How Gmail lets spammers grab your attention with emoji


What could be worse than email spam? Animated gifs in the subject line of email spam!

This is a trend I've recently started to see on Gmail - here's what it looks like and how it works.
(Image: Gmail flashing spam)

So, what's going on here? How have they got an animated image into the subject line?

Here's the raw text of the message's subject line:

Subject:=?UTF-8?B?876tqQ==?==?utf-8?q?__=79=6f=75=27=76=65=20=62=65=65=6e=20=63=68=6f=73=65=6e=20=66=6f=72=20=33=30=20=66=72=65=65=20=73=70=69=6e=73_?==?UTF-8?B?876tqQ==?=

Let's take a look at the code sequence at the start and end of the subject: =?UTF-8?B?876tqQ==?=

As all good geeks know, characters outside the ASCII range can't go into an email header directly - they are wrapped in an RFC 2047 "encoded word": the charset (UTF-8), then the encoding (B for Base64), then the encoded bytes. Base64-decoding 876tqQ== gives the four bytes of a single UTF-8 character.

The resulting character is U+FEB69 - a "Private Use" character, which has no defined representation in Unicode.

For most of us, the character "󾭩" doesn't display as any meaningful symbol - but on the web version of Gmail it shows up as a flashing star (Gmail's image B69).

WTF?

Ok, here's what's going on...

Way back in the mists of time (well, about 2009) there was no standard for Emoji. Each company made use of Unicode's private use characters in a different way. If you had a phone from Google and sent a message using the "Glowing Star Emoji" to a phone made by another manufacturer - the symbol would either not display properly, or show up as a completely different character!

Obviously, in an interconnected world, such a situation is untenable - so Google and several other companies set up the Emoji4Unicode project.

Google uses Private Use mappings to represent Emoji ("picture character") symbols in Unicode text. These characters are commonly used by Japanese cell phone carriers. This project makes these mappings available.

Google and other members of the Unicode consortium are also developing a proposal for the addition of standardized Emoji symbol characters to Unicode.

The Unicode consortium banged some heads together (in a friendly way) and everyone agreed on a new standardised set of characters.

The new Unicode standard has "Glowing Star" set as U+1F31F and looks like this: 🌟.
(If your computer doesn't support Unicode 6.0 you can take a look at the official reference chart.)

But the old version lives on! The animated GIF lives at https://mail.google.com/mail/e/B69 where it is used for the web version of Gmail. (You can alter that end number to get all manner of odd characters.)

Modern Android phones still recognise this relic - although, in Google's typically slapdash fashion, Android's Gmail app won't display the animation in the subject line, only in the body:

(Image: Gmail flashing emoji in the Android app)

The same happens with the iOS version of Gmail. Animated in the body, not in the subject line.

Try it yourself by sending an email with the subject and body "Star 🌟 vs Animated 󾭩".

It doesn't seem to work in Google Hangouts - or any other Google apps, just mail.

Interestingly, when sending these characters from the web or Android version of Gmail, it adds an "X-Goomoji-Subject" header and automatically converts the characters to GIFs. The Unicode is completely stripped away from the message.
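To see the decoding above done mechanically, and to turn it into the kind of check a mail filter could run, here is an added example (not code from the post or from Google) that decodes the RFC 2047 subject quoted earlier, lists any private-use code points it contains, and also notes the X-Goomoji-Subject header. The sender address and the goomoji_id mapping are assumptions; the mapping simply generalises the post's single example (U+FEB69 served as B69).

```python
import email
import email.header

# Message constructed for this example: the subject line is the one quoted in
# the post, the sender address is a placeholder.
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "Subject: =?UTF-8?B?876tqQ==?==?utf-8?q?__=79=6f=75=27=76=65=20=62=65=65"
    "=6e=20=63=68=6f=73=65=6e=20=66=6f=72=20=33=30=20=66=72=65=65=20=73=70"
    "=69=6e=73_?==?UTF-8?B?876tqQ==?=\r\n\r\nbody\r\n"
)

# Unicode private use ranges (BMP block plus planes 15 and 16); U+FEB69 from the
# post is in plane 15. Icon fonts use the BMP block too: a hit is a signal, not proof.
PUA_RANGES = ((0xE000, 0xF8FF), (0xF0000, 0xFFFFD), (0x100000, 0x10FFFD))

def decode_subject(raw_subject):
    """Decode RFC 2047 encoded words (=?charset?B|Q?...?=) into text."""
    parts = []
    for chunk, charset in email.header.decode_header(raw_subject):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)

def private_use_code_points(text):
    """Every code point in text that Unicode leaves undefined."""
    return [ord(c) for c in text
            if any(lo <= ord(c) <= hi for lo, hi in PUA_RANGES)]

def goomoji_id(code_point):
    """Image name Gmail would fetch for a legacy emoji code point. Assumed,
    generalising the post's one example (U+FEB69 -> /mail/e/B69): the low
    12 bits of the code point in upper-case hex."""
    return format(code_point & 0xFFF, "X")

def inspect_message(raw_message):
    """Flag a message whose subject carries private-use characters, or the
    X-Goomoji-Subject header Gmail adds when it converts them to GIFs."""
    msg = email.message_from_string(raw_message)
    subject = decode_subject(msg.get("Subject", ""))
    pua = private_use_code_points(subject)
    has_header = "X-Goomoji-Subject" in msg
    return {
        "subject": subject,
        "private_use": pua,
        "goomoji_ids": [goomoji_id(cp) for cp in pua],
        "has_goomoji_header": has_header,
        "suspicious": bool(pua) or has_header,
    }
```

Running inspect_message(SAMPLE_MESSAGE) decodes the subject to the star, the text "you've been chosen for 30 free spins" and the star again, reporting U+FEB69 twice and the image id B69 for each.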

So there we have it. An ancient form of Emoji, probably all but forgotten, has been resurrected by spammers in the hope that you'll notice their wares.

What a load of 󾓴!

5 thoughts on “How Gmail lets spammers grab your attention with emoji”

  1. As you mentioned "all manner of odd characters", I thought it'd be rude not to take a look...! The one I found which has (mildly) concerning connotations for me was https://mail.google.com/mail/e/B86 which is a padlock symbol. Seeing as how my (aged) mother in law's only understanding of internet security is "look for the padlock", this could (perhaps) be used to make an email look more legit and secure.

    Thank goodness she doesn't have a gmail account!

    1. :-) I had reported this to Google last week. Their response was

      Thanks for your report! This would not be considered a security vulnerability, as it does not influence or replace any existing security indicator used inside of GMail.

  2. I guess the better question would be, how do we block (or filter out) messages that have the animated subject lines? I have never once seen a legit email use one. I wonder if we could filter on the X-Goomoji-Subject: header. Might make for an interesting experiment!

    1. I've also been trying to figure out how to filter this. So far the best thing I can do is to create an Adblock filter for: mail.google.com/mail/e/

  3. Do any of those emails with the old animated emoji actually make it to your inbox? For me I get zero, I didn't even know this was possible until I cleaned my spam after a few months. I think Google is actually using those old emojis as a signal to mark the email as spam, which is perfectly fine with me.

    Who sees these emojis in their inbox?

What do you reckon?