Gmail Recognizes Addresses Containing Non-Latin Characters

An anonymous reader writes In response to the creation in 2012 by the Internet Engineering Task Force (IETF) of "a new email standard that supports addresses incorporating non-Latin and accented Latin characters", Google has now made it possible for its Gmail users to "send emails to, and receive emails from, people who have these characters in their email addresses." Their goal is to eventually allow its users to create Gmail addresses utilizing these characters.

Next wave of phishing?

[CRC'99]

So the next lot of phishing will come from: róót@gmail.com / Àdministrator@gmail.com or BìllGàtes@gmail.com etc?

Great.

Re:Next wave of phishing?

[rvw]

So the next lot of phishing will come from: róót@gmail.com / Àdministrator@gmail.com or BìllGàtes@gmail.com etc?

It's not about bìllgàtes@outlook.com, but billgates@óutlook.com. It's the domain that is going to cause problems, not the user!

Re:Next wave of phishing?

[Captain_Chaos]

Worse; they will come from root@gmail.com, administrator@gmail.com or BillGates@gmail.com, only those o's and a's will be Cyrillic or something like that (can't do it here; Slashdot doesn't display them).

Re:Next wave of phishing?

[dejanc]

That kind of phishing already exists, even more sophisticated: a bug that a lot of software contains is not distinguishing between same looking characters in different alphabets. E.g. you can sign up on many forum/bbs platforms as Administrator if your leading A is cyrillic A instead of latin A. Both look the same but have different html entity codes and are different unicode chracatres, which is true for most vowels and many consonants (e.g. cyrillic B and latin B, C and C, E and E...). Or, for more fun, look at this (single) character which looks exactly as "lj".

Those of us with customers who use two alphabets constantly have known about this problem for a long time and we've seen phishing on all different kinds of platforms using this strategy.

IDN (internationalized domain names) solves this problem in domain names with policy: you can't register a domain which looks exactly like some other domain except for that change in character. Still though, you can register both casino.it and casinò.it and that's where the real phishing potential is. I think, at least most native English speakers, would probably be fooled easier by a domain such as paypal-customer-division.com than paypàl.com.

Re:Next wave of phishing?

[rvw]

Worse; they will come from root@gmail.com, administrator@gmail.com or BillGates@gmail.com, only those o's and a's will be Cyrillic or something like that (can't do it here; Slashdot doesn't display them).

When you mix Latin htmail with a Cyrillic o to get hotmail, Google and all email programs should refuse that address immediately, mark it as spam, make the address red with a warning sign etc. Mixing character sets should not be allowed in a domain or in a username. So the username may be all Cyrillic or Greek, the domain name may be all Chinese or Latin, and these may mix, but no mixes in the domain name or username itself.

Re:Next wave of phishing?

[Chrisq]

I think that's the way to go - only allow characters from a single unicode script in the username and in the domain name. The domain name part is currently handled by registras so that may not need any additional rules.

However this really should be part of the RFC, or else anyone banning mixed names would be "non compliant". If the RCF does not specify this then the best that gmail (or any other system could do) would be to prevent people registering mixed names themselves and giving a warning (and maybe colour characters) if email is recieived from an address with mixed scripts.

Re: Next wave of phishing?

[Samantha+Wright]

Belarusian uses a Latin-style "i" in place of the typical Cyrillic short i... So you can still phish admirably with "paypaI" and never leave Cyrillic. e, x, c, y, i, o, p, a: how many words can you make?

Re:Next wave of phishing?

[rvw]

However this really should be part of the RFC, or else anyone banning mixed names would be "non compliant". If the RCF does not specify this then the best that gmail (or any other system could do) would be to prevent people registering mixed names themselves and giving a warning (and maybe colour characters) if email is recieived from an address with mixed scripts.

Gmail, Microsoft and Yahoo and others like gmx, universities, big companies should simply refuse these mails. Microsoft should make Exchange so that this is the default way for handling these mails. The same goes for qmail, postfix etc. But that won't be enough.

As another commenter said, you can make up latin looking names using cyrillic characters, and we won't notice. How do you catch that? I guess this will the the time that PGP will prove it's value.

Re:Next wave of phishing?

[ArsenneLupin]

... and they'll use a greek lower case omicron (), rather than an accented o. The looks exactly the same as an o (except on Slashdot, of course. Slashdot hates Unicode...)

Re:Next wave of phishing?

[MrNaz]

I agree. The real solution is hardened authentication getting baked right into email. I'm all for UTF8 domain names and email user names, however if the email protocol suite is going to be expanded to allow for more features, then I think security should be top of that list.

Sure, for a while, domains that span multiple character sets such as hotmail.com with a Cyrillic o could be spam flagged, however what happens when (not, if, but when) legitimate domains with multiple character sets start appearing? What about domains that use characters restricted to the intersection of two character sets such that they appear to be from one but are in fact from another?

The ONLY answer to this is an email client that can associate a certificate with a domain and checks it against received email as a matter of course. This solution not only has the property of preventing domain spoofing, but also comprehensively solves the spam problem. (It didn't get done earlier because it fell foul of the "requires everyone to agree at the same time" point on that pro forma "Why your proposal won't work" sheet.)

Re:Next wave of phishing?

[pla]

Worse; they will come from root@gmail.com, administrator@gmail.com or BillGates@gmail.com, only those o's and a's will be Cyrillic or something like that (can't do it here; Slashdot doesn't display them).

"Rich company problems". XD

Bluntly, this won't affect most Americans for the same reason spam from .il, ru, or .cn doesn't matter - Because we simply don't get any legitimate email from those domains. It doesn't take your spam filter long to figure out "if the address contains character-X, 100% chance of spam"... And that assumes your mail server doesn't outright block those as a hardcoded rule (in a former life I had to babysit the Exchange server for a small business; if you came from anywhere not in one of the big-six TLDs, auto-junk).

