June 20, 2015

Gmail Frequently Asked Questions (FAQ)

The topics below represent many of the most commonly posted questions to the Gmail Help Forum. If your question is not covered below then you should try the following steps:


Index of questions (by forum category)


General
Account Access and Safety
Composing and Sending Messages
Reading and Receiving Messages
Managing Settings and Mail
Contacts and Sync


Questions and Answers


How do I get help and support?

The best source of help is the Google Help Center for your e-mail product:  Gmail, Inbox, or Google Apps. This provides online articles and troubleshooters that cover most everything you might need to know about Gmail.

Next would be to enter your question in the search bar of the Google Help Forum for your e-mail product:  Gmail, Inbox, or Google Apps.  These are Google managed user-to-user forums.  Since most questions about Gmail have been asked before, the greatest value is using search to find a question like yours that has already been answered.

Blogs written by expert users are another source of detailed information about the product. A partial list of such blogs is included in the forum post: Gmail Support Options

Google does not make use of any third-party companies for support. Still, a web-search on "Gmail support" will generate a list of third-party support sites. None of these sites are officially endorsed by Google, even if they claim otherwise.

Help Centers
Help Forums
Gmail Forum: Gmail Support Options

My account was hacked, how do I get it back?
My password no longer works, how do I get a new one?

If you are unable to log into your account, you will need to go to https://accounts.google.com/signin/recovery (also accessible from the "Need help?" link on the sign in page).  There you will have one or more of the following options:
  1. Using a pre-configured recovery phone.
  2. Using a pre-configured recovery email.
  3. Prove ownership by answering questions about the Google account (last password, creation date), receiving a verification code to an e-mail or phone, or providing other information.
The message beginning “Google couldn’t verify it’s you…” means you have not been able to prove ownership of the account. Repeating the process will not help unless you can provide more accurate information or attempt it on a computer/device normally used to access the account.

There are no other options for account recovery, and Google will not return an account unless you can prove ownership of it. If all three of the above fail then the account is probably lost.

Help Center:  Account recovery options
Expert Blog:  Gmail Account Recovery and Security
Gmail Forum:  I can not access my Gmail account

Why am I receiving e-mail to an address similar to my own?

Gmail ignores both dots "." and caps in both account creation and e-mail delivery.  That means first.last@, firstlast@, and First.Last@ all represent the same account.  If you receive e-mail intended for someone else then either the sender accidentally used the wrong e-mail address, or they were given the wrong e-mail address.

Help Center:  Receiving someone else's mail
Expert Blog:  Wrong email! The GMail "dots issue"

Why am I receiving e-mail addressed to an address different than mine?

If you receive e-mail intended for someone else whose address has different characters or numbers than yours, it could be because your address is in the BCC field (very common for spam) or because the receiver made an error setting up auto-forwarding and is sending their mail to the wrong account.

Gmail Forum:  E-mail with no similarity
Gmail Forum:  I'm getting someone else's emails

My account may have been accessed by someone else, how do I secure it?

In order to fully secure your account you must check both your Gmail account settings (Gmail Security Checklist) and your Google account settings (Account Security Checkup).

Help Center:  Gmail Security Checklist
Help Center:  Account Security Checkup
Expert Blog:  How To Secure Your Account

How do I change my Gmail account password?

To change your Gmail password, use a browser to log into the Gmail web interface at https://mail.google.com/ then go to:  Settings -> Accounts -> Change Account Settings -> Change Password.

Help Center:  Change or reset your Google Account password
Gmail Forum:  I want to change my Gmail password

How do I make a password no-one can hack?

Pick a strong password including letters, numbers and other allowed symbols, and keep it just for Gmail - don’t use it on other sites. 
Help Center:  Creating a strong password
Expert blog:  How NOT To Get Hacked

How do I sign into a different Gmail account?

To switch the account you are viewing, start by signing out of whatever account you are in,  then go to https://mail.google.com/ and sign into the account you want to access.

To sign into another account you own in addition to the current one, click on your picture/avatar in the upper/right and select “Add account” from the drop-down panel.

Help Center:  Sign out
Help Center:  Sign in to multiple accounts at once
Gmail Forum:  Signing in as different user

How do I recover deleted messages?

The answer to this is dependent on when (less or more than 30 days) and why (by you or due to a compromised account) the messages were deleted.

Help Center:  Recovering deleted messages
Help Center:  Delete messages
Gmail Forum:  Recover deleted emails in Gmail after 30 days

Google says I have violated the Terms of Service (ToS). What do I do?

If you are notified that your account has been disabled and you feel it is a mistake, a link will be provided under “Next steps for disabled accounts” where you may submit an appeal.

Help Center:  Account has been disabled
Help Center:  Google Terms of Service
Help Center:  Gmail Program Policies

I can’t set up a Send Mail As address in Gmail for my Google Apps account.

To set up a Google Apps for Work address for Send Mail As, you must use the Gmail outgoing mail server. So your settings need to read:
    SMTP Server: smtp.gmail.com (over-write any suggestion Gmail may have entered)
    Port number: 465 using SSL or 587 using TLS
    Username: the full Google Apps address you are trying to set up, including the domain
    Password: the Google Apps password for the account you are trying to set up.
Help Center: Send mail from a different address or alias

I can’t set up a Send Mail As address in Gmail for my non-Google email account.

For all non-Google email accounts you must ask your other provider for the SMTP Server name, port number and security setting they require you to use, and enter that information in the set-up boxes.
If your “other account” is only a forwarding address and has no entitlement to use an SMTP server, then you cannot set it up as a Send Mail As address in Gmail.

Help Center: Send mail from a different address or alias

How do I make sure that all contacts on my phone get synced to my Google account and can be recovered if I lose them from the phone?

To sync to your Google account when Sync Contacts is turned on, all contacts created on your phone must be tagged with the Google contact type. Some phones provide this as the default - others, notably Samsung, require you to select the Google contact type every time. If you do not do that, then the contact will only be saved on your phone, will not sync to your Google account, and will be lost if you reset your phone or change phones.

Help Center: Sync contacts with your phone
Help Center: Sync contacts with your Apple device
Help Center: Sync Gmail, Calendar and Contacts on your iPhone and iPad

Why can’t I get or send my Gmail messages with my Outlook/Thunderbird/Apple Mail/Windows Mail clients? I get an error message.

Gmail recently enforced a higher security sign in procedure no longer using OAuth as the default access method. While developers have received warning from Google, not all e-mail clients and apps have been updated to use the new protocol.

To allow your email client apps to continue to sign in to Gmail the old way, you need to turn on access for these “Less secure Apps” in your Gmail security settings.

Help article: Allowing less secure apps to access your account
Gmail Forum: Has your email app stopped working properly with Gmail?



July 4, 2014

E-mail addressed to me intended for someone else

So you are receiving e-mail in your account that is intended for someone else.  It's bothersome if it was sent to your exact e-mail address.  It's confusing if they are using an address similar to yours differing only by a single character or perhaps capitalization.  It's scary if it was sent to a totally different e-mail address.

So why are you receiving this person's private e-mail, and what can you do about it?

This article is going to explore some of the reasons why you might be receiving e-mail intended for someone else from a slightly more technical point of view.  For Google's simpler overview on the subject you can see:  https://support.google.com/mail/answer/10313?hl=en and for another excellent article see:   http://gmail-miscellany.blogspot.com/2012/08/wrong-email-gmail-dots-issue.html

We will somewhat arbitrarily divide this problem into two cases:  that of receiving e-mail to a similar address as yours, and that of receiving e-mail to a totally different address.


Messages sent to an address similar to your own.

Question:  What's the difference between the following US phone numbers?
  • (123) 456-7890
  • 123-456-7890
  • 123.456.7890
  • 1234567890
Answer:  Nothing.  While the syntax is different, they each represent the same unique phone number owned by a specific individual.

Question:  What's the difference between the following Gmail account names?
  • first.last@gmail.com
  • firstlast@gmail.com
  • First.Last@gmail.com
  • firstlast@googlemail.com
Answer:  Nothing.  While the syntax is different, they each represent the same unique e-mail account owned by a specific individual.

There are several differences allowed in the format of a Gmail address that do not actually represent a different account.  This means that an e-mail address can contain any of these syntax differences and it still represents the same unique account.

Gmail ignores dots (periods, full-stops, ".")

Gmail does not treat dots in a Gmail address as significant.  That is, first.last@gmail.com is the same address as firstlast@gmail.com or any other combination like f.i.r.s.t.l.a.s.t@gmail.com.  Gmail simply allows users to enter a dot as a convenient word separator, like you add dashes or dots when writing your phone number.  And since Gmail does not allow the creation of duplicate addresses, it's physically impossible for both first.last@gmail.com and firstlast@gmail.com to exist as unique accounts.  Once one form of the address has been created, all other forms will be rejected as a duplicate (the account already exists).

This has always been true since Gmail first was introduced in 2004.  And even then, people were posting about it.
April 30, 2004:  http://www.errorik.com/archive/2004-04.htm
July 17, 2004:  http://itsmygmail.blogspot.com/2004/07/gmail-address-variations.html

Here's the current Gmail help article on the topic of dots in Gmail account names: https://support.google.com/mail/answer/10313?hl=en

Gmail ignores capitalization

Similar to the above, the case of the characters in a Gmail address is not significant.  That is, first.last@gmail.com, First.Last@gmail.com and FIRST.LAST@gmail.com all represent the same account.

As stated in the "Username" section of the article at:  https://support.google.com/accounts/answer/1733224
    "Username. You will use your username, which will also be your new Gmail address, to sign in to your Google Account. Your username isn’t case sensitive, and you can use letters, numbers, or periods."

Gmail treats @googlemail.com as equivalent to @gmail.com

The domain googlemail.com was used in a few countries (like the United Kingdom and Germany) in the first few years of Gmail.  But no matter which of the two domain names is used in an address, it still represents the same account.  In fact all mail addressed to a @googlemail.com address is delivered to the matching @gmail.com account.

More information about googlemail.com can be found here:  https://support.google.com/mail/answer/159001?hl=en

Why am I getting their e-mail?

So if you own all forms of your address (ignoring dots and case) then why is someone else using your e-mail address?  To start with, they absolutely do not own a duplicate copy of your account using a dot/case variation of your account name.  You already own it and duplicate accounts are not allowed.  They created a different and unique e-mail address.  They probably started with first.last@ and discovered that account was taken.  So they might have added a middle initial giving them first.m.last, or perhaps a number at the end like first.last.56@.  Whatever they added, it resulted in an account with a different name than yours of first.last@.

The problem came when it was time to give someone else their address or use it to register at a web-site.  They remember what they wanted (first.last@) not what they actually created (first.m.last@) and give out or use the wrong address.  The result is that any e-mail sent using that address, is correctly sent to where it was addressed (you).  This means you are receiving those messages which are addressed to you (first.last@) but actually intended for someone else (first.m.last@).

So how do I fix it?

The only way to resolve this problem is to get the other person to realize their error and start using or giving out their correct address.  But given that you don't know who they are or their actual e-mail address this can be hard to accomplish.

Contacting the web-site they used your address on is seldom effective because they typically don't understand the problem and don't want to get involved.  Contacting individual senders may only be helpful if they understand the problem and have another way to contact this other person.

The best option is if one of the messages you receive intended for them has some contact information like a phone number.  You can then call them.  Here are some tips for trying to resolve the issue.
  • Start by expressing concern for their privacy because you have been receiving e-mail that was intended for them.  Listing some senders or web-site names can help prove you really are getting some of their e-mail.
  • Do not be confrontational.  They probably aren't doing this on purpose because most people want to receive the e-mail that is intended for them.
  • The problem started because they don't know their actual e-mail address.  So if you ask them what their address is expect them to say it's the same as yours (perhaps with dot/case differences).  But that doesn't mean it is the same as yours (since that's impossible).  That's the whole problem, they don't know their actual address and are using the wrong one.
  • The easiest way to show them their actual address is to have them click on their picture/avatar and have them read the address from the top/right of the drop-down panel.
  • You can also have them send you an e-mail (yes, they may believe they are sending it to their own address).  The From and Reply-To header fields should contain their actual e-mail address.
With a little patience you can help them figure out their correct e-mail address.  Be sure to remind them to update any web-sites with the correct address as well as notify any contact that may have the wrong address saved.


Messages sent to an address totally different than your own.

The other case is when you receive e-mail addressed to a totally different account than yours.  It may be just slightly different with an extra/missing character or two (for example first.last@ and first.last.56@), or it may be a completely different name which shares nothing in common.

The simplest situation is when your address is in the Bcc field (which means it is hidden) and another address is in the To field.  This is most common for spam messages which are often sent in groups addressed to similar addresses.  One address is in the To field, and the rest in Bcc.  So if you receive spam addressed to someone else, your address was also included but in the Bcc and you can't see it listed.  Receiving such a message does not indicate any sort of delivery problem.

The more complex situation is when someone mistakenly set up forwarding from their account to another account, but much like the dot/case problem above, they forwarded it to an address they thought they owned (but are wrong).  You will often need to look at the full message headers to identify this situation.

To see the full headers of a message, click next to the Reply button and select "Show original" from the drop-down menu.  A new tab will open that will include the full headers of the message.

We will now look at a number of actual headers collected from Gmail help forum posts that demonstrate some of the ways one might get a message addressed to someone else.  In these examples the actual e-mail addresses have been changed to protect privacy.  We'll use first.last@gmail.com to represent your address, and first.m.last@gmail.com or someone@blahmail.com to represent the address the message was actually sent to.  We'll also throw in a fake sender address and server names to complete the headers.  To save space and simplify the examples, most of the header content will be excluded, retaining only the significant parts that prove the forwarding.

Gmail Forwarded To Gmail

Perhaps the simplest and easiest to spot case is when a Gmail account is forwarding to another Gmail account.  This is obvious because Gmail adds X-Forwarded entries to the header documenting the forwarding.
Delivered-To: first.last@gmail.com
X-Forwarded-To: first.last@gmail.com
X-Forwarded-For: first.m.last@gmail.com first.last@gmail.com
Delivered-To: first.m.last@gmail.com
To: <first.m.last@gmail.com>
From: <sender@sourcemail.com>
Headers are read from the bottom (where the To, From, and Subject lines appear) up to the top (where the final Delivered-To line appears).  So these headers show the message being delivered to the address specified in the To line, then forwarded on to the final destination.

These cases are interesting because Gmail requires e-mail verification while setting up the forwarding.  That means someone with access to the receiver's account had to click a link to accept the forwarding (whether anyone remembers doing it or not).

Other Provider Forwarded To Gmail

Sometimes other providers will insert a record into the headers to show forwarding, but they can be a bit harder to spot than Gmail's X-Forwarded records.  For example:
X-Get-Message-Sender-Via: root.blahmail.com: redirect/forwarder owner someone@blahmail.com -> first.last@gmail.com
But generally, forwarding from other providers to Gmail can be a lot harder to identify because often there is no clear forwarding record added to the headers.  Sometimes the only way to tell is by watching the message progress to the specified server and then suddenly switch to Gmail, as in this example.  There may not even be a Delivered-To entry to show it arrive at the specified address.
Delivered-To: first.last@gmail.com
Received: from gateway.blahmail.com ([5.9.45.195])
        by mx.google.com with ESMTPS id s1si20675769
        for <first.last@gmail.com>
        Thu, 29 May 2014 05:58:16 -0700 (PDT)
Received: from host.sourcemail.com (host.sourcemail.com [192.185.82.230])
        by gateway.blahmail.com (Postfix) with ESMTP id 8063E660000
        for <someone@blahmail.com>; Thu, 29 May 2014 07:57:36 -0500 (CDT)
To: someone@blahmail.com
From: sender@sourcemail.com
So the message progresses from the sender's server (host.sourcemail.com) to the receiver's server (gateway.blahmail.com) destined for someone@blahmail.com and then suddenly switches to the Google server (mx.google.com) destined for first.last@gmail.com when the forwarding re-directed it.  There could be a Delivered-To entry in there, but, like the case above, there may not be one.

Server Forwarded To Gmail

Sometimes the forwarding can take place at the server level, as is possible with Google Apps accounts.  In this case the forwarding takes place when the message arrives on the destination server, but before it is delivered to the specified address.  Similar to the above, the message can suddenly change direction without any signs of a Delivered-To entry.
Delivered-To: first.last@gmail.com
Received: by mail-pa0-f51.google.com with SMTP id kq14so4423283
        for <first.last@gmail.com>; Fri, 09 May 2014 06:19:23 -0700 (PDT)
Received: from server.sourcemail.com (server.sourcemail.com. [208.74.105.157])
        by mx.google.com with ESMTP id px17si1832577
        for <someone@blahmail.com>;
        Fri, 09 May 2014 06:19:23 -0700 (PDT)
To: someone@blahmail.com
From: sender@sourcemail.com
In this case blahmail.com is a Google Apps domain.  The message is re-directed just like account forwarding, but there is no forwarding in the account.  It's actually defined at the server level.  There are no X-Forwarded records since it never got to the account to be forwarded.  This is common with Google Apps for Education accounts.

The key here is that it was received by Google servers for someone@blahmail.com before being redirected to first.last@gmail.com.  Since Gmail always adds X-Forwarded records, that means the forwarding was done before it reached an account.  In this case the server forwarding was confirmed by the poster once the probable cause was pointed out.

Use Of Bcc

Just to round out the header examples, here's a case where the Bcc header was used.
Delivered-To: first.last@gmail.com
Received: from server.sourcemail.com (server.sourcemail.com. [65.54.190.149])
        by mx.google.com with ESMTPS id cw6si22943103
        for <first.last@gmail.com>
        Thu, 03 Jul 2014 00:16:29 -0700 (PDT)
From: <sender@sourcemail.com>
To: <first.m.last@gmail.com>
Bcc:
In this case there are no other servers involved because the message was sent directly to the final account (no forwarding involved).  It's confusing because of the different address in the To field and the fact that there is no indication of all the other recipient addresses.

It's interesting to note that this specific example included an empty Bcc record which acts as a sort of hint or indicator that there are additional hidden recipients.  But there is no guarantee that an empty Bcc record will always appear in the headers.

Fetching Instead Of Forwarding

There is one other rare case to consider because sometimes the path of messages doesn't involve forwarding at all as in this example:
Delivered-To: first.last@gmail.com
X-Gmail-Fetch-Info: first.m.last@gmail.com 1 smtp.gmail.com 995 first.m.last
Delivered-To: first.m.last@gmail.com
To: <first.m.last@gmail.com>
From: sender@sourcemail.com
In this case the message was properly delivered, but then was fetched by the final destination using POP3 (Settings->Accounts->Check mail using POP3).  What made this case interesting is that the user didn't remember setting up the POP3 fetching and so was surprised to be getting e-mail addressed to a different account name.

Alternate Reply Address

One final case to mention is the use of an alternate reply address in the message someone might send.  In Gmail it's specified in Settings->Accounts->Send Mail As.  So a person may send a message from first.m.last@ with a reply address set as first.last@.  So when the receiver replies, the message goes where it is addressed:  first.last@.

The difficulty with this is there is no way for you as the receiver of the message (intended for someone else) to know what happened because it's correctly addressed and delivered to you.  The only way to identify this case would be to see the headers of the original message that was replied to.  There may be a Sender or Return-Path line in the header showing the actual sender while the From line shows the alternate reply address.
Delivered-To: someone@blahmail.com
Return-Path: <first.m.last@gmail.com>
Sender: first.m.last@gmail.com
From: <first.last@gmail.com>
To: <someone@blahmail.com>
The only reason this may come up is if you reply to someone@ telling them of the wrong address and they respond that all they did was reply to the message they received.  That would be the hint of what is going on if you chose to investigate.
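
The address rules from the first half of this article and the header reading from the second half can be combined into one check.  The Python below is an added example, not code from the original article: the function names canonical and classify and the cause labels are assumptions of the example, the DOT_VARIANT sample is constructed, and the other samples are the article's anonymized headers.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
RECEIVED_FOR = re.compile(r"\bfor\s+<([^>]+)>")  # envelope recipient of one hop


def canonical(address):
    """Reduce an address to the account it names, using the article's rules:
    Gmail ignores dots and case and treats googlemail.com as gmail.com."""
    local, _, domain = parseaddr(address)[1].rpartition("@")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        return local.lower().replace(".", "") + "@gmail.com"
    return f"{local}@{domain}"  # other providers: local part left untouched


def classify(raw_headers, my_address):
    """Return (cause, origin) for a message found in my_address's mailbox."""
    msg = message_from_string(raw_headers)
    me = canonical(my_address)
    for _, addr in getaddresses(msg.get_all("To", [])):
        if canonical(addr) == me:  # exact, dot, case or googlemail variant
            return ("addressed-to-you", addr)
    # In the article's samples the first field of each header below is the
    # account the message was originally delivered to.
    if msg["X-Gmail-Fetch-Info"]:
        return ("pop3-fetch", msg["X-Gmail-Fetch-Info"].split()[0])
    if msg["X-Forwarded-For"]:
        return ("gmail-forward", msg["X-Forwarded-For"].split()[0])
    # Received lines are stacked newest first; reverse them to follow the path.
    path = [m.group(1) for r in reversed(msg.get_all("Received", []))
            if (m := RECEIVED_FOR.search(r))]
    strangers = [a for a in path if canonical(a) != me]
    if strangers:  # the envelope recipient changed on the way
        return ("redirected-in-transit", strangers[0])
    if path:  # every hop was already for you, yet To names someone else
        return ("hidden-recipient", None)
    return ("unknown", None)


# Samples: the article's anonymized headers, plus one constructed variant.
GMAIL_FORWARD = """\
Delivered-To: first.last@gmail.com
X-Forwarded-To: first.last@gmail.com
X-Forwarded-For: first.m.last@gmail.com first.last@gmail.com
Delivered-To: first.m.last@gmail.com
To: <first.m.last@gmail.com>
From: <sender@sourcemail.com>
"""
OTHER_PROVIDER = """\
Delivered-To: first.last@gmail.com
Received: from gateway.blahmail.com ([5.9.45.195])
        by mx.google.com with ESMTPS id s1si20675769
        for <first.last@gmail.com>
        Thu, 29 May 2014 05:58:16 -0700 (PDT)
Received: from host.sourcemail.com (host.sourcemail.com [192.185.82.230])
        by gateway.blahmail.com (Postfix) with ESMTP id 8063E660000
        for <someone@blahmail.com>; Thu, 29 May 2014 07:57:36 -0500 (CDT)
To: someone@blahmail.com
From: sender@sourcemail.com
"""
BCC = """\
Delivered-To: first.last@gmail.com
Received: from server.sourcemail.com (server.sourcemail.com. [65.54.190.149])
        by mx.google.com with ESMTPS id cw6si22943103
        for <first.last@gmail.com>
        Thu, 03 Jul 2014 00:16:29 -0700 (PDT)
From: <sender@sourcemail.com>
To: <first.m.last@gmail.com>
Bcc:
"""
FETCH = """\
Delivered-To: first.last@gmail.com
X-Gmail-Fetch-Info: first.m.last@gmail.com 1 smtp.gmail.com 995 first.m.last
Delivered-To: first.m.last@gmail.com
To: <first.m.last@gmail.com>
From: sender@sourcemail.com
"""
DOT_VARIANT = """\
Delivered-To: first.last@gmail.com
To: First.Last@googlemail.com
From: sender@sourcemail.com
"""  # constructed: same account, written differently

if __name__ == "__main__":
    for sample in (GMAIL_FORWARD, OTHER_PROVIDER, BCC, FETCH, DOT_VARIANT):
        print(classify(sample, "first.last@gmail.com"))
```

The "redirected-in-transit" result covers both the other-provider and the server-level forwarding cases, since in both the only evidence is the recipient changing between Received lines.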


Summary

So what does it all mean?

First, you can be confident that every message in your account was addressed and properly delivered to your account (or perhaps fetched from another account).  There are no delivery errors.  That does not mean the message was intended for you, just that it was addressed and delivered to you.

Second, you can be confident that no one has the same account name as yours (including caps or dots).  If you receive a message intended for someone else but addressed to you it is because someone gave out or used the wrong address.

Third, it may take some work to figure out just how the message got to your account.  It's easy if they accidentally used your exact address or a similar address (dots, caps) in error.  It's clear such messages will be delivered to your account.  But it will probably take a study of the full headers to identify the cause (forwarding, fetching, Bcc) when the e-mail address is different than yours.

Finally, you can also be sure that while you do appear to be receiving someone else's e-mail because they are using your address in error, they are not receiving your e-mail.  Your e-mail is still addressed to and delivered to your account as normal - it cannot arrive in someone else's account unless it is addressed to their (different) e-mail address.

So don't panic if you receive e-mail intended for someone else.  The e-mail system didn't make a mistake delivering it to you, although some person may have made a mistake addressing or forwarding it to you.

May 27, 2013

Managing Sent Mail

As many already know, Gmail doesn't use folders to organize messages as many traditional e-mail clients do.  Instead it uses labels.  All your messages are stored in All Mail.  Everything else (Inbox, Starred, Drafts, user-labels, etc) are just "views" into a sub-set of the messages in All Mail.

Labels could be thought of as colored sticky or post-it notes that you might apply to physical letters so you can later easily find all the red ones, or all the yellow ones.  For more detail on this see:  http://gmail-miscellany.blogspot.com/2012/10/how-gmail-stores-your-mail.html

Sent Mail is a little different.  It could be thought of as a pre-defined filter that shows you all the messages you have sent rather than a simple label.  While it is possible to remove messages from Sent Mail using IMAP from an email client or mobile device, that is only a temporary change.  At any time Gmail may re-index your messages and cause all sent messages to once again show in Sent Mail.

So, in summary:
1.  Sent Mail is not a label.
2.  Using IMAP to move messages out of Sent Mail is not permanent.

The above behaviors can be a problem for people who like to manage their Sent Mail as if it was a normal label or folder.  They may wish to keep messages sent to other people in Sent Mail until they receive a reply or answer.  That is, the message being in Sent Mail acts as an indicator of "action pending" and its removal from Sent Mail signifies "action complete".

Fortunately, there's a way around the fact that Sent Mail doesn't behave like a normal label.  We can create a new sent label that will do exactly what we want.

The first step is to hide the system Sent Mail label.  Pretend it doesn't exist and never use it again.
Settings -> Labels and set Sent Mail to Hide.
Next we create a new label to hold all the e-mail that has been sent.
Settings -> Labels click Create New Label and name it "MySent" (or whatever you want).
Settings -> Labels and set "MySent" to Show
Settings -> Labels and un-check the "Show in IMAP" for "MySent"
Now we need to make sure all messages we send are labeled with this new label.
Settings -> Filters click Create New Filter
Enter "me" in the "From" field
On page 2, check "Apply the label" and select "MySent"
Click Create Filter
The new filter should look like this in Settings->Filters
Matches: from:me
Do this: Apply label "MySent"
Note that "from:me" works correctly even if you have multiple from addresses configured in your account.

We now have our own label which will hold all the messages sent, and can be managed in any way we want.

Of course the normal rules about labels still apply.  Since there is only one copy of each message (potentially with multiple labels applied), if you delete the message from any label it will be removed from all of them and placed in Trash.  This means you'll probably want to remove the "MySent" label from messages rather than deleting them.

January 17, 2012

Blocking Senders

E-mail is a great tool for communication but there are times when one does not want to receive any messages from certain senders. There are many potential reasons for this: personal, relational, legal. But the bottom line is that you no longer want to receive messages from this sender in your Inbox.


Blocking a Sender

Some e-mail providers have a system to block or blacklist specific senders. In most cases it's simply an easy-to-use front-end to a filter system: you provide an e-mail address and it builds a filter for you to auto-delete any messages from that sender.  As of 9/2015 Google has added a similar one-click blocking mechanism to Gmail* (https://support.google.com/mail/answer/8151).  You can now easily mark a sender to be blocked and Gmail automatically creates a filter to do so which is listed on the Settings->Filters and Blocklist page.

Gmail's implementation of blocking is a little more forgiving of mistakes (blocking the wrong address) or "blocker's remorse" in that the blocked e-mail is placed in the Spam label.  Other providers who have a blocking feature permanently delete the messages.  Placing them in Spam instead gives one the ability to recover messages that shouldn't have been blocked (as long as it is done before the 30-day auto-delete).  It should also be noted that while the messages are placed in Spam, they are not reported as spam to Gmail's spam filtering system.  The Spam label is just a place to store them until manually or automatically deleted.

The one down-side to this is that the blocked messages show up as unread in Spam.  This means that those who routinely check the Spam label for false-positives may be misled into thinking there is new spam to check when it's just a new blocked sender's e-mail.  If this is an issue, the alternative is to create your own filter instead of using the block function.  This type of blocking has always existed in Gmail and it allows you more control over how it works and what it does with the messages.

Typically you will simply want to delete the messages. But there may be a case where there is some personal or legal reason you need to save these "blocked" messages. In such a situation you might label the messages, archive them (so they are not in the Inbox), and mark them as read. This is an example of why having full control over the filter is useful and more flexible than simple blocking.

So to create a simple blocking filter, do the following:
  1. Go to Settings->Filters and Blocklist
  2. Click the "Create a new filter" link towards the bottom of the page.
  3. Enter the sender's e-mail address in the From field
  4. Click the "Create filter with this search" link.
  5. Check the box for "Delete it".
  6. [optional] Check the box for "Mark as read".
Gmail help article: http://support.google.com/mail/bin/answer.py?hl=en&answer=8151

It may be interesting to note that Google Apps accounts have another option to do blocking: http://support.google.com/postini/bin/answer.py?hl=en&answer=141187 although this can only be done by the domain administrator.


Blocking with a Return Error Message

While the above process will satisfy most blocking requirements, there are times when one may want the sender to know their message was not delivered. That is, you want them to receive a bounced error message.

While there are a few providers that have this capability, it is not something Gmail supports. Even so, it is possible to simulate, or fake a bounced message back to the sender. Just like the above blocking, it involves creating a filter, but it adds the use of the Canned Response capability (Settings->Labs->Canned Response). So with the Canned Response lab enabled:
  1. Compose a message.
  2. Use the "Canned Responses" drop-down menu and select "New canned response..."
  3. Give it a name.
  4. Complete the message content (see below) and save the draft.
Now what should the canned response say? It needs to look similar to a real bounced message. Even so, it's not going to look exactly like one since it is being simulated. I would suggest something similar to the following, which is the proper format and contains a correct SMTP error code for a refused message.

    Delivery to the following recipient failed permanently:
    your.name@gmail.com
    Technical details of permanent failure:
    The requested recipient could not be reached.
    You do not have permission to send to this recipient.
    SMTP Error 550 5.7.1 Requested action not taken: message refused.

Note: you should fill in your correct e-mail address in place of "your.name@gmail.com" to match the correct failure format. There's no problem using your address since they already have the address in order to send the message in the first place. It's not any new information. But if one is really concerned (paranoid) you could replace it with something like "*****@gmail.com" as if the address had been masked out. It just will look that much less like a true bounced message.

An alternative message that's a bit more to-the-point about why it failed:

    Delivery to the following recipient failed permanently:
    your.name@gmail.com
    Technical details of permanent failure:
    SMTP Error 550 5.7.1 Rejected, your address is blacklisted by the recipient.

Unlike the earlier message that has some ambiguity, this one clearly says the sender was blacklisted.

Alternatively, you could use the error for a non-existent account which might suggest you deleted it:

    Delivery to the following recipient failed permanently:
    your.name@gmail.com
    Technical details of permanent failure:
    Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550-5.1.1 The email account that you tried to reach does not exist. Please try
    550-5.1.1 double-checking the recipient's email address for typos or
    550-5.1.1 unnecessary spaces. Learn more at
    550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 im3si6082088bkc.81 (state 13).

And now create the actual filter:
  1. Go to Settings->Filters and Blocklist
  2. Click the "Create a new filter" link towards the bottom of the page.
  3. Enter the sender's e-mail address in the From field
  4. Click the "Create filter with this search" link.
  5. [optional] Check the box for "Skip the Inbox (Archive it)"
  6. [optional] Check the box for "Apply the label" and select one from the drop-down list.
  7. Check the box for "Send canned response" and select one from the drop-down list.
  8. [optional] Check the box for "Mark as read".
Note 1, and this is important, you can not check the box to delete the message because the system will not send a canned response for a deleted message.

Note 2, the optional steps are basically to keep these messages out of your Inbox by placing them in a label of your choice. You can then decide to save them if needed, or every so often go and delete all the messages in that label.

Clearly this system isn't perfect. The biggest problem is that you can't delete the message and also send the canned response. Still, it's a reasonable work-around given that Gmail doesn't have the ability to bounce a message. And it will satisfy the needs some users have to block a sender with a message so they know they are blocked.

Of course, as already mentioned, it may not fool a more knowledgeable e-mail user. But what can they do about it? If they send a message saying "I know it's fake" all they'll get is another failure report.
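
What separates a server-generated bounce from the canned reply, as an added example that is not part of the original article: a bounce produced by a mail server in the standard delivery status notification format (RFC 3464) is a multipart/report message with a machine-readable message/delivery-status part, which text typed into a canned response cannot reproduce. Both sample messages, their addresses, and the assumption that the canned reply arrives as an ordinary text message are constructed for illustration.

```python
from email import message_from_string

# Constructed sample: a server-generated bounce in RFC 3464 form.
REAL_BOUNCE = """\
Return-Path: <>
From: Mail Delivery Subsystem <mailer-daemon@mail.example>
To: sender@example.org
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed permanently:
your.name@example.com

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example

Final-Recipient: rfc822; your.name@example.com
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Requested action not taken: message refused.

--b1--
"""

# Constructed sample: the canned reply, assumed to arrive as ordinary text
# sent from the recipient's own mailbox.
CANNED_REPLY = """\
Return-Path: <your.name@example.com>
From: Your Name <your.name@example.com>
To: sender@example.org
Subject: Re: hello
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"

Delivery to the following recipient failed permanently:
your.name@example.com
Technical details of permanent failure:
SMTP Error 550 5.7.1 Requested action not taken: message refused.
"""


def bounce_evidence(raw):
    """Collect the structural markers of a delivery status notification."""
    msg = message_from_string(raw)
    is_report = (
        msg.get_content_type() == "multipart/report"
        and str(msg.get_param("report-type", "")).lower() == "delivery-status"
    )
    statuses = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The parser exposes each header block of this part as its own Message.
        for block in part.get_payload():
            if block.get("Status"):
                action = block.get("Action", "").strip().lower()
                statuses.append((action, block["Status"].strip()))
    return {
        "is_dsn": is_report and bool(statuses),
        "statuses": statuses,  # e.g. [("failed", "5.7.1")]
        "null_return_path": msg.get("Return-Path", "").strip() == "<>",
        "from": msg.get("From", ""),
    }


if __name__ == "__main__":
    for name, raw in (("real bounce", REAL_BOUNCE), ("canned reply", CANNED_REPLY)):
        print(name, bounce_evidence(raw))
```

The same wording appears in both bodies; only the message structure and headers differ, which is why the text alone is not proof of a bounce.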

Summary

It's unfortunate that there are reasons why one may want or need to block a sender from e-mailing to your account. But fortunately Gmail provides the tools to keep such messages out of your Inbox. It may take some self-control to not look at them in Trash if the content may be disturbing. But they can be deleted permanently without opening.

And the workaround for simulating a bounced error return is pretty easy to set up and use. It should work for most cases, and help provide one a level of protection from unwanted contact.





* Gmail is a trademark of Google, Inc. This page is not sponsored by or affiliated with Google.

January 11, 2012

Gmail Backup

Last update: 10/2020

For most people, e-mail is a critical part of their life. Many important documents and collections of information can be stored there, the loss of which can be devastating. But we all assume that "since it's stored in the cloud, it must be safe, right?"

Well, yes and no.

While most companies have server-level backup and disaster recovery plans, they may not support account-level recovery. So for example, if one of their data-centers burns down, everything can be safely restored to another data-center. But if the contents of your specific account are lost, there may be no way to get it restored. This is generally true of Gmail*, although there are some cases where messages deleted as a result of a compromised (hacked) account may be able to be restored.

Because of this, it's critical that people provide their own backups of their e-mail accounts, and in fact all important information that is stored in "the cloud". There are various ways the information can be lost, the most common of which is a compromised (hacked) account, and the provider may not have a way to restore the lost data.

For Gmail accounts, you have three primary backup paths to choose from:
  • An e-mail client (like Thunderbird, Outlook, etc).
  • A stand-alone backup utility.
  • A cloud-based backup service.

There are a number of advantages and disadvantages to using an e-mail client:
  • The saved messages can be easily viewed with the client.
  • The messages can be sorted or have other actions performed that Gmail may not support.
  • It may not be possible to do automated backups; you may have to manually open the client and do an update.
  • It may not be obvious where the messages are saved on the computer.
  • The file format may not be convenient to use by anything other than the e-mail client.
  • It may not be easy or obvious how to restore the messages back to a Gmail account.
  • Configuration errors could result in messages being deleted from Gmail or the client when it synchronizes (using IMAP).

A stand-alone utility will have a different set of advantages and disadvantages:
  • It will be a smaller program than a full e-mail client.
  • The utility will probably be easier to set up and use than a full e-mail client.
  • The utility should provide an easy way to restore the backup.
  • The location where it stores the messages will be easier to determine so they can be included in normal computer backups.
  • The utility probably won't be able to view the messages (although, depending on the format, an e-mail client might be able to view the message files).
  • The utility probably won't support restoring the backup to an account leaving you to figure that out yourself.

Finally, a cloud-based service has some things to consider:
  • It requires no local storage space on your computer.
  • It is probably fully automated with a regular schedule requiring no actions on your part.
  • The service may support backups of other Google services: Docs, contacts, etc.
  • If available, free accounts tend to be small (2GB-4GB) and crippleware. Paid accounts are subscription based so the expense is ongoing.

Additionally, be aware that most tools/services are account specific. That means you may only be able to restore to the specific account you were doing backups on. That's fine if you lose the contents of the account; you can just restore them. But if you lose the account itself (deleted, disabled, lost password, etc) and you can't restore to a new account, then the backup becomes worthless.

The following is a partial list of stand-alone utilities and cloud-based services you can use to back up your account. Some are much better than others. Some are free, some cost money. Some support restoring the backup, some don't.

The last section lists some services to support Google's domain products: Legacy Google Apps, G Suite, and Google Workspaces. An advantage to these services is they often include multiple products like Gmail, Contacts, Drive, and perhaps others. These aren't useful for regular Gmail accounts, but are listed for completeness.

  • Recommended
    • Got Your Back - https://github.com/jay0lee/got-your-back/wiki
      This is the current best-in-class for a Gmail backup solution. It's supported, and written specifically for Gmail (which means proper handling of labels and other tags). It can restore to the original account, or a different account (if the original was lost). It's a command-line tool, which is important for running it as a scheduled task. Its only negatives are that it's command-line only (there is no graphical interface), and setup has become more challenging due to increased account security by Google. As an aside: this is the tool I use.
  • Acceptable
    • IMAPSize - http://www.broobles.com/imapsize/
      A free stand-alone program to backup and manage an e-mail account using IMAP. Very flexible, but treats labels as folders.
    • OwnMyCopy - http://ownmycopy.com/
      This one appears to be full-featured (backup and restore, handles labels), but it's a paid utility (which ranks it below a free one).
    • Spinbackup Personal - https://spinbackup.com/solutions/individual-use/
      A cloud-based free or paid service that handles GMail, Contacts, Drive, Calendar, Sites, Photos. The free 4GB version is crippleware and may not be optimal for most people.
  • Inadequate
    • MailStore - http://www.mailstore.com/
      A paid utility (free for home use) generic backup tool. Since it's generic it doesn't fully handle Gmail labels (treating them more like folders) which would create some issues for a restore.
    • Gmail Backup - http://www.gmail-backup.com/
      This used to be the preferred solution for a free Gmail backup utility. Unfortunately, it's no longer supported, and has an IMAP bug that causes it to mark all messages as read when doing a backup.
    • BackupGoo - http://en.backupgoo.com/
      A paid utility that does not support restore.
    • SysTools - https://www.systoolsgroup.com/gmail-backup.html
      A paid utility.  Can not do restore.
  • Obsolete (past options that are no longer available, links are not safe)
    • BackupMyNet - http://backupmy.net/
      No longer exists.
    • Backup Gmail - http://backupgmail.m4ss.net/
      No longer exists.
    • Beyond Inbox - http://www.beyondinbox.com/
      No longer exists.
    • Gmail Keeper - http://gmailkeeper.com/
      Obsolete, replaced by OwnMyCopy.
    • Simplicato - http://www.simplicato.com/
      No longer exists.
    • TheGmailBackup - http://www.thegmailbackup.com/
      No longer exists.
    • UpSafe - http://www.upsafe.com/
      No longer exists.
  • G Suite / Google Workspaces
    • AFI - https://afi.ai/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar, Sites. Correctly handles Gmail labels.
    • Backupify - http://www.backupify.com/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar.
    • CloudAlly - http://www.cloudally.com/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar, Sites.
    • Spanning - https://spanning.com/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar, Sites.
    • Spinbackup - https://spinbackup.com/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar, Sites, Photos.
    • SysCloudSoft - http://www.syscloudsoft.com/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar, Sites.

The G Suite / Workspaces options are all pretty similar. The main differences are in price, the user interface, and storage limitations (some are unlimited, some aren't). The other BIG question for the context of this article is if they correctly handle the restoration of conversations (not as individual messages) and of labels (including nesting). Most sites aren't clear on that, meaning the only way to be sure is to test it with a free demo (which was beyond the scope of this article).

While perhaps not 100% objective, here is a review of the above Google Workspace solutions that goes into more detail, and covers more providers: https://afi.ai/blog/best-g-suite-backup-solution. As a footnote: this is the tool I use for my Legacy Google Apps account.

As you can see there are a variety of good choices to protect your Gmail account (if you're willing to spend some money).  There are also a number of "feel good" choices (you feel good because you're doing a backup, but the inability to access the backup or restore it may make them less useful).

Of course, when using a stand-alone utility, once the messages are saved to your computer, you can and should include them in your normal computer backup, or you can manually save them to an external device (like a USB drive).

Some may well ask if it's really safe to use a cloud-based service to back up another cloud-based service (e-mail). The key to a good backup is both redundancy and separation. You want multiple backups, and you want them in multiple locations. So, for example, an external USB disk sitting on top of the computer it's used to back up is not a good idea. You only have one copy of the backup, and if the location is hit by fire/flood/disaster, both the computer and the backup will be lost. But the odds of two independent companies experiencing a major disaster with data loss are small enough to justify a cloud-based backup.

Whatever backup method you choose, make sure it either gives you access to the messages (like an e-mail client) or a well-defined way to do a restore (like Got-Your-Back). A backup you can't view or restore isn't a backup at all. And if it's a manual process make sure you do it on a regular schedule as a badly out-of-date backup isn't of much value either.

So now you know why, you know how, and you know what tools to use. Set it up today so tomorrow you aren't another statistic posting to the forum: "Help, my account was hacked and everything deleted. How do I get it all back?"




* Gmail is a trademark of Google, Inc. This page is not sponsored by or affiliated with Google.

January 9, 2012

How NOT To Get Hacked

Every day e-mail accounts get compromised. This is not unique to any one e-mail provider; it happens to them all. When an account is compromised, it tends to be used for any one of a number of common reasons:
  • To send out spam advertising to all the contacts stored in the account.
  • To send out scams to all the contacts stored in the account attempting to steal money from them.
  • To gain access to other accounts from information stored in messages. This could be other e-mail accounts (to send spam) or bank and financial accounts.
  • To gain access to private information or to destroy information stored in the account.
Besides the obvious embarrassment and potential financial loss to you or your contacts, other results can include:
  • Loss of all your contacts (deleted so you can't warn them of the scam).
  • Loss of all your e-mail history (deleted for various reasons).
  • Loss of your entire e-mail account (deleted when the hacker is done with it).
While Gmail* has ways to recover lost or deleted accounts, contacts, and sometimes e-mail, it's best if the account compromise never happened in the first place. To that end one needs to be aware of how e-mail accounts can be compromised and what steps to take to prevent it.

Below is a partial list of ways accounts can be compromised. It's not an exhaustive list, but it includes the most common methods and a few of the less common ways.  The first two are the most important ones to be aware of and guard against.

Common Password Usage

This is the practice of using the same password for multiple web-sites.  It can be hard to remember a lot of different passwords, so many people take the short-cut of repeating password usage or, in the most extreme case, only using a single password for every account they have.  While Google's e-mail servers are extremely secure, that can't be said of every web-site in the world.  Hackers will compromise less secure web-sites and steal the account registration database.  That typically includes an e-mail address and password for each account.  For people who use the same password everywhere, the hacker just got the e-mail address and password and can directly log into the account.

So the single best and most important thing you can do to keep your e-mail account secure is to use a unique password that you don't use anywhere else.  This is more important than the password length or complexity, neither of which helps if the password is harvested from another site.


Phishing

At its core, phishing is the process of someone asking for your password and you giving it to them.  Of course it's not that simple.  The request may be buried in a long e-mail about policy changes, or account verification.  It may tell you to sign in to your account, but the link provided doesn't actually go to google.com (even though it may perfectly mimic the Gmail sign-in page).  Often it includes threats of account loss or deletion to encourage (that is, scare) you to provide the information.

Whatever form it takes, the bottom line is the same:  they have the account name and password and can log in any time they want to.  And of course the best phishing scams are the ones where the user never realizes they were phished.  They just suddenly lose access to their account with no idea why or what happened.

No reputable web-site (Gmail or any other) will ask you for your password in an e-mail.  Never ever reply to a message with your account password.  Never!  And even if the e-mail looks totally legitimate, always verify that the link you follow really ends up at the correct site before you enter any information.  Always!
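
One way to check where a link in a message really leads, as an added example that is not part of the original article: it compares what each link displays with the host the browser would actually contact. The trusted-domain list, the function names and the sample message (which uses reserved `.example` domains) are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the domains a genuine sign-in link may use.
TRUSTED_DOMAINS = ("google.com",)

# Constructed sample message body: two deceptive links and one genuine one.
SAMPLE_BODY = """
<p>Your account will be deleted unless you verify it today.</p>
<a href="https://accounts.google.com.verify-login.example/signin">https://accounts.google.com/signin</a>
<a href="https://accounts.google.com@verify-login.example/">Sign in to Gmail</a>
<a href="https://accounts.google.com/signin/recovery">Account recovery</a>
"""


def real_host(url):
    """Host the browser connects to; anything before an '@' is not the host."""
    try:
        return (urlsplit(url.strip()).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only for https links to a trusted domain or one of its subdomains."""
    try:
        scheme = urlsplit(url.strip()).scheme
    except ValueError:
        return False
    host = real_host(url)
    if scheme != "https" or not host:
        return False
    # Exact comparison on whole labels: look-alike characters, extra prefixes
    # ("notgoogle.com") and extra suffixes ("google.com.other.example") all fail.
    return any(host == d or host.endswith("." + d) for d in trusted)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html_body):
    """Return (visible text, href, real host) for links that are not trusted."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    return [(text, href, real_host(href))
            for text, href in collector.links if not is_trusted(href)]


if __name__ == "__main__":
    for text, href, host in suspicious_links(SAMPLE_BODY):
        print(f"shows {text!r} but goes to {host!r}")
```

The first sample link is the case the paragraph above describes: the visible text is a google.com address, but the destination is a different site.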

Keyloggers and other Malware

A keylogger is a utility installed on a computer that captures every keystroke as people use the computer.  It's not too hard to search through the resulting information to find e-mail addresses and passwords entered by people logging into accounts.  As with other methods, someone now has direct access to the account.

This problem is usually found on public computers, like at a school, library or workplace.  Anyplace where a computer is not physically secure and anyone can use it and potentially install programs on it.  It can also be a risk in a home or work environment if anyone else has access to the computer.  And since keyloggers are a different class of problem, they may not be identified by the anti-virus software running on the computer.

The best defense from this class of attack is to never use a computer that you are not 100% sure is safe.  Also, never leave a computer you own logged in (or without a locking screen-saver) when you are not physically present.

Logging Out

This is related to the physical security of the computer(s) used.  If anyone has access to the computer, you must always log out of any accounts when leaving the computer unattended.  Otherwise anyone who walks up has full access to all accounts (including e-mail) that may be active.

Browser Auto-Fill

This is similar to the above in that it relies on a secure computer.  If you have your account login information saved in your browser (so it automatically fills it in for you) then anyone else using the computer can also log into the accounts.  If the computer is not physically secure, then it's important to not have account information saved in the browser (or in any files saved on the computer).

Password Guessing

This is a brute-force process of guessing the password to an account.  It's made easier if the hacker knows you and can make guesses using family/pet names, locations, etc.

There are basically three levels of brute-force attacks.
  • Someone with personal knowledge of you (often a spouse or ex-spouse, girl/boy-friend, etc) who can figure out your password. These are people who know your kids/pets/parents/etc names or what you'd probably use as a password. They might even know your actual password.
  • Using trivial or common passwords. This includes using trivially guessed (and unfortunately all too common) passwords like: "Password", "123456", "qwerty", etc. If your password is on the following list you're at-risk: http://mashable.com/2011/11/17/worst-internet-passwords/
  • Use of a program that tries dictionary words/combinations just trying to figure out the password. This is what is typically thought of as a "brute-force" attack.

In reality, most modern password systems have protections in place to prevent this.  After some number of incorrect guesses the system will do something to prevent further guesses.  It may lock the account for a while, or require the manual solving of a Captcha (the squiggly letters), or something else. Gmail has this sort of protection.

The best defense against any sort of brute-force attack is to follow standard password generation safeguards:  no common words or proper names, no patterns (123456 or qwerty), use mixed case and include numbers or punctuation, etc. And of course, make sure no one else knows your password.

Network Packet Capture

This is the process of using hardware or software utilities to monitor the raw traffic on a network to try and capture account login information.  The risk here is typically when using unsecured wireless networks, like the type provided free at various businesses.

While this is a real threat, it requires someone with the right tools and a good knowledge of network protocols.  The odds of such a person sitting next to you at that coffee shop are pretty small.

The best defense against this risk is to never use an insecure wireless network.  If the network doesn't require an encryption key to use, then you probably don't want to connect to it.

Server Attack

As discussed above with common password usage, this is the process of hacking a provider's e-mail servers to gain direct access to the login database or e-mail accounts.  As an end-user there is nothing you can do to guard against this sort of problem other than using only reputable companies for on-line services.

Again, Google's e-mail servers are extremely secure (both from network and physical access) so the risk of this is infinitesimal.

Extra Protection

Google offers an extra layer of protection for accounts beyond a password. This extra layer is called 2-Step Verification (2SV). It further restricts account access based on both something you know (your password) and something you have (a physical device). Typically the device is a pre-registered mobile phone where you can receive the 2-step verification codes. When signing into your account you need to provide both the password and this code to gain access. That means that if someone were to obtain your password (through a phishing scam for example) they still could not access your account because they would have no way to get the 2-step verification code.

Recently Google added another type of physical device you can use that eliminates the hassle of obtaining and entering codes: Universal 2nd Factor verification (U2F). This uses a small USB security key as the "something you have" part of 2-step verification.

Closing Thoughts

Protecting your e-mail account is sort of like keeping yourself healthy. You pay attention to the most common threats (heart disease, effects of smoking, accidents) and typically ignore the ones with a very low probability (getting hit by a meteor, getting struck by lightning, being bitten by a snake). They're all bad, but they're not all equally probable.

For account security, put a lot of effort into the first two methods listed above.  Use unique passwords.  Be very suspicious of any request for private account information.  And be aware of the security of any computer you use (which one could argue includes always logging out and not storing account information on the computer).

Finally, always keep your account recovery settings up-to-date so if anything does happen to your account one day, you are in a better position to recover it.  This is critical because if you don't have a secret question or if your recovery e-mail is no longer valid, it can be very difficult to recover an account.

How about this idea:  do it NOW.

Settings -> Accounts and Import -> Change Account Settings -> Change password recovery options

Additional Reading

Choosing a smart password: https://support.google.com/accounts/answer/32040
Google account security info: http://www.google.com/help/security/
How to recover a lost or compromised account: http://gmailaccountrecovery.blogspot.com/




* Gmail is a trademark of Google, Inc. This page is not sponsored by or affiliated with Google.