30 August 2012

Wrong email! The GMail "dots issue"

Wrong number!

OK, so you get a call for Jane Anthony - but there's no-one by that name at your house. "What number were you dialling?" you say to your caller. "Oh, 908 5674 5555" says the caller.

"Well," you say "That IS my number, but there's no-one by that name here. You must have a wrong number."
Caller apologises, you both hang up, and you are both comfortable. Because you both know that wrong numbers HAPPEN. And always have, and always will.

The one thing you do NOT do is immediately call the phone company and demand to know why they gave your phone number to someone else, and how they are going to mend this hole in their security, and you certainly don't ask them if all your calls are now going to this other person.

Wrong street address!

Imagine another scenario....the mailman delivers a letter addressed to your house, using your street number, but it's clearly meant for someone else. This happens all the time, too. Always has and always will. You don't immediately call the US Mail demanding to know why they gave your address to a different person. Nor would you ask them whether this other person was now getting all your mail.

Why? Because we all know, from long experience, that people make mistakes. People give the wrong house number to the bank (or the person in the bank writes it down wrong!), other people can never remember their own phone number, and always get two digits the wrong way round - after all, how often do you call your own number? And when you do, doesn't your phone do it for you anyway?

Yet those same rational folks who accept that other people make errors, and will happily accept the results of those errors - unwanted mail, wrong number calls - find it hard to grasp that the identical thing happens with email addresses.

Perhaps it's because email has only been around for 20 years or so, so we haven't yet learned to accept that folks make just as many mistakes with their email addresses as they do with their phone numbers and their house or street numbers. And because we still find the Internet a dark and mysterious place, and have little idea what goes on behind the scenes and how it works, any error is immediately nailed to the on-line equivalent of the phone company or the US Mail. It must be their fault - they must have given someone MY address.

In reality, of course, the mere fact that allocation of email addresses is handled by totally automated systems using totally automated checking methods on totally automated databases means that it is virtually impossible for them to go wrong unless they fall over in a very major way, in which circumstance they would be shut down till fixed!

Let's work through an example....

If your email address is janeanthony@magicemail.com, and another person named Jane Anthony tries to sign up with MagicEmail using that address, MagicEmail will scan their user database, find you, and the other Jane will be told the address is taken, and asked to choose another. So Jane now adds in her middle initial and asks for janezanthony@magicemail.com. "Yep!" says MagicEmail, after another automated search of their database, "we don't have a janezanthony on the list, so you're in!"

Now Jane Z signs into her brand new email account for the first time, and her browser, SnappyDragon, says "I'll remember that for you, then, shall I?" - and bang, her email address and password are stored by SnappyDragon and she never has to type them or even think about them again...

A week or two later our Jane Z decides she'd like an account with FakeBook.com. (© bkc56)  So off she goes to their website to sign up. When she gets to the bit where she is asked to enter her email address, she has to think a bit - "Ah, yes! I remember now, it's my name!" So she enters - yes, you guessed it - janeanthony@magicemail.com. Now, just like Twitless, FakeBook doesn't bother checking or validating the email addresses their users enter before they let them open and use their new accounts. So Jane Z merrily adds a whole bunch of friends and posts a few messages and signs up for notifications of everything....

And guess what. She forgot to add her "z" and all her mail from FakeBook floods into your account!

What do you do? Do you just say "Wrong email!", like you'd say "Wrong number!" or "Wrong street address!"? Well, to be fair, many internet-savvy people do - they just create a rule or a filter, and get rid of this rubbish into their Trash. They know it's just the internet equivalent of a wrong phone number or house number being given out by someone with a hopeless head for figures.

But most of us less-experienced folks just assume that MagicEmail has given "our" email address to someone else as well, and because we are getting that someone's mail, that someone must also be getting all of ours...irrespective of passwords or any other security measures. Fear of the unknown and lack of familiarity with the system makes it hard for us to get a handle on what has happened. We just blame our mail service provider and rarely stop to consider that another user has simply made a mistake and supplied an incorrect email address which just happens to be the same as our own.

So what does this all boil down to?

If you have a GMail or Googlemail account, and you start to receive mail intended for someone who appears to have the same address as you - or a dot-variant of your address - or the same address but at Googlemail instead of GMail - then it is almost certainly just a "Wrong number" style mistake by the other user. And you can be rock-solid sure that if you own first.last@gmail.com there is no other user out there who owns firstlast@gmail.com or first1ast@gmail.com or FirstLast@googlemail.com or any other variant of your own unique username.

Because GMail has made sure that your address is unique - see below for the nitty gritty of how that is done. So next time you receive an email addressed to you that was not intended for you, you can confidently say "Wrong number!"

There's one additional error made by others which can also lead to you getting someone else's mail. GMail put a stop to this more than two years ago, by making you get permission from the owner before you can forward your mail to any other address, but not all email services do this. And many users of other services like to forward their mail to their GMail account and handle it there. If they make a mistake when entering their own GMail address into the forwarding set-up in their other account, and enter yours instead, you could end up receiving mail that is inexplicably addressed to a complete stranger with a completely different username at a completely different domain!

For example, if yet another Jane Anthony has an old account at her ISP with the username dreamteen@herISP.com but likes to handle it through her more grown-up account with GMail, she'd enter her GMail address into the forwarding set-up in the other account. If she forgets that she's actually janeanthony99@gmail.com and just enters her name, that's another batch of "wrong email!" messages you will receive, all addressed to dreamteen@herISP.com. Mystifying? You bet!

You can trace this kind of error by viewing the message headers - open the message and choose Show Original from the dropdown menu next to the Reply button. Any forwarding will be clearly spelled out for you.
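What the Show Original view reveals in the dreamteen scenario can also be checked mechanically. The following is an added example, not part of the original post: it compares the visible To/Cc addresses with the Delivered-To mailbox and reads the "for" clauses of the Received headers. The sample message, hostnames and the function name `trace_delivery` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed "Show Original" text for the dreamteen forwarding scenario.
# Hostnames, ids and timestamps are invented for illustration.
RAW = """\
Delivered-To: janeanthony@gmail.com
Received: from mx.herISP.com by mx.mailhost.example with ESMTP id abc123
        for <janeanthony@gmail.com>; Thu, 30 Aug 2012 10:00:05 -0700
Received: from mail.shop.example by mx.herISP.com with ESMTP id xyz789
        for <dreamteen@herISP.com>; Thu, 30 Aug 2012 10:00:01 -0700
From: Shop <orders@shop.example>
To: dreamteen@herISP.com
Subject: Your order

Hello!
"""

# The optional "for <address>" clause of a Received header.
_FOR = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)


def trace_delivery(raw: str) -> dict:
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    addressed = {a.lower() for _, a in getaddresses(fields) if a}
    delivered = (msg.get("Delivered-To") or "").strip().lower()
    # Each server prepends its Received header, so reverse for time order.
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        match = _FOR.search(received)
        if match:
            hops.append(match.group(1).lower())
    # Forwarding: accepted for a visible recipient at some hop, but
    # finally delivered to a mailbox that is not among the recipients.
    forwarded = bool(delivered) and delivered not in addressed and any(
        hop in addressed for hop in hops)
    return {"addressed_to": sorted(addressed), "delivered_to": delivered,
            "hops": hops, "forwarded": forwarded}


if __name__ == "__main__":
    print(trace_delivery(RAW))
```

A mismatch between the recipient and Delivered-To on its own also occurs with Bcc and mailing lists, which is why the check additionally requires an earlier hop for the visible recipient.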

So what can you do about it?

Sadly, very little. Unless you want Gmail to read all your mail and decide whether or not it was intended for you, there's nothing at all that GMail can do. They do machine-scan your mail for spammy content and filter that out for you, but they can't use a machine to determine that a message can't be meant for you because:
  • you don't have a Twitless account
  • your boss is not John Doe Jnr
  • you don't have a bank manager called Mr Parsons, or
  • your wife's name isn't Freda

If it's addressed to you, then they are duty-bound to deliver it - just like the US Mail. Your best course of action is to send a polite note to the sender informing them they have the wrong address for their contact/client/friend. If you find a phone number or an alternative email addy in any of the messages sent to you by mistake, you could even contact the person involved. If all else fails, and if the other user's mail is addressed to a dot-variant of your address or another address entirely, then you can use a filter to send those messages straight to Trash.

Some nitty gritty....

Username policies of the free email services

The main free email services have complicated this whole issue, to be fair. The main problem is that the major well-used services have different username policies.

The basic RFC 5322 specification for the local part (the part before the @ sign = username) of email addresses is as follows:
  • Uppercase and lowercase English letters (a–z, A–Z) (ASCII: 65–90, 97–122)
  • Digits 0 to 9 (ASCII: 48–57)
  • Characters !#$%&'*+-/=?^_`{|}~ (ASCII: 33, 35–39, 42, 43, 45, 47, 61, 63, 94–96, 123–126)
  • Character . (dot, period, full stop) (ASCII: 46) provided that it is not the first or last character, and provided also that it does not appear two or more times consecutively (e.g. John..Doe@example.com is not allowed.).

GMail's username policy is the most stringent. To protect users against any possibility of confusion, and to help avoid wilful impersonation, it does not allow most of the RFC-permitted local part characters. GMail flatly refuses any username that is not at least 6 characters long and is a unique combination of letters and digits. No periods are counted as username characters (though they can be used as name or initial separators if the user wants to add them), and capitalisation is ignored. So Jane.Z.Anthony is - to GMail's eyes - exactly the same address as janezanthony.

Further exclusions include punctuation, all special characters (except the "+" sign in some circumstances) and any "lookalikes". For example, if janezanthony already exists, janezanth0ny is not permitted. GMail just doesn't allow any obvious possibility of confusion between usernames. No dots, no capitalisation differences, no underscores, no hyphens, no analog "lookalike" characters - only a different arrangement of simple alpha-numeric characters can result in a different GMail username.

Hotmail on the other hand - I was surprised to discover - DOES allow periods to differentiate between otherwise completely identical addresses, and was prepared to let me sign up for an account which was identical to an existing account except for a period in the middle. I found exactly the same at Yahoo. The pre-existing address was refused - the moment I added a period it was accepted. Yahoo was also willing to let me add a zero in place of an "o" and generate yet another new username.

It's no wonder, then, that so many GMail users find it hard to accept that Jane.Anthony and janeanthony are - as far as GMail is concerned - the same user. But it is not possible, unlike with Hotmail and Yahoo, for those two usernames to co-exist separately within the GMail system - the system will not and cannot allow it.
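To see which variants land in the same mailbox, the rules above can be written down as a small normaliser. This is an added example, not Google's code or part of the original post: it checks the local part against the RFC rules listed earlier, then applies the dot, capitalisation and googlemail.com equivalences described here, plus Gmail's handling of a "+tag" suffix (which the post only mentions in passing). The signup-time "lookalike" rule is not modelled, and the function names and sample addresses are constructed.

```python
import re

# Local-part rules as listed on this page (RFC 5322 dot-atom): letters, digits,
# the listed specials, and dots that are not first, last or doubled.
_ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+"
_DOT_ATOM = re.compile(rf"{_ATEXT}(?:\.{_ATEXT})*")
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def is_valid_local_part(local: str) -> bool:
    return _DOT_ATOM.fullmatch(local) is not None


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address resolves to under the rules above."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not domain or not is_valid_local_part(local):
        raise ValueError(f"not a valid address: {address!r}")
    domain = domain.lower()
    if domain not in GMAIL_DOMAINS:
        # Other providers keep their own rules (the post found dots to be
        # significant at Hotmail and Yahoo), so only the domain is normalised.
        return f"{local}@{domain}"
    # Gmail: ignore capitalisation, drop any "+tag" suffix, drop dots.
    local = local.lower().split("+", 1)[0].replace(".", "")
    if not local:
        raise ValueError(f"empty Gmail username: {address!r}")
    return f"{local}@gmail.com"  # googlemail.com is the same mailbox


def group_by_mailbox(addresses):
    # Map each canonical mailbox to the address variants seen for it.
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_mailbox(addr), []).append(addr)
    return groups


# Constructed sample addresses, reusing the names from the post.
SAMPLE = [
    "janeanthony@gmail.com",
    "Jane.Anthony@googlemail.com",
    "jane.anthony+fakebook@gmail.com",
    "janezanthony@gmail.com",
    "jane.anthony@herISP.com",
]

if __name__ == "__main__":
    for mailbox, seen in group_by_mailbox(SAMPLE).items():
        print(mailbox, "<-", seen)
```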


So which username policy is preferable?

As a GMail user I am naturally biased. But the whole push of the GMail system is towards increased user security and increased difficulty for those who wish to compromise GMail users.

Any possibility of making life harder for the bad guys by preventing confusion, impersonation and identity theft has got to be a good idea. Sadly for the other service providers, they now have so many users with what GMail would call 100% duplicate addresses that there isn't much they could do about increasing user security even if they wanted to. When janeanthony and jane.anthony and jane.anth0ny and janeanth0ny are all considered to be "different" email usernames, by both Hotmail and Yahoo, that horse has well and truly bolted and there's no point in belatedly shutting the stable door...

But there has just been a great opportunity to straighten up and fly right for Microsoft - except that they chose not to. Their new Outlook service - which was a first-class opportunity to start again from scratch with a more secure and protective address policy for users - allows easy-to-hack 4-letter usernames, for a start. It also allowed me to sign up with myfirstmylast@outlook.com as well as myfirst.mylast@outlook.com - so the confusion will continue to reign, users will continue to have their security compromised by a lax username policy, and any ill-wisher can appear to have replicated a user's email address just by adding a dot or using "lookalike" characters.

In the meantime, Gmail users - whilst they will find the GMail policy on usernames hard to grasp because it runs counter to everything they are used to - are protected by Google as far as is possible from any wilful and deliberate replication, and all the accidental stuff as well.


References:

Someone Else's Mail - http://support.google.com/mail/bin/answer.py?hl=en&answer=10313
How to use Filters - http://support.google.com/mail/bin/answer.py?hl=en&answer=6579
Show Original - http://support.google.com/mail/bin/answer.py?hl=en&answer=22454