So by all means, spammers, please start using Cyrillic or vowels with diacritics in addresses - It will make you that much easier to filter.

Re:Next wave of phishing?

Except paypÃfl.com should generally be rejected as the Ãf is not a common letter in English, so it should not be allowed per the IDN policy if I remember correctly.

Re:Next wave of phishing?

[drinkypoo]

It doesn't take your spam filter long to figure out "if the address contains character-X, 100% chance of spam"...

Yes, yes it does. It took Google years to stop sending me spam in foreign languages that I couldn't read anyway.

Re: Next wave of phishing?

You forgot j and s.

Re:Next wave of phishing?

[Kjella]

Bluntly, this won't affect most Americans for the same reason spam from .il, ru, or .cn doesn't matter - Because we simply don't get any legitimate email from those domains. It doesn't take your spam filter long to figure out "if the address contains character-X, 100% chance of spam"... And that assumes your mail server doesn't outright block those as a hardcoded rule (in a former life I had to babysit the Exchange server for a small business; if you came from anywhere not in one of the big-six TLDs, auto-junk).

It must be wonderful to run a mom and pop operation where none of your customers, suppliers or anyone else has an international mail address. And it certainly won't work for any other country but the US, a canadian business that doesn't accept .ca mail? Don't think so. And if you're operating an ISP, university or whatever some of your users will be foreigners in real contact with the rest of the world. Neat that you can wave the WORKS4ME flag, it's still a problem for a lot of other people.

Re:Next wave of phishing?

[pla]

It must be wonderful to run a mom and pop operation where none of your customers, suppliers or anyone else has an international mail address. And it certainly won't work for any other country but the US, a canadian business that doesn't accept .ca mail? Don't think so.

Yellow flag: Failure to extrapolate.

Canadians can't block .ca, of course. They probably feel pretty much the same as I do about .il, .ru. and .cn, however. Canadians can't block the few diacriticals used in French (although in my experience, most Canadians would probably consider blocking Quebecois a feature, not a bug); I doubt they have a lot of use for Cyrillic, however. Similarly, a Russian mom-n'-pop probably doesn't get all that much email in Mandarin, even if they need to allow Cyrillic through.

Yes, as I originally said, the largest scale entities don't have the luxury of blocking based on the local norm. For the rest of us, yes, "WORKS4ME". You can find your own solution.

Re:Next wave of phishing?

[Megane]

I think ròót@gmail.com is a better choice because it looks angry.

Re:Next wave of phishing?

[CrankyFool]

How does confirming the domain's identity automatically solve this problem?

If someone from the gxail.com domain sends me email (let's assume here the 'x' is some weird Cyrillic character that looks just like an 'm'), any automated confirmation of the domain's validity would not do some sort of eyeball check "Oh, that looks like gmail.com, let's confirm if it is, oops it isn't..." but rather an automated "did that email come from gxail.com? Yup, sure did."

Even if you popped up a notice that said "hey, I don't know about that domain," the typical user -- heck, I'd argue even the typical Slashdot user -- would go "weird, looks like it lost creds for it" and click whatever the equivalent of "Oh well" button the notice had.

Re:Next wave of phishing?

[DarkOx]

No worse the will come from

updates@?tfosorcim?.com which will be displayed like:
updates@microsoft.com

Just imagine the ? marks being the left-right reverse character.

Re:Next wave of phishing?

[Behrooz]

Is it deeply wrong that I originally read "WORKS4ME" as 'worksame' due to excessive IRC leetspeak exposure in my youth... and yet it still kind of made sense?

Re: Next wave of phishing?

There are demons in the gmail username handling. They claim no, but every time a person leaves Australia, their email ends up at my inbox. Presumably they email inside Au and I don't get their messages.

Re:Next wave of phishing?

[kyrsjo]

There are languages, such as the Scandinavian languages, which are "mostly latin". This means we have the full A-Z as used in English (although C,Q,W,X,Z are never used) PLUS some extra letters "Æ/Ø/Å" (dunno if this displays correctly here). There are also domains which uses these letters like "lånekassen.no", which is the state agency handling student loans. (They are also available at the alternative address "laanekassen.no".)

Thus a "hard and fast" rule disallowing domain names with mixed types of characters won't work well, it needs to be slightly more nuanced.

Re:Next wave of phishing?

[tlhIngan]

It must be wonderful to run a mom and pop operation where none of your customers, suppliers or anyone else has an international mail address. And it certainly won't work for any other country but the US, a canadian business that doesn't accept .ca mail? Don't think so. And if you're operating an ISP, university or whatever some of your users will be foreigners in real contact with the rest of the world. Neat that you can wave the WORKS4ME flag, it's still a problem for a lot of other people.

Most of the French character set is in ASCII I believe, including most European languages as well.

So as a Canadian, who really only speaks English, I really just filter for anything using a non-ASCII character set. The only time I receive emails in French are either bilingual ones or spam. Bilinguals I can't do much about (they're usually from government or Canadian companies). French-only though is a red flag as it's spam or a phish since there's no reason to be sending me French emails.

Of course, no, it's not a universal solution - there are plenty of Canadian companies that have to deal with Chinese companies and such. But for me, that's a pretty damn good way that works for most individuals in Canada.

It's just like the other TLDs in the system. I mean, if you're getting emails from .biz, for an individual, most likely that's spam as they've never dealt with any company with a .biz TLD.

And to be fair, most Chinese companies are cheap and refuse to spend money on stuff (including workers). I've run into more than a few huge companies that use gmail as their primary email provider. (Think employee-company@gmail.com addresses, or company-employee@gmail.com).

