Slashdot Mirror


A Medireview Approach To Stopping E-Mail Attacks

dcsmith writes: "This article at the Need To Know web site reports that the free(as in beer) e-mail arm of Yahoo has been replacing certain words in messages received by yahoo.com e-mail accounts. In an apparent attempt to forestall cross-site scripting attacks, 'mocha' becomes 'espresso' and 'free expression' becomes 'free statement'... My personal favorite - since medieval contains the text "eval", it is altered to 'medireview' ... Check Google for the number of web sites containing medireview." Kwelstr points to this story at New Scientist as well.

260 comments

  1. Can someone please explain... by Anonymous Coward · · Score: 0

    ... what a "cross-site scripting attack" is and how changing the word "mocha" to the word "espresso" makes it all better?

    1. Re:Can someone please explain... by 2sheds · · Score: 2

      it prevents scripting attacks because you can't email someone malicious javascript, for example, as the keywords will be replaced.

      james

      --

      Absit Invidia
    2. Re:Can someone please explain... by Anonymous Coward · · Score: 0

      that's stupid. how about replacing <javascript with <javascr1pt instead of every single damn keyword?

    3. Re:Can someone please explain... by Anonymous Coward · · Score: 0

      or, how about turning all text into l33t 5pe4k.

    4. Re:Can someone please explain... by kowalski1971 · · Score: 2, Informative

      if the email contained embedded javascript, replacing key parts of the javascript syntax would render it useless. javascript like any other (programming) language relies on the syntax of the code being precise... in the English language 'eval' and 'review' have similar meanings but in javascript 'review' means nothing.

    5. Re:Can someone please explain... by roybadami · · Score: 2, Insightful

      Personally I think a better approach would be to nuke all , and tags.

    6. Re:Can someone please explain... by Anonymous Coward · · Score: 1, Interesting

      What or tag?

      <img src="hello.jpg" onmouseover="dosomething();">

    7. Re:Can someone please explain... by roybadami · · Score: 1

      Damn, I guess that means you need to nuke a bunch of attributes, too. Looks like you need a proper HTML parser.

      Probably better just to nuke all HTML mail...

    8. Re:Can someone please explain... by King+of+the+World · · Score: 1

      And then suddenly you've got javascript flowing into the body of the email. Nuke everything between the tags too.

    9. Re:Can someone please explain... by Anonymous Coward · · Score: 0

      Actually that would require a tag.. but something like "javascript:..etc" would work.

    10. Re:Can someone please explain... by douglas+jeffries · · Score: 1

      it's certainly reasonable to remove all the javascript events; there aren't that many of them and it's worth it to let the message itself get through.

    11. Re:Can someone please explain... by roybadami · · Score: 2, Informative

      Sorry, I should have said remove the elements, not remove the tags. Though, as has now been pointed out to me, this in itself is not enough; certain otherwise safe elements have attributes that are problematic.

    12. Re:Can someone please explain... by jc42 · · Score: 2

      Of course, sensible users of browsers will have turned off javascript and all other scripting tools.

      Ya gotta be really innocent to allow random strangers to run code on your machine.

      Yeah, it's true that some web pages won't work without javascript or vbscript. But do you really want such pages running on your machine? Those are exactly the sites that you should be blocking.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  2. My words not thiers by wastedbrains · · Score: 3, Interesting

    I think that Yahoo shouldn't be changing any words in e-mails unless the users specifically choose to turn that "feature" on. I mean if I send anyone an e-mail I expect it to arrive as I sent it. What is the point of a global mail that picks what you can and can't write about?

    --
    Dan Mayer: my blog, essays, art, etc
    1. Re:My words not thiers by Anonymous Coward · · Score: 0

      Friends don't email friends html. My mail server strips it all. That and 16 other extensions...

    2. Re:My words not thiers by ericmc42 · · Score: 2, Funny

      It wouldn't do anything to *your* email anyways... I doubt it picks up on words that aren't spelled correctly.

    3. Re:My words not thiers by Anonymous Coward · · Score: 0

      So that's why slashdot grammar is so bad... they're trying to avoid filters! Mmm, but now I'm getting suspicious about the fact that medieval was spelled correctly... mmm...

    4. Re:My words not thiers by SimCash · · Score: 1
      wastedbrains wrote:

      I think that Yahoo shouldn't be changing any words in e-mails unless the users specifically choose to turn that "feature on"

      Hmmm, Yahoo offers a free service, then tries to improve that free service in an awkward but cheapo way, no doubt because their lawyers said they were at risk, then we complain because this free service does not work like "for-pay" sites (if this sentence was too complex for you, try reading something more complex than the funny pages).

      I am always amazed at the ability to bitch furiously of people who want free services, whether they be Slashdotters or welfare cheats. Remember, "He who has the gold, makes the rules.", or in its market equivalent, "He who spends the gold, makes the rules." You get what you pay for, and if you have taken the free @Yahoo mail route you already knew or suspected that you were open to: (1) having your email address sold to marketers, and (2) being shown advertisements whenever you read your email (Yahoo charges a fee to users who use POP).

      IMNSHO, Yahoo's big mistake was in not telling all its users this was happening, and I suspect that 99% of those users did not even know or care that this was happening since they did not use HTML encoded email.

      Before Yahoo filtered this, it contained a short but complete description of the Fermat solution to Fermat's last theorem, which, unlike the eventual proof, truly was short and clear, as well as the ultimate equation that defines the universe. I hope the filters did not change it too much.
    5. Re:My words not thiers by HiThere · · Score: 2

      Earlier reports in this list indicate that the feature is also used on paid for accounts.

      And in your claim, the word "improve" should have been in quotes. If you had said, "...to improve the security..." then it would have been proper as written, but to claim that it's an improvement of the message... that is a highly subjective claim, and very subject to circumstances. Most of the examples given are hardly improvements.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    6. Re:My words not thiers by Anonymous Coward · · Score: 0

      Does this explain why definitely appears with an 'a' replacing the second 'i'? Or are many web users illiterate?

    7. Re:My words not thiers by phyxeld · · Score: 2

      Hmmm, Yahoo offers a free service, then tries to improve that free service in an awkward but cheapo way, no doubt because their lawyers said they were at risk, then we complain because this free service does not work like "for-pay" sites (if this sentence was too complex for you, try reading something more complex than the funny pages).

      This has absolutely nothing to do with the service being free. The problem they're trying to solve applies to any web-based email, and their fix applies the same to paid accounts as free ones. You say you're tired of hearing whining about (...)? Well, I'm tired of hearing whining from people like you who don't understand what they're talking about.

      --
      __
      Choose mnemonic identifiers. If you can't remember what mnemonic means, you've got a problem. - Larry Wall
  3. Verified? by nuggz · · Score: 2

    I emailed my yahoo.ca account, cut and pasted the /. story text

    Nothing got changed, did anyone even verify this?

    1. Re:Verified? by TMLink · · Score: 1

      The article says it works only if the email is HTML formatted...was it?

      --
      Every time a guy gets a threesome, somewhere in heaven an angel gets his wings. --Cary Tennis
    2. Re:Verified? by realdpk · · Score: 2

      Yes, verified. It does do this. It has done this for months! I first heard about it from people at Sun.

    3. Re:Verified? by Anonymous Coward · · Score: 2, Informative

      It happens only if the E-Mail is MIMEd as text/html. If it has no MIME type, it doesn't get fiddled with.

      While I would commend Yahoo! for at least trying to protect their users, it would seem like doing this without some kind of notice or disclaimer kinda sucks ass.

    4. Re:Verified? by looseBits · · Score: 1

      I didn't notice any changes either. Hmmmm....

      --
      Lord, bless my users that they may stop being such fucking idiots!!
    5. Re:Verified? by ocbwilg · · Score: 2

      Nothing got changed, did anyone even verify this?

      Yes, it does change it. Oddly enough, they apparently got smart enough to stop switching "evaluate" out though.

    6. Re:Verified? by mrogers · · Score: 2

      It modifies only HTML email, because it's intended to prevent scripting attacks. I trust you always use plain text. ;-)

    7. Re:Verified? by ubernostrum · · Score: 1

      I just sent an HTML message to my Yahoo account, and nothing got changed. Any suggestions on how to reproduce the effect?

    8. Re:Verified? by knorthern+knight · · Score: 1

      Send this in the middle of a *PLAIN TEXT* email to any poor soul who uses Outhouse Excuse or Lookout, and watch them scream about viruses. Note that the left side must be flush to the left margin.

      begin 666 loveletter.txt.vbs
      Microsoft's stupid braindead Outhouse Excuse thinks this is a
      Malicious attachment if you haven't updated OE.

      end

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    9. Re:Verified? by Anonymous Coward · · Score: 0

      In a similar vein, pacbell dsl users in Sacramento have ".scr" in their hostname (i.e. dsl-64-164-xxx-xxx.dsl.scrm01.pacbell.net), and it triggers this snort rule:

      alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)

      So any users on dsl in Sacramento (or anywhere nearby - i think all of northern california is either on the sac or the sanfran servers) will trigger snort when they send email.

      Beautiful.

      This reminds me of how many people get unfairly blacklisted because of anti-spam zealots. It's pretty funny, really.
  4. oh no! by GoatPigSheep · · Score: 0, Troll

    That word replacing thing goes against our right of free staement

    --
    GoatPigSheep, the 3 most important food groups
  5. Wow by Nept · · Score: 5, Funny

    I can't believe it...a slashdot editor actually spelled "medieval" correctly.

    --
    "Teachers leave us kids alone ..." - Roger Waters, Pink Floyd
    1. Re:Wow by Anonymous Coward · · Score: 0

      It wasn't a slashdot editor. It was the submitter.

    2. Re:Wow by duren686 · · Score: 1

      Closer inspection reveals that "medireview" is not an acceptable way of spelling medieval.

      --
      Y2K Compliant since the late 1890s
    3. Re:Wow by clickety6 · · Score: 1

      I think he was trying to write media-evil...

      --
      ----------------------------------- My Other Sig Is Hilarious -----------------------------------
    4. Re:Wow by jc42 · · Score: 2

      > ... actually spelled "medieval" correctly

      Also, there are a number of cases of "mediaeval" being converted to "mediareview". So it's not just the medical review people who are affected by this, but also anyone reviewing the media.

      I wonder if Senator Hollings or the RIAA have heard about this?

      Also, do you think we could get Yahoo classified as terrorists for hacking the contents of email messages with medical effects? Note that some of these effects will be long-term (chronic), due to the thousands of web pages that are already infected.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  6. whoops should read... by GoatPigSheep · · Score: 1

    That word replacing thing goes against our right of free STATEMENT

    --
    GoatPigSheep, the 3 most important food groups
    1. Re:whoops should read... by ericmc42 · · Score: 1

      You mean speech??? Or did you send this through your Yahoo email first?

    2. Re:whoops should read... by sir99 · · Score: 1

      Shows you how many people read the article.

      --
      The ocean parts and the meteors come down
      Laid out in amber, baby.
  7. Enh? by gregbaker · · Score: 5, Interesting
    Forgive me if I'm being dense, but how does replacing the word "mocha" prevent cross-site scripting problems? Is mocha() a function in some language with semantics "format the hard drive"?

    Even if there's some great effect, wouldn't it be easy to replace the word only if it appeared in a script? Or does IE extend it's baffling type guessing to parts of documents as well?

    1. Re:Enh? by ZxCv · · Score: 4, Interesting

      ...wouldn't it be easy to replace the word only if it appeared in a script?

      Having developed a filter for my last employer's web-based email system that does exactly that, the answer to that question is no. If every person and everything that produced HTML were to output strictly formatted HTML with little or no variation, then yes, it would be simple. The real problem lies in writing code that will catch every occurrence of your problem, whether it's embedded in a URL, inside of a script block, or just referenced as a hyperlink. This obviously isn't to say it hasn't been done, and done successfully, it's just to say that, in practice, it's no simple task.

      --

      Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
    2. Re:Enh? by MattCohn.com · · Score: 0

      Mocha is the old name for JavaScript.

      Just as it changes javascript to java-script
      and VBScript to VB-Script, it changes mocha to something else, it just couldn't hyphenate it.

    3. Re:Enh? by Anonymous Coward · · Score: 0

      Of course it could. m-ocha, in many cases it is as nonsensical as replacing it with espresso.

    4. Re:Enh? by wdr1 · · Score: 3, Funny

      Forgive me if I'm being dense, but how does replacing the word "mocha" prevent cross-site scripting problems? Is mocha() a function in some language with semantics "format the hard drive"?

      No, nothing like that.

      "mocha" is what javascript was called before the big java hype. You'd want to replace "mocha" for the same reason you want to replace "javascript", as many browsers will still treat the two the same for backwards-compatibility reasons.

      -Bill

      --
      SlashSig Karma: Excellent (mostly affected by moderatio
    5. Re:Enh? by gorilla · · Score: 2
  8. Low Brow Solution by anomie · · Score: 2, Insightful

    This seems like a clumsy, low brow solution, not to mention the fact that they're causing their own kind of information corruption. So, if I'm searching for medieval, now I have to sit and write down the variations on the theme. The four letter combination eval pops up in thousands of words (my guess). It seems to me that this is creating one problem to try and solve another.

    1. Re:Low Brow Solution by tps12 · · Score: 2, Informative

      The four letter combination eval pops up in thousands of words (my guess).

      Guess again:

      $ grep -c eval /usr/share/dict/words
      22

      --

      Karma: Good (despite my invention of the Karma: sig)
    2. Re:Low Brow Solution by nrmrvrk · · Score: 2, Interesting

      I believe the word you're looking for is "Kludge". This definitely applies. Replace all the words you want but it's the wrong path to take. It's like filtering all of your EMail for certain words and then just adding onto the list of words/phrases you look for. Doing this without running something that either checks for valid domains or looks at a blacklist is not a good solution. Let's hope Yahoo! does more than just replace "Mocha" with "latte" or "Cafe Au Lait". I wonder if they can somehow translate to h4x0r language maybe using Google.

      Don't forget to change:
      Mocha
      M0ch4
      ^^0[h4

      etc...

      absurd

      --
      Keine eier
    3. Re:Low Brow Solution by Anonymous Coward · · Score: 1, Informative

      Does that include variants (evaluation, evaluations, evaluating, etc.)?
      I get 304 from my English wordlist.

    4. Re:Low Brow Solution by glwtta · · Score: 1, Redundant

      m-w.com (abridged merriam webster) found 135 words containing 'eval'

      --
      sic transit gloria mundi
    5. Re:Low Brow Solution by Jerf · · Score: 4, Interesting
      I get 85:
      antimedi eval, cheval, chevalier, chevaline, coeval, coevality, coevally, crevalle, devall, devaloka, devalorize, devaluate, devaluation, devalue, equaeval, evaluable, evaluate, evaluation, evaluative, evalue, forevalue, grandeval, kevalin, longeval, Masdevallia, mediaevalize, mediaevally, Medieval, medieval, medievalism, medievalist, medievalistic, medievalize, medievally, neomedievalism, nonprevalence, nonprevalent, nonrevaluation, omniprevalence, omniprevalent, Perceval, premedieval, premedievalism, prevalence, prevalency, prevalent, prevalently, prevalentness, prevalescence, prevalescent, prevalid, prevalidity, prevalidly, prevaluation, prevalue, primeval, primevalism, primevally, pseudomedieval, quinquevalence, quinquevalency, quinquevalent, quinquevalve, quinquevalvous, quinquevalvular, reprieval, retrieval, revalenta, revalescence, revalescent, revalidate, revalidation, revalorization, revalorize, revaluate, revaluation, revalue, rounceval, shrieval, shrievalty, trevally, undershrievalty, unevaluated, unmediaeval, unprevalent
      Ain't UNIX fun?
    6. Re:Low Brow Solution by Anonymous Coward · · Score: 0

      I get 85:

      On a default RedHat 7.3 install I only get 22:

      % grep eval /usr/share/dict/words | wc -l
      22


      Why does my dictionary suck? It doesn't even have the extremely common word "a".

    7. Re:Low Brow Solution by adamjaskie · · Score: 1

      Couldn't they just look for tags and remove them and their contents? I would think that would work better. Plus, doesn't their changing of "javascript" to "java-script", "vbscript" to "vb-script" etc prevent javascript and vbscript from running in the page? All their changing seems unnecessary considering some of the things they change:

      javascript => java-script
      jscript => j-script
      vbscript => vb-script
      script => cursive
      embed => xembed
      applet => xapplet
      etc.

      Dont these pretty much cover most script attacks?

      --
      /usr/games/fortune
    8. Re:Low Brow Solution by Atlantix · · Score: 1

      m-w.com (abridged merriam webster) found 135 words containing 'eval'

      you're kidding right? they couldn't be bothered to put the full UN-abridged version of their dictionary on the web? that's truly sad.

      --Atlantix2000

    9. Re:Low Brow Solution by psamuels · · Score: 1

      they couldn't be bothered to put the full UN-abridged version of their dictionary on the web? that's truly sad.

      Why is that sad? Where is your unabridged dictionary on the web?

      I have both the M-W unabridged, and their 10th Collegiate (similar to what is on m-w.com). Guess what - I keep the latter within arm's reach when reading, for when I come across a word I don't know, or want to know more about. My unabridged has sat on its shelf for months. It's nice to have both, sure - but at my education level, very rarely indeed do I come across a word that's only in the unabridged. (William F. Buckley produces one every now and then. His vocabulary is scary, and he is an incorrigible show-off.)

      --
      "How can you claim that you are anti-crack, while still writing a window manager?" — Metacity README
    10. Re:Low Brow Solution by PacoTaco · · Score: 3, Funny
      William F. Buckley produces one every now and then. His vocabulary is scary, and he is an incorrigible show-off.

      Personally, I think he's just a blatherskite. ;)

    11. Re:Low Brow Solution by Anonymous Coward · · Score: 0

      Not sure how he got 85, but I got 65 on RH7.3 (try aspell, your spell checking program):

      $ aspell dump master | grep eval -c
      68

      You can specify a different language by adding it to the end of the aspell command (french, for example):

      $ aspell dump master fr | grep eval -c
      134

      Of course, you need the dictionaries for these other languages to be installed.

    12. Re:Low Brow Solution by Anonymous Coward · · Score: 0

      javascript => java-script
      jscript => j-script
      vbscript => vb-script
      script => cursive
      embed => xembed
      applet => xapplet

      how'bout:

      javascript => invalid / null
      jscript => invalid / null
      vbscript => invalid / null
      script => invalid / null
      embed => invalid / null
      applet => invalid / null

      Mucho simpler, iznit?

    13. Re:Low Brow Solution by glwtta · · Score: 2

      they did, it costs something like $15 a month

      --
      sic transit gloria mundi
    14. Re:Low Brow Solution by uigrad_2000 · · Score: 2

      searching for reviewuate on google brings up lots of results too!

      --
      Free unix account: freeshell.org
    15. Re:Low Brow Solution by wbm6k · · Score: 1

      Just ran those through Yahoo to test... it only changes the letters at the end of the word.
      For example, cheval gets changed to chreview, but chevalier is left alone.

  9. You get what you pay for.. by destiney · · Score: 0, Flamebait


    People who rely on free email for anything important are dumbasses.

    I'd rather pay for it, then when someone botched my service I would have a leg to stand on.

    What do you say to yahoo in a case like? Nothing you can say... You got what you paid for.

    1. Re:You get what you pay for.. by Anonymous Coward · · Score: 0

      What do you say to yahoo in a case like? Nothing you can say... You got what you paid for.

      Well if I were to give Yahoo my 2 cents worth chances are 99+ plus that I'd get modded as flamebait.

      In any case I do not use freemail for anything of great import.

    2. Re:You get what you pay for.. by Anonymous Coward · · Score: 0

      This has nothing to do with free vs. paid. This has to do with Yahoo. Yahoo has paid and business-level services. The substitution affects all of their email services.

  10. HTML E-mail Only by akiy · · Score: 5, Informative

    What the original poster of this article failed to mention was that this affects HTML-encoded mail only. Plain vanilla ASCII e-mail is not affected.

    --

    --
    http://www.aikiweb.com - AikiWeb Aikido Information

    1. Re:HTML E-mail Only by Anonymous Coward · · Score: 1

      so only send plain text. DUH

  11. Yahoo works better... by zulux · · Score: 4, Funny

    ...than the CmdrTaco speling and gramer filterer that keeps Slashdot free of all 'dose cross syte scripting bugs that plauge windozw lusers. It werks espeshilayy well of page wisening posts the effect Internet Exploder useres as well.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    1. Re:Yahoo works better... by DotComVictim · · Score: 4, Funny

      What is wrong with you? You doesn't not even spell "gramer" right. The correct speling was "grahmer", like the crackers you probably doesn't not eat too.

    2. Re:Yahoo works better... by Prior+Restraint · · Score: 2

      like the crackers you probably doesn't not eat too.

      No way, dude; it's the 1337 crackers that can bite me.

  12. Yup by CaptainSuperBoy · · Score: 2

    Yes, this is real. I sent a short HTML message to my Yahoo account that included the words medieval, mocha, and expression. All three were changed just like the article. You can do this too, just make sure you send an HTML mail.

    1. Re:Yup by Maditude · · Score: 1

      You can do this too, just make sure you send an HTML mail.
      But... I get "medieval" (or is it m3d13v4l) on llamas who send me html emails! (go ahead, groan all you like)

  13. Reason for changes... by joebp · · Score: 5, Interesting
    eval => review

    Eval is a commonly used javascript command (duh).

    mocha => espresso

    An interesting one. Mocha is the old name for what became Javascript.

    expression => statement

    Obvious

    javascript => java-script

    Breaks most javascript embedded in HTML email.

    jscript => j-script

    As above.

    vbscript => vb-script

    Breaks most vbscript embedded in HTML email.

    livescript => live-script

    Another old name for Javascript.

    However, this seems the most retarded possible way of cutting out scripts in HTML emails.

    Better, would be a regexp something like .*? and targeted removal of a few other tags.

    1. Re:Reason for changes... by joebp · · Score: 1

      Better, would be a regexp something like .*? and targeted removal of a few other tags.

      Whoops. <script.*?>.*?</script>

    2. Re:Reason for changes... by FyRE666 · · Score: 2

      Hardly:

      <a href="Javascript:eLiTeSkRip7()">
      <span onclick="someOtherCode()"></span>
      <img src="blah.gih" onload="someScript()" />
      etc etc etc...

      I think removing links to images on user tracking sites might be a good idea too, BTW. I filter most spam, but every so often I inadvertently open one with one of these "unique tracking ID" type images and Whoops! I've just confirmed my email address works!

    3. Re:Reason for changes... by smoondog · · Score: 1, Redundant

      All words containing the string "eval" are replaced with "review" ... (Just tested with an email to myself) How funny.

      -Sean

    4. Re:Reason for changes... by Jerf · · Score: 3, Funny

      And here I thought you had meant running s/.*//g as a deliberate commentary on the average value of email going to or from Yahoo!....

    5. Re:Reason for changes... by orthogonal · · Score: 1

      Google on Proxomitron for a solution that works.

      Proxomitron's a filtering web proxy; to sufficiently clean HTML requires several rules (regexes, essentially), but it's do-able and doesn't slow down browsing (even ADSL) enough to notice on my 866 MHz W2K box.

      Oh, and it removes lots of other unwanted crap, can be customized if you can write a regex, and can be over-ridden just by clicking on a browser bookmark.

      (Actually, I use Proxomitron as the first filter in a series of two; the browser actually communicates to another filtering proxy which passes requests to Proxomitron. And it's still not appreciably slower -- given that I filter out a lot of crap, it's often faster.)

    6. Re:Reason for changes... by gusnz · · Score: 3, Interesting

      Actually, "expression" is not so obvious.

      IE4+ allow you to embed JavaScript in CSS statements using the "expression" parameter to evaluate it, and return a value to a CSS class. It's obscure, but the syntax is:

      <span style="margin-top: expression(JavaScript code here)">

      (Hopefully this doesn't get munged by Slashdot's own filtering code). So it's a potentially serious security breach for anyone considering parsing HTML documents and allowing STYLE="" attributes to persist (most mail clients do), especially because it is not well known amongst most coders. Further info is available from MSDN for anyone interested. Seriously, filtering out scripts is a good idea -- anyone else remember when the trolls here managed to insert onMouseOver code into paragraph tags using a Cross-Site Scripting attack, resulting in many goat-themed redirects?

      Anyway, a while ago I used Yahoo Mail as my main account and sent quite a few JavaScripts back and forward related to my website, and noticed "onmouseover" was changed to "onfilterchange" and similar replacements in the body of the mail. This was about 6 months back at least, so it's nothing new. Personally, I think they could probably come up with better filtering methods, but then again stealing a Yahoo! account's details using JS could be a lot more dangerous (finance sections etc) than your average Slashdot trollery -- so perhaps the extra caution is warranted.

      Perhaps the original JavaScript designers should have included a META tag to disable all scripting in the current document, so you could include that in all your static CGI documents and not have to worry about the details. It would certainly improve the security of many sites if it was adopted by most browsers even now.
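Several replies above make the same point from different directions: roybadami's "you need a proper HTML parser", FyRE666's href/onclick/onload vectors, gusnz's expression() inside a style attribute, and the later question of whether entity-encoded characters get through. The following Python is an added example, not code from this thread, from Yahoo or from any project named here, of the allowlist approach those replies converge on, built on the standard library's html.parser. The allowed tag and attribute sets, the scheme list and the sample message are my own assumptions and constructions; the sample is assembled from the vectors quoted in the thread. For comparison it also runs joebp's `<script.*?>.*?</script>` regex over the same input, which, as FyRE666 notes, leaves every attribute vector in place.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlists are an assumption for this example; a real deployment tunes them.
ALLOWED_TAGS = {"html", "body", "p", "br", "b", "i", "em", "strong", "a", "img",
                "span", "div", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements whose content is dropped too, not just the tags (King of the World's point).
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "applet", "iframe"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Relative URLs and http/https/mailto are kept; any other scheme is not.
    Whitespace and control characters are stripped before the scheme is read,
    because browsers ignore them in that position."""
    if value is None:
        return False
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.-]*):", cleaned)
    return m is None or m.group(1) in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuild the document from the allowlist, keeping an audit of what was dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (kind, detail) pairs, for logging
        self.skip = 0       # >0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip:
            self.skip += tag in DROP_WITH_CONTENT
            return
        if tag in DROP_WITH_CONTENT:
            self.skip = 1
            self.dropped.append(("element", tag))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("element", tag))   # tag dropped, its text kept
            return
        kept = []
        for name, value in attrs:
            # html.parser has already decoded entity references in `value`,
            # so an href written as "&#106;avascript:" arrives here as "javascript:".
            if name.startswith("on") or name == "style" \
                    or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attribute", f"{tag}@{name}"))
                continue
            if name in ("href", "src") and not safe_url(value):
                self.dropped.append(("url", value))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # "<img ... />": emit the start tag only; void elements take no end tag.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip:
            self.skip -= tag in DROP_WITH_CONTENT
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # re-encode decoded text

    def handle_comment(self, data):
        self.dropped.append(("comment", data))           # conditional comments included


def sanitize(html):
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


def naive_script_regex(html):
    """joebp's one-liner from the reply above, for comparison only."""
    return re.sub(r"<script.*?>.*?</script>", "", html, flags=re.IGNORECASE | re.DOTALL)


# Constructed sample assembled from the vectors quoted in this thread.
SAMPLE = (
    '<html><body>'
    '<p>Meet for a <b>mocha</b> to discuss medieval free expression.</p>'
    '<a href="Javascript:eLiTeSkRip7()">link</a>'
    '<span onclick="someOtherCode()">text</span>'
    '<img src="blah.gih" onload="someScript()" />'
    '<span style="margin-top: expression(JavaScript code here)">styled</span>'
    '<a href="&#106;avascript:someScript()">entity-encoded</a>'
    '<script>someScript()</script>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    for item in dropped:
        print("dropped:", item)
    print("regex only:", naive_script_regex(SAMPLE))
```

The design choice is to never pass input through: the output is regenerated from what the parser understood, so decoded entities are re-escaped and anything the allowlist does not name is gone, while the message text itself ("mocha", "medieval") is left alone. The `dropped` list is what a mail operator would log, so that the filter's decisions can be reviewed.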

    7. Re:Reason for changes... by Nevyn · · Score: 1
      Seriously, filtering out scripts is a good idea -- anyone else remember when the trolls here managed to insert onMouseOver code into paragraph tags using a Cross-Site Scripting attack [slashcode.com], resulting in many goat-themed redirects?

      NO, I don't, because I never have JavaScript enabled. Most web browsers/mail clients have enough problems getting the download/open privileges correct (no I don't want /dev/hda to be able to be opened just because I told galeon to look at something I'd saved). So the chances of me trusting them to implement JavaScript correctly is pretty close to zero.

      --
      ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
    8. Re:Reason for changes... by Anonymous Coward · · Score: 0

      Why not just replace some of the characters in there with HTML elements? Does &#number_for_e_here;val still work as eval? (if so, WHY)?

    9. Re:Reason for changes... by Anonymous Coward · · Score: 0
      no I don't want /dev/hda to be able to be opened just because I told galeon to look at something I'd saved

      $ cat /dev/hda
      cat: /dev/hda: Permission denied

      Are you running galeon as root? As a normal user, no program you run will ever be able to read /dev/hda directly.

    10. Re:Reason for changes... by Vulture_ · · Score: 1
      I filter most spam, but every so often I inadvertently open one with one of these "unique tracking ID" type images and Whoops! I've just confirmed my email address works!

      My mailreader (Ximian Evolution) has an option to not download images off the Internet for display in HTML email. Unless I'm mistaken, it won't run JavaScript code or anything like that at all.

      In other words, you get what you deserve for using a crappy (Web-based) mailer. Unless of course you have no choice, in which case you have my sympathy.

      --

      The only way the typical /.er can pick up a chick is with a forklift. -- AC

  14. *grumble* by Kreeblah · · Score: 1, Funny

    What a medireviewly draconian policy . . .

    1. Re:*grumble* by micromoog · · Score: 2

      That joke might have been funny if it wasn't already in this story's headline.

  15. Yahoo response by naoursla · · Score: 5, Funny

    When questioned about the filter, Yahoo claimed the filter was "double plus good".

    1. Re:Yahoo response by markus · · Score: 1

      When questioned about the filter, Yahoo claimed the filter was "double plus good".
      I am sure that would read twice add good. (Need to remove those dangerous keywords).

  16. Verified by jhunsake · · Score: 3, Informative

    Source Message:
    <html>
    <body>
    m o c h a: mocha <mocha>
    free e x p r e s s i o n: free expression <free expression>
    m e d i e v a l : medieval <medieval>
    </body>
    </html>

    Result:
    m o c h a : espresso, free e x p r e s s i o n : free statement m e d i e v a l : medireview

17. The law of precedent and (un)intended consequences by MenTaLguY · · Score: 0, Offtopic

    So, crimescript is double-plus ungood?

    --

    DNA just wants to be free...
  18. Probably already fixed by Eric+Seppanen · · Score: 3, Informative
Various politech readers tested yahoo mail for the problem and it appears that this problem is already fixed. So don't everybody go rushing off and start mailing yourself - you probably won't find anything.

    Oh, and since NTK is slashdotted already, you might want to read the original politech message to see what we're talking about.

    --
    314-15-9265
    1. Re:Probably already fixed by edrugtrader · · Score: 3, Interesting

      seems like the regex is flawed to me...

      would evaluation become reviewuation... probably not. i think they need a special case when there isn't a whitespace character in the front of eval.

      hotmail has this problem too, but they just try to stop all of the ways a script could start... the problem though: IE is so fux0ered up that you can sometimes create iframes in malformed tags, and then just run the script in the iframe.

      yahoo must have the same problems.

      --
      MARIJUANA, SHROOMS, X: ONLINE?! - E
    2. Re:Probably already fixed by realdpk · · Score: 4, Informative

      Sorry, Politechbot is wrong - it is still happening, I just tried it a few seconds ago.

    3. Re:Probably already fixed by tempest303 · · Score: 1

      same thing here...

    4. Re:Probably already fixed by Dante333 · · Score: 2, Interesting

      I just tried it. I sent the list from NTK to my Yahoo account in HTML format and what I sent was NOT what I got.

      What I sent:

      eval => review
      mocha => espresso
      expression => statement
      javascript => java-script
      jscript => j-script
      vbscript => vb-script
      livescript => live-script

      And what I got

      review => review
      espresso => espresso
      statement => statement
      java-script=> java-script
      j-script => j-script
      vb-script => vb-script
      live-script => live-script

This is not cool. What's next? *'s when I tell someone to go F*** themselves?

    5. Re:Probably already fixed by Bouncings · · Score: 2

      Yes, it's nice that Yahoo infringes on the copyrights of writers everywhere, and it takes a slashdot to make public these unauthorized changes.

      --
      -- Ken Kinder ken@_nospam_kenkinder.com http://kenkinder.com/
    6. Re:Probably already fixed by duren686 · · Score: 1

What's next? *'s when I tell someone to go F*** themselves?

      Doubt it would change much if you're already telling them to f*** themselves.

      --
      Y2K Compliant since the late 1890s
    7. Re:Probably already fixed by orkysoft · · Score: 2
      would evaluation become reviewuation... probably not.

      I rest my case.

      --

      I suffer from attention surplus disorder.
    8. Re:Probably already fixed by edrugtrader · · Score: 2

      well, i rest my case too! the regex is REALLY flawed.

      --
      MARIJUANA, SHROOMS, X: ONLINE?! - E
    9. Re:Probably already fixed by orkysoft · · Score: 2

      Thank you, Captain Obvious :-P

      --

      I suffer from attention surplus disorder.
  19. Text of NTK now article by kowalski1971 · · Score: 2, Informative

    Appears to have been /.'ed, here's the relevant bit:

    Nice to see, in the midst of all these scandals, Yahoo turning a healthy profit. But as other companies fiddle the figures, Yahoo's been busy instead with fiddling its own users' private correspondence. In a fantastically clumsy attempt to prevent cross-site scripting attacks, the free e-mail wing of the sprawling giant has long been replacing complete English words in the text of HTML mail sent to its users. Mention "mocha" in an HTML mail to a friend with a @yahoo.com account, and your choice in coffee will be silently switched to "espresso". Talk about "free expression", and your recipient will think you said "free statement". Here's the full list of swaperoos:
    http://www.ntk.net/2002/07/12/yahoo.txt
    - try not to mail it to your friends

This fiddling has been going on now for over a year (the ever vigilant RISKS digest noted it back in March 2001). But because of Yahoo's underhand methods, very few people have spotted the turnabout - certainly far fewer than if Yahoo had done the sensible thing and, say, "**"'ed out the vowels in the word, or, God forbid, written a smarter parser. But the sneakier you are, the wider the damage spreads. The word "medieval" (since it contains the javascript command "eval") is converted in Yahoo mail to "medireview". Google now shows over 640 sites (and 1,150 separate instances) of the word "medireview" being used as a synonym for medieval. University papers, bibliographies and book reviews, Indian newspaper columnists, and endless enthusiast sites drop it unseen into texts. People have begun to ask where it originally came from, and does it have a subtler meaning beyond "medieval"? Is Yahoo ever going to fix its filters? Or is it time we pushed to get the first regexp-obfuscated word into the Oxford English Dictionary? http://catless.ncl.ac.uk/Risks/21.34.html - does anyone still at Yahoo even know how to turn it off?
    http://www.google.com/search?q=medireview
    - NTK now entirely filled with google links

  20. The next hack by BoVLB · · Score: 2, Funny

    Of course, the next hack will be to produce e-mail that becomes a cross-site scripting attack (or criminal/tortious in some other way) after passing through Yahoo's filter. Who's going to bear the liability for that?

  21. It's about time... by pavos · · Score: 1

    ... that yahoo rereviewuates its practices. My messages from my yahoo.com account might look funny.

  22. They did a bad job on purpose by Anonymous Coward · · Score: 1, Funny

    If I was given such a stupid brain-dead project as this I wouldn't point out stupid mistakes in the project specification, I would interpret the specification in the stupid way.

I wouldn't recommend looking for word boundaries, or inside of certain tags only and so forth.

    Then after the outcry it might get withdrawn.

    I'm posting anonymous cos I don't want my project managers to know it's me!

    Joe

  23. Copyright by Vermithrax · · Score: 1

    So where are the copyright lawyers when we really need them?

  24. Dangerous word changes... by bashibazouk · · Score: 1
Considering that mochas are for people who can't quite handle coffee yet and espresso is for hardcore caffeine addicts this could cause problems for coffee drinkers everywhere. You email the secretary (ok, administrative assistant) to have a mocha ready for you when the meeting ends because it's a boring meeting and you're about to fall asleep. You walk out afterwards only to be handed a small cup of espresso. Suddenly you're bouncing off the walls like there is no tomorrow.

    What next? Switching beer with whiskey?

    1. Re:Dangerous word changes... by SomeGuyFromCA · · Score: 1
You email the secretary (ok, administrative assistant) to have a mocha ready for you when the meeting ends because it's a boring meeting and you're about to fall asleep.
      If your internal mail is on Yahoo, you've got more problems than the wrong caffeinated drink.
      --
      if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
  25. uuencoded files? by Anonymous Coward · · Score: 1, Interesting

    Don't these strings each have a non-zero probability of appearing in a uuencoded file?

    1. Re:uuencoded files? by Anonymous Coward · · Score: 0

      You're already seriously fucked if you send uuencoded files as text/html.

    2. Re:uuencoded files? by Anonymous Coward · · Score: 0

      Only terrorists or child pornographers send/receive uuencoded material.

    3. Re:uuencoded files? by Principal+Skinner · · Score: 1

      The uuencoded files I've seen never contain any lowercase letters.

      --
      one hundred twenty
      is just enough characters
      to write a haiku
    4. Re:uuencoded files? by Yottabyte84 · · Score: 1

      Proper people use MIME/base64 or quoted printable

  26. Other amusing mangled words floating around by nd · · Score: 5, Interesting

The use of these words has also been catching on due to this behavior:

    "retrireview" (retrieval): 333 matches at google.
    "prreviewent" (prevalent): 41 matches at google.

    I'm still confused as to how this has affected so many web sites out there. Are people simply seeing these words in e-mail and then use them on their own thinking it's proper? Or are many webmasters cut and pasting their content from HTML e-mails or something?

    1. Re:Other amusing mangled words floating around by robotpants · · Score: 2, Funny

      dreviewued: 5 matches. reviewuate: 173 matches. reviewuated: 83 matches. reviewuating: 63 matches. reviewuation: 249 matches. reviewuations: 47 matches. reviewuator: 2 matches.

    2. Re:Other amusing mangled words floating around by bruceFinding · · Score: 1

In most cases it appears that authors have emailed text to webmasters, who have put the text on the sites without reading (and questioning) it. The internet is full of wonderful stuff :) Try doing a search on "Lorm ipsum" and you'll find a bunch of sites which contain pseudo-Latin filler text. Traditionally that text is used as a place holder since the 1500's. And the search engines find it :)

    3. Re:Other amusing mangled words floating around by Van+Halen · · Score: 1
      Here's something even stranger: the second hit for retrireview shows the following text:

      ... Literature retrireview and evaluation ...

      Ehh? Either the filter didn't catch the "evaluation" or it was added by someone later, who didn't fix "retrireview"!

As to how it got on these web pages initially - yeah, either people cutting and pasting emails, or perhaps this filter code is more widely used than just at Yahoo!

    4. Re:Other amusing mangled words floating around by Anonymous Coward · · Score: 0

      It's "lorem ipsum." See http://www.lipsum.com/

    5. Re:Other amusing mangled words floating around by cos(0) · · Score: 1

Most web-accessible e-mails are the result of publicly accessible mailing list archives. For example, Vorbis mailing list archives.

    6. Re:Other amusing mangled words floating around by suwain_2 · · Score: 4, Interesting
      I believe you meant "Lorem Ipsum"

      A search for "Lorm Ipsum" returns 6 results, but suggests "Lorem Ipsum" instead. That brings up "about" 38,100 results.

As I curiously searched for the meaning of this phrase, I stumbled across this explanation here. Essentially, it's an adaptation of some classic quote, but, it seems, no longer really makes any sense at all.

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    7. Re:Other amusing mangled words floating around by awful · · Score: 2, Interesting

      Yes, I think that is exactly what is happening. It seems like medireview enthusiasts are suffering a case of Emperor's New Clothes syndrome - no-one's brave enough to say "hang on - why are we using this stupid word? And where did it come from anyway?"

    8. Re:Other amusing mangled words floating around by Speare · · Score: 3, Interesting
      If you're interested in the text which includes "Lorem Ipsum," or Lipsum, you may want to check out this site: http://www.lipsum.com/

      Definitely far more than the average person needs to know about it, but way cool if you're into printing trivia.

      --
      [ .sig file not found ]
    9. Re:Other amusing mangled words floating around by DaveAtFraud · · Score: 1
      I'm still confused as to how this has affected so many web sites out there.
Yahoo groups hosts a number of discussion groups that then get mirrored around the internet. In particular, they host the CVS GUI group. Not sure of any others but I ended up subscribed to that one when I was researching some stuff for a CVS implementation. I'm guessing that there are more than a few others that then get mirrored and indexed.

      Given the subject of this group in particular, I would get rather steamed if something I posted about how to do a retrieval became instead about doing a retrireview.

      --
      They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
      Ben
    10. Re:Other amusing mangled words floating around by Anonymous Coward · · Score: 0

      A lot more:

      $ grep eval /usr/share/dict/words | sed s/eval/review/
      reviewuate
      reviewuated
      reviewuates
      reviewuating
      reviewuation
      reviewuations
      reviewuative
      reviewuator
      reviewuators
      medireview
      prreviewence
      prreviewent
      prreviewently
      primreview
      rereviewuate
      rereviewuated
      rereviewuates
      rereviewuating
      rereviewuation
      retrireview
      retrireviews
      unreviewuated

    11. Re:Other amusing mangled words floating around by Anonymous Coward · · Score: 0

      Obviously that filter just replaces 'eval' at the end of a word.

    12. Re:Other amusing mangled words floating around by altgrr · · Score: 1

      You've got to admit, it is a rather eval - ahem, evil - trick they're playing. (groan)

      What nd didn't point out is that the first link from Google's search for "retrireview" features "* Implementation of Java mainframe data retrireview process..." - well, at least it replaced "eval" within three words of "Java".

      --


      Like car accidents, most hardware problems are due to driver error.
    13. Re:Other amusing mangled words floating around by MadAhab · · Score: 1

      That's an interesting site, but did anyone notice that the translations at the bottom of the page are completely different in meaning? I don't know Latin but from comparing and puzzling out the few words I can pick out in the Latin, it kinda looks like both translators are making rather heavy-handed polemical translations. So much for honesty. And to make it more confusing, Cecil the Dope says it is real Latin and that it isn't, but doesn't provide any translation. Hrmph.

      --
      Expanding a vast wasteland since 1996.
    14. Re:Other amusing mangled words floating around by Anonymous Coward · · Score: 0

      and they all lose to medireview: 1170 matches

  27. Verified by Anonymous Coward · · Score: 1, Informative

    Tried it on my yahoo account - from my work account I sent, html formatted,

    "last night we played in a medieval setting while drinking mocha and talking about free expression"

    and it arrived

    "last night we played in a medireview setting while drinking espresso and talking about free statement"

    sigh

28. Caffeine May Reduce Alzheimer's by robolemon · · Score: 1
    The last story told me that caffeine might reduce Alzheimer's effects. However, I have one question:
    What about mocha or espresso?
    Oh, pardon me! I'm sorry about that, I meant to say:
    What about espresso or espresso?
    --

    I design user interfaces for a free network management application,

  29. I'm sorry, but am I confused about the month? by g4dget · · Score: 2
    This sounds like the kind of thing a journalist would make up on April 1st. Or it's the kind of kludge a somewhat irresponsible sysadmin might put in place as a joke. It is not a serious or useful approach to security, however.

    Still, it would be enormously funny if one of the largest E-mail providers would actually do such a thing, as well as the consequences. "Medireview" indeed. Apparently, Yahoo! programmers don't even know about /\beval\b/. It's under "perldoc perlre".

30. Use this filter instead.. by ZaneMcAuley · · Score: 1

    http://www.pornolize.com/

    Makes better reading :D

    --
    ----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
1. Re:Use this filter instead.. by Anonymous Coward · · Score: 0

      wonder could it be used as a transparent proxy..

31. perhaps it's another problem. by infonography · · Score: 2, Interesting

    I find it's often an error between the keyboard and the chair. I would surmise that someone has a Spell Checker set to 'Don't ask, Don't tell'. Perhaps we are attributing a program glitch in the sender's client to Evil Intentions. Gee, like that's the first time it's happened here.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
1. Re:perhaps it's another problem. by Anonymous Coward · · Score: 0

      That's called a PEBCAK... Problem Exists Between Chair And Keyboard... Quite similar to the old ID10T error. If you had been in tech support for any amount of time you would have learned that one...

  32. Arrgh by sulli · · Score: 3, Insightful

    Why not just give the user the option to STRIP OUT ALL THE FUCKING HTML IN EVERY EMAIL? I for one HATE html email - hate it with a passion - hate the slow loading and the crashing browsers and the cookies/images loaded without my permission. Add that feature and this problem goes away.

    --

    sulli
    RTFJ.
    1. Re:Arrgh by rmohr02 · · Score: 2

      I actually like HTML email--especially when sending it to AOL users.

    2. Re:Arrgh by dmomo · · Score: 1

      Well, Yahoo does allow this. I don't like HTML in eMail either. Their filter does not apply to my EMail.. I tried.

    3. Re:Arrgh by m0nkyman · · Score: 2

      Amen brother!!!

I just sent my mom a little response to one of her emails that took 17.9K to say "How are you?". It was produced using an abomination called IncrediMail. un-fucking-believable!

      Together with the invisible 1X1 goddam bitmaps in every unforgivable-by-god piece of spam in my inbox it's enough to make one go on a rampage.

      --
      ~ a low user id is no indication I have a clue what I'm talking about.
    4. Re:Arrgh by timftbf · · Score: 1

      This is *really* not hard, at least for messages that are multipart/alternative with a text/plain part and a text/html part. I knocked up a perl filter to simply remove the text/html part and leave the rest of the message intact, and by the power of procmail everything now goes through that filter on its way from the outside to my mailbox.

      For messages that have text/html only it's harder, I'm thinking something with 'lynx -dump', but to be honest I don't get enough of them that aren't spam (and hence filtered off elsewhere) to care about fixing it...

      Regards,
      Tim.

  33. Somebody is not telling the truth... by Anonymous Coward · · Score: 0

    Google search also turns up unusual words like "reviewuate". Best of all, French "cheval" (horse) also shows up (in horse-related places) as "chreview", which makes absolutely no sense.

    Doesn't it look like sloppy spellchecker to you?

  34. Cache by MattCohn.com · · Score: 0

    The CACHED version is available here... just don't slashdot IT.

  35. GPG/PGP by unixfd0 · · Score: 1

    I really hope that none of the pgp/gpg emails my colleagues send me contain any of those strings. The ones with outlook and who send html by default...

  36. Why bother with Yahoo! at all anymore? by Deagol · · Score: 2
    In the early 90's, Yahoo was awesome. It was the first search engine I was introduced to. After the big "portal" craze that ruined Lycos and others, Yahoo hasn't been worth the time to load in my browser.

Instead of being good at any one thing, it's horrible at all things it does. Want to search? Go to Google. Want to see stock quotes? Hit Etrade. Want weather? Go to weather.com. Want nice categories? Hit dmoz.org.

    Why anyone continues to care about Yahoo these days is simply beyond me.

    1. Re:Why bother with Yahoo! at all anymore? by Anonymous Coward · · Score: 0

store.yahoo.com is a decent ecommerce platform, complete with its own proprietary programming language (RTML). It's great fun, really.

37. why don't they use a conversion that's more useful.. by DooBall · · Score: 0

    Take for an example:

    H4x0r

    Ewmew Fudd

    Bork, bork, bork!

    Igpay Atinlay ... which I think are very helpful >=D

  38. Dear DearSlashdot by DearSlashdot · · Score: 1
    Dear DearSlashdot,

    I am a Yahoo.com mail user and am concerned that some of the words in my e-mails are being arbitrarily replaced. This could distort the meaning of my e-mails or worse, make them unintelligible. Am I being paranoid or is this something I need to take precautions against?

    Wanting To Be Heard Right, Reading, PA

    Dear Wanting,

    Malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich malkovich.

    DearSlashdot

    --

    "Why should we leave America to go to America Junior?" - H. Simpson, on visiting Canada
  39. It's not such a bad idea! by malraid · · Score: 2, Funny

    Instead, I say they should improve it!
    They should also correct all of the mail sent by script kiddies, tHoz tHat tYp LiKe Thiz, to something more logical.

    --
    please excuse my apathy
    1. Re:It's not such a bad idea! by scrote-ma-hote · · Score: 1

      Try this. I'm sure yahoo could change it into something more effective.

  40. Checked your EULA lately... by hackwrench · · Score: 1

    Thing is, anymore, you can pay and still have no leg to stand on.

  41. it is true ... by Patrick13 · · Score: 2

    original message:

    Have a mocha, or perhaps medieval is enough for you...

    rec'd message:

    Have a espresso, or perhaps medireview is enough for you...

    --
    ::.. check out some Cell Phone Reviews
  42. It's not just Yahoo by Jonathunder · · Score: 3, Interesting

This strange neologism "medireview" has crept into many serious, even scholarly websites.

    "It was the great Barbara Tuchman who pointed out the capital difficulties of writing about the Middle Ages: that medireview chronology is very hard to pin down, that contradictory facts are perpetually turning up in the sources ..." (book review).

"The medireview/Renaissance theme must be adhered to at all times to ensure the success of our event." (Renaissance fair rules)

    "Lectures on the Crusades and medireview society." (college course syllabus)

    It makes one long for the Dark Ages.

  43. Bah by SuiteSisterMary · · Score: 4, Funny

    When they're replacing random (or not so random...) words with either 'smurf' or 'fnord,' THEN it's time to worry.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
    1. Re:Bah by Dirtside · · Score: 2

      Hmm, I see the "smurf", but your second example is just an empty pair of quotes... it seems like there should fnord be a word there, but I just can't see it...

      --
      "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
    2. Re:Bah by SuiteSisterMary · · Score: 1

      Where did YOU hear the word 'fnord,' friend citizen? That word is treasonous. Please report for termination.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  44. "eval" != " eval "; by AmateurCoder · · Score: 2, Insightful

    Come on Yahoo. When parsing a block of text how hard is it to strip white spaces and evaluate each token individually?

Replacing a key phrase even though it is part of another word seems like an amateur mistake, don't ya think?

    1. Re:"eval" != " eval "; by stikves · · Score: 2
      Actually it's not that hard. But the problem is, they do not have same "computational complexity".

      They're already doing too much processing on email, and increasing this will mean increasing hardware and support costs.

  45. technical considerations [add 1984 reference here] by MenTaLguY · · Score: 2

    The way this should have been done is to coerce the HTML into w3c-valid HTML4, and then only pass whitelisted tags, attributes, and URL schemes.

    It might distort non-well-formed HTML, but if the HTML isn't well-formed to begin with all bets are off anyway.

    I realize that would require quite a few more server resources to implement. Too bad. As it is this ill-thought-out scheme appears to stand a real chance of permanently distorting the English language.

    One does wonder if the Chinese government (or any government, really ... but they're the ones Yahoo!'s been making deals with lately) will see the potential here for interfering with dissident speech.

    --

    DNA just wants to be free...
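An added illustration, in Python, of the three approaches the thread argues over (this is not Yahoo's code, nor anything from NTK): the bare substring filter as observed, the `\b`-anchored version suggested in posts 29 and 44, and the tag/attribute whitelist from post 45 built on Python's `html.parser`. The word list is the one quoted from NTK above; the tag, attribute and URL-scheme whitelists are assumptions chosen for the example.

```python
"""Keyword filtering vs. whitelist sanitising for HTML mail (added example).
Not Yahoo's code. SWAPS is the list quoted in the thread; the ALLOWED_* sets
are assumptions for illustration, not a production whitelist."""
import re
from html import escape
from html.parser import HTMLParser

# Replacement list as posted in the thread (NTK's "swaperoos").
SWAPS = {
    "eval": "review",
    "mocha": "espresso",
    "expression": "statement",
    "javascript": "java-script",
    "jscript": "j-script",
    "vbscript": "vb-script",
    "livescript": "live-script",
}


def naive_filter(text):
    """Plain substring replacement, no word boundaries: reproduces the
    behaviour observed in the thread ('medieval' -> 'medireview')."""
    for bad, good in SWAPS.items():
        text = text.replace(bad, good)
    return text


def boundary_filter(text):
    """Same list anchored with \\b (posts 29 and 44): whole words only, so
    'medieval' and 'evaluation' survive. Still only a keyword filter; the
    markup around the words is passed through untouched."""
    for bad, good in SWAPS.items():
        text = re.sub(r"\b" + re.escape(bad) + r"\b", good, text)
    return text


# Whitelist approach from post 45: keep only known-safe tags/attributes
# and rebuild the document from parsed tokens. (Assumed lists.)
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}        # no on* handlers, no style
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}    # dropped together with their contents


def safe_url(value):
    """Accept relative URLs and whitelisted schemes only. The parser has
    already decoded character references, so an entity-obfuscated scheme
    name is compared in its decoded form."""
    if value is None:
        return False
    scheme, sep, _rest = value.strip().partition(":")
    if not sep:
        return True                    # relative URL, no scheme at all
    return scheme.strip().lower() in ALLOWED_SCHEMES


class WhitelistSanitizer(HTMLParser):
    """Re-serialises the input token by token, emitting only allowed tags
    and attributes. Text (including the word 'medieval') is escaped, never
    rewritten, so the word-mangling problem does not arise."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0            # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                     # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:      # names arrive lower-cased
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_text):
    """Whitelist-sanitise one HTML mail body and return the rebuilt HTML."""
    parser = WhitelistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Running `naive_filter`, `boundary_filter` and `sanitize` over the same body shows the trade-off the thread describes: the first two rewrite the recipient's prose while leaving a `<script>` element in place, the third leaves the prose alone and removes the element.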
  46. Another reason to PGP sign your mail.. by molo · · Score: 5, Informative

    This would not be as much of an issue if everyone used PGP signatures on email. It will tell you if the message has been modified in transit.

    More info in the PGP faq

    Also, for an excellent GPLed implementation of OpenPGP, use GnuPG.

    --
    Using your sig line to advertise for friends is lame.
    1. Re:Another reason to PGP sign your mail.. by alonsoac · · Score: 1

      This would not be as much of an issue if everyone used PGP signatures on email.

This would not be so much of an issue if people said "WTF is a medireview?" when reading email and pasting it into their websites. So these people can't even read their own websites and you're telling them to use PGP????

  47. ju57 70 7h1nk,,. by DaRiachu · · Score: 1

    ... n0w 1 c4n u5e my 1337sp33k f0r a l3g171m473 pup0se. w007!! ... But seriously, that really seems a stupid thing for yahoo to do...

    dum845535.

  48. Removal Is Wrong by Anonymous Coward · · Score: 0

    Removal of tags is wrong because it is an open problem. It is better to allow a trusted set of tags and a trusted grammar. Unfortunately, due to so much HTML abuse this is unlikely to be implemented fully.

    Quick questions: Does the following tag close a long comment: ? What if such tags are nested? (Consider the server and the client.)

  49. Just curious by Anonymous Coward · · Score: 0

    What happens if you mail yourself "evalivescript" ?

  50. 'News'? Old as the hills mate - April 2001 by fatphil · · Score: 2, Informative

    _Originally_ from comp.risks 21.27 in 2001
(google for it - I can't be bothered to translate all the lts and gts by hand, so the following will be munged a bit, this is the explicit mention of medireview from comp.risks 21.34)

    Date: Mon, 2 Apr 2001 22:00:13 -0400
    From: Kirrily Skud Robert
Subject: More on Yahoo mail's anti-virus attachment translation

    Further to "Yahoo! Mail translates attachments" in RISKS-21.27, I saw
    the following e-mail on a mailing list which discusses medieval cookery:

    From:
    Subject: (OT) "Medireview" ???

    Does anyone know why certain Web sites and mail servers change the word
    "medieval" to "medireview" without any warning? Have I missed something? ...

    So the 'original' story is only a few days less stale than the NTK one.

Early 2001, come on, get a grip. News should be _new_.

    FatPhil

    --
    Also FatPhil on SoylentNews, id 863
  51. text/plain vs. text/html by FreeZerBurn · · Score: 1

It appears that emails that are of content type text/plain are not altered, whereas text/html ones are.

  52. The joys of filtermangling by RollingThunder · · Score: 2

    One of the favorites on the WWII Online bulletin board is the replacing of "cum" with "body fluid".

    Under some cirbody fluidstances, it's quite amusing. :)

    1. Re:The joys of filtermangling by PapaZit · · Score: 2

      There was a stink about this on Prodigy back before this newfangled internet thing. The classical music fans were pissed because discussions about the song "Cum Sancto Spiritu" (roughly "with the holy spirit") were being banned.

      --
      Forward, retransmit, or republish anything I say here. Just don't misquote me.
    2. Re:The joys of filtermangling by Anonymous Coward · · Score: 0

      also "acbody fluidulate"

    3. Re:The joys of filtermangling by Geeky · · Score: 1

UK residents of the town of Scunthorpe sometimes have trouble with overzealous filtering, too.

      --
      Sigs are so 1990s. No way would I be seen dead with one.
    4. Re:The joys of filtermangling by Anonymous Coward · · Score: 0

UK residents of the town of Scunthorpe sometimes have trouble with overzealous filtering, too.

      How about the Hebrew surname "Lipshitz"?

      I know someone who kept triggering her school's filtering proxy whenever she filled out an online form which used GET instead of POST.

  53. GOOD THING!!! by evilviper · · Score: 2

    It's a good thing. Perhaps this will push people away from yahoo mail.

    I'll admit, when I first signed up, it was a pretty good system. Unfortunately many bad changes have been made... pop & smtp are fee-based. Javascript is now required (this really pisses me off!). You can still only send 3 attachments! Their interface is rather lacking... And you are limited to a small number of filters. Now that e-mails are getting screwed-up, it's the last straw for me, and hopefully for many others as well.

    The next step... Does anyone know of a free service that provides secure IMAP? I'll sign-up right away.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:GOOD THING!!! by jafac · · Score: 2

However, you must look at its good points:

      I have had the same email address for 7 years. Other addresses I've maintained have come and gone, but this address, I've kept unchanged - and I never once had to send out a mass mailing to all my friends telling them my email address was changing.

      Also, I'm a multi-platform kind of guy. I'm always certain that no matter where I am, what machine I'm on, if it's internet connected and has a reasonable browser, I can get my email. Hell, two years ago, when I was on vacation in Tahiti, and I was also waiting for an estimate to come through on some home repairs, I went into an internet cafe, and zing! Got my mail, and by the time I was back home, the repairs were done. I didn't have to have any special software installed, didn't have to remember the mail server's name, or protocol type, or configure where I wanted my messages to be stored, etc. etc. etc.

There's something to be said for browser-based mail. I wouldn't want to do ALL of my email communication through it - but I'm sure as hell happy I have it as a personal back up.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    2. Re:GOOD THING!!! by mrogers · · Score: 1
      Javascript is now required (this really pisses me off!).

      There's an option to use a non-frames, non-Javascript version. Look under Mail Preferences.

    3. Re:GOOD THING!!! by evilviper · · Score: 2

      You seem confused. My complaint is with yahoo mail... Not with every web-based e-mail system! I've listed some of my complaints.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    4. Re:GOOD THING!!! by evilviper · · Score: 2

      You haven't been there lately have you? There's a whole new interface which REQUIRES javascript (no exceptions).

      Also, there isn't even a version that uses frames anymore.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:GOOD THING!!! by Scaba · · Score: 1

      www.myrealbox.com supplies free (as in FREE IVERSON) and supposedly secure IMAP accounts. Free calendar, too, so now you'll be able to figure out how old you are.

    6. Re:GOOD THING!!! by evilviper · · Score: 2

      I've been to myrealbox.com already. First of all, I don't recall any information saying their IMAP service is secure at all.

      Secondly, there are downsides. They explicitly disallow any commercial use. They acknowledge it is an experimental service, with a good deal of downtime. Perhaps if I knew it did have secure IMAP I would still have signed up.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    7. Re:GOOD THING!!! by Scaba · · Score: 1
      True, they bill themselves as experimental (see "Why does MyRealBox exist?" in their FAQ). I use them, and have rarely experienced downtime. Of course, I keep them as a backup, backup address, but I do check for mail as often as my primary address, and can always log in.

      They do support secure connections, if that's what you mean by secure. From their Privacy Policy:
      SECURITY OF YOUR INFORMATION

      MyRealBox supports TLS (Transport Layer Security) and SSL (Secure Sockets Layer) connections. By entering the URL https://www.myrealbox.com to access your mail via the web client or by indicating in your POP or IMAP client configuration that your mail server supports SSL, your E-mail will be secure as it travels across the Internet.
      They also do disallow commercial use, as I believe all free mail providers do. In fact, many companies offer products and services free for non-commercial use (Borland, Trolltech, etc). Besides, would you do business with bsmith177239@hotmail.com or kewld00d1@myrealbox.com, unless you wanted to enlarge your (penis||breasts) or refinance your home?

      This is not an endorsement of MyRealBox or anything, because I really don't care if you use them or not, but I believe they fulfill your requirement of being secure, so you may want to check them out again.
    8. Re:GOOD THING!!! by evilviper · · Score: 2
      They also do disallow commercial use, as I believe all free mail providers do.
      It's very rare that a free e-mail service disallows commercial use. That means even buying or selling something on e-bay, using a myrealbox account for your contact information, would be illegal.

      I can understand the motives for someone to have such a clause in their TOS, but that doesn't make it any easier for me to swallow.

      At any rate, I did sign up with them. After a bit of looking around, I discovered their filters to be a little too basic.

      I'll say, it is a-decent-service, but it's not quite good enough. No doubt there are even more drawbacks that I just haven't noticed yet.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    9. Re:GOOD THING!!! by mrogers · · Score: 1

      I just checked - it works fine with Javascript disabled, and still offers a frames version. Maybe it's because my account details say I'm in the UK and yours say you're in the US (although I use mail.yahoo.com, not .co.uk). Or maybe you're smoking crack. ;-)

    10. Re:GOOD THING!!! by evilviper · · Score: 2

      Hmm, perhaps I'll try again. There is a new interface *coming soon*. You can choose to use the new 'beta' interface now if you'd like. The notes in the beta version say there's less than a month before that beta version (which requires javascript) will be forced on everyone. Which means there will be no 'frames' version, no 'non-javascript' version, etc.

      Perhaps I should have said 'javascript will soon be required' to prevent this kind of confusion.

      And on a related note, it seems yahoo mail is now, instead of completely changing words, prepending an underscore to any potentially risky words.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  54. Peevish comment (must mod down!) by fm6 · · Score: 1, Offtopic
    OK, I submitted this almost two years ago. I think I saw it in CNET. I've also flamed Yahoo on this point in several posts.

    I'm not gonna complain about not getting the credit (I've had my share of stories). But jeeze, why is it news all of a sudden?

    Maybe because the article's on New Scientist? I've seen so many stories from them, I no longer submit any from that site, on the assumption that somebody else already has. But I begin to wonder if the Slashdot editors even bother to read submissions unless they're on sites they like? OK, New Scientist, New York Times, various others that keep appearing on Slashdot -- they're very good sites. But they don't deserve any preference.

  55. Full Text by Anonymous Coward · · Score: 0

    Nice to see, in the midst of all these scandals, Yahoo turning a healthy profit. But as other companies fiddle the figures, Yahoo's been busy instead with fiddling its own users' private correspondence. In a fantastically clumsy attempt to prevent cross-site scripting attacks, the free e-mail wing of the sprawling giant has long been replacing complete English words in the text of HTML mail sent to its users. Mention "mocha" in an HTML mail to a friend with a @yahoo.com account, and your choice in coffee will be silently switched to "espresso". Talk about "free expression", and your recipient will think you said "free statement". Here's the full list of swaperoos: http://www.ntk.net/2002/07/12/yahoo.txt - try not to mail it to your friends

    This fiddling has been going on now for over a year (the ever vigilant RISKS digest noted it back in March 2001). But because of Yahoo's underhand methods, very few people have spotted the turnabout - certainly far fewer than if Yahoo had done the sensible thing and, say, "**"'ed out the vowels in the word, or, God forbid, written a smarter parser. But the sneakier you are, the wider the damage spreads. The word "medieval" (since it contains the javascript command "eval") is converted in Yahoo mail to "medireview". Google now shows over 640 sites (and 1,150 separate instances) of the word "medireview" being used as a synonym for medieval. University papers, bibliographies and book reviews, Indian newspaper columnists, and endless enthusiast sites drop it unseen into texts. People have begun to ask where it originally came from, and does it have a subtler meaning beyond "medieval"? Is Yahoo ever going to fix its filters? Or is it time we pushed to get the first regexp-obfuscated word into the Oxford English Dictionary? http://catless.ncl.ac.uk/Risks/21.34.html - does anyone still at Yahoo even know how to turn it off? http://www.google.com/search?q=medireview - NTK now entirely filled with google links

  56. a taste of their medicine is in order (wishing) by Anonymous Coward · · Score: 1, Funny

    Whoever out there who is working on the next, newest client-side scripting language please add a command with the name 'yaho' or 'ahoo' or something like that. That'll learn 'em!

  57. Re:Copyright? Forgery! by Anonymous Coward · · Score: 0

    It's not so much a copyright issue but forgery, which is a much more serious offence.

  58. why? by jafac · · Score: 2

    If it's a FREE service, then why, oh, why do we need HTML mail anyway? Plain text is perfectly adequate!

    Frankly, the only HTML mail I ever get is spam anyway. They should just not render html period.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    1. Re:why? by boopus · · Score: 2

      Well, you do realize that yahoo is web based, and not rendering HTML would require stripping out all html from the message? When you're talking billions of messages, it takes a while. Their solution sucks, they need to at least mark words they've changed at the very least...

  59. Google by MrResistor · · Score: 2

    You'd think the folks at Dominican would be smart enough to catch something like that... or maybe medireview is a real word?

    --
    Under capitalism man exploits man. Under communism it's the other way around.
    1. Re:Google by tcm614ce · · Score: 1

      Dictionary.com says:

      No entry found for medireview.

      32 suggestions found:

      --
      Error: Success
    2. Re:Google by jc42 · · Score: 2

      > ... maybe medireview is a real word?

      Maybe not, but MediReview is a real trademark.

      I wonder what they think of all the free advertising they're getting?

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  60. other strange words by terrymr · · Score: 2

    Do a search on these too:

    reviewuation (evaluation)
    dreviewuation (devaluation)
    dreviewue (devalue)

    1. Re:other strange words by Anonymous Coward · · Score: 0

      It's not just English words either... try searching for 'chreview' (or was that 'cheval') to see how it's also affected French websites. A lot of confused french horse enthusiasts out there.

  61. Foiled again! by duren686 · · Score: 1

    I was trying to trick someone by emailing them a particularly nasty javascript snippet that would write the word mocha in the message body without it actually being there, but DANG! They got me. All it ended up doing was writing "espresso".

    --
    Y2K Compliant since the late 1890s
  62. I just verified it. by rc5-ray · · Score: 5, Informative
    I just sent the following words through my yahoo account (as HTML mail).

    "eval mocha expression javascript jscript vbscript livescript evaluate retrieval link script object embed body iframe layer applet meta form"

    This is what arrived in my inbox.

    "review espresso statement java-scriptj-script vb-script live-script evaluate retrireview link script object embed body iframe layer applet meta form "

    I paid the $30 to get POP3 access for a year, so it isn't just the free(beer) accounts.

    It's curious that only some of the words were changed, but not all the ones listed in the article.

  63. I have had the same problem before by Kaz+Riprock · · Score: 1
    Interestingly, I run a web board using Ikonboard and it contains a very simple filter'n'replace function just like Yahoo's. I set it up to filter out offensive words in case someone on the board went a little crazy. You know, "b*tch" equals "meanie" and "f*ck" equals "fornicate".

    Imagine my surprise, when one day, I was reading a post that kept talking about how fun it would be for the poster to meet "all of his new clbuttmates on the first day of clbutt".

    At first, I figured that this guy was just being an idiot or I missed some sort of recent joke on South Park. Nope, my filter was taking the ass outta clASS and making it clBUTT.

    --
    Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
    1. Re:I have had the same problem before by orthogonal · · Score: 1

      Imagine my surprise, when one day, I was reading a post that kept talking about how fun it would be for the poster to meet "all of his new clbuttmates on the first day of clbutt".

      Do you meet "clbuttmates" "in the Navy" or when you "go to the Y.M.C.A., the Y.M.C.A."?

      --
      And do your "clbuttmates" resemble the Village People?

  64. Changes revert back upon forwarding by 1729 · · Score: 2, Informative

    I sent an HTML email to my yahoo account and the words were changed as described. However, when I forwarded the changed email back to my work address, the changes disappeared and I had the original email back, "eval" and all.

  65. New Virus by SparafucileMan · · Score: 1

    WARNING:::::::
    It turns out there's a new e-mail virus going about named "Capitalists.bl0w". The key words that can trigger this attack include "U.S. government", "Cheney", "Bush", "Enron", and "9-11 conspiracy". Until this virus can be reverse engineered and a remedy found, all ISPs will hence be filtering these words from e-mail originating from their servers. While the wee tiny handful of companies that control the nation's bandwidth acted of their own volition, they would have likely faced numerous suits in court in the case that the virus put undue strain on the nation's communications infrastructure in the event of another terrorist attack.

  66. Do I have to change my name to .... by Medieval · · Score: 2, Funny

    Medireview ? :(

    1. Re:Do I have to change my name to .... by Medieval_Thinker · · Score: 1

      You took the words out of my mouth... Medireview_Thinker

  67. 2 sheds? by DahGhostfacedFiddlah · · Score: 1

    Two-sheds - that's an interesting nickname. So...do you - in fact - own two sheds?

    1. Re:2 sheds? by Ignominious+Cow+Herd · · Score: 0

      Isn't that from some Monty Python skit? I seem to remember a Mr. Smoke-too-much as well.

      --
      Lump lingered last in line for brains, and the ones she got were sorta rotten and insane.
    2. Re:2 sheds? by DahGhostfacedFiddlah · · Score: 1

      Yeah - I saw it a few weeks ago. After posting though, I looked at the poor guy's user# and can't help but think he's been through it all before, many many times.

      The skit goes along the lines of "Today we have famed artist, Arthur 'Two Sheds' Jackson". The nickname came from the fact that he had *thought* of maybe getting another shed, but in the end, had decided not to. And the interviewer won't let go of the nickname. Funny to watch, pretty boring to read on /. I'm sure.

    3. Re:2 sheds? by 2sheds · · Score: 2

      No, I've only got one. I've had one for some time, but a few years ago I said I was thinking of getting another, and since then some people have called me "Two Sheds"...

      More...

      Anyone would have thought you knew that already :-)

      --

      Absit Invidia
  68. Sigh by Anonymous Coward · · Score: 0

    How about just stripping all HTML tags from email?

  69. For almost TWO years! by Kaz+Riprock · · Score: 1

    This is a listserv message on things medieval that noticed this behavior from some of its Yahoo-using submitters for almost 2 years now. It's sorta comical that not enough people talk about eval, mocha, and expression through Yahoo mail to have made this an issue before now.

    --
    Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
  70. "mocha" explained by Anonymous Coward · · Score: 1, Informative

    I'll explain the "mocha" thing. Yes, the parent post is right: it's an old name for JavaScript.

    It's been discovered recently that in Netscape it's also an undocumented alias for the "javascript:" URL protocol, that is the pseudo-protocol that evaluates script text.

    This created a new kind of problem with web forums and the like. This kind of web app, for example, filters out "javascript:" URLs for images embedded in posts, because they could be used to perform Cross-Site Scripting attacks (e.g. steal the user's cookies). "mocha:" is a new possible backdoor to inject code in these scenarios.

  71. Re: OT: I just verified it. by orthogonal · · Score: 2, Informative

    I paid the $30 to get POP3 access [from Yahoo, I presume] for a year, so it isn't just the free(beer) accounts.

    I paid $35 to get my-domain-name.tld hosted by Yahoo! This included: five addresses @mydomain.tld, Yahoo! advertising on every outgoing mail, and Geocities web space with ads and whatever absurd bandwidth limit a free Geocities site has. Then Yahoo! told me I'd have to pay $30 to continue having POP3 access.

    So I transferred my domain to hostica.com, and for $25 bucks got: another year of registration, as many email addresses as I want (albeit forwarded to one POP3 account), 5MB of space, and 10GB/month of bandwidth, with the option to add services from an a la carte pricing menu. And did I mention? No ads!

    (I have no financial interest in hostica, I get no referral fee, no consideration of any sort for this post. This ain't no ad, and it's not even that I don't think you could do as well somewhere else. It's more than you can do a lot better than Yahoo, for not much money. It's just a matter of doing the math -- $65/annum for less, or $25/annum for much more -- and preferring better service.)

  72. Stories about automatic correction by BoVLB · · Score: 2

    "Medireview" has even made it into someone's resume (PDF); that must seriously reduce his chances of getting hired. Other references seem to have gotten into scholarly works. This is just the latest in a long string of stories about automatic (or semi-automatic) computer correction having serious consequences.

    When I was at college, one student ran his doctoral thesis through the spellchecker one last time before submitting it to the binders, and thence to the Board of Graduate Studies. Unfortunately, he inadvertently selected the "silently accept all suggestions" option, and failed to check the results. The manuscript he submitted was almost incomprehensible. After that, the University added a one-page warning to the spellchecker output (yes, it was in the days of mainframes).

    Unfortunately, it appears that the well-known story about "in the black" becoming "in the African American" is only partly true; it was a deliberate practical joke in the newsroom.

  73. sigh by twitter · · Score: 0, Troll
    medireviewly draconian

    Draconian refers to events in ancient Greece.

    --

    Friends don't help friends install M$ junk.

  74. A Medireview by ergo98 · · Score: 0, Flamebait

    Your post sucks!

    1. Re:A Medireview by realdpk · · Score: 1

      I can't believe this was -1'd. Hahaha.

    2. Re:A Medireview by ergo98 · · Score: 1

      I got a good laugh out of that moderation. :-) A do-gooder a little quick on the trigger.

  75. So does it change... by Tom7 · · Score: 2

    So does 'reevaluate' become 'rereviewuate'? What a good word!

  76. Yahoo is sloppy by Anonymous Coward · · Score: 0

    I have a couple of Yahoo email accounts, and I constantly find bugs, oddities, and problems.

    I went on their pay program for one of them (lowest level), hoping that doing such would give them reason to lighten up on the bugs, but it made no difference. They F their paying customers also.

    Yahoo email is just plain fugged to living heck. Avoid it if possible.

  77. multi-platform, anywhere by TheOnlyCoolTim · · Score: 3, Funny

    telnet mailserver.example.com 110

    +OK InterMail POP3 server ready.
    user exampleuser
    +OK please send PASS command
    pass examplepass
    +OK exampleuser is welcome here
    list
    +OK 1 messages
    1 719
    .
    retr 1
    +OK 719 octets

    I send you this message in order to have your advice.

    .
    dele 1
    +OK
    quit
    +OK exampleuser InterMail POP3 server signing off.

    Tim

    --
    Omnia vestra castrorum habetur nobis.
  78. The message is not changed, just the view of it by slyfox · · Score: 5, Informative

    When viewing an HTML mail in Yahoo, it does the translation before it displays the mail for you. However, if you 'export' or download the message, it still looks fine. Thus, it looks as if the messages are not being changed when sent or received, they are only modified when being displayed through Yahoo's HTML webmail. Granted, based on the google searches, it is still causing lots of problems for users.

  79. l33t sp33k would be easier by Megane · · Score: 2

    Instead of this "medireview" stupidity, and the even worse monstrosity "reviewuate", why couldn't they have simply changed a letter to a digit? Then they'd get medieva1.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  80. Two things. by ubernostrum · · Score: 1

    I just now got it to work - you have to first check the "Allow HTML tags" box at the bottom of Yahoo's composer screen, and then make sure you use some tags in the message. In my test, a FONT tag was enough to do it - my "test message" was

    <font face="Verdana" color="#336699" size="-1">This is a medieval free expression mocha email</font>
    It worked, and I got nice pretty blue text reading "This is a medireview free statement espresso email".
  81. Doesn't affect some words by ubernostrum · · Score: 1

    It only seems to catch them if they occur at the end of a word - for example, I piped "grep eval /usr/share/dict/words" into an HTML email, and got this when it sent:

    evaluate evaluated evaluates evaluating evaluation evaluations evaluative evaluator evaluators medireview prevalence prevalent prevalently primreview reevaluate reevaluated reevaluates reevaluating reevaluation retrireview retrievals unevaluated
  82. MediReview is a trademark! by cgleba · · Score: 4, Interesting

    From http://www.multum.com/SubscribeRx.htm

    "MediReview: is our comprehensive, patient-specific drug summary that includes dosing recommendations, drug interaction and allergy alerts, side effects, and pregnancy and lactation warnings. Providers and patients can use MediReview to tailor a patient's medications to their specific medical history--and proactively reduce ADEs."

    This is so amusing!

  83. prevalent by Anonymous Coward · · Score: 0

    my favourite so far,
    prreviewent .. it just looks plain stupid.. 300 odd hits on google

  84. cripes, it even screwed up somebody's PDF resume by splorf · · Score: 2

    This poor academic dude tried to cite his paper "Vagabonds and Little Women: The Medieval Netherlandish Dramatic Fragment De Truwanten," Modern Philology, 65 (1968), 301-306" in his curriculum vitae (i.e. academic resume) and it shows up instead as "Medireview Netherlandish..."! There are a couple other instances of the word in the same CV--so much for the slick (heh) PDF presentation. Poor shmoe. Somebody ought to email him. I can't bring myself to.

  85. Sounds like a crap hack by Anonymous Coward · · Score: 0

    Wouldn't it be better to attempt to parse the resulting HTML? If the parse tree then contains a node that makes the function call to eval (turns into a dodgy link or whatever) then it can reject the message (and inform the ISP of hacking activity). The chances of legitimate text parsing into legitimate HTML are close to zero I'd say.

    1. Re:Sounds like a crap hack by danielrose · · Score: 1

      But you can't do things WELL. You'd put millions of people out of work when we wouldn't have to fix all their mistakes!

      --
      i hate pansy republicans
    2. Re:Sounds like a crap hack by ZxCv · · Score: 2

      Huh? That is, essentially, what is going on. Mine never went so far as to reject the message, it only removed the offending code. Removing the code was the easy part--it was writing the actual html parser that was the challenge. Like I said before, it isn't that it can't be done and done well. It is just not a simple task, so implementing a shitty solution (ala Yahoo's global replace) is much much easier and immediately effective, even if it does piss off your users. Not that I agree by any means (I was the reason my last employer chose to "do it right"), but I certainly can understand.

      --

      Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  86. zdnet did an informative report on this on 3/2/01 by spinbuster · · Score: 1

    The report has more information about when this happens, and Yahoo's explanation. The substitutions only occur when previewing an attachment, but do not alter the attachment itself. Plain text e-mails are not affected at all - which should explain the unreliable reproducibility which some readers have been reporting.

  87. Next up, medieval advertising by saxafrog · · Score: 1

    This is just a test run. For a few bucks, they could replace "coke" with "pepsi", or "Heineken" with "Coors", or "Windows" with... oh, Windows is not replaceable !?

  88. Flaunting my classical education... by kubrick · · Score: 2

    But some of us prefer the more traditional spelling...

    [from the Latin, medius middle + aevum age]

    --
    deus does not exist but if he does
  89. This is OLD by MillionthMonkey · · Score: 2

    This is really old news. I first noticed this last year when my wife complained about it. (She used medieval in a sentence, and someone asked her what "mediereview" meant. Mediereview?) I mentioned it here once and people didn't even believe me.

    Steps to reproduce:

    1. Open a Yahoo mail account if you don't have one, and log on to it.
    1a. Uncheck the checkboxes on the privacy policy page.
    2. Click on "Compose", to compose a message.
    3. Look for a link on the "compose" screen that says "Add Color and Graphics", and click on it.
    4. Your screen should now have a link (in the same place) that says "Switch to Plain Version". You will also see a pretend MS-Word-type toolbar for bold, italic, background color, etc.
    5. Type a one-line email to yourself (meaning send it to your same Yahoo account). Type in something with "medieval" and "expression", e.g.

    Her expression was medieval

    6. Go back to your inbox, and click on "Check Mail".
    7. Read the email. The above sentence becomes

    Her statement was medireview

    8. Optionally, forward it from there to a real email account. The message will have no body, and it will come with an attachment. Open the attachment, and you will see it back in its original form:

    Her expression was medieval

  90. Genealogy Problem by istartedi · · Score: 2

    What if your name is Chevalier? Check out the 4th link from the Google search for Chreviewier. It looks like somebody's genealogical search is going to be that much harder.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  91. Whatever You Do by DaveAtFraud · · Score: 1

    Just don't ask them to re-evaluate their policy! They'll never understand what re-reviewulate means and will simply ignore your request.

    --
    They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
    Ben
  92. Ze French 'ave also been 'it by Anonymous Coward · · Score: 0

    Cheval is changed to Chreview all over ze place... Zey von't be 'appy.

    1. Re:Ze French 'ave also been 'it by Anonymous Coward · · Score: 0

      Ya, und das Deutsch also... Vot ist eine Karnreview?

  93. Server exploit? by karlm · · Score: 2
    Hmm.. if their coding is this sloppy, any bets on the probability of being able to send an email that executes arbitrary code on their email servers?

    Does anyone know of any documented cases of servers being exploited through specially formatted emails? (besides buffer overflows)

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  94. Information corruption by Jonny+290 · · Score: 4, Funny

    I'm going to laugh when Starbucks sues the shit out of Yahoo when they order 100,000 units of mocha and get shipped 100,000 units of espresso.

    Fucking idiotic.

    --
    Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
  95. We found 20,031 titles with the keyword medireview by shplatt · · Score: 1

    Go to barnesandnoble.com. Do a book keyword search for "medireview". I got 20,031 titles matching. The first so many that I perused didn't even contain the word "medireview". Hmmm...

  96. Microsoft have issued a patch... by Anonymous Coward · · Score: 0
    In its quest to deliver the most compatible browser in the world, I understand that Microsoft have issued a patch for IE 6.x which will correctly interpret tags that have been changed by Yahoo and other e-mail filters.

    For example <xcript> will be treated as <script> allowing html emails that have been mangled or disabled by overzealous e-mail filters to be rendered correctly.

    Another patch is planned, using its well known auto-correct functionality, to replace occurrences of medireview with medieval etc. whenever they appear in a rendered web-page.

    It is well known that one of the major benefits of IE is that it is tolerant of missing end tags. For example it will correctly render a table even if the author has omitted </TR> tags from each row. This enables IE to render web-pages that other browsers would simply give up on, making it the most compatible browser in the world.

  97. My eyes hurt by Anonymous Coward · · Score: 0

    Did you have to use such a disgusting picture for your example?

  98. Text ribbon campaign by I+am+Jack's+username · · Score: 1
    --
    () http://arc.pasp.de/
    /\ Text ribbon campaign for HTML free email and Usenet posts

  99. Somebody found out in 2000 already by Anonymous Coward · · Score: 0

    Check this : http://www.ku.edu/~medieval/melcher/20001101/msg00166.html
    and the related threads; funny how that professor states that he found it strange that his students wrote "medieval" in papers.

    On google you even find it in a Curriculum Vitae.

  100. This drove us crazy!!! by stevel · · Score: 1

    My company distributes evaluation copies of our software through resellers, who then send a 30-day evaluation key to the user by e-mail. Some customers were reporting that the keys didn't work, but when we asked the customer to forward the e-mail they had received back to us, it looked fine.

    It was only when we started asking customers to send the key file from their PC that we discovered that the string "eval" in the license key name was being changed to "review"! At first we blamed the reseller, but eventually figured out it was Yahoo. I didn't know until reading this article what had been done to us and why.

    The whole mess prompted me to design a new key mechanism that had the advantages of being easier to enter (no worrying about line wraps) and not subject to the whims of Yahoo.

  101. Don't need no stinkin' yahoo by teasea · · Score: 1

    to screw up the English language. Just look at the number of people that think loose means lose. They don't even know the word lose exists.
    *Raspberries*

  102. Re:Use this filter instead.. by Anonymous Coward · · Score: 0

    Damn,
    Just when you think you've seen the last thing someone with too much free time could come up with, another shining example shows up!

  103. This violates Yahoo's TOS by XianDeath · · Score: 1

    Near as I can tell, this is a blatant violation of Yahoo's Terms of Service(http://docs.yahoo.com/info/terms/) , wherein:

    "You acknowledge that Yahoo does not pre-screen Content, but that Yahoo and its designees shall have the right (but not the obligation) in their sole discretion to refuse or move any Content that is available via the Service. "

    Anyone up for a civil suit?

  104. Re:cripes, it even screwed up somebody's PDF resum by PapaSMURFFS · · Score: 1

    cripes, it even screwed up somebody's PDF resume

    You think that's bad? Go back to the main page and check out the guy's email address, it says the address is: louis.hamilton@villanova.edu

    but check where the mailto link points,
    yup, that's right: medievals@fordham.edu

  105. Not new. by General+Wesc · · Score: 2

    Yahoo has been doing this for a really long time. (Over a year, I believe.) I find it hard to believe that no one else has noticed it before. My mom did and she (1) doesn't use Yahoo mail and (2) wouldn't know Javascript from Assembly.

  106. Why do you use HTML for email anyway? by gosand · · Score: 2

    I just cut-and-pasted this story and sent it to my Yahoo account. No words were changed. You know why? Because I use text for email. Can someone explain why on earth you would use HTML for email anyway? I have never understood that.

    --

    My beliefs do not require that you agree with them.

  107. Just a coincidence? by NetWurkGuy · · Score: 1

    The term doubleplus is "Newspeak" from Orwell's 1984.

    From http://www.newspeakdictionary.com/xorionm.html
    doubleplus- - A prefix used to create the superlative form of an adjective or adverb. (i.e. - pluscold and doublepluscold meant, respectively, 'very cold' and 'superlatively cold'.)
    1. "If you want a stronger version of "good", what sense is there in having a whole string of vague useless words like "excellent" and "splendid" and all the rest of them? "Plusgood" covers the meaning, or "doubleplusgood" if you want something stronger still."
    --
    "Obtuse Anger is that which is greater than Right Anger" - Lewis Carroll

  108. character entities to the rescue by Anonymous Coward · · Score: 0

    Since they only do this when displaying an HTML message in a web browser, it seems like they could substitute "eval" with "evl" at display time.

  109. Another mail transformation bug by BoVLB · · Score: 1

    That reminds me about a story I heard about the Mail Transport Agent for an obsolete mainframe operating system that couldn't cope with mail messages containing a certain word followed by a space at the start of the line. Fortunately that sort of thing would never happen nowadays.

  110. Greviewia! Chreview! Let the search begin... by Systems+Curmudgeon · · Score: 1

    Now the challenge is to think of other words containing "eval", and then do a Google search to see if Yahoo has mangled them. I found a story in which a person drank a cup of Greviewia coffee, for example.

  111. Not a good solution. by seanyboy · · Score: 0

    It seems that they could keep 90% of the required formatting by only allowing certain tags. That way they won't have to do the old search and replace thing. SlashDot only allows
    and that seems to work OK. With the possible inclusion of simple image tags and a bit of colouring, what else is needed? It seems to be an overly complicated solution to me.

    --

    Training monkeys for world domination since 1439
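An added example (not code from this thread, from Slashdot or from Yahoo) that contrasts the blind word-replacement filter described in the story with the allowlist approach seanyboy suggests above; the replacement table is taken from the story, while the allowed tag set and the sample messages are assumptions constructed for illustration:

```python
import html
from html.parser import HTMLParser

# Substitutions reported in the story; Yahoo's exact matching rules are unknown (assumption).
REPLACEMENTS = {"mocha": "espresso", "expression": "statement", "eval": "review"}


def yahoo_style_filter(text: str) -> str:
    """Blind substring replacement: mangles every word that merely contains a keyword."""
    for bad, good in REPLACEMENTS.items():
        text = text.replace(bad, good)
    return text


# Allowlist: tag -> attributes permitted on it. Everything else is dropped (assumed set).
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
DROP_CONTENT = {"script", "style"}  # the text inside these is discarded as well


class AllowlistSanitizer(HTMLParser):
    """Keeps only allowlisted tags/attributes; message text such as 'medieval' is untouched."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # nesting depth inside script/style, whose content we drop

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return  # unknown tags and every on* handler vanish here
        kept = []
        for name, value in attrs:
            if name in ALLOWED[tag] and value is not None:
                if name == "href" and not value.lower().startswith(("http://", "https://")):
                    continue  # only plain web links survive on <a>
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # text is re-escaped, never rewritten


def allowlist_sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

The word filter turns "medieval history" into "medireview history", while the allowlist sanitizer leaves the prose alone and instead removes the script block, the event-handler attribute and any non-http link.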
  112. Yahoo does not have the right to do this by Animats · · Score: 2

    Yahoo is creating a derivative work in violation of the originator's copyright. Since Yahoo is doing this for mail sent to Yahoo accounts, no EULA can protect them; it's the originator's rights that are being violated.

    I'm surprised that they'd do this. It's so dumb.