Help – I think my Yahoo! Account may have been hijacked

I am a firm believer in the old adage ‘an ounce of prevention is worth a pound of cure’. That is why my colleagues and I write a lot of posts around online security, phishing prevention and spam. We want everyone to know how to recognize and avoid phishing emails, as well as share tips for staying safe online.

But I also recognize that even the best of us can get caught off-guard sometimes. Whether it happens by mistake or because of a particularly well-done forgery, someday you may find yourself in the situation that your account has been phished. If you don’t realize it right away, you’ll know it when your friends start asking why you sent them an email to a strange online shop or whether or not you really are stuck in Chicago without your wallet and are in need of money.

If you do ever find yourself the victim of a phishing attack and think your Yahoo account has been compromised, here are some things you can do to help get your account back online and in your control:

Change your password immediately. If you find that your account is sending spam, and you are still able to access your account, log in to your Yahoo! account and change your password. That will prevent the fraudster from entering your account again. (Tip: Also check that we have the correct alternate contact email address for you on file.)

Use our automated account recovery tool. Sometimes the hacker who stole your information changes your password so that you can no longer access your account. If that’s the case, our account recovery tool can help restore access to your account and change your password at the same time. (Tip: You will have to answer your secret questions to complete the tool. If you forgot, or haven’t set your secret questions/answers, you can do that here, then click the link ‘Update password-reset info’.)

Contact our Customer Care Team. If you can’t remember or are unable to provide the information needed by the account recovery tool, you can always contact our customer care team. Have a look at our account verification help pages, and then click the ‘Contact Us’ link. They will help you get access to your account.

Remember, prevention is the best medicine. So arm yourself with the knowledge to stay safe online, and make sure you are prepared in case you ever do find yourself the victim of phishing. To simplify the process and quickly regain control of your Yahoo! account, make sure you always have a current alternate contact email address, and know the questions and answers to your secret questions. You can update your Yahoo! account recovery information by logging into your Yahoo! Account.

Andrew Molyneux


5 Tips to Outsmart Phishers

“Phishers” keep us up at night. These people deliberately try to con you and then steal your private information. This is a huge industry-wide problem, and Yahoo! dedicates significant resources to identify and block phishing emails before they reach your inbox.

Unfortunately, we can’t stop phishers without your help. The most effective way to prevent phishers from stealing your information is to remember a handful of common sense tips that can help stop intruders in their tracks and keep you safe online:

1. Don’t recycle your password
Got a favorite password you like to use? Well, don’t use it often, because attackers who successfully obtain a password you use at one Website will likely try to use it to access your other accounts, such as your bank or favorite online retailer. Here’s a better idea: Use a different password for each Website you use to access sensitive information (i.e., email, bank, social networking, and major retail Website passwords). Mix up your passwords even if your username is the same.

2. Never send your sensitive information over email
No reputable businesses will ask you to send them your password or account information in an email. If you receive such a message, immediately click the “Spam” button on that message and we’ll get rid of it. Likewise, beware of messages from major companies asking you to “click this link” to verify your password. Instead of clicking on the link, visit that company’s homepage or call the company’s customer service line to verify the authenticity of that email. Phishers like to use these types of emails to direct people to legitimate-looking Websites that are really meant to steal IDs and passwords.

3. Check the “From” line
If you get an email message that seems too good to be true, it probably is. Always look at the email address itself and not only at the name of the sender. If the “From” line seems too generic or the domain does not clearly identify who the sender is, such as “yourbank@freemmail.com” or “servicealerts@mail-boxes.us”, then it’s likely a hoax. Be safe, not sorry.

4. Know thy friend
The other day a friend of mine sent me an email with a generic, “Hey, check this out!” in the subject line and a link from an unknown Website. Turned out his account had been compromised. Be suspicious if a friend sends you a link that seems phishy – and make sure to alert them so they can warn other recipients of the message and alert their email service provider. If they ask you to send money, give them a call first (even if the email says it’s pointless). Scammers steal accounts and send messages with sad stories to convince you to wire them money. We all want to help our friends, but not by sending money to strangers.

5. Keep your system virus-free
There are viruses out there that steal your passwords by recording your keystrokes. Using and regularly updating virus scanning software is a good way to protect yourself from these and other types of malicious code. There are a number of anti-virus companies that offer free versions or trial offers, including: http://security.symantec.com, http://usa.kaspersky.com/downloads/free-virus-scanner.php, http://us.mcafee.com/root/downloads.asp?id=freeTrials, and http://www.avast.com/eng/avast_4_home.html.

You’ll continue to see more tips from Yahoo! about how to protect yourself online. We’re committed to arming you with tools that will help keep you safe, including the improved spam protection we’ve built into the new Yahoo! Mail Beta. Take a test drive or learn more about it here.


David McDowell
Sr. Director of Product Management
Yahoo! Mail


Leonardo DiCaprio: Actor, activist… spam fighter?

In Christopher Nolan’s mind-boggling blockbuster “Inception”, Leonardo DiCaprio’s character, Dom Cobb, spins a top (i.e., his personal totem) to determine whether he’s in the real world or the dream world. If the top doesn’t stop spinning, it means he’s in a dream.

Strangely enough, this concept of a totem got me thinking about email.

[Image. Photo by Stephen Vaughn/Warner Bros. Pictures]

As shown in my previous post, spammers have gotten very good at crafting legitimate-looking messages that appear to be the real thing, but are as fake as the Rolexes they peddle. They’ll spoof just about anyone or any brand to lure you into opening and clicking on their emails. With that said, wouldn’t it be great if we had a totem that could tell us whether a message is authentic or forged? Thankfully, we do have such a totem, sort of. Two of them, in fact.

  • DomainKeys Identified Mail (aka DKIM) makes use of digital signatures in an email to identify authentic messages. It’s like having a virtual, verifiable fingerprint in every email that identifies it as a valid message from a domain. You can read more about DKIM at dkim.org.
  • Sender Policy Framework (aka SPF) is a method of identifying authorized sources of messages for a domain. As a rough analogy, it’s akin to knowing all the possible phone numbers from which your bank can call you, so if you get a call from someone with an unknown number claiming to be from your bank, you know it’s suspicious. More information about SPF is available at openspf.org.

We’ve been utilizing both DKIM authentication and SPF validation on all messages sent to our users. These two technologies give us the ability to verify if an email came from a valid source for a particular domain—that is if the email sender utilizes these technologies as well. Remember that forged Angelina Jolie Facebook invite I received in my spam folder in my previous post? Since Facebook uses DKIM and SPF on their email-sending domains (facebookmail.com and facebook.com), we can essentially prevent the delivery of such forged messages since they will fail these email authentication checks. Out of sight, out of mind.

As we continue to enhance our implementation of these anti-spoofing techniques, and through our collaboration with partners who specialize in these technologies, we are helping to broaden the adoption of email authentication across financial institutions, social networks, shopping sites, and others. Our ultimate goal is to reject messages that are spoofing legitimate brands and trusted domains so you don’t even get to see them in your mailbox.

This is just one initiative in 2011 that we in the anti-spam team are really excited about. We’re also working on other technological measures to bring trust and security to your email experience. Suffice to say, there won’t be any sleeping on the job as we rid your inboxes of spam. Take that, Dom Cobb!


Carlo Catajan
Product Manager, Anti-Abuse
Yahoo! Mail


It’s official. No one fights spam harder, smarter, or better than Yahoo! Mail.

Independent empirical studies done by the prestigious Fraunhofer Institute show that Yahoo! Mail is #1 in blocking malware and spam from reaching mailboxes.

We at Yahoo! are proud of putting technology to work for our users. Under the hood, a complex system of spam filters is combing every mail coming into the system for spam signals and automatically detecting the spammers’ next steps. Every spam report counts and tells a little more about how to counteract unwanted email.

Spammers use every trick in the book to distribute millions of spam and scam emails every day – but with Yahoo! Mail, most of these messages are stopped even before they get to our users. In fact, unlike our competitors’ antispam systems, our filters flag or block greater than 99% of spam. With nearly 300 million Yahoo! Mail users worldwide, we are blocking over 120 billion spam messages every month. That’s an average of 400 blocked spam messages per Yahoo! Mail inbox per month.

And we are not the only ones who have noticed our spam-reduction efforts.

The Fraunhofer Institute, an independent research firm, found that Yahoo! Mail users saw the least amount of spam out of the five providers tested, with nearly 40% less spam than Hotmail and 55% less spam than Gmail – meaning Gmail users in the study saw more than twice as much spam as Yahoo! Mail users.

While it’s great to lead the industry with our efforts, it is just as important for us to work together to win the war against spam. As we push forward with our collaboration with anti-spam industry partners, and advance our technology efforts, we’ll continue to arm you with tools, tips and strategies to keep your inbox away from spam, phishing and online scams.

And, as always, keep reporting spam so we can make our engines work even harder to keep your inbox clean.

vishr


We Will Never Send This Email

I get questions from users now and again about whether or not we sent an email asking for account information. The answer is always NO! (Sorry for shouting.) We will never send you an email asking for your account information. This is something that I’ve written about before, but it never hurts to post about it again.

Here is an example of a phishing email that I received recently:

[Image: phishing email]

We definitely did not send this email. This one, and others like it, all pretty much follow the same formula:

  • They are sent from a strange email address (but sometimes masked to look genuine)
  • They usually use a scare tactic
  • They want you to reply with your account information
  • They have bad grammatical errors and use crazy fonts and lots of logos.

The most important thing to know is we will never ask you for your password! Here are some other tips to protect you from phishing threats: Never click on links in emails that ask you to provide account information; go directly to the website and log in from there. Don’t believe every warning you read in an email. And finally, there is no Yahoo Lottery.

To coin a phrase from my all-time favorite daytime cartoon series G.I. Joe – “Now you know, and knowing is half the battle.”


Protecting You From Spam, One Message at a Time

With more than 300 million Yahoo! Mail inboxes worldwide, we take our responsibility to keep you safe and your inbox free of spam, phishing and other online scams very seriously. Did you know that in 2008, Yahoo! blocked more than a billion spam messages each day?  And it doesn’t stop there. So far this year, we have reduced the amount of spam that comes to Yahoo! Mail inboxes by an additional 30 percent!

So how do we do it?  Our anti-spam efforts use a multi-faceted approach to protect your inbox including the use of enhanced technologies, industry collaboration, public policy efforts, and consumer awareness campaigns. Here’s a look at some of the latest advancements from the front lines of fighting spam:

Analytical analysis – Because spammers adjust their messages in subtle ways to evade detection, we’re using Hadoop, a supercomputer consisting of thousands of individual PCs, to look at hundreds of different elements in each message.  For example, Hadoop doesn’t just look for the word “viagra” or “v1agra” or “v.i.a.g.r.a.” to show up in the subject line, it also looks for extremely subtle signals like how many words are in the message, what time of day the message was sent, how different this message is from the last one we saw from that same sender, and so on.

The hunt is on – We welcome opportunities within both private and public sectors to eliminate spam and educate its users about phishing. For example, in 2008 we saw an increase in messages telling our users that they had “won” the Yahoo! Lottery.  Sadly, no such lottery has ever existed!  Yahoo! has formed a public-private coalition with Microsoft, the African Development Bank, and Western Union to allow victims of lottery scams to upload police reports that are used to track down these criminals and develop better ways of protecting people online, and filed a lawsuit directly targeting these criminal con-men.

Self defense – The old adage is true: an ounce of prevention is worth a pound of cure.  Through ongoing consumer education and awareness, we are able to provide you with tips and strategies to identify spam, phishing and other online scams.  Speaking of, the holiday season and “Cyber Monday”—one of the busiest e-commerce days of the year—are right around the corner.  According to the Identity Theft Resource Center, Internet fraud surges around this time because more of us are shopping online. Be careful of those deals that sound too good to be true, because they almost always are.  For more advice, be sure to check out our top tips for staying safe online and spotting online scams.  Also, check out the sidebar below for specific tips for Cyber Monday.  With a sharp eye and a little education, you can better protect your wallet and your identity this holiday season!

With Yahoo! Mail touching over 50 percent of U.S. email users, your protection online and the prevention of spam are issues that are always top of mind.  Whether it be phishing scams, lottery scams, fund transfer scams or other crimes, rest assured that we are behind the scene working diligently to protect you and your inbox. 

Happy holidays from me and my team as we protect you from spam, one message at a time.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tips for a Safe and Productive Cyber Monday!
As I mentioned earlier, Cyber Monday is almost here.  So be sure to use the following tips when you’re receiving emails from vendors on deals and bargains or shopping online at Yahoo! Shopping or any other online shopping store for that perfect gift this holiday season:

Stay updated: Make sure your anti-virus software, internet browser, and operating system are all up-to-date, to protect your computer against viruses and fraudulent websites.

Know whom you’re buying from: Make sure you understand something about the company you are making a purchase from, and be familiar with their practices and policies. While there are many perfectly-reputable online merchants, there are also scammers out there, so be wary of deals that seem too good to be true. Check out their return policies, shipping procedures, and packaging timeframe. Be comfortable with the website and confident that you are going to be protected in the event an issue arises.

Keep your password to yourself: Most websites will require a log-in to make a purchase. Create a secure and unique password, with a combination of letters (uppercase and lowercase), numbers and symbols. If you need to, it’s much better to pick strong passwords and write them down in a secure location than to reuse the same, simple password on multiple sites.

Look for the padlock: When you’re entering sensitive data – such as passwords or credit card numbers – you should always look for the locked padlock symbol at the bottom of the screen or in the web address toolbar. If the lock isn’t there, it means the site is not securing your information and the site should definitely not be trusted. (Unfortunately, just because the lock is there doesn’t mean the site is legit, but if it’s not there you know something’s up.)

Use your better judgment: You know better! If that Cyber Monday deal sounds too good to be true, chances are that it is. The same can be said about e-mail. While our spam filters work hard to weed out the bad from the good, never click on links in unsolicited or untrusted messages; doing so exposes you to the fraud and also encourages spammers to send more spam.


Stay Safe Online

Keeping you safe while you’re online is a top priority for us here at Yahoo!. One important part of your online safety is making sure that nobody else can access your Yahoo! Mail account without your permission, and the best way to do that is to make sure you choose a good password and make sure nobody else knows it or can easily guess it.

I know it can feel like a pain typing out a more detailed password, but none of us want to make it any easier for the bad guys.

My top advice is to be mindful of any Web page that requests your Yahoo! password. The #1 way people get their passwords stolen is by typing them into lookalike “phishing” web sites, pages that pretend to be Yahoo! or another trusted Web site but actually are run by the bad guys. Scrutinize carefully any page that requests your Yahoo! password. In addition:

  • Make sure the Web page address doesn’t have any misspellings or extra words (e.g. http://www.yah000.com, http://www.yahoo-members.com, or http://www.yahoo.BadGuyEnterprises.com) in it. When in doubt, go straight to http://www.yahoo.com and log in from there.
  • Be vigilant about anything that doesn’t look right on the page, such as typos, outdated content, or broken or missing pictures.
  • Best idea: be sure to set up a customized “Sign-In seal” picture — instructions are at https://protect.login.yahoo.com/ — and never enter your password unless you see that picture on the page.
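The address check in the first bullet can be automated. The following added example (not Yahoo!'s code) compares a naive "does the address mention yahoo" test with a check that the host is `yahoo.com` itself or a subdomain of it, using the addresses from this post; the function names and the trusted-domain constant are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the one domain we expect to sign in on.
TRUSTED_DOMAIN = "yahoo.com"

# The addresses quoted in the post: three lookalikes, then two real ones.
SAMPLE_URLS = [
    "http://www.yah000.com",
    "http://www.yahoo-members.com",
    "http://www.yahoo.BadGuyEnterprises.com",
    "http://www.yahoo.com",
    "https://protect.login.yahoo.com/",
]


def naive_check(url: str) -> bool:
    """Weak check: accepts any address that merely contains the brand name."""
    return "yahoo" in url.lower()


def is_trusted_host(url: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """Accept only the trusted domain itself or one of its subdomains.

    The comparison is made on the parsed host name, and a subdomain must
    end with "." + trusted, so extra words before or after the brand
    ("yahoo-members.com", "yahoo.badguyenterprises.com") do not match.
    """
    host = urlsplit(url).hostname  # lower-cased, port and path removed
    if not host:
        return False  # no scheme or no host: nothing to trust
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    return host == trusted or host.endswith("." + trusted)


def compare(urls):
    """Return (url, naive result, strict result) for each address."""
    return [(u, naive_check(u), is_trusted_host(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in compare(SAMPLE_URLS):
        print(f"{url:45} naive={naive!s:5} strict={strict}")
```

The naive test accepts two of the three lookalike addresses, which is why the comparison has to be made on the end of the host name rather than on the presence of the brand.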

Here are a few more tips to help keep you safe online:

  • Don’t use the same password on multiple sites. Your Yahoo! Mail account is important to you, so it deserves its own password. That way, if the unthinkable happens on another site, at least your Yahoo! mailbox remains secure.
  • Never send your password over email. Yahoo! will never request your password from you in an e-mail; if you ever receive such a request, you should treat it as fraud. Do not pass “Go!” Instead immediately click the “Spam” button on that message.
  • Protect yourself with a virus scanner. Another way passwords get stolen is from a virus that records your keystrokes. Don’t give the bad guys that option: There are a number of anti-virus companies that offer free versions or trial offers, including (in no particular order and with no specific endorsement implied) http://security.symantec.com, http://usa.kaspersky.com/downloads/free-virus-scanner.php, http://us.mcafee.com/root/downloads.asp?id=freeTrials, and http://www.avast.com/eng/avast_4_home.html.

Unfortunately there is no silver bullet against these criminals and con-men, but hopefully these tips will help us all keep the bad guys at bay.


In the News: Email Accounts Posted Online

You may have heard or read about email accounts and their passwords being posted online. While I’ve read different versions of how the person(s) responsible was able to get the email account information, it was not a result of any insecurity at Yahoo! It looks to be a result of phishing attacks. Should you feel that one of your email accounts was affected by the recent publication, whether it is a Yahoo!, Hotmail or Gmail account, I would suggest changing your password as well as other account security information like secret questions and alternate email addresses.

We are aware that a limited number of Yahoo! IDs have been made public; it’s uncertain if any of those email/password combinations have resulted in any accounts being compromised. Online scams and phishing attacks are an ongoing and industry-wide issue and Yahoo! takes great effort to protect our users’ security.

We also have the following online resources that provide information and guidelines on email safety:
Our anti-spam site: http://antispam.yahoo.com/
With a phishing prevention sub-section: http://antispam.yahoo.com/phishing
Our help pages: http://help.yahoo.com/l/us/yahoo/mail/yahoomail/abuse/
And of course, I’ve posted a number of articles about online safety to this blog: Spotting phishing emails, how to spot online scams, avoiding the lottery scams, and account recovery help

Here are a couple FAQs that provide additional information:
Have accounts been compromised because of this?
We are unable to confirm whether accounts have been compromised at this time. However, we strongly suggest that consumers take caution in securing their email and other online accounts by regularly changing their passwords, and updating account security information.

What do I do if I think my account has been compromised?
You should change your password immediately. Also, if you are unable to enter your account, you can take steps to recover it here: https://edit.yahoo.com/forgotroot

We take online security seriously at Yahoo! We strive to make you and your Yahoo! account as safe as possible. Of course if you have any questions or issues with your account, please contact our Customer Care team.


Help Us Help You – Changes to the Account Recovery Process

There are few things more frustrating than losing access to your email – whether because you forgot your password or, worse, someone else guessed it – which is why we want to ensure that if it happens to you, the recovery process is as smooth and painless as possible. On that note, beginning this week, we’re rolling out some changes that will both improve recovery rates and make the overall Yahoo! experience even more reliable.

Here’s how it works: To help prove you are who you say you are if you ever lose access to your account, Yahoo! will now give you the option to provide additional account information such as an alternate email address and new secret questions. For US users, we will also incorporate the option to include your mobile phone number. We’ll store this information securely in your record so that if you ever lose access to your account, this data can be used to expedite the recovery process.

We’re doing this to help eliminate the headaches caused when people forget their registration details – you’d be surprised how many people can’t recall the basic information they provided when they signed up for their Yahoo! ID. In addition, with the advent of social networking and public profiles, details like your zip code or birthday may be publicly available, and we want to better protect your online experience by making sure you’re the only one who can accurately answer our account recovery challenges.

Beginning this week, after successfully logging into Yahoo! Mail, select users will be automatically redirected to a page where they will be asked to update their account with this new information. Users who wish to update their account information proactively can do so by visiting https://edit.yahoo.com/commchannel/manage. Also from now on, anyone who successfully recovers a lost or compromised account will be asked to update their information to this new standard at the end of the recovery process.

We take privacy very seriously at Yahoo!, and this is part of our overall commitment to providing a safe, easy to use, and reliable online experience. For more tips, be sure to check out our guidelines for spotting online scams and top tips for protecting your Yahoo! Mail account. You can also head over to antispam.yahoo.com for additional information on protecting yourself online.
