A Peek Behind the Curtain
If I were asked to conjure up a compelling visual representation of our incessant fight against spam, I probably would’ve come up with a highly inappropriate—and possibly offensive—infographic. (The anti-spam team deals with the nastiest of emails after all, from the vicious to the vile.) Thankfully, there were other creative and wholesome folks at Yahoo! who were up to the task.
If a picture is worth a thousand words, the visualization of Yahoo! Mail’s delivery and anti-spam network is worth several billion messages a day. It is quite mesmerizing. If you haven’t yet, do check it out at:
You can read more about the Yahoo! Mail Visualization Project here.

How Not To Be A Closet Spammer
Have you ever received an email from a friend that was just downright spammy and wonder what possessed him or her to send it? Worse, have you received emails from concerned relatives and friends asking why you sent them emails pitching prescription drugs? If you’re familiar with either situation, then you know what happens when someone’s email account has been compromised and taken over by spammers.
Whether through malicious software silently installed on users’ computers, credentials unknowingly entered on a phishing page, or the use of common or easy-to-crack passwords, we are seeing an increase in legitimate user accounts being accessed and exploited by spammers. While we have measures in place to detect and mitigate the damage, it’s still a daunting and disconcerting dilemma being faced–and collaboratively worked on–by email providers across the industry.
If you have (or know of someone who has) been a victim of such an account compromise, here are the 2 most important actions to secure the account:
1) Change your password immediately. If you have a Yahoo! account, you can change your password at https://edit.yahoo.com/config/change_pw.
If you can no longer access your account, you can get a new password at https://edit.yahoo.com/forgotroot/. If you still can’t access your account after going through the “Forgot Your Password” process, you may contact our Customer Care team for assistance at:
http://help.yahoo.com/l/us/yahoo/security/general.html
Important: If you use the old password at other sites, we recommend you change it for those accounts as well. Furthermore, don’t revert to the old password at any time; that password can never be used safely again for any of your accounts.
2) Scan your computers for malicious software. If you have an anti-virus program installed, make sure to update it and then run a scan. Do this for both your personal and work computers. (You should be doing this periodically, by the way.)
If you don’t have an anti-virus program and are using a Windows computer, Microsoft provides a free, anti-virus program at:
http://www.microsoft.com/en-us/security_essentials/default.aspx
For more tips and recommendations to keep your online experience safe, be sure to visit the Yahoo! Security Center.

Phishers Beware, YMAP Is Here
Dig if you will this picture: You’re taking a leisurely walk around your neighborhood park on a sunny day, taking in the sun, the scenery, and the sanctity of the place you’ve come to call home. Suddenly, a masked intruder appears out of nowhere and tries to rob you. That would be a jolting and revolting experience, wouldn’t it?
To me, the online equivalent of such a criminal encounter is finding a phishing email in my mailbox. I deem my mailbox as the safe haven of my online experience. It’s where I communicate with family and friends, receive important messages from the companies I transact with, and, within Yahoo! Mail, where I chat with my Facebook buddies. That’s why we’re obsessed with keeping phishers out of your Yahoo! Mail.
On that note, I’m happy to announce the release of Yahoo! Mail Anti-Phishing Platform (YMAP), which further reinforces the trust and security of the Yahoo! Mail experience using existing email authentication technologies. It builds on the pilot anti-phishing program we ventured into with eBay/PayPal back in 2007, but this time we’re casting a wider net on the phishing problem.
So, what does this mean for you?
Put simply, we’re beefing up Yahoo! Mail’s SpamGuard by adding more security measures that make it much harder for phishers to get to your mailbox. We’ve teamed up with email authentication partners—namely, Authentication Metrics, eCert, Return Path, and Truedomain—to gain significant coverage to protect the prime targets of phishing attacks. Our partners work with top brands and email senders to audit, monitor, and protect email traffic using their domains. This collaboration enables us to apply policies to protect the authenticated emails using the domains of well-known online services–from popular social networks like Facebook to often-targeted institutions in the banking industry.
While this project is still in its early stages of deployment, we will be rolling it out aggressively during the coming months so that Yahoo! Mail users, along with the expanding list of companies participating in the program, are better protected from the perilous plague of phishing. It’s just another way we’re beating away bandits from your mailbox.

Leonardo DiCaprio: Actor, activist… spam fighter?
In Christopher Nolan’s mind-boggling blockbuster “Inception”, Leonardo DiCaprio’s character, Dom Cobb, spins a top (i.e., his personal totem) to determine whether he’s in the real world or the dream world. If the top doesn’t stop spinning, it means he’s in a dream.
Strangely enough, this concept of a totem got me thinking about email.
As shown in my previous post, spammers have gotten very good at crafting legitimate-looking messages that appear to be the real thing, but are as fake as the Rolexes they peddle. They’ll spoof just about anyone or any brand to lure you into opening and clicking on their emails. With that said, wouldn’t it be great if we had a totem that could tell us whether a message is authentic or forged? Thankfully, we do have such a totem, sort of. Two of them, in fact.
- DomainKeys Identified Mail (aka DKIM) makes use of digital signatures in an email to identify authentic messages. It’s like having a virtual, verifiable fingerprint in every email that identifies it as a valid message from a domain. You can read more about DKIM at dkim.org.
- Sender Policy Framework (aka SPF) is a method of identifying authorized sources of messages for a domain. As a rough analogy, it’s akin to knowing all the possible phone numbers from which your bank can call you, so if you get a call from someone with an unknown number claiming to be from your bank, you know it’s suspicious. More information about SPF is available at openspf.org.
We’ve been utilizing both DKIM authentication and SPF validation on all messages sent to our users. These two technologies give us the ability to verify if an email came from a valid source for a particular domain—that is if the email sender utilizes these technologies as well. Remember that forged Angelina Jolie Facebook invite I received in my spam folder in my previous post? Since Facebook uses DKIM and SPF on their email-sending domains (facebookmail.com and facebook.com), we can essentially prevent the delivery of such forged messages since they will fail these email authentication checks. Out of sight, out of mind.
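To make the SPF check concrete, here is an added example (not code from the original post or from Yahoo!) that evaluates a simplified SPF record against the IP address that delivered a message, the way a receiver decides whether a sender is an authorized source for the domain. The record and IP addresses are constructed for illustration; the include, a, mx and redirect mechanisms of real SPF need DNS lookups and are deliberately left out.

```python
import ipaddress

# Constructed SPF record for illustration only; not any real domain's record.
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate a simplified SPF record against the connecting IP.

    Supports only the ip4/ip6 mechanisms and 'all', each with an optional
    qualifier (+ pass, - fail, ~ softfail, ? neutral). Mechanisms that
    require DNS (include, a, mx, ptr, exists, redirect) are not handled.
    Returns one of: pass, fail, softfail, neutral, none, unsupported.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all, so no policy to apply
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"  # mechanisms without an explicit qualifier mean "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")  # ip6 args keep their own colons
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]  # 'all' matches every IP: the default verdict
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue  # no match, try the next mechanism
        return "unsupported"  # include/a/mx/... would need DNS; out of scope here
    return "neutral"  # nothing matched and no 'all' term was present


if __name__ == "__main__":
    # A sender inside the listed range passes; one outside it gets the ~all verdict.
    print(evaluate_spf(EXAMPLE_SPF, "203.0.113.57"))  # pass
    print(evaluate_spf(EXAMPLE_SPF, "192.0.2.99"))    # softfail
```

A forged message like the Facebook invite described above would hit the last `all` term of the real domain's record, and a receiver can then treat a fail or softfail as a strong spam signal.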
As we continue to enhance our implementation of these anti-spoofing techniques, and through our collaboration with partners who specialize in these technologies, we are helping to broaden the adoption of email authentication across financial institutions, social networks, shopping sites, and others. Our ultimate goal is to reject messages that are spoofing legitimate brands and trusted domains so you don’t even get to see them in your mailbox.
This is just one initiative in 2011 that we in the anti-spam team are really excited about. We’re also working on other technological measures to bring trust and security to your email experience. Suffice to say, there won’t be any sleeping on the job as we rid your inboxes of spam. Take that, Dom Cobb!

Don’t Lie to Me, Angelina!

Earlier this year I received a Facebook invite in my Yahoo! Mail account from none other than Angelina Jolie herself. I kid you not.
While it’s true that we live in the Digital Age where communicating with anyone is a mere tap of a finger away—whether it’s via email, IM, Facebook, Twitter, etc.—the chances that Ms. Jolie would randomly reach out to a regular Joe, such as myself, are still pretty darn improbable. So, the following questions raced through my mind:
- What in Brad’s name would compel Angelina to friend me?
- Did my mom put me up for adoption? (Can she even do that at my age?!?)
- Why did the invite end up in my spam folder?
This last question is especially relevant for my role here at Yahoo! Mail, where I am part of the anti-spam team. Our mission is to ensure that wanted messages get to the inbox and insidious ones remain out of sight.
After suspending my disbelief for a second, I realized that the invite was a well-crafted forgery. It even spoofed Facebook’s mailing domain, facebookmail.com, to make it seem authentic (the email was sent from an IP address in Poland). My trained eye saw through the deception, even though my strained ego wanted to believe it.
Spammers send such spoofed messages by the millions every day, and try to lure recipients into clicking nefarious links in the message by dangling compelling, socially-engineered bait. Perhaps the link leads to a phishing page designed to steal log-in credentials, or a site that sells prescription drugs for cheap. Worse, it may point to a file that silently installs malicious software that logs every keystroke and silently sends it off to some evil mastermind.
The point is, any link found in spam leads to no good. That’s why I didn’t click on any links in that invite; I just deleted the email. You should do the same when you receive a suspicious or unsolicited message—especially if you find it in your spam folder.
In an upcoming sequel to this post, I’ll provide more details on how our anti-spam team is leveraging anti-forgery technologies, such as DKIM and SPF, to step up the fight against such spoofed and phishing emails.
Stay tuned.