Re:Next wave of phishing?

[seyyah]

That kind of phishing already exists, even more sophisticated: a bug that a lot of software contains is not distinguishing between same looking characters in different alphabets. E.g. you can sign up on many forum/bbs platforms as Administrator if your leading A is cyrillic A instead of latin A. Both look the same but have different html entity codes and are different unicode chracatres, which is true for most vowels and many consonants (e.g. cyrillic B and latin B, C and C, E and E...).

What software (or library) is programmed to recognize that two chars look the same and therefore allows them based on the appearance rather than their encoding?

Re:Next wave of phishing?

[Antonovich]

If you're careful you can get pretty much all the major mailbox providers accepting email from any address, including many major ISPs, and at least Gmail (and Apps) and Hotmail (and Office 365). Again if you are careful, they will go into the inbox. SMTP was great back in the days when there were 20 networked computers. The continued lack of strict adhesion to the common authentication standards makes me want to both laugh and cry simultaneously.

I send email "from" bill.gates@microsoft.com from the command line (telnet) of a VPS server I have during my deliverability trainings to show why spam is still such a problem - I often make mistakes while typing but you can just try the command again and you're away. People start getting the point when I make several mistakes and the email I send still goes straight to their inbox.

Adding non-ascii is not going to make any difference to the problem...

Re:Next wave of phishing?

[lamber45]

No, they're not allowing gmail accounts to use non-ASCII local parts yet. However, mail to/from other domains can have non-ASCII local part and domain name. If that other domain allows a random user to create an account "róót", that's about the extent of the possible phishing.

Re:Next wave of phishing?

[Vitriol+Angst]

I'm glad everyone pointed this out because it's the first concern that came to mind.

This makes me happy because;
1) Great minds think alike.
2) Google will instantly realize the error of their ways with weird characters and change this policy.
3) I'm not alone. This could very well be my posse.
4) Slashdot has it handled, the world is safer.
5) I don't have enough things I'm happy about on a regular basis to make a top ten list -- and I've learned to be OK with that.

Re:Next wave of phishing?

[dejanc]

What software (or library) is programmed to recognize that two chars look the same and therefore allows them based on the appearance rather than their encoding?

I am not aware of any. My "solution" to this problem is to allow only unambiguous characters to be used. I really mostly have to deal with only about 60 characters in total which I allow people use for unique fields, so it's manageable.

Re:Next wave of phishing?

[Charliemopps]

So the next lot of phishing will come from: róót@gmail.com / Àdministrator@gmail.com or BìllGàtes@gmail.com etc?

Great.

I've heard this argument before.
Spoofing a return/sending mail address is incredibly simple. In fact, I do it every day as part of my legitimate non-hacker job. I could send you an email from Bill.Gates@microsoft.com if I wanted to. (though your mail server might have some security issues with that) Do you thing that when you email Support@somecompany.com there are a team of people that all log into that same mailbox? Or when they reply to you, they're really using that mailbox?

So there's no reason to use róót@gmail.com because you can just use root@gmail.com without an issue.

Your security should not have anything to do with an email account.

Re:Next wave of phishing?

[lsatenstein]

Lôvè yôûr ïdèàl Éxample.

Re:Next wave of phishing?

Looks like your wish was their command ;)

timothy

Dammit this is a terrible idea

Now we'll get spam from addresses that use code pages that just look like valid latin characters.

Re:Dammit this is a terrible idea

[Chrisq]

This is a real concern,and probably why gmail is not yet allowing internationalised gmail addresses. Most email names could be spoofed using Cyrillic characters which look exactly the same as latin ones. How could you tell if the "c" in chrisq@gmal.com really was a latin 'c' or a cyrillic Es?

Re:Dammit this is a terrible idea

Also, thin space, zero width space, zero width non joiner, combiners that combine in such a way that they essentially do nothing. There are a lot of possibilities and if any of them are missed it will be a disaster.
I forsee a lot of pain comming from this.

Re:Dammit this is a terrible idea

[stephanruby]

Most email names could be spoofed using Cyrillic characters which look exactly the same as latin ones. How could you tell if the "c" in chrisq@gmal.com really was a latin 'c' or a cyrillic Es?

gmail.ru (or its equivalent) will find a way to support cyrillic
gmail.qc.ca and gmail.fr will find ways to support French accents (otherwise, Google will get sued or blocked by Quebec or France)
These details will get worked out at the local level. It will take time, but they'll get there eventually.

Re:Dammit this is a terrible idea

[mwvdlee]

They might mark conspicuous characters, like when multiple character sets are combined in a single domainname.

Re:Dammit this is a terrible idea

Sure there are all sorts of things they 'might' do, the problem is that this adds a lot of complexity, it is almost inevitable that things will be missed.
The Unicode standard is *huge* and complex - there are going to be problems, legitimate people will get defrauded because of this it is inevitable, fancy solutions aside it is going to be an arms race just like all other phishing etc.
Is it worth opening Pandoras box? I'm not so sure, but then I'm an English speaker...

Re:Dammit this is a terrible idea

[idji]

It would be easy to WARN a USER if the name contains mixed alphabets or diacritics that differed from the user's browser's preferred language. Each Unicode Character has a name eg "Greek Upsilon With Hook Symbol", or "Latin Capital Letter R", or "Cyrillic Capital Letter Es With Descender", "Arabic Letter Qaf", or "CJK Ideograph" for Chinese/Korean/Japanese.

Re:Dammit this is a terrible idea

Yes, warning users works really well. Especially after decades of windows training users to click accept on alerts without reading them.

