Slashdot Mirror


Gmail Cracks Down on Third-Party Notifiers

crtfdgk writes "Recently, Google's gmail service has attempted to change login protocols to block third-party gmail notifiers that alert you to new email. Google has now taken it one step further and created a word-identification script filter as part of the login process. Personally, I find Google's gmail notifier annoying since it sits in my taskbar and doesn't have popup notification, unlike many other worthy Firefox or Mozilla plugins that feature gmail notification. Shouldn't I be free to use whatever third party software to check my email? Will we be seeing controls on browsers that can view gmail next?"

26 of 490 comments

  1. Gmail Notifier is NOT complete by Anonymous Coward · · Score: 1, Informative

    I am really appalled seeing Google taking such an action.

    I TRIED Gmail Notifier and it does NOT do what I want: it can only read new emails from the INBOX for example, NOT from the rest of my folders! :(

    1. Re:Gmail Notifier is NOT complete by ack154 · · Score: 3, Informative

      I'm sure he meant labels, but he's right. It doesn't tell when there's new mail in the labels, just the inbox. I submitted feedback about that to them. I suggest others do the same thing if it's something you'd like to see.

  2. i'm logging in and out just fine by Neophytus · · Score: 2, Informative

    I thought it might be because I had https:// bookmarked, but it's not on either site.

  3. really? by Anonymous Coward · · Score: 5, Informative

    I notice no word verification... I like the google gmail notifier it does do pop ups. :) plus you can choose "tell me again" to see the pop up again if you missed it.

  4. Simply put.. by artlu · · Score: 3, Informative

    Third party notifications will cause Google to lose money on their adsense revenue. Simply put, if I was in Google's position I would do something similar. Coincidentally, some sites, like mine, rely on adsense revenue in order to stay online/stay as a free service. Thankfully, adsense pays well enough by people visiting a site and clicking on a link that it is a viable solution if you have a target audience (like the stock market or whatever).

    I've also heard rumors of people making $50/click off of adsense which is absurd! Hence, why Google wants every dime they can get!

    --
    -------
    artlu.net
  5. This is a rather stupid story. by Radioactive+Zorm · · Score: 5, Informative

    "Google has now taken it one step further and created a word-identification script filter as part of the login process." In fact if you go there now you won't see this. This is part of Gmail's anti bruteforcing stuff. If you get a password wrong so many times it starts requiring you to enter a word to try and stop an automated bruteforcing script. GMAIL ISN'T BLOCKING YOUR 3RD PARTY MAIL NOTIFIER JUST YOU FOR BEING STUPID!

    1. Re:This is a rather stupid story. by arose · · Score: 3, Informative

      Seconded, there is no "word-identification script filter", at least not at this moment.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    2. Re:This is a rather stupid story. by russx2 · · Score: 2, Informative

      Yes, it seems as if you're right. Just tried this, entered the wrong password for my account about 5 - 6 times and up pops the image-verification scheme.

      Article seemingly null and void.
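
An added example, not part of any comment in this thread and not Google's code: a sketch of the behaviour the comments above describe, where repeated wrong passwords switch an account into a state that demands a word/image challenge. The threshold of 5, the 15-minute window and the `challenge_solved` flag (standing in for a verified challenge answer) are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque

THRESHOLD = 5      # assumed: failures before a challenge is demanded
WINDOW = 15 * 60   # assumed: seconds a failure counts against the account

def _hash(password, salt):
    # Demo parameters; a real deployment tunes the KDF cost.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    def __init__(self, clock):
        self.clock = clock                  # injectable time source
        self.users = {}                     # name -> (salt, password hash)
        self.failures = defaultdict(deque)  # name -> failure timestamps

    def add_user(self, name, password, salt=b"constructed-salt"):
        self.users[name] = (salt, _hash(password, salt))

    def challenge_required(self, name):
        q, now = self.failures[name], self.clock()
        while q and now - q[0] > WINDOW:    # forget failures outside the window
            q.popleft()
        return len(q) >= THRESHOLD

    def attempt(self, name, password, challenge_solved=False):
        # Throttle check comes first: once flagged, an unattended script
        # learns nothing about whether its password guess was right.
        if self.challenge_required(name) and not challenge_solved:
            return "CHALLENGE_REQUIRED"
        salt, stored = self.users.get(name, (b"none", b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures[name].clear()     # success resets the counter
            return "OK"
        self.failures[name].append(self.clock())
        return "BAD_PASSWORD"

def demo():
    now = [0]
    gate = LoginGate(lambda: now[0])
    gate.add_user("alice", "correct horse")           # constructed account
    results = [gate.attempt("alice", f"guess{i}") for i in range(6)]
    # An unattended client with the right password is stopped as well...
    results.append(gate.attempt("alice", "correct horse"))
    # ...while a person who solves the challenge gets through.
    results.append(gate.attempt("alice", "correct horse", challenge_solved=True))
    return results

if __name__ == "__main__":
    print(demo())
```

The seventh result shows why a notifier holding the correct password can still fail after a run of bad logins on the same account.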

  6. Re:It will get better, not worse by Lord+Jester · · Score: 4, Informative

    Instant Messenger services change their protocols occasionally but they don't block 3rd party apps

    Bullshit! Yahoo just did this very thing. They changed their protocol in their new release that broke 3rd party apps. Yahoo, like others, do not publish protocol documentation or supply APIs, it is up to 3rd party programmers to reverse engineer it to get the 3rd party apps to work.

  7. Re:It will get better, not worse by gordyf · · Score: 5, Informative

    IM services have tried repeatedly to block third-party apps. Both AIM and Yahoo have tried to block third-party clients.

    Yahoo blocking

    AIM blocking

    "AOL made changes to their proprietary protocol (called OSCAR) that would ferret out anyone who wasn't using the official client."

  8. Re:Browsers by Anonymous Coward · · Score: 1, Informative

    They are working on a PLAIN HTML version of gmail. Give them time, it's still in beta for crying out loud.

  9. Re:It will get better, not worse by Trizor · · Score: 2, Informative

    No, I just keep it in a tab. It refreshes itself and the tab title changes when there are new messages. Really, you don't even need a checker. The only third party app for gmail I use is the firefox extension that allows you to open mailto addresses as gmail compose windows.

  10. Re:Well... by moonbender · · Score: 3, Informative

    ...Opera support...

    Note that Opera 7.6 (currently in beta/development) has enhanced Gmail support. I just saw there is actually an entire website devoted to Gmail on Opera.

    --
    Switch back to Slashdot's D1 system.
  11. Re:It will get better, not worse by halaloszto · · Score: 2, Informative

    I do not know how it works for you in the US, but here in Europe, I can buy a phone from any manufacturer, and use it with any provider's service. If I want a phone with camera, a red phone, a water resistant one, one with built in mp3 player, one that is round, one that is rectangular, one that is triangular, I can choose! Still some providers think this is bad as they do not profit on the sale of the device. Still this is good for them, as the mere fact that people can find a device they like makes it possible for them to use their service. vajk

  12. Re:You are naive by Destoo · · Score: 2, Informative

    Yes they do.

    You need be in a message to see them.

    Example: if the message has the word "IBM" in there, 3 or 4 ads for IBM RS6000 servers will show up on the right side, exactly like the sponsored links on Google.


    Sponsored Links
    IBM RS6000
    Call Configsys for RS6000 systems Systems and parts available
    www.configsys.com
    Refurb RS/6000 Systems
    Huge inventory, low pricing, custom configured & fast delivery
    www.xsnet.com
    IBM RS/6000 - pSeries
    National IBM Distributors Wholesale - Free Tech Support
    natdata.com
    About these links

    --
    Nouvelles de jeux et technologies en français. TC
  13. Re:Well... by attam · · Score: 2, Informative

    Actually, AFAIK, the official notifier has the annoying quality that you cannot change the ping frequency. I suspect the parent's reasoning is an apt explanation.

  14. Re:Well... by tylernt · · Score: 4, Informative

    The 3rd party scenario is relatively CPU and network intensive. You have to handshake a TCP connection, then poll the server, then close the connection again. And you have to do it every X minutes (and most users will set X to as small a number as they can).

    Google can set it up so that the client establishes a TCP connection and then using periodic keepalives, keeps it up. Then instead of the client polling every X minutes, the server can simply send the client notification (one little packet) when there is new mail. By eliminating polling and TCP handshake overheads, it's a little more server-friendly. It might require a little more RAM to keep track of all those TCP connections, but RAM is cheap and each connection only consumes a few bytes.

    --
    DRM 'manages access' in the same way that a prison 'manages freedom'
  15. Wake up, people, there's other methods! by AllNicksWereTaken · · Score: 2, Informative
    It doesn't matter that Google have done this. You can still ask the user to login via the official website and then have a notifier program read your cookies and use them accordingly.

    I made a post like a week ago in an mIRC scripting forum explaining how it can be done. (Even though my post is oriented towards mIRC scripting, it could very well be done in other scripting/programming languages).


    I paste my post below for the sake of preventing a possible "minor slashdotting":
    ---------

    Firstly, you will need my snippet for reading cookies from IE and Firefox, which I wrote and submitted sometime ago. (gimmie credit if you use that too :P)

    This is how you do it:

    1. You obtain the values for "GV" and "SID" off the Google/Gmail cookies.
    GV is stored in the cookie for the host "gmail.google.com", while SID is stored in the google.com cookie.
    Use my Firefox/IE cookie reader snippets to help you.

    Note: In IE, it appears sometimes there may be more than one cookie for a host, in which case, you must obtain the cookie info from the one which was last modified. (For instance, I had 7 Google cookies in my IE Cookies dir for some reason, but only the 7th was the proper one.)

    2. You send an HTTP request to gmail.google.com like the following:

    GET /gmail?search=inbox&view=tl&start=0&init=1 HTTP/1.1
    Accept: */*
    Accept-Language: en-us,en;q=0.5
    Referer: http://gmail.google.com/gmail/html/hist2.html
    Cookie: GV=<HEREGOESTHEGVCOOKIE>; SID=<HEREGOESTHESIDCOOKIE>;
    User-Agent: <WHATEVERYOUWANT>
    Host: gmail.google.com
    Connection: close

    3. Parse the page that is returned to you. It's a little HTML and a bunch of JavaScript arrays.
    I'm not gonna bother writing out this part 'cause you can easily try yourself and find out what token marks a message as unread, and other stuff. (Oh yeah, the page returned shows you how many invites you got left, too, where it says ``D(["i",<number>]´´.) Other things it shows include your usage quota, unread mail, a list of your available labels, number of messages in Inbox, their basic info (sender, subject, and also the text snippet if you got those enabled), the name of any attachments contained in whatever emails, date received, and there's probably more stuff that I haven't really figured out yet. You guys can do that. Just send emails to yourselves and watch how the output changes, and learn from that. Below is a sample from one of my tests...

    <html><head><meta content="text/html; charset=UTF-8" http-equiv="content-type"></head><script>D=(top.js &&top.js.init)?function(d){top.js.P(window,d)}:function(){};if(window==top){top.location='/gmail?search=inbox&view=tl&start=0&init=1&fs=1';}</script><script><!--
    D(["v","fa5b7549467dd5fe"]
    );
    D(["p ",["bx_hs","1"]
    ,["bx_show0","1"]
    ,["bx_sc","1"]
    ,["sx_dn","Alan"]
    ]
    );
    D(["i",1]
    );
    D(["qu" ,"2 MB","1000 MB","0%","#006633"]
    );
    D(["ds",2,0,0,0,0,0]
    );
    D(["ct",[["bloggers",0]
    ,["drafts",0]
    ,["foward s",0]
    ,["friends",0]
    ,["google",0]
    ,["hotmail", 0]
    ,["pointless",0]
    ,["school",0]
    ,["signup",0]
    ,["strangers",0]
    ,["temporal",0]
    ]
    ]
    );
    D([ "ts",0,50,4,0,"Inbox","fdaeea5872",4]
    );
    D(["t", ["fd9fab67bacc8e2",0,0,"Jul 8","\<span id=\'_user_thisemailisnot@real.com\'\>Robert C\</span\>","\<b\>&#187;\</b\> ","steeltiger image","k here it is, and one ive been working on for the computer version im looking for. based loosely &#133;"

  16. Re:Well... by Registered+Coward+v2 · · Score: 3, Informative

    Your call : does your Bill of Rights define all of the rights which you have?

    No, it specifically limits the US Government's ability to curtail our rights. Our Constitution specifically states that any rights not enumerated in it are reserved to the states or the people.

    As a side note, it applies to our government, not private citizens and contracts that they undertake. Which is why, when people start screaming "Company X violated my 1st amendment rights" I realize they have no idea about what they speak.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  17. Re:Well... by darc · · Score: 4, Informative

    According to Gmail's feature wishlist : (you can get this by going to help and hitting send feedback)

    done! Address book import
    we'll try Opera support
    we'll try Ability to send messages with HTML formatting
    we'll try POP3 access
    working on it Plain HTML version of Gmail
    working on it Ability to save a draft

    So this is not entirely out of the question.

    --
    Tired of legitimate data sources? Try UNCYCLOPEDIA
  18. Re:Well... by no+soup+for+you · · Score: 4, Informative
    Your call : does your Bill of Rights define all of the rights which you have?

    Article IX: The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

    --
    If you blog it...
  19. Re:Why would google do this? by MrNonchalant · · Score: 5, Informative

    About a week back I downloaded GMail Notifier the official alternative. Then I fired up Ethereal. There is indeed a backdoor protocol. Though from what I can tell from the HTTP GET string it's protected to high hell. GMail notifier sends an HTTP GET query to the GMail server, the GMail server sends back the number (and almost only the number) of messages. Here's the dump:

    GET /gmail?ui=pb&q=label%3A%5Ei%20label%3A%5Eu HTTP/1.1
    User-Agent: Mozilla/5.0 (compatible; GNotify 1.0.21.0)
    Host: gmail.google.com
    Cache-Control: no-cache
    Cookie: en_US; GV=fea7b8d648-b9be26d2425258708508713e52327ed1; GMAIL_AT=6d9cba730be1a490-fea7ca187f; SID=AV8H4FYfeDJ-4lwENnL9kzcyiSJshVSKK2xixnjpjWgHsf 5ZeIhRBn0aSXNXqg9mNrvBpyrfx0ImAGmONYgxv0w=; PREF=ID=446f57901cff551a:TM=1093681541:LM=10937355 79:TB=2:S=QbSoqBBCOK7nKj0f; S=gmail=NK86NtM1S-k:gmproxy=rYXDOT5E60U

    HTTP/1.1 200 OK
    Set-Cookie: SID=AfvmInwaGVRkESW3REmGuiyongiyNzyqguZePHuQUyJ9sf 5ZeIhRBn0aSXNXqg9mNtCkJwBg2BEl1DvtQ6bT250=;Domain= .google.com;Path=/;Expires=Tue, 26-Aug-2014 23:45:55 GMT
    Cache-control: no-cache
    Pragma: no-cache
    Content-Type: application/octet-stream
    Transfer-Encoding: chunked
    Server: GFE/1.3
    Date: Sat, 28 Aug 2004 23:45:55 GMT

    4

    0

    I however absolutely hate the color scheme involved with Notifier, so I will NOT be using it until they improve that. GTray (http://torrez.us/gtray), my app of choice, still works just fine as of about 10 minutes ago. If Google really does close it off at some point, I think we should petition them to open up a version like Google API with similar restrictions.

  20. Re:Well... by follower-fillet · · Score: 3, Informative

    > The 3rd party scenario is relatively CPU and network intensive. [snip]

    > Google can set it up so that the client establishes a TCP connection and then using periodic keepalives, keeps it up.

    The official Gmail notifier simply uses standard http/https requests to do its work. The only difference between it and the "unofficial" method is that it retrieves a binary encoded data block and processes that.

    See these forum postings for more details I documented:

    Official Gmail Notifier protocol documented

    --Phil.

  21. Re:Why would google do this? by follower-fillet · · Score: 2, Informative

    > Perhaps they're worried about coders going to next level,
    > and coding up entire gmail readers--or incorporating gmail account readers
    > into something like Thunderbird.
    That sort of thing has already been done for months--there's POP & SMTP proxies for Gmail already. And if one of them doesn't work on your platform you can use the Gmail Python binding project `libgmail` to write one of your own.

    > Adding that word-identification script filter to the login process
    > would certainly prevent something like that
    It wouldn't really prevent that because the proxies could just start presenting the image for verification if it encountered one. This approach doesn't stop individual users, it just stops fully automated approaches, such as the apparent brute force attacks were using. (And the much more feasible reason for the addition.)

    > Which leads me to wonder how google's own system tray email
    > notification program can still work.
    The official Gmail notifier simply uses standard http/https requests to do its work. The only difference between it and the "unofficial" method is that it retrieves a binary encoded data block and processes that.

    This might mean that if you encounter the Captcha after multiple bad logins via IE the official notifier may not work either.

    See these forum postings for more details I documented:

    Official Gmail Notifier protocol documented

    --Phil.

  22. Re:Well... by mvpll · · Score: 2, Informative

    Hey kiddo, welcome to the internet.

    Now I know you young'uns are all soft from your time on the intranet, so I want you to keep in mind that not everyone out here on the digital plains has control of their border security.

    Most of those that do have access to their firewalls are city slickers, and we all know they are either stupid or lazy. The stupid ones wouldn't know what a firewall was if it bit them on the ass, and the lazy ones whine every time they have to go through the routine of opening ports.

    Lame cowboy impressions aside, "server-push" is never something the sane suggest for the general internet population.

  23. What a stupid question... by Moofie · · Score: 4, Informative

    "Shouldn't I be free to use whatever third party software to check my email?"

    Sure. You're free to use any software you want. And Google is free to not allow you to use any software with their service that you don't want. And since you're not paying them anything, you don't have much leverage to get them to change their policy, do you?

    It's a free service. Take it or leave it.

    --
    Why yes, I AM a rocket scientist!