Google tackles future threat of 'homoglyph' spam with tighter filters

New standards opening email to non-Latin characters could signal the advent of new types of spam.

Google has updated its spam filters to weed out messages that mix characters from different language scripts — emails that could be used in spam or phishing attacks.

Google's latest effort to prevent spammers from tricking Gmail users into opening unwanted email will tackle complications that arise from email supporting scripts from different language groups.

As anyone with an accented character in their name would know, that character can't be used in a Gmail email address. Also, that address must be in Latin characters, which limits the choices for more than half the world's population.


Google last week announced the first steps in changing the status quo, prepping Gmail (and soon Calendar) to recognise addresses that contain accented or non-Latin characters.

So, if another email provider has allowed a user to set up an account using Cyrillic or Han characters, Gmail will recognise it. (Google itself doesn't yet let users set up a Gmail account using characters from those language groups, though it hopes to do so soon.)

The effort stems from a standard developed in 2012 by the Internet Engineering Task Force for international email, which supports email addresses that would look like "武@メール.グーグル", for example.

While the standard's adoption should make email less Latin-centric, it does have implications for security, as Mark Risher, from Google's spam and abuse team, notes.

"Scammers can exploit the fact that ဝ, ૦, and ο look nearly identical to the letter o, and by mixing and matching them, they can hoodwink unsuspecting victims. Can you imagine the risk of clicking "ShဝppingSite" vs. "ShoppingSite" or "MyBank" vs. "MyBɑnk"?"

To counter these 'duplicitous Unicode Homoglyphs', Google is using the Unicode Consortium's 'Highly Restrictive' security profile to reject addresses that use combinations that could be misleading.
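The script-mixing test at the core of that profile can be sketched as follows. This is an added example, not Google's code or part of the original article: it approximates each character's script from the first word of its Unicode name (an assumption that keeps it stdlib-only), and the function names and sample strings are constructed for illustration.

```python
import unicodedata

# First word of the Unicode character name -> script. This is a stdlib-only
# approximation of the Script property (assumption); production code should
# read Scripts.txt / ScriptExtensions.txt or use ICU.
NAME_TO_SCRIPT = {
    "LATIN": "Latin", "GREEK": "Greek", "CYRILLIC": "Cyrillic",
    "CJK": "Han", "HIRAGANA": "Hiragana", "KATAKANA": "Katakana",
    "HANGUL": "Hangul", "BOPOMOFO": "Bopomofo",
    "MYANMAR": "Myanmar", "GUJARATI": "Gujarati",
}
# Script sets the Highly Restrictive level allows besides single-script strings.
ALLOWED_MIXES = [
    {"Latin", "Han", "Hiragana", "Katakana"},
    {"Latin", "Han", "Bopomofo"},
    {"Latin", "Han", "Hangul"},
]

def scripts_of(text):
    """Return the set of scripts in text, ignoring script-neutral characters."""
    found = set()
    for ch in text:
        if ch.isascii():
            if ch.isalpha():
                found.add("Latin")
            continue  # ASCII digits and punctuation are script-neutral (Common)
        if unicodedata.category(ch).startswith("M"):
            continue  # combining marks: treated as Inherited (approximation)
        word = unicodedata.name(ch, "UNKNOWN").split()[0]
        if word == "KATAKANA-HIRAGANA":
            continue  # e.g. U+30FC prolonged sound mark, shared by both kana
        # Unmapped prefixes become their own "script", so they fail closed.
        found.add(NAME_TO_SCRIPT.get(word, word.title()))
    return found

def passes_script_test(text):
    """True if text is single-script or fits one of the allowed mixes."""
    scripts = scripts_of(text)
    return len(scripts) <= 1 or any(scripts <= mix for mix in ALLOWED_MIXES)

# Constructed samples mirroring the article's examples (escapes avoid ambiguity).
if __name__ == "__main__":
    for s in ["ShoppingSite", "Sh\u101dppingSite", "Sh\u03bfppingSite",
              "\u6b66@\u30e1\u30fc\u30eb.\u30b0\u30fc\u30b0\u30eb", "MyB\u0251nk"]:
        print(ascii(s), sorted(scripts_of(s)), passes_script_test(s))
```

The last sample, which uses U+0251, passes because that character is itself Latin; a script-mixing test alone does not catch same-script look-alikes, so a filter also needs a per-character allow-list, which this sketch does not implement.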

"We're using an open standard which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused," Risher notes.