Re:Dammit this is a terrible idea

[Chrisq]

Most email names could be spoofed using Cyrillic characters which look exactly the same as latin ones. How could you tell if the "c" in chrisq@gmal.com really was a latin 'c' or a cyrillic Es?

gmail.ru (or its equivalent) will find a way to support cyrillic gmail.qc.ca and gmail.fr will find ways to support French accents (otherwise, Google will get sued or blocked by Quebec or France) These details will get worked out at the local level. It will take time, but they'll get there eventually.

I don't think that would work in protecting users against attacks unless you said that only users if gmail.ru could receive emails from users with Cyrillic characters in the name, etc.

Re:Dammit this is a terrible idea

Because no language ever makes use of characters from other languages, I mean surely Latin capital letter R is only used by latin speakers. Seriously you should get a better understanding of what you are saying before you make bold claims about how 'easy' something is going to be, could it be done, maybe, will there be oversights, bugs and glitches for people to exploit, almost definitely.

Re:Dammit this is a terrible idea

[Chrisq]

Because no language ever makes use of characters from other languages, I mean surely Latin capital letter R is only used by latin speakers. Seriously you should get a better understanding of what you are saying before you make bold claims about how 'easy' something is going to be, could it be done, maybe, will there be oversights, bugs and glitches for people to exploit, almost definitely.

Actually Unicode does make a good effort of classifying characters into scripts, with some "common" characters that can appear in any scripts and some "inherited" characters (like diacritics) that belong to the character that they are applied to. Thus the Cyrillic"Es" looks like a Latin "C" but is a different Unicode character, one belonging to the Cyrillic scripts and the other to the Latin script. The different languages using the same scriptis a red-herring, it doesn't matter that both French and English use the capital "R", what does matter is that you can't put a Cyrillic character into the middle of a Latin script string to make something that looks like a certain name but isn't. Checking whether a name contains characters from more than one script is easy. there are methods in some languages that trivialise this.

Re:Dammit this is a terrible idea

Until you take a closer look at the scripts, and notice that they encompass so many characters that people won't need to 'mix scripts' for trickery.
Take "mathematical letter kappa" and "latin k" for example, do you think your mom will be able to tell the difference?

Sure some of this stuff can be handled, with enough work, but you can rest assured there will be mistakes, anyone who thinks this will be 'easy' and go down without a hitch is either stupid, naive or in denial.

Re:Dammit this is a terrible idea

Of course that is exactly why unicode is a security risk. The same visual representation has different encodings, therefore the "wrong" address appears "correct". bye-bye bank login details. Adopting unicode in DNS was a severely bad idea; adopting it in email is also a bad idea but granted email was already easy to make appear "correct" while being "wrong".

Re:Dammit this is a terrible idea

[petermgreen]

Usually with such things it's better to whitelist than blacklist. As you add characters to the whitelist you determine what character they should be equivilent to for conflict-management purposes.

Out of interest does anyone know if people actually use internationalised domain names as their main domains or if they stick to conventional names that work with all software and which everyone can type.

Re:Dammit this is a terrible idea

[ArcadeMan]

I wouldn't be surprised to see l'Office québécois de la langue française do something like that. I speak french and I still think they're assholes who are over-reaching their boundaries.

Re:Dammit this is a terrible idea

[Chrisq]

Take "mathematical letter kappa" and "latin k" for example, do you think your mom will be able to tell the difference?

To be fair they do have different script values so would be identified by the proposal

Re:Dammit this is a terrible idea

[CODiNE]

I don't know about the c, but that "gmal" domain looks mighty suspicious.

Re:Dammit this is a terrible idea

Why is this not modded up? i suspect it's only because you posted AC :( (i don't have/want an account)

Well, I'm impressed.

Google updated their regular expression. Good for them.

Re:Well, I'm impressed.

[Chrisq]

I would imagine that there they implemented RFC6532, which involves a lot more than changing a regular expression

Re:Well, I'm impressed.

And again, an army of PhDs engages in some useless administrative activity, while not saving the world.
Thanks, Google!

Re:Well, I'm impressed.

Half the web sites I try to register with spit chips if you try to use an ASCII plus symbol (+) in your email address. It's a perfectly valid character and legal in the RFCs, but dumbass web developers can't even get that right. What hope will there be for people with internationalized usernames and domain names?

Re:Well, I'm impressed.

Half the web sites I try to register with spit chips if you try to use an ASCII plus symbol (+) in your email address. It's a perfectly valid character and legal in the RFCs, but dumbass web developers can't even get that right. What hope will there be for people with internationalized usernames and domain names?

Gmail truncates the local part at the + character. me+linux@gmail.com and me+hacker@gmail.com both go to me@gmail.com (also, the . character is meaningless in the local part for Gmail). As an admin, I translate addresses into a standard form before checking for multiple accounts from the same email address.

Re:Well, I'm impressed.

Gmail truncates the local part at the + character.

Well, good for Gmail! Not everybody in the world uses Gmail, so how about you just...

Re:Well, I'm impressed.

[hcs_$reboot]

I would imagine that there they implemented RFC6532, which involves a lot more than changing a regular expression

So we get sometimes unreadable mails because the encoding of the content is unknown. Then some mails will be rejected because of an encoding problem in the address itself. At least in the first case the mail was received and we had enough time to fix the problem.

Metal umlaut!

Finally I can get motörhead@gmail.com!

Re:Metal umlaut!

[jones_supa]

I will represent myself as a shady unofficial sales representative for an Australian microphone brand.

Re:Metal umlaut!

Lemmy, you magnificent bastard, I went deaf at your concert!

Re:Metal umlaut!

[Deep+Esophagus]

Finally I can get motörhead@gmail.com!

