Politech mailing list archives

FC: Does Yahoo currently ban HTML email text with Javascript tags?


From: Declan McCullagh <declan () well com>
Date: Mon, 15 Jul 2002 13:25:53 -0400

[Nobody believes Yahoo is acting maliciously, as I should have made clear. At worst it would be some regexps going awry. But Yahoo may have stopped the practice or tuned their regexps, as also noted by Paul Hoffman. --Declan]

---

Date: Mon, 15 Jul 2002 06:18:27 -0400 (EDT)
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Do y*u Y*h**? Yahoo bans HTML email text with Javascript tags
In-Reply-To: <5.1.1.6.0.20020714223313.01b13dd0 () mail well com>
From: John Adams <jna () retina net>

This just sounds like a set of bugs in their javascript protection parser
(i.e. to stop people from sending other people malicious javascript) and I
don't think they would do something like this in a malicious manner.

As a programmer, I've made similar mistakes and can see how this would
seriously bother people who send email using their service.

Politech has always been a bastion of good news, and little of your work
has been subject to sensationalism. Don't give in to it in the same way
Slashdot has. They have a tendency to take small bugs like this and turn
them into major political events.

-john

---

From: "Ben Serebin" <ben () serebin com>
To: "Declan McCullagh" <declan () well com>
Subject: Re: FC: Do y*u Y*h**? Yahoo bans HTML email text with  Javascript tags
Date: Mon, 15 Jul 2002 12:53:18 -0400

Hey Declan,

HTML.... I re-did the test below to ensure it used HTML tags. Note the <p> and <b> tags. Fancy HTML.

-Ben


----------

Received: from web10104.mail.yahoo.com ([])
        by mail.operationemail.com (Merak 5.0.0) with SMTP id JGA36956
for <benny () serebin com>; Mon, 15 Jul 2002 12:48:40 -0400
Message-ID: <20020715164839.54396.qmail () web10104 mail yahoo com>
Received: from [216.89.86.242] by web10104.mail.yahoo.com via HTTP; Mon, 15 Jul 2002 09:48:39 PDT
Date: Mon, 15 Jul 2002 09:48:39 -0700 (PDT)
From: Ben <ben2300 () yahoo com>
Subject: Testing Yahoo.....
To: benny () serebin com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-902498927-1026751719=:53936"

--0-902498927-1026751719=:53936
Content-Type: text/plain; charset=us-ascii


Is this anal bullshit real.... oh, are we fucked. Evaluation, my penis. Coffee sure tests good. medieval Man I am.... Yahoo blows... time to over free e-mail. -Ben



---------------------------------
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
--0-902498927-1026751719=:53936
Content-Type: text/html; charset=us-ascii

<p><b>Is this anal bullshit real.... oh, are we fucked. Evaluation, my penis. Coffee sure tests good. medieval Man I am.... Yahoo blows... time to over free e-mail. -Ben</b></p>
<p><br><hr size=1><b>Do You Yahoo!?</b><br>
<a href="! Autos</a> - Get free new car price quotes
--0-902498927-1026751719=:53936--



----------

----- Original Message -----
From: "Declan McCullagh" <declan () well com>
To: "Ben Serebin" <ben () serebin com>
Sent: Monday, July 15, 2002 10:54 AM
Subject: Re: FC: Do y*u Y*h**? Yahoo bans HTML email text with Javascript tags

> Did you send HTML email to yourself (see Subject: line) or text email?
>
> -Declan
>
> At 09:47 AM 7/15/2002 -0400, you wrote:
> >Hey Declan,
> >
> >         Did you test it, because I did, and it's not the case the word
> > replacement. Below is what I sent to myself.
> >
> >-Ben
> >
> >---------------------
> >
> >Received: from web10103.mail.yahoo.com ([])
> >         by mail.operationemail.com (Merak 5.0.0) with SMTP id JGA36956
> > for <ben () serebin com>; Mon, 15 Jul 2002 09:44:58 -0400
> >Message-ID: <20020715134457.8328.qmail () web10103 mail yahoo com>
> >Received: from [66.114.69.91] by web10103.mail.yahoo.com via HTTP; Mon, 15
> >Jul 2002 06:44:57 PDT
> >Date: Mon, 15 Jul 2002 06:44:57 -0700 (PDT)
> >From: Ben <ben2300 () yahoo com>
> >Subject: Fucking Shit...
> >To: Ben <ben () serebin com>
> >MIME-Version: 1.0
> >Content-Type: multipart/alternative; boundary="0-1666993424-1026740697=:8233"
> >
> >Is this anal bullshit real.... oh, are we fucked. Evaluation, my penis.
> >Coffee sure tests good. medieval Man I am.... Yahoo blows... time to over
> >free e-mail. -Ben
> >
> >
> >
> >Do You Yahoo!?
> ><http://autos.yahoo.com/>Yahoo! Autos - Get free new car price quotes
> >---------------------
> >
> > >---
> > >
> > >Date: Sun, 14 Jul 2002 11:03:19 -0400
> > >To: Declan McCullagh <declan () well com>
> > >From: Monty Solomon <monty () roscom com>
> > >Subject: Do y*u Y*h**?
> > >
> > >http://www.ntk.net/2002/07/12/
> > >
> > >
> > >                                  >> HARD NEWS <<
> > >                                 in powers of two
> > >
> > >           Nice to see, in the midst of all these scandals, Yahoo
> > >           turning a healthy profit. But as other companies fiddle the
> > >           figures, Yahoo's been busy instead with fiddling its own
> > >           users' private correspondence. In a fantastically clumsy
> > >           attempt to prevent cross-site scripting attacks, the free
> > >           e-mail wing of the sprawling giant has long been replacing
> > >           complete English words in the text of HTML mail sent to its
> > >           users. Mention "mocha" in an HTML mail to a friend with a
> > >           @yahoo.com account, and your choice in coffee will be
> > >           silently switched to "espresso". Talk about "free
> > >           expression", and your recipient will think you said "free
> > >           statement". Here's the full list of swaperoos:
> > > http://www.ntk.net/2002/07/12/yahoo.txt
> > >                                   - try not to mail it to your friends
> > >
> > >           This fiddling has been going on now for over a year
> > >           (the ever vigilant RISKS digest noted it back in March
> > >           2001). But because of Yahoo's underhand methods, very few
> > >           people have spotted the turnabout - certainly far fewer than
> > >           if Yahoo had done the sensible thing and, say, "**"'ed out
> > >           the vowels in the word, or, God forbid, written a smarter
> > >           parser. But the sneakier you are, the wider the damage
> > >           spreads. The word "medieval" (since it contains the
> > >           javascript command "eval") is converted in Yahoo mail to
> > >           "medireview". Google now shows over 640 sites (and 1,150
> > >           separate instances) of the word "medireview" being used as a
> > >           synonym for medieval. University papers, bibliographies and
> > >           book reviews, Indian newspaper columnists, and endless
> > >           enthusiast sites drop it unseen into texts. People have
> > >           begun to ask where it originally came from, and does it have
> > >           a subtler meaning beyond "medieval"? Is Yahoo ever going to
> > >           fix its filters? Or is it time we pushed to get the first
> > >           regexp-obfuscated word into the Oxford English Dictionary?
> > > http://catless.ncl.ac.uk/Risks/21.34.html
> > >             - does anyone still at Yahoo even know how to turn it off?
> > > http://www.google.com/search?q=medireview
> > >                            - NTK now entirely filled with google links
> > >
> > >
>
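The failure mode the NTK piece describes, reproduced as an added example (this is not Yahoo's code and not code from anyone on the thread): a naive substring blocklist built from the three swaps quoted above (mocha, expression, eval), beside the same list anchored on word boundaries, run over a constructed sample sentence to show how much legitimate text each rewrites. Only those three pairs are assumed; the full NTK list is not reproduced, and neither version is a real XSS defence, which needs an HTML allowlist parser rather than word substitution.

```python
import re

# The three substitutions quoted in this thread (assumed to be the only ones
# we model; the full NTK list linked above is not reproduced here).
SWAPS = {
    "mocha": "espresso",
    "expression": "statement",
    "eval": "review",
}

# Constructed sample HTML body, not a message from the thread.
SAMPLE = "<p><b>A mocha for the medieval scholar who values free expression.</b></p>"


def naive_filter(html: str) -> str:
    """Plain substring replacement, the behaviour the thread reports.

    It fires inside unrelated words, so 'medieval' becomes 'medireview'.
    """
    for word, repl in SWAPS.items():
        html = html.replace(word, repl)
    return html


def word_boundary_filter(html: str) -> str:
    """The same blocklist anchored on \\b word boundaries.

    This stops the 'medireview' mangling, but it still rewrites ordinary
    English such as 'free expression', which is why a keyword blocklist is
    the wrong tool: scripts must be removed by parsing the HTML, not by
    editing the user's prose.
    """
    for word, repl in SWAPS.items():
        html = re.sub(rf"\b{re.escape(word)}\b", repl, html)
    return html


def collateral_damage(original: str, filtered: str) -> list:
    """Return (before, after) pairs of whitespace-separated tokens a filter
    changed, so a reviewer can measure how much legitimate text a rule hits."""
    return [(a, b) for a, b in zip(original.split(), filtered.split()) if a != b]


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("word-boundary", word_boundary_filter)):
        out = fn(SAMPLE)
        print(f"{name}: {out}")
        print(f"  changed tokens: {collateral_damage(SAMPLE, out)}")
```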



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------

