Connect with us

Hi, what are you looking for?


Email Security

Gmail Blocking Suspicious Addresses Containing Non-Latin Characters

Google has updated Gmail spam filters to block out emails coming from addresses using suspicious combinations of Latin and non-Latin characters, the company said on Tuesday.

Google has updated Gmail spam filters to block out emails coming from addresses using suspicious combinations of Latin and non-Latin characters, the company said on Tuesday.

Google announced last week that it has adopted an email standard that supports addresses with non-Latin and accented Latin characters. For example, a woman from China named 王芳 (Wang Fang) and a man from Spain named José Ramón might want to use email addresses in which their names are spelled with Chinese characters, respectively with accented Latin characters.

This is possible thanks to an email standard created in 2012 by a group called the Internet Engineering Task Force (IETF). By adopting the standard for Gmail, and soon for Calendar, Google allows its customers to send and receive emails from people who have non-Latin and accented Latin characters in their addresses.

For the time being, the company doesn’t allow customers to create addresses with such characters, but this first step toward more global email opens up new opportunities for scammers and spammers.

They can exploit the fact that many non-Latin characters look nearly identical to Latin characters. For instance, the Gujarati digit zero (૦) and the Greek small letter omicron (ο) are very similar to the letter o, allowing scammers to “hoodwink” unsuspecting users by mixing and matching characters, Mark Risher of the Gmail spam and abuse team explained in a blog post on Tuesday. One of the examples provided by Risher is “MyBank” vs. “MyBɑnk.”

In order to address this issue, Google has updated Gmail spam filters to reject emails coming from addresses that use combinations identified by the Unicode community as being suspicious and potentially misleading.

“We’re using an open standard—the Unicode Consortium’s ‘Highly Restricted’ specification—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused,” explained Risher.

Advertisement. Scroll to continue reading.

In the “Highly Restrictive” specification, all characters must be from a single script, or from a series of combinations between Latin and Japanese or Chinese characters. The combinations are:

-Latin + Han + Hiragana + Katakana;

-Latin + Han + Bopomofo; or

-Latin + Han + Hangul.

Google has updated its guidelines for bulk senders to clarify that the authenticating domain, envelope “From” domain, payload “From” domain, reply-to domain, and sender domain should not violate these rules.

In April, Kaspersky spotted a series of spam emails in which certain letters in the subject line and the body were replaced with Cyrillic and Greek characters, and International Phonetic Alphabet (IPA) symbols in an effort to evade spam filters.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.