This is exactly what is going to happen, and I don't mean that in a good way. I already see it in other chat environments, like Second Life, where the full power of Unicode allows any and all characters in usernames. It's bad enough that they substitute Latin letters with superficially similar characters from other languages so we end up with names like ££¥ and , but miles of decorative symbols drawn from Braille and mathematics... and don't even get me started about the entire upside-down alphabet. These typographic idiots don't realize or care that they are making their names (and often text) completely unreadable, as long as it looks cool.

Thanks for stripping the illustrative part of my post out, Slashdot. The first name should have shown a Greek Beta, an i with a little circle over it (1F34), then the Pound and Yen symbols for "Billy". The next example, "Sarah", should have shown an Arabic Kaf, a Greek A with a bunch of curlicues (1F8C), the Cyrillic Ya (backwards R), another A, and a Cyrillic N (looks like H) with more curlicues (04A2).

Anyhow, you get the idea.

Sigh

[ledow]

From what I can tell, a mail server has two options when receiving this mail:

Accept it.
Reject it.

The default, with software that doesn't understand this RFC yet (which seems to be... just about everything), is to reject. So trying to use this as an email is not only going to mess up every form you try to fill in online (because they won't see it as an email address either), but quite likely just gets you bouncebacks from everyone you email.

What was needed was surely a system similar to the IDN system for internationalisation, which would allow those with ASCII-only DNS servers etc. to STILL WORK, by converting the Unicode characters to ASCII subsets and then sending the email as normal, through the entire PLANET-worth of working email servers out there that could accept it.

Having a content negotiation option at the SMTP level, that mail servers have to implement and handle specifically, is just ridiculous, and even with GMail's kickstart it could be decades before you can guarantee that your UTF-8 email address will work across the Internet and even then there'll be some old legacy server that will just bounce all your email BECAUSE of that character set in your address. And it will be perfectly legitimate to do so.

However, as others have pointed out, if this goes through, it will be nigh-on impossible to spot phished/faked email addresses, just like it is with IDN links unless you know how to find the original ASCII-encoding of them.

Re:Sigh

From what I can tell, a mail server has two options when receiving this mail:

Accept it.
Reject it.

Temporary failure, try again later.

There! Are! THREE! Options!

Re:Sigh

[hawkinspeter]

Nope, there's four options:

Accept it.
Reject it.
Temporary failure, try again later.
User not local, will forward to <somewhere>.
Syntax error, command unrecognised.

Wait, I'll come in again...

Re:Sigh

[scdeimos]

Picard? Is that you?

Re:Sigh

[gurps_npc]

Many email accounts have the option of setting up a temporary clone email with different letters. That is, you could be something_in_Mandarin@gmail.com and also AlexanderTheGreat@gmail.com All in one single account. So you use the Mandarin email address for your mandarin business cards, and the English one for all web sites and even on your English business cards.

Re:Sigh

Lol at latin alphabet whineboys.
Just like DNS, make the leap to full UTF-8 in the spec.
And if you're a stupid enough whineboy to insist on having a UTF-8 address, it's your own damn fault if your mail doesn't get through.

Good luck

[Pascal+Sartoretti]

My e-mail address ends with the suffix ".name". It is perfectly correct (even if not common), but I still sometimes have issues today because some stupid website has an outdated regular expression which says that ".name" is not correct.

Now imagine this with non-latin characters (or just non-ASCII characters)... If you only write to people also using GMail, it might work.

Re:Good luck

Try including a plus symbol in the localpart and see how far you get.

Re:Good luck

[RevWaldo]

I was once given a corporate e-mail address with an apostrophe for my last name. Perfectly legal, but many web sites choked on it. And they left the apostrophe off my first batch of business cards.

(Fortunately I also had an alias address which didn't have the apostrophe and was about two dozen characters shorter.)

.

Re:Good luck

My e-mail address ends with the suffix ".name". It is perfectly correct (even if not common), but I still sometimes have issues today because some stupid website has an outdated regular expression which says that ".name" is not correct.

Now imagine this with non-latin characters (or just non-ASCII characters)... If you only write to people also using GMail, it might work.

Well well well.

Imagine that.

Google is walling off their garden...

Could that be considered, oh, maybe, EVIL?

Re:Good luck

Well, it has to start somewhere.

Re: Good luck

[osiaq]

It's not stupid website. It's just stupid 4 char tld that shouldn't exist according to the standards. There are myriad of validators out there that will reject it and they are not stupid, they worked well for decades.

Re: Good luck

[Pascal+Sartoretti]

It's not stupid website. It's just stupid 4 char tld that shouldn't exist according to the standards.

Please show me in RFC 1035 where you see this 3 letter limitation.

By the way, the ".arpa" pseudo-domain has always existed.

There are myriad of validators out there that will reject it

No, most validators correctly implement the standard, only a handfew are incorrect.

they worked well for decades.

Something on the web that worked well for decades has necessarily been enhanced at some point...

Terrible idea

The Internet is about interoperability. Intentionally breaking that goes against everything that has made the Internet worthwhile.

Re:Terrible idea

Interoperability as long as it's by american english rules?

Re:Terrible idea

The Latin alphabet is not American.

Re:Terrible idea

Right, but ASCII is still used too damn much. Even the US gov doesn't understand ASCII is not enough for the world, so interoperatively speaking, shouldn't we all just have to live with ASCII? Fuck that. So even with limiting to latin, latin alphabet is missing half the world, that's just another half assed way to go.

Re:Terrible idea

I can only think of the Babel tower finally coming down again... It was a sweet dream...

And don't forget that maybe some Chinese dude has problem with typing English (although I think most keyboards all around the world do keep ASCII letters and base ASCII punctuation at least, so there's that at least today...), but I'm pretty sure he will fare much worse if he ever has to type Arabic or Burmese... You are just as much considering only the viewpoint of the English/Latin world vs. the rest of the world lumped together...

