We’ve gotten to the point, particularly with Google but also with the other webmail providers, where the bulk of egregious spam is blocked. What’s left is not some spammer sending 10MM messages, but a much more difficult problem. Spam that reaches the inbox is sent in much smaller quantities. It’s also heavily targeted. Spammers are trying to look like legitimate marketers but still sending mail without permission.
This targeted spam is something I’ve been thinking about a lot lately. Mostly because anti-spammers did a pretty good job making not-spamming look like it was beneficial to senders. Many deliverability recommendations boil down to stop spamming but phrased in a way that makes the advice more palatable. Much of the type of spam that’s getting caught in the new filters follows deliverability recommendations. The piece it misses is that it’s not being sent with the permission of the recipient.
.. Believe it or not, spam filters started out as protecting users from mail they didn’t ask for. As the internet has grown and email has become a channel for crime, the focus of filters has changed. But, fundamentally, deep down, the original purpose of keeping mailboxes useful by stopping unsolicited mail is still there. The ML filters are giving Google, and others, tools to actually address that mail better.
More generally, the phishing scam here is:
- Hammer the Netflix signup form until you find a gmail.com address which is “already registered”. Let’s say you find the victim
- Create a Netflix account with address
- Sign up for free trial with a throwaway card number.
- After Netflix applies the “active card check”, cancel the card.
- Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
- Hope Jim reads the email to james.hfisher, assumes it’s for his Netflix account backed by jameshfisher, then enters his card
- Change the email for the Netflix account to email@example.com, kicking Jim’s access to this account.
- Use Netflix free forever with Jim’s card
.. Actually, the blame lies with Gmail, and specifically Gmail’s “dots don’t matter” feature. The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set.
.. Each Gmail user has one email address that they think of as theirs; all the others are mistakes.
.. Finally, Gmail users should be able to opt out of dots-don’t-matter. I wish for any mail sent to firstname.lastname@example.org to bounce instead of reaching my inbox. The dots-don’t-matter feature should be disabled by default for any new Google accounts, and eventually retired.
- Lots of API methods to work with Gmail. Useful for Chrome extensions
- Most of them don’t take arguments; they work on what is currently visible on the screen
- I still need to add the implementation for the Chrome extension; it works by injecting JS for now