters from those scripts, though it hopes to do so soon.)

The effort stems from a standard developed in 2012 by the Internet Engineering Task Force for international email, which supports email addresses that would look like "武@メール.グーグル", for example.

While the standard's adoption should make email less Latin-centric, it does have implications for security, as Mark Risher, from Google's spam and abuse team, notes.

"Scammers can exploit the fact that ဝ, ૦, and ο look nearly identical to the letter o, and by mixing and matching them, they can hoodwink unsuspecting victims. Can you imagine the risk of clicking 'ShဝppingSite' vs. 'ShoppingSite' or 'MyBank' vs. 'MyBɑnk'?"

To counter these 'duplicitous Unicode Homoglyphs', Google is using the Unicode Consortium's 'Highly Restrictive' security profile to reject addresses that use combinations that could be misleading.
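As an added example (not Google's code), here is a Python checker that applies the script-mixing rule of the Unicode Consortium's 'Highly Restrictive' profile (UTS #39) to an email address, local part and each domain label separately; the script table is an approximation constructed for this example, and per-label checking is an assumption:

```python
import unicodedata
# Script table from Unicode block ranges (constructed approximation; a real
# checker should use the Script property, which unicodedata does not expose).
SCRIPT_RANGES = [
    (0x0041, 0x005A, "Latin"), (0x0061, 0x007A, "Latin"),
    (0x00C0, 0x024F, "Latin"), (0x0250, 0x02AF, "Latin"),  # IPA block, incl. U+0251
    (0x0370, 0x03FF, "Greek"), (0x0400, 0x04FF, "Cyrillic"),
    (0x0A80, 0x0AFF, "Gujarati"), (0x1000, 0x109F, "Myanmar"),
    (0x3040, 0x309F, "Hiragana"), (0x30A0, 0x30FF, "Katakana"),
    (0x3100, 0x312F, "Bopomofo"), (0x4E00, 0x9FFF, "Han"),
    (0xAC00, 0xD7AF, "Hangul"),
]
# Besides a single script, UTS #39 'Highly Restrictive' allows only these
# combinations in one label (Japanese, Chinese, Korean writing plus Latin).
ALLOWED_COMBINATIONS = [
    {"Latin", "Han", "Hiragana", "Katakana"},
    {"Latin", "Han", "Bopomofo"},
    {"Latin", "Han", "Hangul"},
]

def script_of(ch):
    """Approximate script name of one character ('Common' for neutral ones)."""
    cp = ord(ch)
    if cp < 0x80 and not ch.isalpha():
        return "Common"                      # ASCII digits, '.', '-', '_', '@'
    if unicodedata.category(ch)[0] in "PZS":
        return "Common"                      # punctuation, spaces, symbols
    for lo, hi, name in SCRIPT_RANGES:
        if lo <= cp <= hi:
            return name
    return "Unknown"

def scripts_in(label):
    """Set of non-Common scripts used in a label."""
    return {script_of(c) for c in label} - {"Common"}

def highly_restrictive_ok(label):
    """True if the label passes the Highly Restrictive script-mixing rule."""
    scripts = scripts_in(label)
    if "Unknown" in scripts:
        return False                         # unrecognised script: reject
    if len(scripts) <= 1:
        return True                          # single script (or Common only)
    return any(scripts <= combo for combo in ALLOWED_COMBINATIONS)

def address_allowed(address):
    """Check local part and each domain label separately (per-label is an assumption)."""
    local, _, domain = address.rpartition("@")
    return all(highly_restrictive_ok(p) for p in [local, *domain.split(".")] if p)
```

Note that ɑ (U+0251) is itself a Latin-script letter, so 'MyBɑnk' passes a script-mixing check on its own; catching it needs the confusable (skeleton) comparison from the same standard, which this example does not implement.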

"We're using an open standard which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused," Risher notes.

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code, for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

Talkback

5 comments
  • Funny

    Apparently having spam in the title attracts the forum spam bots.
    Buster Friendly
    • No problem!

      This spam is homoglyph-free. ;)
      SlimSam
  • Spam is easily preventable

    1. Get your own URL (such as "MyURL.com" -- costs
    nfordzdn
    • yeah, ZD, that's right ... block a legitimate post but allow spam-bots

      1. Get your own URL (such as "MyURL.com") and use it to give everyone a different email address to you, such as MyName_Amazon@MyURL.com, MyName_BestBuy@MyURL.com, etc.

      2. Use your email program's filters/rules to block any emails without "MyName_" in the address. A second level of security is to check if the email is coming from whoever you gave the address to (e.g.: MyName_Amazon@MyURL.com has to come from Amazon.com).

      If everyone did something like this, spammers would be out of business.
      nfordzdn
      • Great idea, but...

        The average user is far from capable of going through the steps necessary for accomplishing this. The majority of people online cannot even keep track of a separate password for each account. Assuming they can set up and manage a system that complex, and create and manage email filters on top of that, is a stretch. Most tablet, smart-phone or Mac users, and most Windows users, are not going to be capable of that. Linux users, perhaps they could; they can usually follow directions at least...
        Kieron Seymour-Howell