There sure are some mitigations possible, notably for text-only identifiers, which you can more or less easily copy-paste (hopefully everything you use now supports full Unicode and all fonts everywhere), but text in images, on business cards, on magazines, etc., will be significantly more difficult to handle... Good luck OCR-ing badly-handwritten Japanese unagi pr0n URL on some low-definition GIF picture to find out more... (well, with some luck, I suppose you could try to send the picture to Google Images or some other image source identification website, in this case...).

Well, that is if you can even recognize it is an URL... 'cause of course those ASCII punctuation symbols should be localized too, going this way... Their shape may mean something completely different in another language, or not exist at all...

Anyway, let's take another example outside of the Internet... What about localizing again all traffic and caution/information signs all around the world? Even colors and basic shapes can have very different original meanings depending on the culture...

What about localizing math/physics/chemistry units and formulas again?

There's a balance in everything... Too much localization just breaks the web.

Re: Terrible idea

[jrumney]

Interoperability is why we still write to anonymous@slashdot.org!mail.comcast.net!mail.myisp.com!gateway.local instead of just having globally resolvable addresses. Upgrading the infrastructure is just too hard and will never happen.

Re:Terrible idea

[RevWaldo]

And don't forget that maybe some Chinese dude has problem with typing English (although I think most keyboards all around the world do keep ASCII letters and base ASCII punctuation at least, so there's that at least today...)

Phonetic entry using pinyin is still the most common method, which has been greatly sped up with predictive text like on cell phones, so the most common characters can be entered with a few keystrokes. Google Pinyn in this regard is, as the kid's say, the shiznit.

.

Re:Terrible idea

[petermgreen]

If a chinaman and a russian swap buisness cards and both have used their own scripts for email addresses are thier thoughts going to be "great" or "how the fuck do I type this?"

My guess is nationalists who don't care about the world beyond their countries borders may adopt this, those who care about being part of the global community (or simply about interoperating with older software) will avoid it like the plauge it is.

Re: Terrible idea

[mjwalshe]

Wuss I prefer the old days when you could just sent mail to me at c=uk cn=firstname - kids today cant parse a x.400 address to save their lives. And yes I did have root on the UK's ADMD -)

Anti-phishing measures?

[Captain_Chaos]

I hope they implement the same kind of anti-phishing measures that browsers are taking for displaying domain names with non-Latin scripts. http://en.wikipedia.org/wiki/I...

Great idea

How on earth am I supposed to email someone when I don't even have a key that corresponds to a letter in their email address. And do I'm not keeping a huge chart of Alt+number combinations handy.

Re:Great idea

[Chrisq]

How on earth am I supposed to email someone when I don't even have a key that corresponds to a letter in their email address. And do I'm not keeping a huge chart of Alt+number combinations handy.

Of course there is probably someone in China or Korea thinking "why do I have to use this special keyboard mode with characters I don't understand to write emails".

Re:Great idea

Use the Character Map program.

Re:Great idea

[OolimPhon]

Hit the 'Reply-To' button, naturally.

- After adding the user to your Address book.

Re:Great idea

More specifically, use the Character Map program for Windows. The Character Map in Ubuntu seems to show a lot of the code pages with just squares containing numbers in them. More open source garbage. :(

Re:Great idea

[Richy_T]

Cause while his countrymen were running around killing sparrows with sticks at the behest of an insane, leftist ruler, the capitalist west had already been working on the transistor for 10 years, and was continuing working on improving the integrated circuit it had become part of and thus had a huge head start on defining the standards that would be used in a global communications network of billions of computers.

Re:Great idea

[petermgreen]

That would probablly work reasonablly well for greek and cryllic scripts.

For other scripts have fun dealing with weired rules for mixing LTR and RTL chacters. Characters that join together into something that looks more like squiggly handwriting that what we would recognise as printed text, or a sea of thousands of characters that all look very similar to the western eye.

Re:Great idea

[naris]

The same what they email you when they don't even have a key that corresponds to a letter in your email address.

Re:Great idea

[naris]

Cause now that the capitalist west has offshored the production of those billions of transistors, integrated circuits and computers to his countrymen, we need to be able to e-mail them.

Re:Great idea

[Zontar_Thing_From_Ve]

Of course there is probably someone in China or Korea thinking "why do I have to use this special keyboard mode with characters I don't understand to write emails".

Any educated person there, and in countries that use Cyrillic in case you wondered, will learn the Latin alphabet in school. By the way, their keyboards always have the Latin alphabet on them along with symbols for certain characters in their own writing systems.

Re:Great idea

[Richy_T]

We can just use the corollary of the standard westerner's mode of improving communications with furriners of raising your voice, ALL CAPS!!!

ó nie dziaa, do bani

you cannot use solely international characters, the first one need to be simple ascii

Re: ó nie dziaa, do bani

[Chrisq]

you cannot use solely international characters, the first one need to be simple ascii

What?Where do you get that from? TFA gives examples where the whole email address is in international characters (katakana)

Re: ó nie dziaa, do bani

They're making it up, of course, unless they're including the '<' character in the addr-spec, http://tools.ietf.org/html/rfc...

The ABNF in that section is so broken, though, I have no idea how anyone could hope to provide a compliant implementation.

Homoglyph attack generator

[Thanshin]

http://www.irongeek.com/homogl...

Ah, great!

[Black+Parrot]

Maybe now my e-mails to Tutankhamun will quit bouncing.

Re:Ah, great!

[Megane]

Last I checked, you can't use a JPEG image in the To: field of an e-mail header. Maybe you could give a link to a UTF-8 text example?

Try installing international fonts

By default ubuntu doesn't unless your codepage requires it. Most of the 'complete' unicode fonts aren't included by default.

Re:Try installing international fonts

One font including the full Unicode map would be sufficient.

