How Google Secures Gmail Against Spam and Ransomware

At the RSA Conference, Elie Bursztein, anti-fraud and abuse research team lead at Google, explains the many technologies in place to protect Gmail users.

Elie Bursztein RSA Conference 2017

SAN FRANCISCO—Google's Gmail web email service is used by millions of companies and consumers around the world, making it an attractive target for attackers. In a session at the RSA Conference here, Elie Bursztein, anti-fraud and abuse research team lead at Google, detailed the many technologies and processes that Google uses to protect users and the Gmail service itself from exploitation.

At the core of Google' Gmail defenses are deep learning artificial intelligence systems. Bursztein told the capacity crowd that Google's deep learning has been continuously improved over the years and is now 99.9 percent accurate in detecting spam email.

The deep learning capabilities that Google has deployed involve both software and hardware assets. Bursztein said Google has built and deployed dedicated ASICs (application specific integrated circuits) to accelerate the deep learning workflow, helping Gmail to stay ahead of spammers and email threats.

There are also a host of internet standards that help Google keep its Gmail users safe. Among those standards is STARTTLS, which as the name implies, starts TLS (Transport Layer Security) to encrypt email data transfer. SMTP (Simple Mail Transfer Protocol), which is the protocol used to enable email, does not by default make use of encryption, potentially exposing email users to the risk of message interception.

While Google is a big advocate of STARTTLS, Gmail isn't the only provider of email inboxes and not all email connections are secure. However, Bursztein said the trend in the last few years has been moving in the right direction. At this point in 2017, he said that 80 percent of inbound email to Gmail inboxes is encrypted, while 87 percent of outbound email is encrypted.

Wider use of STARTTLS is the result of Google improving the visibility of when emails are not encrypted. Bursztein said Google last year began to visually indicate—with a broken lock icon indicator—to Gmail users when email is not encrypted, and that has helped to speed up adoption of STARTTLS.

Having STARTTLS is just the start of making sure email connections are secure. It's also important to have trust in the integrity of the TLS certificate that is used for encryption which is where the ongoing SMTP Strict Transport Security initiative comes into play. Bursztein explained that the goal of SMTP Strict Transport Security is to have an industrywide effort to prevent man-in-the-middle (MiTM) attacks against email with rogue certificates.

Validating the integrity of email is also about preventing impersonation. There are multiple email integrity efforts and standards that Gmail employs, including DKIM (DomainKeys Identified Mail) for signing emails; SPF (Sender Policy Framework), which specifies which email servers are trusted to send email on behalf of a given domain; and DMARC (Domain-based Message Authentication, Reporting and Conformance), which provides a mechanism for reporting.

Bursztein said that adopting DMARC is very important for organizations of all sizes as it provides visibility into impersonation attacks against email domains. Overall, he warned that DMARC adoption is too low, which is why Google is providing Google Postmaster tools, to help organizations use the right standards to help improve email security.


Among the biggest email threats today is ransomware, which has aggressively attempted to exploit Gmail users. In particular, the Locky ransomware family was particularly active against Gmail in 2016, Bursztein said.

In an attack that Google has not widely discussed, Bursztein said that on May 5, 2016, Google was impacted by a very large Locky incident. At 2 a.m. PT, Gmail was seeing 20,000 Locky messages an hour come in, which spiked up to 30 million an hour at 5 a.m.

Bursztein said that although the attackers were using very sophisticated techniques that attempted to evade Google's security, they weren't successful.


While Google has gone to great lengths to secure Gmail and its users, there are still some cases where things slip through and users are exploited. In the question-and-answer segment of Bursztein's RSA Conference session, an attendee asked how Google let John Podesta, the campaign director for U.S. Democratic presidential candidate Hillary Clinton, click on a phishing link in his Gmail account that led to a major leak. Bursztein was visibly uncomfortable answering the question, shrugging and noting that Google is continuously trying to improve its abilities to protect users and limit risk.

"For phishing attacks, no defense is perfect," he said. "We advocate for the use of Security Keys as helping to provide the best defense."

The Security Key effort is a physical USB key that adheres to the FIDO Alliance U2F (Universal Second Factor) standard, providing an additional layer of security to prevent phishing attacks. Google has widely deployed Security Keys among its own employees and over a two-year period found that it had a dramatic impact on improving security.

"It was an important incident," Bursztein said of the Podesta Gmail phishing attack. "There were some learnings out of it, and we're always improving."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.