Gmail, machine learning, filters

We’ve gotten to the point, particularly with Google but also with the other webmail providers, where the bulk of egregious spam is blocked. What’s left is not some spammer sending 10MM messages, but a much more difficult problem. Spam that reaches the inbox is sent in much smaller quantities. It’s also heavily targeted. Spammers are trying to look like legitimate marketers but still sending mail without permission.

This targeted spam is something I’ve been thinking about a lot lately. Mostly because anti-spammers did a pretty good job making not-spamming look like it was beneficial to senders. Many deliverability recommendations boil down to stop spamming but phrased in a way that makes the advice more palatable. Much of the type of spam that’s getting caught in the new filters follows deliverability recommendations. The piece it misses is that it’s not being sent with the permission of the recipient.

.. Believe it or not, spam filters started out as protecting users from mail they didn’t ask for. As the internet has grown and email has become a channel for crime, the focus of filters has changed. But, fundamentally, deep down, the original purpose of keeping mailboxes useful by stopping unsolicited mail is still there. The ML filters are giving Google, and others, tools to actually address that mail better.

The dots do matter: how to scam a Gmail user

More generally, the phishing scam here is:

  1. Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim jameshfisher.
  2. Create a Netflix account with address james.hfisher.
  3. Sign up for free trial with a throwaway card number.
  4. After Netflix applies the “active card check”, cancel the card.
  5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
  6. Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card **** 1234.
  7. Change the email for the Netflix account to eve@gmail.com, kicking Jim’s access to this account.
  8. Use Netflix free forever with Jim’s card **** 1234!
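
The scam above only works because the service keys accounts on the raw address string, while Gmail delivers james.hfisher@gmail.com and jameshfisher@gmail.com to the same mailbox. The following is an added example, not code from either linked post or from Netflix, showing the check a signup service can run on its own side: normalize Gmail addresses to a canonical form before deciding whether an address is new. The plus-tag handling (`user+tag@gmail.com`, which Gmail also delivers to `user`) goes beyond what the page discusses and is included as a known Gmail behaviour; the `SignupStore` class and its method names are hypothetical.

```python
"""Canonicalize Gmail addresses so dot-variants cannot register as distinct accounts.

Added example (not from the original page). Gmail ignores dots in the local
part and treats googlemail.com as an alias of gmail.com; the plus-tag strip is
an assumption beyond the page's text, included because Gmail also delivers
user+tag@gmail.com to user@gmail.com.
"""

# Domains Gmail delivers identically (constructed list for this example).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox identity behind an address, for duplicate detection only.

    Do not rewrite the address the user typed; keep their spelling for sending
    mail and use this value purely as the uniqueness key.
    """
    address = address.strip()
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local = local.lower()
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]   # user+tag -> user (assumption, see docstring)
        local = local.replace(".", "")   # dots don't matter on Gmail
        domain = "gmail.com"             # googlemail.com is the same mailbox
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if the two addresses reach the same mailbox under Gmail's rules."""
    return canonical_email(a) == canonical_email(b)


class SignupStore:
    """Hypothetical account store that refuses dot-variants of an existing address."""

    def __init__(self) -> None:
        self._accounts: dict[str, str] = {}   # canonical key -> address as entered

    def register(self, address: str) -> bool:
        """Register the address; return False (and store nothing) if its mailbox is taken."""
        key = canonical_email(address)
        if key in self._accounts:
            return False
        self._accounts[key] = address
        return True

    def __len__(self) -> int:
        return len(self._accounts)


def demo() -> tuple[bool, bool, int]:
    """Replay step 1-2 of the scam against the canonicalizing store.

    The victim registers jameshfisher@gmail.com; the attacker then tries
    james.hfisher@gmail.com. Returns (victim_ok, attacker_ok, account_count).
    """
    store = SignupStore()
    victim_ok = store.register("jameshfisher@gmail.com")
    attacker_ok = store.register("james.hfisher@gmail.com")   # constructed attacker input
    return victim_ok, attacker_ok, len(store)


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone wiring this into a real signup flow. First, the normalization is a uniqueness key, not a rewrite: send mail to the address the user entered. Second, step 1 of the scam relies on the signup form answering “already registered”; a store that rejects the attacker’s variant is still an enumeration oracle if that rejection is shown verbatim, so the duplicate case should be handled with the same response as a successful signup (for example, a confirmation email to the existing owner) rather than an inline error.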


.. Actually, the blame lies with Gmail, and specifically Gmail’s “dots don’t matter” feature. The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set.

.. Each Gmail user has one email address that they think of as theirs; all the others are mistakes.

.. Finally, Gmail users should be able to opt out of dots-don’t-matter. I wish for any mail sent to james.hfisher@gmail.com to bounce instead of reaching my inbox. The dots-don’t-matter feature should be disabled by default for any new Google accounts, and eventually retired.