Every day Yahoo! sees hundreds of millions of forged emails pretending to come from trusted institutions. These abusive emails range from annoying spam, to phishing attacks, to potential malware that can take over your computer. Whether it’s downright nasty or just unpleasant, that’s all email you don’t want. To combat this abuse, Yahoo! helped create the Domain-based Message Authentication, Reporting and Conformance (DMARC), a specification spearheaded by major technology providers and email senders to collectively fight spam and phishing.
We’re pleased to announce that we have successfully completed the work required to support DMARC and will be rolling it out globally this week.
DMARC builds upon DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), existing email validation standards that use cryptography to prove the identity of the sender domain by using the Domain Name System (DNS). With the addition of DMARC, emails have to prove that they are coming from a trusted sender. Non-verifiable emails will never reach a recipient’s inbox. As a result, DMARC eliminates an email user’s exposure to potentially fraudulent and harmful messages.
What does this mean for you?
For Yahoo! Mail users, it means less email in your inbox from a non-verifiable source. For example, if you receive an email claiming that it is from your bank, the applicable DMARC policies require the email to prove that it is indeed from your bank in order to be delivered to your mailbox. If the incoming email cannot be verified, Yahoo! Mail will not deliver the email to your mailbox.
For senders, it means you can protect your recipients and the reputation of your domain. You can tell Yahoo! how to handle non-verifiable emails: either keep them out of the inbox or deliver them to bulk. Yahoo! can also provide you with a report on emails from your domain that could not be verified.
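The sender-side choices described above, sketched as an added example (not Yahoo!'s code): a simplified receiver-side evaluation of a published DMARC record. The tag names p, adkim, aspf and rua come from the DMARC specification (RFC 7489); the domains and records are constructed samples, and the organizational-domain helper is a naive assumption.

```python
# Added illustration: receiver-side DMARC evaluation (simplified from RFC 7489).
# All domains and records below are constructed sample values.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not valid DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The record must carry v=DMARC1 and a recognised policy.
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    """Naive organizational domain: last two labels (assumption; real code uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def disposition(record, from_domain, spf_pass_domain=None, dkim_pass_domains=()):
    """Return 'deliver', 'quarantine' (bulk folder) or 'reject' for one message."""
    tags = parse_dmarc(record)
    if tags is None:
        return "deliver"  # no usable policy: DMARC does not apply
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r")) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "deliver"  # one aligned pass is enough
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"].lower()]

def report_addresses(record):
    """Aggregate-report destinations (rua) the domain owner asked for."""
    tags = parse_dmarc(record) or {}
    return [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]

# Constructed sample record for a hypothetical bank domain.
BANK = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@bank.example"
```

A message that passes SPF or DKIM only for an unrelated domain is not aligned with the From domain, so the published policy decides whether it is rejected or sent to bulk.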
In the coming months, we’ll be working with ISPs, email senders, and other email providers to encourage the creation and deployment of DMARC policies. At Yahoo! Mail, we’re working to make your email safer and are actively collaborating with other industry players to crack down on spam and phishing traffic.
Sr. Product Manager
With more than 300 million Yahoo! Mail inboxes worldwide, we take our responsibility to keep you safe and your inbox free of spam, phishing and other online scams very seriously. Did you know that in 2008, Yahoo! blocked more than a billion spam messages each day? And it doesn’t stop there. So far this year, we have reduced the amount of spam that comes to Yahoo! Mail inboxes by an additional 30 percent!
So how do we do it? Our anti-spam efforts use a multi-faceted approach to protect your inbox including the use of enhanced technologies, industry collaboration, public policy efforts, and consumer awareness campaigns. Here’s a look at some of the latest advancements from the front lines of fighting spam:
Analytical analysis – Because spammers adjust their messages in subtle ways to evade detection, we’re using Hadoop, a supercomputer consisting of thousands of individual PCs, to look at hundreds of different elements in each message. For example, Hadoop doesn’t just look for the word “viagra” or “v1agra” or “v.i.a.g.r.a.” to show up in the subject line, it also looks for extremely subtle signals like how many words are in the message, what time of day the message was sent, how different this message is from the last one we saw from that same sender, and so on.
The hunt is on – We welcome opportunities within both private and public sectors to eliminate spam and educate users about phishing. For example, in 2008 we saw an increase in messages telling our users that they had “won” the Yahoo! Lottery. Sadly, no such lottery has ever existed! Yahoo! has formed a public-private coalition with Microsoft, the African Development Bank, and Western Union to allow victims of lottery scams to upload police reports that are used to track down these criminals and develop better ways of protecting people online, and filed a lawsuit directly targeting these criminal con-men.
Self defense – The old adage is true: an ounce of prevention is worth a pound of cure. Through ongoing consumer education and awareness, we are able to provide you with tips and strategies to identify spam, phishing and other online scams. Speaking of, the holiday season and “Cyber Monday”—one of the busiest e-commerce days of the year—are right around the corner. According to the Identity Theft Resource Center, Internet fraud surges around this time because more of us are shopping online. Be careful of those deals that sound too good to be true, because they almost always are. For more advice, be sure to check out our top tips for staying safe online and spotting online scams. Also, check out the sidebar below for specific tips for Cyber Monday. With a sharp eye and a little education, you can better protect your wallet and your identity this holiday season!
With Yahoo! Mail touching over 50 percent of U.S. email users, your protection online and the prevention of spam are issues that are always top of mind. Whether it be phishing scams, lottery scams, fund transfer scams or other crimes, rest assured that we are behind the scene working diligently to protect you and your inbox.
Happy holidays from me and my team as we protect you from spam, one message at a time.
Tips for a Safe and Productive Cyber Monday!
As I mentioned earlier, Cyber Monday is almost here. So be sure to use the following tips when you’re receiving emails from vendors on deals and bargains or shopping online at Yahoo! Shopping or any other online shopping store for that perfect gift this holiday season:
Stay updated: Make sure your anti-virus software, internet browser, and operating system are all up-to-date, to protect your computer against viruses and fraudulent websites.
Know whom you’re buying from: Make sure you understand something about the company you are making a purchase from, and be familiar with their practices and policies. While there are many perfectly-reputable online merchants, there are also scammers out there, so be wary of deals that seem too good to be true. Check out their return policies, shipping procedures, and packaging timeframe. Be comfortable with the website and confident that you are going to be protected in the event an issue arises.
Keep your password to yourself: Most websites will require a log-in to make a purchase. Create a secure and unique password, with a combination of letters (uppercase and lowercase), numbers and symbols. If you need to, it’s much better to pick strong passwords and write them down in a secure location than to reuse the same, simple password on multiple sites.
Look for the padlock: When you’re entering sensitive data – such as passwords or credit card numbers – you should always look for the locked padlock symbol at the bottom of the screen or in the web address toolbar. If the lock isn’t there, it means the site is not securing your information and the site should definitely not be trusted (unfortunately, just because the lock is there doesn’t mean the site is legit, but if it’s not there you know something’s up).
Use your better judgment: You know better! If that Cyber Monday deal sounds too good to be true, chances are that it is. The same can be said about e-mail. While our spam filters work hard to weed out the bad from the good, never click on links in unsolicited or untrusted messages; doing so exposes you to the fraud and also encourages spammers to send more spam.
- Posted October 29th, 2008 at 11:02 pm by HuongT
- Categories: Address Book & Calendar, Anti-Spam, Classic Mail, General, Security, Tips & Tutorials
If he keeps this up I may just have to find a way to give Mark his own byline, but in case you missed the Yodel post, our resident anti-spam czar Mark (the same one who held the recent workshop) had a few words to share about the ever increasing “lottery” scams. Check it out!
Coalition crackdown on lottery spammers
What generally increases when the overall economy declines? That’s right – crime. And these days, when you receive an email that proclaims that you’ve won the “Yahoo! Lottery,” the financially-pressured optimist in you might be more inclined to bite the bait.
Last May, we filed a lawsuit against “Yahoo! Lottery” spammers who use our brand to trick unsuspecting users into handing over personal data to claim a prize. And we’re making progress on catching these scammers, but we’re concerned that they may step up efforts to dupe people impacted by these tough times.
Today we announced a public-private coalition with Microsoft, the African Development Bank, and Western Union to allow victims of lottery scams to upload police reports we can use with the goal of tracking down these devious criminals and developing better ways of protecting people online. INTERPOL has gotten involved to inform international law enforcement agencies about the initiative and provide guidance on critical information to collect to identify trends and common patterns.
Here’s how it works. Yahoo! and the other coalition members have set up dedicated email addresses and Web sites (ours is http://antispam.yahoo.com/phishingtips) where lottery scam victims — those who took the bait and handed over personal information — can share details of the police report they have filed. These reports may be helpful to other coalition members and law enforcement in fighting lottery scammers.
For readers who spot a scam but don’t fall for it, we have tips for you, too. First off, don’t ever reply to the message, even as a joke. You don’t want to be encouraging these guys. Instead, click the “Spam” button, which helps us and our anti-spam systems block these types of messages and kick these criminals off the Internet. We also have a form you can use to report lottery scams and other kinds of abuse originating from Yahoo! users.
As we’ve said before, no one ever wins the Yahoo! Lottery. And that’s simply because there is no Yahoo! Lottery. We’re on a mission to protect you from these online predators, but in addition to what we’re doing on our end, you can also find some tips on how you can protect yourself on our anti-spam resource site.
Anti-Spam Czar, Yahoo! Mail
- Posted May 13th, 2008 at 3:54 pm by HuongT
- Categories: Anti-Spam, General, Security, Tips & Tutorials
I received a lot of positive responses (comments and email) after last week’s warning about bogus Yahoo! Lottery scams, so I thought I’d keep with that theme and offer up some more tips.
Hopefully just about everyone knows that when someone sends an “URGENT” message “from the desk of…” some guy insisting that you just lucked into a fortune, your “too good to be true” alarms should sound off.
But a well crafted phishing email can be a little harder to spot without looking for key indicators. A quick glance at my spam folder revealed two different scammers posing as PayPal, notifying me of an urgent need to click a link and verify information.
If you look at the screenshot on the right you will see that the scammer is using the updated PayPal logo, but don’t let that give you a false sense of security. The greeting gives it all away. PayPal will ALWAYS address you formally by the name registered to your account. So if you have a personal account it will be your name, and if you have a business account it will reference your business name. Never as “Dear PayPal Member” or “Account Holder”.
Now that doesn’t mean that a message addressing you correctly is guaranteed to be legit, but it does mean that a message not addressing you directly is an obvious ruse.
Once you get past the greeting, you can also look for mistakes in the copy. In the above example there is an extra period at the end of a paragraph. In the other sample there is a missing return space between paragraphs. These are small things, but a lot of scammers seem to miss them.
Also, both examples urge you to click a link to go somewhere and input information … which most reputable sites won’t ask you to do.
Remember that these aren’t tips to confirm that a message is authentic, but rather clues to easily filter out a lot of the bad ones that aren’t authentic. Ultimately your best bet is to open a new window and visit the site how you normally would, and look for any alert messages there. If you have a problem with your account they will usually notify you there too.
Hope this helps a little more!
I trust that the vast majority of you all would never fall for such an obvious ruse (notice I spelled that correctly this time), but given the number of questions I’m getting via email, as well as what many users are asking on Yahoo! Answers (more than 6,000 questions!), I think it’s worth a reminder.
If you have received a message notifying you that you have won a Yahoo! Lottery award (no matter what country it claims to be from), don’t trust it. Over on the right I have a sample of a UK & Ireland version that offers winnings of £845,000. All you have to do is reply with all of your personal information!
Keep in mind that these types of messages can come in all shapes and sizes, and be any style imaginable. So the best thing to do is look for certain red flags. Be wary of any message containing the following:
- requests for sensitive account information, passwords, or bank information.
- offers of some form of unexpected financial windfall from estates or lotteries.
- anything that warns you not to tell anyone.
There are more, but those are some good ones to start with. If you are ever undecided about a message (some of the spammers are pretty crafty, after all) simply open a new browser and login to your account directly. If there is something important going on with your account, you should be notified when you login (this goes for most sites).
It also can’t hurt to keep an eye on the good ol’ Yahoo! Security Site for all sorts of valuable tips to stay safe online!
I’m happy to report that the previously reported delays in responding to Postmaster troubleshooting forms have been resolved, and all inquiries should receive a response within 24 – 48 hours.
We apologize for any frustration this may have caused.
- Posted April 21st, 2008 at 9:27 am by HuongT
- Categories: Anti-Spam, General, Security, Tips & Tutorials
In the spirit of Yahoo! Security Month, I wanted to put up a quick post so you all can check out this recent clip from KGO-TV’s The View from the Bay. Yahoo! Web Life Editor Heather Cabot breaks down several tips to help everyone be smarter online!
Hello everyone and welcome to 2008! With the first post of the New Year I have something that I’m sure will be especially interesting to many of you. I tracked down resident “Spam Czar” Mark (he leads the team that is in charge of our anti-spam efforts) and he had some exciting news to share. Check it out! (Please note that Mark is not really a Czar, but he is looking for tips on where he can pick up his own ushanka for the winter.)
We know you hate receiving spam in your mailbox, and we’re working hard to help. While there may always be bad guys trying to get their messages through to you, at Yahoo! we’re tightening up on our spam controls in ’08, and in fact we’ve already begun rolling out a significant new defense system (and it’s only January 4th!).
One reprehensible tactic spammers use is hijacking thousands of innocent home computers and forcing them to send out spam messages in the background, often without the owners even knowing! Collectively, these “zombie” computers spew out millions of spam messages a day, and that’s something that has to stop.
Starting today, we will be taking the bold move of rejecting mail from these zombie computers, using information from a number of third-party companies and ISPs to help in the identification. When these unauthorized computers attempt a connection to our back-end mail servers, they’ll be politely informed that their unsolicited mail is not welcome at Yahoo!. (This change is on the back-end only; users connecting through the Classic or All-New Yahoo! Mail web interfaces will not be blocked by this change.)