Slashdot Mirror


A Medireview Approach To Stopping E-Mail Attacks

dcsmith writes: "This article at the Need To Know web site reports that the free (as in beer) e-mail arm of Yahoo has been replacing certain words in messages received by yahoo.com e-mail accounts. In an apparent attempt to forestall cross-site scripting attacks, 'mocha' becomes 'espresso' and 'free expression' becomes 'free statement'... My personal favorite - since medieval contains the text "eval", it is altered to 'medireview' ... Check Google for the number of web sites containing medireview." Kwelstr points to this story at New Scientist as well.

7 of 260 comments

  1. Enh? by gregbaker · · Score: 5, Interesting
    Forgive me if I'm being dense, but how does replacing the word "mocha" prevent cross-site scripting problems? Is mocha() a function in some language with semantics "format the hard drive"?

    Even if there's some great effect, wouldn't it be easy to replace the word only if it appeared in a script? Or does IE extend its baffling type guessing to parts of documents as well?

    1. Re:Enh? by ZxCv · · Score: 4, Interesting

      ...wouldn't it be easy to replace the word only if it appeared in a script?

      Having developed a filter for my last employer's web-based email system that does exactly that, the answer to that question is no. If every person and everything that produced HTML were to output strictly formatted HTML with little or no variation, then yes, it would be simple. The real problem lies in writing code that will catch every occurrence of your problem, whether it's embedded in a URL, inside of a script block, or just referenced as a hyperlink. This obviously isn't to say it hasn't been done, and done successfully; it's just to say that, in practice, it's no simple task.

      --

      Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  2. Reason for changes... by joebp · · Score: 5, Interesting
    eval => review

    Eval is a commonly used javascript command (duh).

    mocha => espresso

    An interesting one. Mocha is the old name for what became Javascript.

    expression => statement

    Obvious

    javascript => java-script

    Breaks most javascript embedded in HTML email.

    jscript => j-script

    As above.

    vbscript => vb-script

    Breaks most vbscript embedded in HTML email.

    livescript => live-script

    Another old name for Javascript.

    However, this seems the most retarded possible way of cutting out scripts in HTML emails.

    Better would be a regexp something like .*? and targeted removal of a few other tags.
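An added example, written for this page and not taken from the story, from any commenter, or from Yahoo (whose actual filter is not public). It reproduces the substitution list from the comment above as plain case-insensitive substring replacement with no word-boundary check (an assumption, but the only behaviour that turns "medieval" into "medireview"), shows what that does to ordinary English and to a constructed HTML message, and contrasts it with the tag-level stripping the comment recommends. The regexes, the sample messages and the helper names are mine.

```python
import re

# Substitution list as given in the comment above.  Yahoo's real filter is
# not public; the assumption here is a case-insensitive substring replace
# with no word-boundary check, which is what "medieval" -> "medireview" implies.
YAHOO_SUBS = [
    ("javascript", "java-script"),
    ("livescript", "live-script"),
    ("vbscript", "vb-script"),
    ("jscript", "j-script"),
    ("expression", "statement"),
    ("mocha", "espresso"),
    ("eval", "review"),
]


def naive_word_filter(text):
    """The word-mangling approach: blind substring replacement over the body."""
    for bad, good in YAHOO_SUBS:
        text = re.sub(re.escape(bad), good, text, flags=re.IGNORECASE)
    return text


# Tag-level removal, the approach the comment recommends instead.  Three
# illustrative regexes: <script> blocks, on*= event-handler attributes, and
# script: URL schemes inside href/src.  Regex over HTML is fragile (see the
# note below); a real filter should parse the markup instead.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
EVENT_ATTR = re.compile(r"""\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)
SCRIPT_URL = re.compile(
    r"""(\b(?:href|src)\s*=\s*["']?)\s*(?:javascript|vbscript|livescript|mocha)\s*:[^"'\s>]*""",
    re.IGNORECASE,
)


def strip_active_content(html):
    """Remove script blocks, event handlers and script: URLs; leave prose alone."""
    html = SCRIPT_BLOCK.sub("", html)
    html = EVENT_ATTR.sub("", html)
    html = SCRIPT_URL.sub(r"\1#", html)
    return html


def still_has_handler(html):
    """True if an on*= attribute survived filtering."""
    return EVENT_ATTR.search(html) is not None


# Constructed sample messages (not real mail).
PLAIN_MAIL = "The retrieval of medieval manuscripts is prevalent in this field."
ATTACK_MAIL = (
    "<p>Hello</p>"
    "<script>alert(1)</script>"
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">click</a>'
)

if __name__ == "__main__":
    # The word list mangles harmless English ...
    print(naive_word_filter(PLAIN_MAIL))
    # ... but leaves a script block and an event handler untouched, because
    # neither happens to contain a listed word.
    print(naive_word_filter(ATTACK_MAIL))
    # Tag-level stripping removes the active parts and leaves the prose intact.
    print(strip_active_content(ATTACK_MAIL))
    print(strip_active_content(PLAIN_MAIL))
```

Run as a script it prints "The retrireview of medireview manuscripts is prreviewent in this field." for the plain message, while the constructed HTML message keeps its `<script>` block and `onerror` handler under the word filter and loses both under the tag filter. The regexes here are deliberately simple; as the reply above points out, catching every form in which script can appear (URL, attribute, block, CSS `expression()` in old IE) is exactly the hard part, and a parser-based sanitizer is the right tool for a real mail system.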

  3. Other amusing mangled words floating around by nd · · Score: 5, Interesting

    The use of these words has also been catching on due to this behavior:

    "retrireview" (retrieval): 333 matches at google.
    "prreviewent" (prevalent): 41 matches at google.

    I'm still confused as to how this has affected so many web sites out there. Are people simply seeing these words in e-mail and then using them on their own thinking it's proper? Or are many webmasters cutting and pasting their content from HTML e-mails or something?

    1. Re:Other amusing mangled words floating around by suwain_2 · · Score: 4, Interesting
      I believe you meant "Lorem Ipsum"

      A search for "Lorm Ipsum" returns 6 results, but suggests "Lorem Ipsum" instead. That brings up "about" 38,100 results.

      As I curiously searched for the meaning of this phrase, I stumbled across this explanation here. Essentially, it's an adaptation of some classic quote, but, it seems, no longer really makes any sense at all.

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
  4. Re:Low Brow Solution by Jerf · · Score: 4, Interesting
    I get 85:
    antimedieval, cheval, chevalier, chevaline, coeval, coevality, coevally, crevalle, devall, devaloka, devalorize, devaluate, devaluation, devalue, equaeval, evaluable, evaluate, evaluation, evaluative, evalue, forevalue, grandeval, kevalin, longeval, Masdevallia, mediaevalize, mediaevally, Medieval, medieval, medievalism, medievalist, medievalistic, medievalize, medievally, neomedievalism, nonprevalence, nonprevalent, nonrevaluation, omniprevalence, omniprevalent, Perceval, premedieval, premedievalism, prevalence, prevalency, prevalent, prevalently, prevalentness, prevalescence, prevalescent, prevalid, prevalidity, prevalidly, prevaluation, prevalue, primeval, primevalism, primevally, pseudomedieval, quinquevalence, quinquevalency, quinquevalent, quinquevalve, quinquevalvous, quinquevalvular, reprieval, retrieval, revalenta, revalescence, revalescent, revalidate, revalidation, revalorization, revalorize, revaluate, revaluation, revalue, rounceval, shrieval, shrievalty, trevally, undershrievalty, unevaluated, unmediaeval, unprevalent
    Ain't UNIX fun?
  5. MediReview is a trademark! by cgleba · · Score: 4, Interesting

    From http://www.multum.com/SubscribeRx.htm

    "MediReview: is our comprehensive, patient-specific drug summary that includes dosing recommendations, drug interaction and allergy alerts, side effects, and pregnancy and lactation warnings. Providers and patients can use MediReview to tailor a patient's medications to their specific medical history--and proactively reduce ADEs."

    This is so amusing!