January 17, 2012

Blocking Senders

E-mail is a great tool for communication but there are times when one does not want to receive any messages from certain senders. There are many potential reasons for this: personal, relational, legal. But the bottom line is that you no longer want to receive messages from this sender in your Inbox.


Blocking a Sender

Some e-mail providers have a system to block or blacklist specific senders. In most cases it's simply an easy-to-use front-end to a filter system: you provide an e-mail address and it builds a filter for you to auto-delete any messages from that sender.  As of 9/2015 Google has added a similar one-click blocking mechanism to Gmail* (https://support.google.com/mail/answer/8151).  You can now easily mark a sender to be blocked and Gmail automatically creates a filter to do so which is listed on the Settings->Filters and Blocklist page.

Gmail's implementation of blocking is a little more forgiving of mistakes (blocking the wrong address) or "blocker's remorse" in that the blocked e-mail is placed in the Spam label.  Other providers who have a blocking feature permanently delete the messages.  Placing them in Spam instead gives one the ability to recover messages that shouldn't have been blocked (as long as it is done before the 30-day auto-delete).  It should also be noted that while the messages are placed in Spam, they are not reported as spam to Gmail's spam filtering system.  The Spam label is just a place to store them until they are manually or automatically deleted.

The one down-side to this is that the blocked messages show up as unread in Spam.  This means that those who routinely check the Spam label for false positives may be misled into thinking there is new spam to check when it's just a new blocked sender's e-mail.  If this is an issue, the alternative is to create your own filter instead of using the block function.  This type of blocking has always existed in Gmail and it allows you more control over how it works and what it does with the messages.

Typically you will simply want to delete the messages. But there may be a case where there is some personal or legal reason you need to save these "blocked" messages. In such a situation you might label the messages, archive them (so they are not in the Inbox), and mark them as read. This is an example of why having full control over the filter is useful and more flexible than simple blocking.

So to create a simple blocking filter, do the following:
  1. Go to Settings->Filters and Blocklist
  2. Click the "Create a new filter" link towards the bottom of the page.
  3. Enter the sender's e-mail address in the From field
  4. Click the "Create filter with this search" link.
  5. Check the box for "Delete it".
  6. [optional] Check the box for "Mark as read".
Gmail help article: http://support.google.com/mail/bin/answer.py?hl=en&answer=8151

It may be interesting to note that Google Apps accounts have another option to do blocking: http://support.google.com/postini/bin/answer.py?hl=en&answer=141187 although this can only be done by the domain administrator.


Blocking with a Return Error Message

While the above process will satisfy most blocking requirements, there are times when one may want the sender to know their message was not delivered. That is, you want them to receive a bounced error message.

While there are a few providers that have this capability, it is not something Gmail supports. Even so, it is possible to simulate, or fake a bounced message back to the sender. Just like the above blocking, it involves creating a filter, but it adds the use of the Canned Response capability (Settings->Labs->Canned Response). So with the Canned Response lab enabled:
  1. Compose a message.
  2. Use the "Canned Responses" drop-down menu and select "New canned response..."
  3. Give it a name.
  4. Complete the message content (see below) and save the draft.
Now what should the canned response say? It needs to look similar to a real bounced message. Even so, it's not going to look exactly like one since it is being simulated. I would suggest something similar to the following which is the proper format and contains a correct SMTP error code for a refused message.
Delivery to the following recipient failed permanently:
your.name@gmail.com
Technical details of permanent failure:
The requested recipient could not be reached.
You do not have permission to send to this recipient.
SMTP Error 550 5.7.1 Requested action not taken: message refused.
Note: you should fill in your correct e-mail address in place of "your.name@gmail.com" to match the correct failure format. There's no problem using your address since they already have the address in order to send the message in the first place. It's not any new information. But if one is really concerned (paranoid) you could replace it with something like "*****@gmail.com" as if the address had been masked out. It just will look that much less like a true bounced message.

An alternative message that's a bit more to-the point about why it failed:
Delivery to the following recipient failed permanently:
your.name@gmail.com
Technical details of permanent failure:
SMTP Error 550 5.7.1 Rejected, your address is blacklisted by the recipient.
Unlike the earlier message that has some ambiguity, this one clearly says the sender was blacklisted.

Alternatively, you could use the error for a non-existent account which might suggest you deleted it:
Delivery to the following recipient failed permanently:
your.name@gmail.com
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 im3si6082088bkc.81 (state 13).
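The three canned responses above all hinge on the SMTP status codes in them (550 with an enhanced code of 5.7.1 or 5.1.1). The following is an added example, not part of the original post: a small Python parser that pulls the basic and enhanced codes out of a bounce body, decides whether the failure is permanent (5.x.x) or transient (4.x.x), and names the failed area from the middle digit as defined in RFC 3463. It is the same check a mail administrator does when deciding whether a bounce was a policy refusal or a non-existent mailbox. The two sample bounce texts are constructed from the canned responses shown above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Two constructed bounce texts, taken from the canned responses shown above
REFUSED = """Delivery to the following recipient failed permanently:
your.name@gmail.com
Technical details of permanent failure:
The requested recipient could not be reached.
You do not have permission to send to this recipient.
SMTP Error 550 5.7.1 Requested action not taken: message refused."""

NO_SUCH_USER = """Delivery to the following recipient failed permanently:
your.name@gmail.com
Technical details of permanent failure:
The error that the other server returned was: 550 550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 im3si6082088bkc.81 (state 13)."""

# Subject sub-codes of an enhanced status code (RFC 3463): the middle number says which
# part of delivery failed; the first number (2/4/5) says success/transient/permanent.
SUBJECTS = {
    0: "other", 1: "addressing", 2: "mailbox", 3: "mail system",
    4: "network/routing", 5: "delivery protocol", 6: "message content", 7: "security/policy",
}

# Matches "550 5.7.1 ..." as well as the multi-line forms "550 550-5.1.1 ..." and "550-5.1.1 ..."
REPLY_RE = re.compile(r"\b([245]\d\d)[ -](?:[245]\d\d-)?([245]\.\d{1,3}\.\d{1,3})\b")
# A line holding nothing but an address, as in the Gmail bounce layout above
RCPT_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$", re.M)


@dataclass
class Bounce:
    recipient: Optional[str]   # address the bounce says could not be reached
    reply_code: int            # basic SMTP reply code, e.g. 550
    enhanced: str              # enhanced status code, e.g. "5.7.1"
    permanent: bool            # 5.x.x (or a 5yz reply) means: do not retry
    subject: str               # human label for the middle digit


def parse_bounce(text: str) -> Optional[Bounce]:
    """Pull the status codes out of a bounce body; None if no SMTP code is present."""
    m = REPLY_RE.search(text)
    if not m:
        return None
    reply_code, enhanced = int(m.group(1)), m.group(2)
    klass, subject_digit = enhanced.split(".")[:2]
    r = RCPT_RE.search(text)
    return Bounce(
        recipient=r.group(0) if r else None,
        reply_code=reply_code,
        enhanced=enhanced,
        permanent=(klass == "5" or reply_code >= 500),
        subject=SUBJECTS.get(int(subject_digit), "unknown"),
    )


def summarize(text: str) -> str:
    """One-line human reading of a bounce, e.g. for a mail-log triage script."""
    b = parse_bounce(text)
    if b is None:
        return "no SMTP status code found (probably not a bounce)"
    kind = "permanent" if b.permanent else "transient"
    who = b.recipient or "unknown recipient"
    return f"{kind} failure for {who}: {b.reply_code} {b.enhanced} ({b.subject})"


if __name__ == "__main__":
    for sample in (REFUSED, NO_SUCH_USER):
        print(summarize(sample))
```

Run as a script it prints one summary line per sample; the 5.7.1 text is reported as a security/policy failure and the 5.1.1 text as an addressing failure, which is exactly the difference between the "blacklisted" and "account does not exist" wordings above.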

And now create the actual filter:
  1. Go to Settings->Filters and Blocklist
  2. Click the "Create a new filter" link towards the bottom of the page.
  3. Enter the sender's e-mail address in the From field
  4. Click the "Create filter with this search" link.
  5. [optional] Check the box for "Skip the Inbox (Archive it)"
  6. [optional] Check the box for "Apply the label" and select one from the drop-down list.
  7. Check the box for "Send canned response" and select one from the drop-down list.
  8. [optional] Check the box for "Mark as read".
Note 1, and this is important: you cannot check the box to delete the message, because the system will not send a canned response for a deleted message.

Note 2, the optional steps are basically to keep these messages out of your Inbox by placing them in a label of your choice. You can then decide to save them if needed, or every so often go and delete all the messages in that label.

Clearly this system isn't perfect. The biggest problem is that you can't delete the message and also send the canned response. Still, it's a reasonable work-around given that Gmail doesn't have the ability to bounce a message. And it will satisfy the needs some users have to block a sender with a message so they know they are blocked.

Of course, as already mentioned, it may not fool a more knowledgeable e-mail user. But what can they do about it? If they send a message saying "I know it's fake" all they'll get is another failure report.

Summary

It's unfortunate that there are reasons why one may want or need to block a sender from e-mailing to your account. But fortunately Gmail provides the tools to keep such messages out of your Inbox. It may take some self-control to not look at them in Trash if the content may be disturbing. But they can be deleted permanently without opening.

And the workaround for simulating a bounced error return is pretty easy to set up and use. It should work for most cases, and help provide one a level of protection from unwanted contact.





* Gmail is a trademark of Google, Inc. This page is not sponsored by or affiliated with Google.

January 11, 2012

Gmail Backup

Last update: 10/2020

For most people, e-mail is a critical part of their life. Many important documents and collections of information can be stored there, the loss of which can be devastating. But we all assume that "since it's stored in the cloud, it must be safe, right?"

Well, yes and no.

While most companies have server-level backup and disaster recovery plans, they may not support account-level recovery. So for example, if one of their data-centers burns down, everything can be safely restored to another data-center. But if the contents of your specific account are lost, there may be no way to get it restored. This is generally true of Gmail*, although there are some cases where messages deleted as a result of a compromised (hacked) account may be able to be restored.

Because of this, it's critical that people provide their own backups of their e-mail accounts, and in fact all important information that is stored in "the cloud". There are various ways the information can be lost, the most common of which is a compromised (hacked) account, and the provider may not have a way to restore the lost data.

For Gmail accounts, you have three primary backup paths to choose from:
  • An e-mail client (like Thunderbird, Outlook, etc).
  • A stand-alone backup utility.
  • A cloud-based backup service.

There are a number of advantages and disadvantages to using an e-mail client:
  • The saved messages can be easily viewed with the client.
  • The messages can be sorted or have other actions performed that Gmail may not support.
  • It may not be possible to do automated backups; you may have to manually open the client and do an update.
  • It may not be obvious where the messages are saved on the computer.
  • The file format may not be convenient to use by anything other than the e-mail client.
  • It may not be easy or obvious how to restore the messages back to a Gmail account.
  • Configuration errors could result in messages being deleted from Gmail or the client when it synchronizes (using IMAP).

A stand-alone utility will have a different set of advantages and disadvantages:
  • It will be a smaller program than a full e-mail client.
  • The utility will probably be easier to set up and use than a full e-mail client.
  • The utility should provide an easy way to restore the backup.
  • The location where it stores the messages will be easier to determine so they can be included in normal computer backups.
  • The utility probably won't be able to view the messages (although, depending on the format, an e-mail client might be able to view the message files).
  • The utility probably won't support restoring the backup to an account leaving you to figure that out yourself.

Finally, a cloud-based service has some things to consider:
  • It requires no local storage space on your computer.
  • It is probably fully automated with a regular schedule requiring no actions on your part.
  • The service may support backups of other Google services: Docs, contacts, etc.
  • If available, free accounts tend to be small (2GB-4GB) and crippleware. Paid accounts are subscription based so the expense is ongoing.

Additionally, be aware that most tools/services are account specific. That means you may only be able to restore to the specific account you were doing backups on. That's fine if you lose the contents of the account; you can just restore them. But if you lose the account itself (deleted, disabled, lost password, etc) and you can't restore to a new account, then the backup becomes worthless.

The following is a partial list of stand-alone utilities and cloud-based services you can use to back up your account. Some are much better than others. Some are free, some cost money. Some support restoring the backup, some don't.

The last section lists some services to support Google's domain products: Legacy Google Apps, G Suite, and Google Workspaces. An advantage to these services is they often include multiple products like Gmail, Contacts, Drive, and perhaps others. These aren't useful for regular Gmail accounts, but are listed for completeness.

  • Recommended
    • Got Your Back - https://github.com/jay0lee/got-your-back/wiki
      This is the current best-in-class for a Gmail backup solution. It's supported, and written specifically for Gmail (which means proper handling of labels and other tags). It can restore to the original account, or a different account (if the original was lost). It's a command-line tool, which is important to be able to run it as a scheduled task. Its only negatives are that it's command-line only (there is no graphical interface), and setup has become more challenging due to increased account security by Google. As an aside: this is the tool I use.
  • Acceptable
    • IMAPSize - http://www.broobles.com/imapsize/
      A free stand-alone program to backup and manage an e-mail account using IMAP. Very flexible, but treats labels as folders.
    • OwnMyCopy - http://ownmycopy.com/
      This one appears to be full-featured (backup and restore, handles labels), it's a paid utility (which ranks it below a free one).
    • Spinbackup Personal - https://spinbackup.com/solutions/individual-use/
      A cloud-based free or paid service that handles GMail, Contacts, Drive, Calendar, Sites, Photos. The free 4GB version is crippleware and may not be optimal for most people.
  • Inadequate
    • MailStore - http://www.mailstore.com/
      A paid utility (free for home use) generic backup tool. Since it's generic it doesn't fully handle Gmail labels (treating them more like folders) which would create some issues for a restore.
    • Gmail Backup - http://www.gmail-backup.com/
      This used to be the preferred solution for a free Gmail backup utility. Unfortunately, it's no longer supported, and has an IMAP bug that causes it to mark all messages as read when doing a backup.
    • BackupGoo - http://en.backupgoo.com/
      A paid utility that does not support restore.
    • SysTools - https://www.systoolsgroup.com/gmail-backup.html
      A paid utility.  Can not do restore.
  • Obsolete (past options that are no longer available, links are not safe)
    • BackupMyNet - http://backupmy.net/
      No longer exists.
    • Backup Gmail - http://backupgmail.m4ss.net/
      No longer exists.
    • Beyond Inbox - http://www.beyondinbox.com/
      No longer exists.
    • Gmail Keeper - http://gmailkeeper.com/
      Obsolete, replaced by OwnMyCopy.
    • Simplicato - http://www.simplicato.com/
      No longer exists.
    • TheGmailBackup - http://www.thegmailbackup.com/
      No longer exists.
    • UpSafe - http://www.upsafe.com/
      No longer exists.
  • G Suite / Google Workspaces
    • AFI - https://afi.ai/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar, Sites. Correctly handles Gmail labels.
    • Backupify - http://www.backupify.com/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar.
    • CloudAlly - http://www.cloudally.com/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar, Sites.
    • Spanning - https://spanning.com/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar, Sites.
    • Spinbackup - https://spinbackup.com/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar, Sites, Photos.
    • SysCloudSoft - http://www.syscloudsoft.com/
      A cloud-based subscription service that handles GMail, Contacts, Drive, Calendar, Sites.

    The G Suite / Workspaces options are all pretty similar. The main differences are in price, the user interface, and storage limitations (some are unlimited, some aren't). The other BIG question for the context of this article is if they correctly handle the restoration of conversations (not as individual messages) and of labels (including nesting). Most sites aren't clear on that meaning the only way to be sure is to test it with a free demo (which was beyond the scope of this article).

    While perhaps not 100% objective, here is a review of the above Google Workspace solutions that goes into more detail, and covers more providers: https://afi.ai/blog/best-g-suite-backup-solution. As a footnote: this is the tool I use for my Legacy Google Apps account.

    As you can see there are a variety of good choices to protect your Gmail account (if you're willing to spend some money).  There are also a number of "feel good" choices (you feel good because you're doing a backup, but the inability to access the backup or restore it may make them less useful).

    Of course, when using a stand-alone utility, once the messages are saved to your computer, you can and should include them in your normal computer backup, or you can manually save them to an external device (like a USB drive).

    Some may well ask if it's really safe to use a cloud-based service to back up another cloud-based service (e-mail). The key to a good backup is both redundancy and separation. You want multiple backups, and you want them in multiple locations. So, for example, an external USB disk sitting on top of the computer it's used to back up is not a good idea. You only have one copy of the backup, and if the location is hit by fire/flood/disaster, both the computer and the backup will be lost. But the odds of two independent companies experiencing a major disaster with data loss are small enough to justify a cloud-based backup.

    Whatever backup method you choose, make sure it either gives you access to the messages (like an e-mail client) or a well-defined way to do a restore (like Got-Your-Back). A backup you can't view or restore isn't a backup at all. And if it's a manual process make sure you do it on a regular schedule as a badly out-of-date backup isn't of much value either.

    So now you know why, you know how, and you know what tools to use. Set it up today so tomorrow you aren't another statistic posting to the forum: "Help, my account was hacked and everything deleted. How do I get it all back?"




    * Gmail is a trademark of Google, Inc. This page is not sponsored by or affiliated with Google.

January 9, 2012

How NOT To Get Hacked

Every day e-mail accounts get compromised. This is not unique to any one e-mail provider; it happens to them all. When an account is compromised, it tends to be used for any one of a number of common reasons:
  • To send out spam advertising to all the contacts stored in the account.
  • To send out scams to all the contacts stored in the account attempting to steal money from them.
  • To gain access to other accounts from information stored in messages. This could be other e-mail accounts (to send spam) or bank and financial accounts.
  • To gain access to private information or to destroy information stored in the account.
Besides the obvious embarrassment and potential financial loss to you or your contacts, other results can include:
  • Loss of all your contacts (deleted so you can't warn them of the scam).
  • Loss of all your e-mail history (deleted for various reasons).
  • Loss of your entire e-mail account (deleted when the hacker is done with it).
While Gmail* has ways to recover lost or deleted accounts, contacts, and sometimes e-mail, it's best if the account compromise never happened in the first place. To that end one needs to be aware of how e-mail accounts can be compromised and what steps to take to prevent it.

Below is a partial list of ways accounts can be compromised. It's not an exhaustive list, but it includes the most common methods and a few of the less common ways.  The first two are the most important ones to be aware of and guard against.

Common Password Usage

This is the practice of using the same password for multiple web-sites.  It can be hard to remember a lot of different passwords, so many people take the short-cut of repeating password usage or, in the most extreme case, only using a single password for every account they have.  While Google's e-mail servers are extremely secure, that can't be said of every web-site in the world.  Hackers will compromise less secure web-sites and steal the account registration database.  That typically includes an e-mail address and password for each account.  For people who use the same password everywhere, the hacker just got the e-mail address and password and can directly log into the account.

So the single best, and most important, thing you can do to keep your e-mail account secure is to use a unique password that you don't use anywhere else.  This is more important than the password length or complexity, neither of which helps if they harvest the password from another site.


Phishing

At its core, phishing is the process of someone asking for your password and you giving it to them.  Of course it's not that simple.  The request may be buried in a long e-mail about policy changes, or account verification.  It may tell you to sign in to your account, but the link provided doesn't actually go to google.com (even though it may perfectly mimic the Gmail sign-in page).  Often it includes threats of account loss or deletion to encourage (that is scare) you to provide the information.

Whatever form it takes, the bottom line is the same:  they have the account name and password and can log in any time they want to.  And of course the best phishing scams are the ones where the user never realizes they were phished.  They just suddenly lose access to their account with no idea why or what happened.

No reputable web-site (Gmail or any other) will ask you for your password in an e-mail.  Never ever reply to a message with your account password.  Never!  And even if the e-mail looks totally legitimate, always verify that the link you follow really ends up at the correct site before you enter any information.  Always!
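"Verify that the link really ends up at the correct site" has a precise meaning: the host the browser will connect to, not the text you see. The following is an added example, not code from the original post, showing how a link checker would make that decision in Python. It extracts the real host (which discards the "user@" trick in https://google.com@example.net and any port), insists on https for a sign-in page, refuses punycode look-alike labels, and flags a link whose visible text names one host while its href goes to another. The trusted-domain set is a constructed example for the Gmail case in this post.

```python
import re
from urllib.parse import urlsplit

# Domains the user actually means to sign in to (constructed example set for this post's
# Gmail scenario; adjust to the services you use)
TRUSTED_DOMAINS = {"google.com", "gmail.com"}

# Display text that looks like a URL or bare host name (used by anchor_mismatch)
URLISH_RE = re.compile(r"(https?://)?[\w.-]+(/\S*)?")


def link_host(url: str):
    """Host the browser will really connect to, or None for non-web or malformed links."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None                  # javascript:, data:, mailto: ... are never sign-in pages
    host = parts.hostname            # drops 'user:pass@' userinfo and ':port', lower-cases
    if not host:
        return None
    return host.rstrip(".")          # 'google.com.' is the same host as 'google.com'


def host_in_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; 'google.com.example.net' is neither."""
    return host == domain or host.endswith("." + domain)


def check_link(url: str, trusted=TRUSTED_DOMAINS):
    """(ok, reason): ok is True only for an https link whose host is inside a trusted domain."""
    host = link_host(url)
    if host is None:
        return False, "not an http(s) link"
    if urlsplit(url.strip()).scheme.lower() != "https":
        return False, "sign-in page is not served over https"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised (punycode) host label, possible look-alike"
    if not any(host_in_domain(host, d) for d in trusted):
        return False, f"host '{host}' is not under a trusted domain"
    return True, f"host '{host}' is under a trusted domain"


def anchor_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one host but the href leads to a different one."""
    shown_text = display_text.strip()
    if not URLISH_RE.fullmatch(shown_text):
        return False                 # plain words like "Sign in here": nothing to compare
    if "://" not in shown_text:
        shown_text = "https://" + shown_text
    shown, target = link_host(shown_text), link_host(href)
    if shown is None or target is None:
        return False
    return shown != target


if __name__ == "__main__":
    for link in ("https://accounts.google.com/signin",
                 "https://google.com@example.net/",
                 "https://google.com.example.net/signin"):
        print(link, "->", check_link(link))
```

The design choice worth noting is that everything is decided from `urlsplit(...).hostname`, the same value the browser uses, so whatever the page shows in blue text is irrelevant to the verdict; that is why `anchor_mismatch` exists as a separate signal.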

Keyloggers and other Malware

A keylogger is a utility installed on a computer that captures every keystroke as people use the computer.  It's not too hard to search through the resulting information to find e-mail address and passwords entered by people logging into accounts.  As with other methods, someone now has direct access to the account.

This problem is usually found on public computers, like at a school, library or workplace: anyplace where a computer is not physically secure and anyone can use it and potentially install programs on it.  It can also be a risk in a home or work environment if anyone else has access to the computer.  And since keyloggers are a different class of problem, they may not be identified by the anti-virus software running on the computer.

The best defense from this class of attack is to never use a computer that you are not 100% sure is safe.  Also, never leave a computer you own logged in (or without a locking screen-saver) when you are not physically present.

Logging Out

This is related to the physical security of the computer(s) used.  If anyone has access to the computer, you must always log out of any accounts when leaving the computer unattended.  Otherwise anyone who walks up has full access to all accounts (including e-mail) that may be active.

Browser Auto-Fill

This is similar to the above in that it relies on a secure computer.  If you have your account login information saved in your browser (so it automatically fills it in for you) then anyone else using the computer can also log into the accounts.  If the computer is not physically secure, then it's important to not have account information saved in the browser (or in any files saved on the computer).

Password Guessing

This is a brute-force process of guessing the password to an account.  It's made easier if the hacker knows you and can make guesses using family/pet names, locations, etc.

There are basically three levels of brute-force attacks.
  • Someone with personal knowledge of you (often a spouse or ex-spouse, girl/boy-friend, etc) who can figure out your password. These are people who know your kids'/pets'/parents' names or what you probably use as a password. They might even know your actual password.
  • Using trivial or common passwords. This includes using trivially guessed (and unfortunately all too common) passwords like: "Password", "123456", "qwerty", etc. If your password is on the following list you're at-risk: http://mashable.com/2011/11/17/worst-internet-passwords/
  • Use of a program that tries dictionary words/combinations just trying to figure out the password. This is what is typically thought of as a "brute-force" attack.

In reality, most modern password systems have protections in place to prevent this.  After some number of incorrect guesses the system will do something to prevent further guesses.  It may lock the account for a while, or require the manual solving of a Captcha (the squiggly letters), or something else. Gmail has this sort of protection.

The best defense against any sort of brute-force attack is to follow standard password generation safeguards:  no common words or proper names, no patterns (123456 or qwerty), use mixed case and include numbers or punctuation, etc. And of course, make sure no one else knows your password.
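The two halves of the brute-force story above (the user-side safeguards in the last paragraph and the server-side lockout described before it) are both mechanical enough to show in code. The following is an added example, not from the original post: `password_issues` applies the listed rules to a candidate password (minimum length, the common-password list, sequential runs such as 123456, keyboard walks such as qwerty, character-class mix, and any family or pet names the user supplies), and `LoginGuard` is the kind of throttle a service puts in front of its login form, locking an account after a number of failures. The common-password list is a short constructed stand-in for the linked list, and the 12-character minimum and 5-attempt / 15-minute lockout are assumed policy values, not figures from the post.

```python
import string
import time
from collections import defaultdict

# Constructed stand-in for the "worst passwords" list linked above
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123",
                    "monkey", "letmein", "iloveyou", "welcome", "football"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12          # assumed policy value, not from the post


def has_run(pw: str, length: int = 4) -> bool:
    """True if any `length` consecutive characters step by exactly +1 or -1 (abcd, 6543)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def has_keyboard_walk(pw: str, length: int = 4) -> bool:
    """True if the password contains a slice of a keyboard row, in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            piece = row[i:i + length]
            if piece in s or piece[::-1] in s:
                return True
    return False


def password_issues(pw: str, personal_words=()) -> list:
    """Every way the password breaks the safeguards above; an empty list means it passes."""
    issues = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        issues.append("too short")
    if low in COMMON_PASSWORDS:
        issues.append("on common-password list")
    if has_run(pw):
        issues.append("sequential run")
    if has_keyboard_walk(pw):
        issues.append("keyboard pattern")
    for word in personal_words:          # kids'/pets'/parents' names an acquaintance would try
        if len(word) >= 3 and word.lower() in low:
            issues.append(f"contains personal name '{word}'")
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    classes = sum(any(c in group for c in pw) for group in groups)
    if classes < 3:
        issues.append("fewer than three character classes")
    return issues


class LoginGuard:
    """Server-side throttle: after max_failures wrong guesses an account is locked for a while."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # account -> wrong guesses since last success/lock
        self.locked_until = {}             # account -> time the lock expires

    def attempt(self, account: str, password_ok: bool, now: float = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account ignores even a correct password."""
        now = time.time() if now is None else now
        if now < self.locked_until.get(account, 0):
            return "locked"
        if password_ok:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures.pop(account, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    for candidate in ("123456", "Password1", "correct-Horse7-battery!"):
        print(candidate, "->", password_issues(candidate) or "passes")
```

Note what the checker cannot see: whether the password is reused on another site, which the post ranks as the most important property of all. That is a habit, not a string property, and no checker can enforce it.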

Network Packet Capture

This is the process of using hardware or software utilities to monitor the raw traffic on a network to try and capture account login information.  The risk here is typically when using unsecured wireless networks, like the type provided free at various businesses.

While this is a real threat, it requires someone with the right tools and a good knowledge of network protocol.  The odds of such a person sitting next to you at that coffee shop are pretty small.

The best defense against this risk is to never use an insecure wireless network.  If the network doesn't require an encryption key to use, then you probably don't want to connect to it.

Server Attack

As discussed above with common password usage, this is the process of hacking a provider's e-mail servers to gain direct access to the login database or e-mail accounts.  As an end-user there is nothing you can do to guard against this sort of problem other than using only reputable companies for on-line services.

Again, Google's e-mail servers are extremely secure (both from network and physical access) so the risk of this is infinitesimal.

Extra Protection

Google offers an extra layer of protection for accounts beyond a password. This extra layer is called 2-Step Verification (2SV). It further restricts account access based on both something you know (your password) and something you have (a physical device). Typically the device is a pre-registered mobile phone where you can receive the 2-step verification codes. When signing into your account you need to provide both the password and this code to gain access. That means that if someone were to obtain your password (through a phishing scam for example) they still could not access your account because they would have no way to get the 2-step verification code.

Recently Google added another type of physical device you can use that eliminates the hassle of obtaining and entering codes: Universal 2nd Factor verification (U2F). This uses a small USB security key as the something you have part of 2-step verification.

Closing Thoughts

Protecting your e-mail account is sort of like keeping yourself healthy. You pay attention to the most common threats (heart disease, effects of smoking, accidents) and typically ignore the ones with a very low probability (getting hit by a meteor, getting struck by lightning, being bitten by a snake). They're all bad, but they're not all equally probable.

For account security, put a lot of effort into the first two methods listed above.  Use unique passwords.  Be very suspicious of any request for private account information.  And be aware of the security of any computer you use (which one could argue includes always logging out and not storing account information on the computer).

Finally, always keep your account recovery settings up-to-date so if anything does happen to your account one day, you are in a better position to recover it.  This is critical because if you don't have a secret question or if your recovery e-mail is no longer valid, it can be very difficult to recover an account.

How about this idea:  do it NOW.

Settings -> Accounts and Import -> Change Account Settings -> Change password recovery options

Additional Reading

Choosing a smart password: https://support.google.com/accounts/answer/32040
Google account security info: http://www.google.com/help/security/
How to recover a lost or compromised account: http://gmailaccountrecovery.blogspot.com/




* Gmail is a trademark of Google, Inc. This page is not sponsored by or affiliated with Google.