
Politech is the oldest Internet resource devoted to politics and technology. Launched in 1994 by Declan McCullagh, the mailing list has chronicled the growing intersection of culture, technology, politics, and law. Since 2000, so has the Politech web site.

Does Yahoo currently ban HTML email text with Javascript tags?



[Nobody believes Yahoo is acting maliciously, as I should have made clear. 
At worst it would be some regexps going awry. But Yahoo may have stopped 
the practice or tuned their regexps, as also noted by Paul Hoffman. --Declan]

---

Date: Mon, 15 Jul 2002 06:18:27 -0400 (EDT)
To: Declan McCullagh <declan@well.com>
Subject: Re: FC: Do y*u Y*h**? Yahoo bans HTML email text with Javascript
  tags
In-Reply-To: <5.1.1.6.0.20020714223313.01b13dd0@mail.well.com>
From: John Adams <jna@retina.net>

This just sounds like a set of bugs in their javascript protection parser
(i.e. to stop people from sending other people malicious javascript) and I
don't think they would do something like this in a malicious manner.

As a programmer, I've made similar mistakes and can see how this would
seriously bother people who send email using their service.

Politech has always been a bastion of good news, and little of your work
has been subject to sensationalism. Don't give in to it in the same way
slashdot has. They have a tendency to take small bugs like this and turn
them into major political events.

-john

---

From: "Ben Serebin" <ben@serebin.com>
To: "Declan McCullagh" <declan@well.com>
Subject: Re: FC: Do y*u Y*h**? Yahoo bans HTML email text with  Javascript tags
Date: Mon, 15 Jul 2002 12:53:18 -0400

Hey Declan,

         HTML.... I re-did the test below to ensure it used HTML tags. 
Note the <p> and <b> tags. Fancy HTML.

-Ben


----------

Received: from web10104.mail.yahoo.com ([])
         by mail.operationemail.com (Merak 5.0.0) with SMTP id JGA36956
         for <benny@serebin.com>; Mon, 15 Jul 2002 12:48:40 -0400
Message-ID: <20020715164839.54396.qmail@web10104.mail.yahoo.com>
Received: from [216.89.86.242] by web10104.mail.yahoo.com via HTTP; Mon, 15 Jul 2002 09:48:39 PDT
Date: Mon, 15 Jul 2002 09:48:39 -0700 (PDT)
From: Ben <ben2300@yahoo.com>
Subject: Testing Yahoo.....
To: benny@serebin.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-902498927-1026751719=:53936"

--0-902498927-1026751719=:53936
Content-Type: text/plain; charset=us-ascii


Is this anal bullshit real.... oh, are we fucked. Evaluation, my penis. 
Coffee sure tests good. medieval Man I am.... Yahoo blows... time to over 
free e-mail. -Ben



---------------------------------
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
--0-902498927-1026751719=:53936
Content-Type: text/html; charset=us-ascii

<p><b>Is this anal bullshit real.... oh, are we fucked. Evaluation, my 
penis. Coffee sure tests good. medieval Man I am.... Yahoo blows... time to 
over free e-mail. -Ben</b></p>
<p><br><hr size=1><b>Do You Yahoo!?</b><br>
<a href="! Autos</a> - Get free new car price quotes
--0-902498927-1026751719=:53936--



----------

----- Original Message -----
From: "Declan McCullagh" <declan@well.com>
To: "Ben Serebin" <ben@serebin.com>
Sent: Monday, July 15, 2002 10:54 AM
Subject: Re: FC: Do y*u Y*h**? Yahoo bans HTML email text with Javascript tags

 > Did you send HTML email to yourself (see Subject: line) or text email?
 >
 > -Declan
 >
 > At 09:47 AM 7/15/2002 -0400, you wrote:
 > >Hey Declan,
 > >
 > >         Did you test it, because I did, and it's not the case the word
 > > replacement. Below is what I sent to myself.
 > >
 > >-Ben
 > >
 > >---------------------
 > >
 > >Received: from web10103.mail.yahoo.com ([])
 > >         by mail.operationemail.com (Merak 5.0.0) with SMTP id JGA36956
 > >         for <ben@serebin.com>; Mon, 15 Jul 2002 09:44:58 -0400
 > >Message-ID: <20020715134457.8328.qmail@web10103.mail.yahoo.com>
 > >Received: from [66.114.69.91] by web10103.mail.yahoo.com via HTTP; Mon, 15
 > >Jul 2002 06:44:57 PDT
 > >Date: Mon, 15 Jul 2002 06:44:57 -0700 (PDT)
 > >From: Ben <ben2300@yahoo.com>
 > >Subject: Fucking Shit...
 > >To: Ben <ben@serebin.com>
 > >MIME-Version: 1.0
 > >Content-Type: multipart/alternative; boundary="0-1666993424-1026740697=:8233"
 > >
 > >Is this anal bullshit real.... oh, are we fucked. Evaluation, my penis.
 > >Coffee sure tests good. medieval Man I am.... Yahoo blows... time to over
 > >free e-mail. -Ben
 > >
 > >
 > >
 > >Do You Yahoo!?
 > ><http://autos.yahoo.com/>Yahoo! Autos - Get free new car price quotes
 > >---------------------
 > >
 > > >---
 > > >
 > > >Date: Sun, 14 Jul 2002 11:03:19 -0400
 > > >To: Declan McCullagh <declan@well.com>
 > > >From: Monty Solomon <monty@roscom.com>
 > > >Subject: Do y*u Y*h**?
 > > >
 > > >http://www.ntk.net/2002/07/12/
 > > >
 > > >
 > > >                                  >> HARD NEWS <<
 > > >                                 in powers of two
 > > >
 > > >           Nice to see, in the midst of all these scandals, Yahoo
 > > >           turning a healthy profit. But as other companies fiddle the
 > > >           figures, Yahoo's been busy instead with fiddling its own
 > > >           users' private correspondence. In a fantastically clumsy
 > > >           attempt to prevent cross-site scripting attacks, the free
 > > >           e-mail wing of the sprawling giant has long been replacing
 > > >           complete English words in the text of HTML mail sent to its
 > > >           users. Mention "mocha" in an HTML mail to a friend with a
 > > >           @yahoo.com account, and your choice in coffee will be
 > > >           silently switched to "espresso". Talk about "free
 > > >           expression", and your recipient will think you said "free
 > > >           statement". Here's the full list of swaperoos:
 > > > http://www.ntk.net/2002/07/12/yahoo.txt
 > > >                                   - try not to mail it to your friends
 > > >
 > > >           This fiddling has been going on now for over a year
 > > >           (the ever vigilant RISKS digest noted it back in March
 > > >           2001). But because of Yahoo's underhand methods, very few
 > > >           people have spotted the turnabout - certainly far fewer than
 > > >           if Yahoo had done the sensible thing and, say, "**"'ed out
 > > >           the vowels in the word, or, God forbid, written a smarter
 > > >           parser. But the sneakier you are, the wider the damage
 > > >           spreads. The word "medieval" (since it contains the
 > > >           javascript command "eval") is converted in Yahoo mail to
 > > >           "medireview". Google now shows over 640 sites (and 1,150
 > > >           separate instances) of the word "medireview" being used as a
 > > >           synonym for medieval. University papers, bibliographies and
 > > >           book reviews, Indian newspaper columnists, and endless
 > > >           enthusiast sites drop it unseen into texts. People have
 > > >           begun to ask where it originally came from, and does it have
 > > >           a subtler meaning beyond "medieval"? Is Yahoo ever going to
 > > >           fix its filters? Or is it time we pushed to get the first
 > > >           regexp-obfuscated word into the Oxford English Dictionary?
 > > > http://catless.ncl.ac.uk/Risks/21.34.html
 > > >             - does anyone still at Yahoo even know how to turn it off?
 > > > http://www.google.com/search?q=medireview
 > > >                            - NTK now entirely filled with google links
 > > >
 > > >
 > 




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
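
The failure mode discussed in this thread, as an added example that is not part of the original messages and not Yahoo's code: a blind substring swap, using only the three substitutions the NTK item names, next to a filter that parses the HTML and removes script elements, event-handler and style attributes, and script-scheme URLs while leaving the text alone. The function names and the sample string are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# The three swaps named in the quoted NTK item; the real filter's code is unknown (assumed).
SWAPS = {"eval": "review", "mocha": "espresso", "expression": "statement"}
_SWAP_RE = re.compile("|".join(SWAPS), re.IGNORECASE)

def naive_filter(markup):
    """Rewrite script-related substrings wherever they occur, prose included."""
    return _SWAP_RE.sub(lambda m: SWAPS[m.group(0).lower()], markup)

def _drop_attr(name, value):
    """True for event handlers, style attributes and script-scheme URLs."""
    scheme = re.sub(r"[\x00-\x20]", "", value or "").lower()
    return (name.startswith("on") or name == "style"
            or scheme.startswith(("javascript:", "mocha:")))

class _Sanitizer(HTMLParser):
    """Parse first, drop script-bearing nodes, emit text re-escaped but unchanged."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        if not self.in_script:
            kept = "".join(f' {k}="{html.escape(v or "")}"'
                           for k, v in attrs if not _drop_attr(k, v))
            self.out.append(f"<{tag}{kept}>")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        self.in_script = False
    def handle_endtag(self, tag):
        if tag != "script":
            self.out.append(f"</{tag}>")
        self.in_script = False
    def handle_data(self, data):
        if not self.in_script:
            self.out.append(html.escape(data, quote=False))

def structural_filter(markup):
    """Return the markup with script, handlers and script URLs removed."""
    parser = _Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample, not a message from the thread.
SAMPLE = '<p onclick="eval(x)"><b>medieval</b> mocha</p><script>eval(1)</script>'
```

On the sample, the substring swap corrupts the prose and still leaves the handler and the script element in place, while the parsing filter removes both and keeps "medieval" and "mocha" intact.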



