Yahoo searches HTML e-mails for words that are used in scripting attacks and replaces them with similar words that aren't part of the code. For example, if you tell someone at a Yahoo address you like "mocha", your word preference will be changed to "espresso".
"To ensure the highest level of security for our users, we employ automated software to protect them from potential cross-scripting violations," a Yahoo spokesperson told ZDNet Australia. "We're always reviewing and updating our filtering and security systems as part of our ongoing efforts to continually enhance our service."
David Banes, regional manager, Symantec security response, told ZDNet Australia the technique would work but warned of its drawbacks. "If you're a hacker and you deliberately craft an e-mail to use an exploit on your machine and then send it out to hundreds of people through lists, if it goes through Yahoo it won't work," Banes said.
"It's quite a good way to combat it, but it's not without its pitfalls," he added. "You could reduce the functionality of e-mails."
In addition to mocha, word changes include "expression" to "statement" and "eval" to "review". The system does not differentiate word fragments, so "medieval" becomes "medireview".
The process has been going on for so long that a search for -medireview" on Google gives over a thousand results.
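The "medireview" effect follows directly from doing plain substring replacement on the message body. The following is an added example, not Yahoo's code (which was never published); the replacement table is reconstructed from the three pairs the article names and is assumed to be much shorter than the real one. It contrasts the naive filter described above with a word-boundary-aware version of the same table, and reports which words the naive version damages without reason. The sample message is constructed.

```python
import re

# Replacement pairs reported in the article. Assumption: the real table
# had more entries; only these three are documented on the page.
REPLACEMENTS = {
    "mocha": "espresso",
    "expression": "statement",
    "eval": "review",
}

# Constructed sample message: one innocent word that contains "eval" as a
# fragment, one listed word, and a script token the filter is meant to hit.
SAMPLE = "The medieval fair serves mocha. <script>eval(payload)</script>"


def naive_filter(text: str) -> str:
    """Plain substring replacement, the behaviour the article describes.

    Word boundaries are ignored, so 'medieval' becomes 'medireview'.
    As written it is also case-sensitive (an assumption; the article does
    not say how Yahoo handled case).
    """
    for word, substitute in REPLACEMENTS.items():
        text = text.replace(word, substitute)
    return text


def boundary_filter(text: str) -> str:
    """Same table, but only whole words are rewritten.

    \\b anchors stop the pattern matching inside 'medieval' while still
    matching 'eval(' because '(' is a non-word character.
    """
    alternation = "|".join(re.escape(w) for w in REPLACEMENTS)
    pattern = re.compile(r"\b(" + alternation + r")\b")
    return pattern.sub(lambda m: REPLACEMENTS[m.group(1)], text)


def collateral_damage(text: str) -> list[tuple[str, str]]:
    """Whitespace-delimited tokens the naive filter alters but the
    boundary-aware filter leaves alone: the 'medireview' class of damage.

    Substring replacement never touches whitespace, so both outputs split
    into the same number of tokens and can be compared pairwise.
    """
    naive_tokens = naive_filter(text).split()
    careful_tokens = boundary_filter(text).split()
    return [(c, n) for c, n in zip(careful_tokens, naive_tokens) if c != n]


if __name__ == "__main__":
    print("naive:   ", naive_filter(SAMPLE))
    print("boundary:", boundary_filter(SAMPLE))
    print("damage:  ", collateral_damage(SAMPLE))
```

Both filters rewrite the `eval(` inside the script tag, which is the effect Banes credits the technique with; only the naive one also mangles "medieval". Neither is a real defence against script injection, since the rewrite works on bytes of text rather than on the parsed HTML, and any spelling the table does not list passes untouched.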
Yahoo's Web site makes no mention of such filtering, but the Terms of Service states the company has the right to refuse content.
"You acknowledge that Yahoo does not pre-screen Content, but that Yahoo and its designees shall have the right (but not the obligation) in their sole discretion to refuse or move any Content that is available via the Service," it states. Yahoo's Terms of Service goes on to say that content may undergo changes to conform or adapt to the technical requirements of different networks.
According to the office of the Federal Privacy Commissioner, this practice does not violate any Australian laws.