Re:Try installing international fonts

There is no such font.

Re:Try installing international fonts

[Richy_T]

Shouldn't there be? Serious question.

Re:Try installing international fonts

[petermgreen]

Afaict there are no fonts covering all of unicode, partly because it's a moving target, partly because the unicode consortium doesn't release a free reference font leaving it up to third parties to look at the standard and come up with their own versions of the characters (the fonts used in the spec pdfs are propietary).

There are fonts that come reasonablly close to full coverage but they tend to be large and have poor quality coverage of some scripts. Also the only free one i'm aware of is a bitmap font.

Re:Try installing international fonts

Yes there should, I think it is cheap of the Unicode consortium not to make a reference font, but hey thats where we are.
Apparently, not sure how true, with all the combining possibilities that need to be handled etc. it would be astronomically huge, the best we can hope for at the moment is a font that handles most the basic stuff.

Re:Try installing international fonts

[amRadioHed]

Google is working on a font family which supports every Unicode character, it's a big job though.

http://www.google.com/get/noto...

Re:Try installing international fonts

[Richy_T]

Yeah, definitely they should have one. It wouldn't need to be fancy and it wouldn't matter if it was so huge, it blew stuff up (that stuff needs fixing) but I'm sure it would have helped adoption.

Looks like google is making one according amRadioHed below. Which is good news but I'm not quite sure how they're going to make joining Google+ a requirement to use it.

A new email standard?

The IETF devoted time to a _new_ email standard and still hasn't fscking solved the spam problem?

WTF? Send them to bed without dinner.

Re:A new email standard?

It's not a spam problem, it's a people problem. There are too many people, sending spam.

Re:A new email standard?

[MrNaz]

Implementing proper domain and user authentication by baking PGP or some other PKI right into the email protocols will both solve the spam problem comprehensively AND allow UTF8 domains with minimum risk of phishing /spoofing.

Cyrillic substitutes for 'aoe': long-forgotten..

So there was an IRC network running in CP1251.
So there were attempts to substitute letters and impersonate other users.. so an ircd patch was written to treat all similar-looking characters as Latin.

Next wave of Unicode dirty-hacks and workarounds surely will be even more strange than that. // irccity, nya.

Anti-Semitism

Don't be afraid of it.

Re:Anti-Semitism

[INT_QRK]

You are beneath contempt, and it would be otherwise intuitive that you should be ignored as an aberration. However, it is extremely important that decent people of good will realize that their opposites, people like you, are not an aberration, that you exist in the environment as a pervasive and pernicious evil, and therefore appropriate countermeasures must be put in place and vigilance maintained.

Re:Anti-Semitism

[ArcadeMan]

I don't want to sound racist, but I've never heard of Jewish suicide bombers, Jewish plane hijackings, etc.

Re:Anti-Semitism

[ArmoredDragon]

Posts like these are just random pot shots looking for a response. Chances are he doesn't even believe what he says, rather he just wants to cause somebody to come out speak in a righteous manner. Mission accomplished, I think?

Re: Anti-Semitism

The very first suicide bomber in occupied Palestine was in fact a Zionist Israeli Jew...

Re:Anti-Semitism

I don't want to sound racist, but I've never heard of Jewish suicide bombers, Jewish plane hijackings, etc.

The methods of response you listed are used by people without killer drones, professional armies, airforces etc.
consider, "The law, in its majestic equality, forbids the rich as well as the poor to sleep under bridges, to beg in the streets, and to steal bread."
But you don't see the rich sleeping under bridges, begging in streets or stealing bread.
Pretty much the same reason.

+ in an e-mail address

My e-mail address ends with the suffix ".name". It is perfectly correct (even if not common), but I still sometimes have issues today because some stupid website has an outdated regular expression which says that ".name" is not correct.

I'm still waiting for web developers to realize that a "+" character is valid in the local-part of an e-mail address. It's been around since RFC 822, and yet the web folks still can't get their shit together.

Re:+ in an e-mail address

[hobarrera]

"+" or plenty of other special characters. Stuff like quotes can even be valid if used properly, while we still have some website that won't even accept a dash/underscore.

Re:+ in an e-mail address

[Pascal+Sartoretti]

"+" or plenty of other special characters. Stuff like quotes can even be valid if used properly, while we still have some website that won't even accept a dash/underscore.

I had to wait nearly 10 years for my ".name" domain to be accepted by most websites (say, 99.5%).

For "+" or other funny characters, my estimate is that you will need at least 10 years starting from now.

I would not hold my breath.

Re:+ in an e-mail address

[amorsen]

"+"-characters keep out an amazing amount of spam. Please do not teach the world to recognize them.

Re:+ in an e-mail address

For "+" or other funny characters, my estimate is that you will need at least 10 years starting from now.

I'm unsure how long +, ' and " have been valid in e-mail addresses. I'm suspect they've been valid longer than the WWW has existed (they've certainly been valid longer than most websites have existed). Depending upon your point of view we've been waiting better than 25 years for everyone to accept them. You and your puny 10 year wait for .name to be accepted by most websites.

Internet Engineering Task Force Realised...

[danknight48]

That "signed char" was a bad coding choice back in the day.

Pile of poo at gmail dot com

5 times pile of poo at gmail dot com!

They better filter out non-printing characters

[Megane]

They better be filtering out the non-printing characters that do fun stuff like reverse the text direction, overstrike, etc. How long until people start registering gmail addresses with Zalgo text?

And how long until someone registers pile of poo @gmail.com?

What should the rest of us do?

[Zaiff+Urgulbunger]

As a webdev who gets irritated at websites that fail badly with their email validation (e.g. not allowing + in the local part, or only allowing 2 or 3 char TLDs), I do try very hard to get this right. So I've got a solid(ish) email validation function. But, I'm a bit sketchy on what to do with UTF-8.

