Every day Yahoo! sees hundreds of millions of forged emails pretending to come from trusted institutions. These abusive emails range from annoying spam, to phishing attacks, to potential malware that can take over your computer. Whether it’s downright nasty or just unpleasant, that’s all email you don’t want. To combat this abuse, Yahoo! helped create Domain-based Message Authentication, Reporting and Conformance (DMARC), a specification spearheaded by major technology providers and email senders to collectively fight spam and phishing.
We’re pleased to announce that we have successfully completed the work required to support DMARC and will be rolling it out globally this week.
DMARC builds upon DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), existing email validation standards that use cryptography to prove the identity of the sender domain by using the Domain Name System (DNS). With the addition of DMARC, emails have to prove that they are coming from a trusted sender. Non-verifiable emails will never reach a recipient’s inbox. As a result, DMARC eliminates an email user’s exposure to potentially fraudulent and harmful messages.
What does this mean for you?
For Yahoo! Mail users, it means less email in your inbox from non-verifiable sources. For example, if you receive an email claiming that it is from your bank, the applicable DMARC policies require the email to prove that it is indeed from your bank in order to be delivered to your mailbox. If the incoming email cannot be verified, Yahoo! Mail will not deliver the email to your mailbox.
For senders, it means you can protect your recipients and the reputation of your domain. You can tell Yahoo! how to handle non-verifiable emails: either keep them out of the inbox, or deliver them to bulk. Yahoo! can also provide you with a report on emails from your domain that could not be verified.
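The sender-side policy described above can be sketched as the check a receiving server runs. This is an added example, not Yahoo!'s code: the domains and records are constructed, `org_domain` is a simplification of Public Suffix List handling, and the `pct` tag is ignored.

```python
# Added example: simplified DMARC evaluation on the receiving side.
# All domains and TXT records below are constructed samples.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not usable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def evaluate(from_domain, record, spf, dkim):
    """spf: (result, envelope_domain); dkim: list of (result, d_domain).
    Returns (dmarc_result, disposition)."""
    policy = parse_dmarc(record)
    if policy is None:
        return ("none", "deliver")  # no policy published: nothing to enforce
    # A pass only counts when the authenticated domain matches the visible From domain.
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = any(
        result == "pass" and aligned(from_domain, d, policy.get("adkim", "r"))
        for result, d in dkim
    )
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    requested = policy["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in policy:
        requested = policy["sp"]  # separate policy for subdomains
    actions = {"none": "deliver", "quarantine": "bulk", "reject": "reject"}
    return ("fail", actions.get(requested, "deliver"))

# Constructed records: rua is where the sender asks for aggregate reports.
BANK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@bank.example"
SHOP = "v=DMARC1; p=quarantine; adkim=s"

if __name__ == "__main__":
    # Genuine mail: SPF passes for a subdomain of the From domain (relaxed alignment).
    print(evaluate("bank.example", BANK, ("pass", "mail.bank.example"), []))
    # SPF and DKIM both pass, but for an unrelated domain: no alignment, so DMARC fails.
    print(evaluate("bank.example", BANK, ("pass", "bulkmailer.example"),
                   [("pass", "bulkmailer.example")]))
    # Strict DKIM alignment: a signature from a subdomain is not enough.
    print(evaluate("shop.example", SHOP, ("fail", "shop.example"),
                   [("pass", "mail.shop.example")]))
```

The second case is the one that matters for forged mail: SPF and DKIM can both pass for the forger's own domain, and the message still fails because neither result aligns with the domain in the From header.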
In the coming months, we’ll be working with ISPs, email senders, and other email providers to encourage the creation and deployment of DMARC policies. At Yahoo! Mail, we’re working to make your email safer and are actively collaborating with other industry players to crack down on spam and phishing traffic.
Sr. Product Manager
In Christopher Nolan’s mind-boggling blockbuster “Inception”, Leonardo DiCaprio’s character, Dom Cobb, spins a top (i.e., his personal totem) to determine whether he’s in the real world or the dream world. If the top doesn’t stop spinning, it means he’s in a dream.
Strangely enough, this concept of a totem got me thinking about email.
As shown in my previous post, spammers have gotten very good at crafting legitimate-looking messages that appear to be the real thing, but are as fake as the Rolexes they peddle. They’ll spoof just about anyone or any brand to lure you into opening and clicking on their emails. With that said, wouldn’t it be great if we had a totem that could tell us whether a message is authentic or forged? Thankfully, we do have such a totem, sort of. Two of them, in fact.
- DomainKeys Identified Mail (aka DKIM) makes use of digital signatures in an email to identify authentic messages. It’s like having a virtual, verifiable fingerprint in every email that identifies it as a valid message from a domain. You can read more about DKIM at dkim.org.
- Sender Policy Framework (aka SPF) is a method of identifying authorized sources of messages for a domain. As a rough analogy, it’s akin to knowing all the possible phone numbers from which your bank can call you, so if you get a call from someone with an unknown number claiming to be from your bank, you know it’s suspicious. More information about SPF is available at openspf.org.
We’ve been utilizing both DKIM authentication and SPF validation on all messages sent to our users. These two technologies give us the ability to verify if an email came from a valid source for a particular domain—that is, if the email sender utilizes these technologies as well. Remember that forged Angelina Jolie Facebook invite I received in my spam folder in my previous post? Since Facebook uses DKIM and SPF on their email-sending domains (facebookmail.com and facebook.com), we can essentially prevent the delivery of such forged messages since they will fail these email authentication checks. Out of sight, out of mind.
As we continue to enhance our implementation of these anti-spoofing techniques, and through our collaboration with partners who specialize in these technologies, we are helping to broaden the adoption of email authentication across financial institutions, social networks, shopping sites, and others. Our ultimate goal is to reject messages that are spoofing legitimate brands and trusted domains so you don’t even get to see them in your mailbox.
This is just one initiative in 2011 that we in the anti-spam team are really excited about. We’re also working on other technological measures to bring trust and security to your email experience. Suffice to say, there won’t be any sleeping on the job as we rid your inboxes of spam. Take that, Dom Cobb!
Independent empirical studies done by the prestigious Fraunhofer Institute show that Yahoo! Mail is #1 in blocking malware and spam from reaching mailboxes.
We at Yahoo! are proud of putting technology to work for our users. Under the hood, a complex system of spam filters is combing every mail coming into the system for spam signals and automatically detecting the spammers’ next steps. Every spam report counts and tells a little more about how to counteract unwanted email.
Spammers use every trick in the book to distribute millions of spam and scam emails every day – but with Yahoo! Mail, most of these messages are stopped even before they get to our users. In fact, unlike our competitors’ antispam systems, our filters flag or block greater than 99% of spam. With nearly 300 million Yahoo! Mail users worldwide, we are blocking over 120 billion spam messages every month. That’s an average of 400 blocked spam messages per Yahoo! Mail inbox per month.
And we are not the only ones who have noticed our spam-reduction efforts.
The Fraunhofer Institute, an independent research firm, found that Yahoo! Mail users saw the least amount of spam out of the five providers tested, with nearly 40% less spam than Hotmail and 55% less spam than Gmail – meaning Gmail users in the study saw more than twice as much spam as Yahoo! Mail users.
While it’s great to lead the industry with our efforts, it is just as important for us to work together to win the war against spam. As we push forward with our collaboration with anti-spam industry partners, and advance our technology efforts, we’ll continue to arm you with tools, tips and strategies to keep your inbox away from spam, phishing and online scams.
And, as always, keep reporting spam so we can make our engines work even harder to keep your inbox clean.
Disposable Email Addresses in Yahoo! Mail (you might also know them as Addressguard) are a great way to help keep your Inbox free from spam. They are email addresses that you create and give out if you don’t want to give out your primary email address. Messages to your disposable email addresses are delivered to your Inbox or a folder you choose, and you can simply delete them if they start to receive spam.
If you’re like me and you use Disposable Email Addresses in the fight against spam, then I want to let you know about some upcoming changes to your Disposable Email Addresses. First of all, you probably know to look for the Disposable Email Addresses in the Spam section of Yahoo! Mail Options (click the ‘Options’ link in the top of your Inbox and then click ‘More Options’ or ‘Mail Options’). Soon, we are giving ‘Disposable Email Addresses’ its very own place on the Mail Options Screen. Let’s have a look:
(Please note: If you don’t see ‘Disposable Email Addresses’ as an option in the left-hand menu, you will need to sign up from the ‘Spam’ section of Mail Options.) Creating a Disposable Email Address is really very easy. Just click the ‘Add Address’ button at the top of the screen and an easy to follow wizard will walk you through creating your Disposable Email Addresses.
There are a few other changes as well. So let’s walk through each of them:
- Changes to ‘Spamguard’ settings: In the current version of Disposable Email Addresses – I’m going to abbreviate them to DEA’s now – you have the option of choosing whether you want to turn the ‘Spamguard’ setting on for each individual DEA. With the upcoming changes, all DEA’s will take the Spamguard setting that you have set up in the Spam section of your Yahoo! Mail Options. That means you will have one global Spamguard setting for your entire Mailbox and you can control it from one central location. How’s that for easy?
- Changes to the delivery options: Now, when you set up a DEA, you have an option to move messages addressed to your DEA to your Inbox or any personal folder that you’ve created. With the new DEA’s you can still do that, but now you will have to use a filter. After you create your DEA, just click the link ‘Manage Filters for Disposable Addresses’. That link will take you to the ‘Filters’ section of Yahoo! Mail Options. Create a new filter, then just put your newly created DEA in the ‘recipient’ field and select the folder you want it delivered to. (Please note: as a consequence of this change you will have to set up new filters for your current Disposable Email Addresses.)
- Changes to the ‘Sending Mail’ option: Our current DEA creation lets you pick an option to send email from a DEA. With the new version of Disposable Email Addresses you will now have the option of sending mail from all of the DEA’s you create. When you compose a new mail, you can find all your DEA’s in the ‘From:’ pick-list.
These changes to your Disposable Email Addresses have already begun to roll out to Yahoo! Mail users. If you don’t see these changes in your Yahoo! Mail Options right now, they should be showing up soon. If you have any questions or concerns, please feel free to contact our Customer Care team.
I get questions from users now and again, whether or not we sent an email asking for account information. The answer is always NO! (Sorry for shouting) We will never send you an email asking for your account information. This is something that I’ve written about before but it never hurts to post about it again.
Here is an example of a phishing email that I received recently:
We definitely did not send this email. This one, and others like it, all pretty much follow the same formula:
- They are sent from a strange email address (but sometimes masked to look genuine)
- They usually use a scare tactic
- They want you to reply with your account information
- They have bad grammatical errors and use crazy fonts and lots of logos.
The most important thing to know is we will never ask you for your password! Here are some other tips to protect you from phishing threats: never click on links in emails that ask you to provide account information; go directly to the website and log in from there; and don’t believe every warning you read in an email. And finally, there is no Yahoo Lottery.
To coin a phrase from my all-time favorite daytime cartoon series G.I. Joe – “Now you know, and knowing is half the battle.”
With more than 300 million Yahoo! Mail inboxes worldwide, we take our responsibility to keep you safe and your inbox free of spam, phishing and other online scams very seriously. Did you know that in 2008, Yahoo! blocked more than a billion spam messages each day? And it doesn’t stop there. So far this year, we have reduced the amount of spam that comes to Yahoo! Mail inboxes by an additional 30 percent!
So how do we do it? Our anti-spam efforts use a multi-faceted approach to protect your inbox including the use of enhanced technologies, industry collaboration, public policy efforts, and consumer awareness campaigns. Here’s a look at some of the latest advancements from the front lines of fighting spam:
Analytical analysis – Because spammers adjust their messages in subtle ways to evade detection, we’re using Hadoop, a supercomputer consisting of thousands of individual PCs, to look at hundreds of different elements in each message. For example, Hadoop doesn’t just look for the word “viagra” or “v1agra” or “v.i.a.g.r.a.” to show up in the subject line, it also looks for extremely subtle signals like how many words are in the message, what time of day the message was sent, how different this message is from the last one we saw from that same sender, and so on.
The hunt is on – We welcome opportunities within both private and public sectors to eliminate spam and educate its users about phishing. For example, in 2008 we saw an increase in messages telling our users that they had “won” the Yahoo! Lottery. Sadly, no such lottery has ever existed! Yahoo! has formed a public-private coalition with Microsoft, the African Development Bank, and Western Union to allow victims of lottery scams to upload police reports that are used to track down these criminals and develop better ways of protecting people online, and filed a lawsuit directly targeting these criminal con-men.
Self defense – The old adage is true: an ounce of prevention is worth a pound of cure. Through ongoing consumer education and awareness, we are able to provide you with tips and strategies to identify spam, phishing and other online scams. Speaking of, the holiday season and “Cyber Monday”—one of the busiest e-commerce days of the year—are right around the corner. According to the Identity Theft Resource Center, Internet fraud surges around this time because more of us are shopping online. Be careful of those deals that sound too good to be true, because they almost always are. For more advice, be sure to check out our top tips for staying safe online and spotting online scams. Also, check out the sidebar below for specific tips for Cyber Monday. With a sharp eye and a little education, you can better protect your wallet and your identity this holiday season!
With Yahoo! Mail touching over 50 percent of U.S. email users, your protection online and the prevention of spam are issues that are always top of mind. Whether it be phishing scams, lottery scams, fund transfer scams or other crimes, rest assured that we are behind the scene working diligently to protect you and your inbox.
Happy holidays from me and my team as we protect you from spam, one message at a time.
Tips for a Safe and Productive Cyber Monday!
As I mentioned earlier, Cyber Monday is almost here. So be sure to use the following tips when you’re receiving emails from vendors on deals and bargains or shopping online at Yahoo! Shopping or any other online shopping store for that perfect gift this holiday season:
Stay updated: Make sure your anti-virus software, internet browser, and operating system are all up-to-date, to protect your computer against viruses and fraudulent websites.
Know whom you’re buying from: Make sure you understand something about the company you are making a purchase from, and be familiar with their practices and policies. While there are many perfectly-reputable online merchants, there are also scammers out there, so be wary of deals that seem too good to be true. Check out their return policies, shipping procedures, and packaging timeframe. Be comfortable with the website and confident that you are going to be protected in the event an issue arises.
Keep your password to yourself: Most websites will require a log-in to make a purchase. Create a secure and unique password, with a combination of letters (uppercase and lowercase), numbers and symbols. If you need to, it’s much better to pick strong passwords and write them down in a secure location than to reuse the same, simple password on multiple sites.
Look for the padlock: When you’re entering sensitive data – such as passwords or credit card numbers – you should always look for the locked padlock symbol at the bottom of the screen or in the web address toolbar. If the lock isn’t there, it means the site is not securing your information and the site should definitely not be trusted (unfortunately, just because the lock is there doesn’t mean the site is legit, but if it’s not there you know something’s up).
Use your better judgment: You know better! If that Cyber Monday deal sounds too good to be true, chances are that it is. The same can be said about e-mail. While our spam filters work hard to weed out the bad from the good, never click on links in unsolicited or untrusted messages; doing so exposes you to the fraud and also encourages spammers to send more spam.
Keeping you safe while you’re online is a top priority for us here at Yahoo!. One important part of your online safety is making sure that nobody else can access your Yahoo! Mail account without your permission, and the best way to do that is to make sure you choose a good password and make sure nobody else knows it or can easily guess it.
I know it can feel like a pain typing out a more detailed password, but none of us want to make it any easier for the bad guys.
My top advice is to be mindful of any Web page that requests your Yahoo! password. The #1 way people get their passwords stolen is by typing them into lookalike “phishing” web sites, pages that pretend to be Yahoo! or another trusted Web site but actually are run by the bad guys. Scrutinize carefully any page that requests your Yahoo! password. In addition:
- Make sure the Web page address doesn’t have any misspellings or extra words (e.g. http://www.yah000.com, http://www.yahoo-members.com, or http://www.yahoo.BadGuyEnterprises.com) in it. When in doubt, go straight to http://www.yahoo.com and log in from there.
- Be vigilant about anything that doesn’t look right on the page, such as typos, outdated content, or broken or missing pictures.
- Best idea: be sure to set up a customized “Sign-In seal” picture — instructions are at https://protect.login.yahoo.com/ — and never enter your password unless you see that picture on the page.
Here are a few more tips to help keep you safe online:
- Don’t use the same password on multiple sites. Your Yahoo! Mail account is important to you, so it deserves its own password. That way, if the unthinkable happens on another site, at least your Yahoo! mailbox remains secure.
- Never send your password over email. Yahoo! will never request your password from you in an e-mail; if you ever receive such a request, you should treat it as fraud. Do not pass “Go!” Instead immediately click the “Spam” button on that message.
- Protect yourself with a virus scanner. Another way passwords get stolen is from a virus that records your keystrokes. Don’t give the bad guys that option: There are a number of anti-virus companies that offer free versions or trial offers, including (in no particular order and with no specific endorsement implied) http://security.symantec.com , http://usa.kaspersky.com/downloads/free-virus-scanner.php, http://us.mcafee.com/root/downloads.asp?id=freeTrials, and http://www.avast.com/eng/avast_4_home.html.
Unfortunately there is no silver bullet against these criminals and con-men, but hopefully these tips will help us all keep the bad guys at bay.
You may have heard or read about email accounts and their passwords being posted online. While I’ve read different versions of how the person(s) responsible was able to get the email account information, it was not a result of any insecurity at Yahoo! It looks to be a result of phishing attacks. Should you feel that one of your email accounts was affected by the recent publication, whether it is a Yahoo!, Hotmail or Gmail account, I would suggest changing your password as well as other account security information like secret questions and alternate email addresses.
We are aware that a limited number of Yahoo! IDs have been made public; it’s uncertain whether any of those email/password combinations have resulted in any accounts being compromised. Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo! takes great effort to protect our users’ security.
We also have the following online resources that provide information and guidelines on email safety:
Our anti-spam site: http://antispam.yahoo.com/
With a phishing prevention sub-section: http://antispam.yahoo.com/phishing
Our help pages: http://help.yahoo.com/l/us/yahoo/mail/yahoomail/abuse/
And of course, I’ve posted a number of articles about online safety to this blog: Spotting phishing emails, how to spot online scams, avoiding the lottery scams, and account recovery help
Here are a couple FAQs that provide additional information:
Have accounts been compromised because of this?
We are unable to confirm whether accounts have been compromised at this time. However, we strongly suggest that consumers take caution in securing their email and other online accounts by regularly changing their passwords, and updating account security information.
What do I do if I think my account has been compromised?
You should change your password immediately. Also, if you are unable to enter your account, you can take steps to recover it here: https://edit.yahoo.com/forgotroot
We take online security seriously at Yahoo! We strive to make you and your Yahoo! account as safe as possible. Of course if you have any questions or issues with your account, please contact our Customer Care team.
- Posted June 2nd, 2009 at 3:42 am by HuongT
These days many of you are engaged in an epic battle… separating the important emails from everything else. You get a lot of emails, some good (from friends, family, even favorite interests that you’ve added to your Address Book), and a lot of not-so-important emails (special offers, newsletters, emails you rarely read). All this has made your Inbox more work than fun. Wouldn’t it be great if you could simply snap your fingers and poof! – your Inbox magically transformed to only show the important emails?
Well, we’re not magicians on the Mail team but we are rolling out a new feature that lets you filter your Inbox (or any folder) to just show the emails from senders you’ve added to your Address Book – with just the simple click of a button! It is a crazy easy way to let the “good guys” (important emails) win! Let me show you how it works.
Step 1: Go to your Inbox or any folder. Above the list of emails, you’ll see links to View from All, Contacts, or Connections.
Click on Contacts:
Like magic, your Inbox (or any folder) transforms to only show emails from Contacts you’ve currently added to your Address Book! No work required (who says all things good in life have to be difficult)? Now you can easily see just the emails from your friends, family, and favorite interests (I love U2 and added them to my Address Book) right up front, minus the noise and clutter. Of course, you can always create filters if you want even more control.
Please check it out and let us know what you think! Thank you very much for continuing to use Yahoo! Mail.
PS: This feature will roll out in the next few weeks to both Classic and the new Yahoo! Mail users who have the Smarter Inbox features enabled. To get these new features, first create a Profile at profiles.yahoo.com and then log back into Yahoo! Mail. Only users in the US and Australia can get it now, but users from many more countries will be eligible soon.
- Posted March 3rd, 2009 at 4:57 am by HuongT
This week we have a guest blogger. So let me take a moment to introduce you to Rick Pal. Rick is the Senior Product Manager for our smarter, more social Yahoo! Mail. He’s got some exciting info to share about some changes to your smarter Inbox.
Hello everyone! As you may know, the Yahoo! Mail team has been pretty busy lately – adding Apps, strengthening our anti-spam, integrating IM into Classic Mail – and of course we’ve also been listening intently to you! Of course, not all of you have the new social features, but based on feedback from those that do, I’d like to talk about some upcoming changes we’re making.
You: Updates rock! Keep em coming.
Us: You might notice that your “Welcome” page in Yahoo! Mail has a new look and feel. For those using the social features in Yahoo! Mail, we’ve brought updates to the forefront and we now integrate non-Yahoo! sites directly in Updates — places you regularly visit such as YouTube, Blogger, Yelp, Picasa, and more. And there are many more Yahoo! sites now live, including Yahoo! Sport and Flickr. By adding more sites from which you can see Updates, we hope to make it easier for you to stay in the loop with the people that matter.
You: News over Connections Suggestions, please
Us: We’ve moved the entire connections module (invites, suggestions) to the right so you can continue to see the news and weather higher on the page.
You: I want to manage my connections inside of Mail
Us: We’re rolling out a brand new Address Book (what we’re now calling Yahoo! Contacts) that integrates contacts and connections (we’ll do a separate blog post on these features). The new Yahoo! Contacts will only be available to social users for now but it will be made available to all Mail users in the coming months. Stay tuned!
You: Holy Batman! I don’t want this thing!
Us: It is your Mail! Some of you just prefer the old welcome page and don’t want connections features. Here’s how to go back.
You: Holy Batman! I really want this thing!
Us: We are adding several new features that make it even easier to communicate and share before rolling it out to more users. Don’t have it yet? To get to the front of the line when we add more users, please create a profile.
Thanks again for all the helpful feedback. And thank you for continuing to use Yahoo! Mail!
Sr. Product Manager