Gmail, machine learning, filters

We’ve gotten to the point, particularly with Google but also with the other webmail providers, where the bulk of egregious spam is blocked. What’s left is not some spammer sending 10MM messages, but a much more difficult problem. Spam that reaches the inbox is sent in much smaller quantities. It’s also heavily targeted. Spammers are trying to look like legitimate marketers but still sending mail without permission.

This targeted spam is something I’ve been thinking about a lot lately. Mostly because anti-spammers did a pretty good job making not-spamming look like it was beneficial to senders. Many deliverability recommendations boil down to stop spamming but phrased in a way that makes the advice more palatable. Much of the type of spam that’s getting caught in the new filters follows deliverability recommendations. The piece it misses is that it’s not being sent with the permission of the recipient.

.. Believe it or not, spam filters started out as protecting users from mail they didn’t ask for. As the internet as grown and email has become a channel for crime the focus of filters have changed. But, fundamentally, deep down, the original purpose of keeping mail boxes useful by stopping unsolicited mail is still there. The ML filters are giving Google, and others, tools to actually address that mail better.

The dots do matter: how to scam a Gmail user

More generally, the phishing scam here is:

  1. Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
  2. Create a Netflix account with address james.hfisher.
  3. Sign up for free trial with a throwaway card number.
  4. After Netflix applies the “active card check”, cancel the card.
  5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
  6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
  7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
  8. Use Netflix free forever with Jim’s card **** 1234!

 

.. Actually, the blame lies with Gmail, and specifically Gmail’s “dots don’t matter” feature. The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set.

.. Each Gmail user has one email address that they think of as theirs; all the others are mistakes.

.. Finally, Gmail users should be able to opt out of dots-don’t-matter. I wish for any mail sent to james.hfisher@gmail.com to bounce instead of reaching my inbox. The dots-don’t-matter feature should be disabled by default for any new Google accounts, and eventually retired.