For the domain, I'd hope that the MTA (Postfix in my case) would allow UTF-8 and convert to punycode as required, but I'm not sure it does. So currently I don't allow for that. I _could_ convert to punycode myself, but I don't.

And as for the local-part, I'm fairly certain Postfix doesn't allow for UTF-8 at present.... at least, not the Postfix version supported on Debian 7.

So I'm just wondering what everyone else is doing? Should I improve my support, or should I just wait for support to be added to my MTA before I bother?

Re:What should the rest of us do?

[Richy_T]

I don't see much point getting anal about email validation, especially since it's fairly hard problem. It's been a while since I've written one but something along the lines of something@something.something is usually enough and let the mail servers sort out the rest.

Re:What should the rest of us do?

youre a moron for having a 'validation function' in the first place. if the user screws their address up its their fault, not yours. and so long as you don't pass it to your shell like an idiot, you shouldn't care either. let the damn thing bounce.

Re:What should the rest of us do?

[Zaiff+Urgulbunger]

Yeah, for the most part, I prefer validation that does as little as possible. I previously had a simple check for a single @ symbol. That worked, except someone used a comma which caused the mailer to think there was more than one email address. I should have anticipated that one. Not a biggie, but there was crap in the mail.log where it was trying to use an invalid address... I don't recall the exact issue, but I believe it though it might be a local address or something.

So as a result, I thought I should make the validation a bit more robust to protect the server and at that point, I blocked UTF-8 because it seemed unlikely to work and thus was just a _potential_ vector for attack.

They should all be duel email addresses

[gurps_npc]

As in, one email account connected to two email addresses, one in say Russian, and the other using the latin alphabet.

Probably set up so that if the Russian gets bounced, it tries again with the latin alphabet.

Also, the signature of all emails sent from this should have a copy of the latin email address, so that people that don't have the Russian capability can reply.

Re:They should all be duel email addresses

[RockDoctor]

As in, one email account connected to two email addresses, one in say Russian, and the other using the latin alphabet.

And when there is no "one-to-one", "official" transliteration from one script to the other.

My wife's Russian passport transliterated her name into Latin characters in two different ways. This cause non-trivial issues when trying to get her citizenship sorted out.

So, you add TWO Latin 2equivalents to the one Russian one? Doesn't work, does it?

Re:They should all be duel email addresses

[RockDoctor]

2equivalents

Sorry, got a sticky shift key ; "equivalents"

Slashdot's time?

[J'raxis]

Now that Google has implemented 2012 i18n technology, maybe vaunted technology site Slashdot can catch up to 1998 and implement UTF-8 properly?

Nah.

address standards are a nightmare

[netsavior]

first off, I went down the slippery death defying slope of email address validation recently... Our software had simple regex rules... so I thought I would just implement RFC rules, or find a library that did... wow. RFC is a mess... APIs are worse.
This is a valid email address:
dude"".dude@[192.168.1.1]
so is this:
a@com
also valid:
test+test=gmail.com@test.com
none of those will work in MS Outlook or exchange, none of them will work with jquery validation plug-in, some close to that will work with java mail API. Most funky but standards compliant email addresses will pass Apache commons validation.

In the end, I went with a 2 part validation: 1) Apache Commons Validation (mostly RFC correct), then a second pass on Javax.mail because if I can't send email to it, then what is the point of having it? We still get addresses that pass both validations, and bounce at some SMTP relay due to "invalid address format."

I am sure internationalization will make all this better.

Re:address standards are a nightmare

[netsavior]

take the name part of your gmail address... add this string to it:
+a."b(c)d,e:f;gh>i[j\k]l".a@gmail.com

not only is yourname+a."b(c)d,e:f;gh>i[j\k]l".a@gmail.com a valid email address... but you will actually get email addressed that way. It will fail most email address validation that I have found.

Re:address standards are a nightmare

[allo]

just send a mail. if it fails, discard the pending registration or whatever, possibly via "not confirmed" timeout some days later.

Re:address standards are a nightmare

[netsavior]

I would love to do that. I beg our management every week. Our customers are Luddites. Email is optional.

WTF?

[allo]

Isn't this something, which was introduced years ago?

If only they recognized the difference...

[goofyspouse]

...between these two addresses:

firstname.lastname@gmail.com
firstnamelastname@gmail.com

I keep getting email at the former addressed to the latter. Anyone else encounter this oddity with Gmail?

Re:If only they recognized the difference...

[devman]

In case you are asking this for real, this is a documented gmail feature.

https://support.google.com/mail/answer/10313?hl=en

You can actually log in with any variant of your username that includes 1 or more periods added in arbitrary locations.

Re:If only they recognized the difference...

[piripiri]

Periods are ignored in gmail addresses.

firstname.lastname = firstnamelastname = first.name.last.name = f.i.r.s.t.n.a.m.e.l.a.s.t.n.a.m.e

It'll all end in tears.

What's next, smiley faces in phone numbers?

We're one step closer to "I'll just text you the address" level of frustration with someone who needs a cutesy e-mail address that you can tell them over the phone.

It's like IPv6 . . . I want to remember an address by the time I cross the room.

Who cares?

[Archwyrm]

The "From:" header has been spoofable in ASCII since the beginning of e-mail. Given its unreliability, you are foolish if you put much stock into it.

Innovation at extreme pace!

[aspa]

I'm just can't help being amazed how fast the tech industry keeps moving and innovating!

It feels like yesterday when the first Unicode specification was published 23 years ago.

Just amazing! What next?

Cant wait...

Looking forward to wingdings in my email address.

Too bad you won't be able to register with those

[ayesnymous]

Try using those email addresses to register on various web sites and watch them say "invalid email address".