[Nobody believes Yahoo is acting maliciously, as I should have made clear. At worst it would be some regexps going awry. But Yahoo may have stopped the practice or tuned their regexps, as also noted by Paul Hoffman. --Declan]

---

Date: Mon, 15 Jul 2002 06:18:27 -0400 (EDT)
To: Declan McCullagh <declanat_private>
Subject: Re: FC: Do y*u Y*h**? Yahoo bans HTML email text with Javascript tags
In-Reply-To: <5.1.1.6.0.20020714223313.01b13dd0at_private>
From: John Adams <jnaat_private>

This just sounds like a set of bugs in their javascript protection parser (i.e. to stop people from sending other people malicious javascript) and I don't think they would do something like this in a malicious manner. As a programmer, I've made similar mistakes and can see how this would seriously bother people who send email using their service.

Politech has always been a bastion of good news, and little of your work has been subject to sensationalism. Don't give in to it in the same way slashdot has. They have a tendency to take small bugs like this and turn them into major political events.

-john

---

From: "Ben Serebin" <benat_private>
To: "Declan McCullagh" <declanat_private>
Subject: Re: FC: Do y*u Y*h**? Yahoo bans HTML email text with Javascript tags
Date: Mon, 15 Jul 2002 12:53:18 -0400

Hey Declan,

HTML.... I re-did the test below to ensure it used html tags. Note the <p> and <b> tags. Fancy HTML.

-Ben

----------

Received: from web10104.mail.yahoo.com ([])
  by mail.operationemail.com (Merak 5.0.0) with SMTP id JGA36956
  for <bennyat_private>; Mon, 15 Jul 2002 12:48:40 -0400
Message-ID: <20020715164839.54396.qmailat_private>
Received: from [216.89.86.242] by web10104.mail.yahoo.com via HTTP; Mon, 15 Jul 2002 09:48:39 PDT
Date: Mon, 15 Jul 2002 09:48:39 -0700 (PDT)
From: Ben <ben2300at_private>
Subject: Testing Yahoo.....
To: bennyat_private
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-902498927-1026751719=:53936"

--0-902498927-1026751719=:53936
Content-Type: text/plain; charset=us-ascii

Is this anal bullshit real.... oh, are we fucked. Evaluation, my penis. Coffee sure tests good. medieval Man I am.... Yahoo blows... time to over free e-mail. -Ben

---------------------------------
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes

--0-902498927-1026751719=:53936
Content-Type: text/html; charset=us-ascii

<p><b>Is this anal bullshit real.... oh, are we fucked. Evaluation, my penis. Coffee sure tests good. medieval Man I am.... Yahoo blows... time to over free e-mail. -Ben</b></p>
<p><br><hr size=1><b>Do You Yahoo!?</b><br>
<a href="! Autos</a> - Get free new car price quotes

--0-902498927-1026751719=:53936--

----------

----- Original Message -----
From: "Declan McCullagh" <declanat_private>
To: "Ben Serebin" <benat_private>
Sent: Monday, July 15, 2002 10:54 AM
Subject: Re: FC: Do y*u Y*h**? Yahoo bans HTML email text with Javascript tags

> Did you send HTML email to yourself (see Subject: line) or text email?
>
> -Declan
>
> At 09:47 AM 7/15/2002 -0400, you wrote:
> >Hey Declan,
> >
> > Did you test it? Because I did, and it's not the case, the word
> > replacement. Below is what I sent to myself.
> >
> >-Ben
> >
> >---------------------
> >
> >Received: from web10103.mail.yahoo.com ([])
> >  by mail.operationemail.com (Merak 5.0.0) with SMTP id JGA36956
> >  for <benat_private>; Mon, 15 Jul 2002 09:44:58 -0400
> >Message-ID: <20020715134457.8328.qmailat_private>
> >Received: from [66.114.69.91] by web10103.mail.yahoo.com via HTTP; Mon, 15
> >Jul 2002 06:44:57 PDT
> >Date: Mon, 15 Jul 2002 06:44:57 -0700 (PDT)
> >From: Ben <ben2300at_private>
> >Subject: Fucking Shit...
> >To: Ben <benat_private>
> >MIME-Version: 1.0
> >Content-Type: multipart/alternative; boundary="0-1666993424-1026740697=:8233"
> >
> >Is this anal bullshit real.... oh, are we fucked. Evaluation, my penis.
> >Coffee sure tests good. medieval Man I am.... Yahoo blows... time to over
> >free e-mail. -Ben
> >
> >
> >
> >Do You Yahoo!?
> >Yahoo! Autos - Get free new car price quotes (http://autos.yahoo.com/)
> >---------------------
> >
> >
> >---
> >
> >
> > >Date: Sun, 14 Jul 2002 11:03:19 -0400
> > >To: Declan McCullagh <declanat_private>
> > >From: Monty Solomon <montyat_private>
> > >Subject: Do y*u Y*h**?
> > >
> > >http://www.ntk.net/2002/07/12/
> > >
> > >
> > >         >> HARD NEWS <<
> > >         in powers of two
> > >
> > >  Nice to see, in the midst of all these scandals, Yahoo
> > >  turning a healthy profit. But as other companies fiddle the
> > >  figures, Yahoo's been busy instead with fiddling its own
> > >  users' private correspondence. In a fantastically clumsy
> > >  attempt to prevent cross-site scripting attacks, the free
> > >  e-mail wing of the sprawling giant has long been replacing
> > >  complete English words in the text of HTML mail sent to its
> > >  users. Mention "mocha" in an HTML mail to a friend with a
> > >  @yahoo.com account, and your choice in coffee will be
> > >  silently switched to "espresso". Talk about "free
> > >  expression", and your recipient will think you said "free
> > >  statement". Here's the full list of swaperoos:
> > >  http://www.ntk.net/2002/07/12/yahoo.txt
> > >  - try not to mail it to your friends
> > >
> > >  This fiddling has been going on now for over a year
> > >  (the ever vigilant RISKS digest noted it back in March
> > >  2001). But because of Yahoo's underhand methods, very few
> > >  people have spotted the turnabout - certainly far fewer than
> > >  if Yahoo had done the sensible thing and, say, "**"'ed out
> > >  the vowels in the word, or, God forbid, written a smarter
> > >  parser. But the sneakier you are, the wider the damage
> > >  spreads. The word "medieval" (since it contains the
> > >  javascript command "eval") is converted in Yahoo mail to
> > >  "medireview". Google now shows over 640 sites (and 1,150
> > >  separate instances) of the word "medireview" being used as a
> > >  synonym for medieval. University papers, bibliographies and
> > >  book reviews, Indian newspaper columnists, and endless
> > >  enthusiast sites drop it unseen into texts. People have
> > >  begun to ask where it originally came from, and does it have
> > >  a subtler meaning beyond "medieval"? Is Yahoo ever going to
> > >  fix its filters? Or is it time we pushed to get the first
> > >  regexp-obfuscated word into the Oxford English Dictionary?
> > >  http://catless.ncl.ac.uk/Risks/21.34.html
> > >  - does anyone still at Yahoo even know how to turn it off?
> > >  http://www.google.com/search?q=medireview
> > >  - NTK now entirely filled with google links
> > >
> > >

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
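The contrast the NTK piece draws, between a filter that rewrites keywords as plain substrings and a "smarter parser", as an added example that is not part of this thread and not Yahoo's code. The first function reproduces the three swaps quoted on the page (eval -> review, mocha -> espresso, expression -> statement; the rest of Yahoo's list is not reproduced), so it turns "medieval" into "medireview" exactly as described. The second is a hypothetical structure-aware alternative built on Python's html.parser: it drops <script> elements, on* handler attributes and javascript: URLs at the parse-tree level and never touches text nodes. The HTML snippets used as input are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed model of the behaviour NTK describes: the rewrite rules are
# plain substring substitutions over the whole mail body, so "eval" inside
# "medieval" is hit just like a bare eval(...) call would be.  Only the three
# pairs quoted on the page are included.
NAIVE_SWAPS = [
    (re.compile(r"eval"), "review"),
    (re.compile(r"mocha"), "espresso"),
    (re.compile(r"expression"), "statement"),
]


def naive_word_filter(body: str) -> str:
    """Substring blacklist: rewrites keywords anywhere, even inside other words."""
    for pattern, replacement in NAIVE_SWAPS:
        body = pattern.sub(replacement, body)
    return body


class ScriptStrippingParser(HTMLParser):
    """Hypothetical structure-aware filter (not Yahoo's): walks the markup,
    removes <script> elements, inline event handlers and javascript: URLs,
    and re-emits everything else, including text, unchanged."""

    URL_ATTRS = ("href", "src", "action")

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:  # html.parser lowercases names for us
            if name.startswith("on"):
                continue  # inline event handler such as onclick=
            if value is not None and name in self.URL_ATTRS \
                    and re.match(r"\s*javascript:", value, re.IGNORECASE):
                continue  # javascript: URL
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes pass through verbatim: "medieval" stays "medieval".
        if not self._skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")


def structure_aware_filter(body: str) -> str:
    """Strip executable constructs from HTML without rewriting any text."""
    parser = ScriptStrippingParser()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's test mail and a script payload.
    print(naive_word_filter("medieval Man I am, drinking mocha"))
    print(structure_aware_filter("<p><b>medieval Man</b><script>eval(x)</script></p>"))
```

The point for a defender is that a token blacklist applied to a text stream has two failure modes at once: it corrupts legitimate content it was never meant to touch, and it still misses anything that does not spell the token the way the regexp expects. Removing (or, better, whitelisting) elements and attributes in the parsed tree addresses the actual hazard and leaves prose alone.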
This archive was generated by hypermail 2b30 : Mon Jul 15 2002 - 11:09:15 PDT