Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Censorship Your Rights Online

A Medireview Approach To Stopping E-Mail Attacks 267

dcsmith writes: "This article at the Need To Know web site reports that the free(as in beer) e-mail arm of Yahoo has been replacing certain words in messages received by yahoo.com e-mail accounts. In an apparent attempt to forestall cross-site scripting attacks, 'mocha' becomes 'espresso' and 'free expression' becomes 'free statement'... My personal favorite - since medieval contains the text "eval", it is altered to 'medireview' ... Check Google for the number of web sites containing medireview." Kwelstr points to this story at New Scientist as well.
This discussion has been archived. No new comments can be posted.

A Medireview Approach To Stopping E-Mail Attacks

Comments Filter:
  • My words not thiers (Score:3, Interesting)

    by wastedbrains ( 588579 ) on Monday July 15, 2002 @05:43PM (#3889868) Homepage Journal
    I think that Yahoo shouldn't be changing any words in e-mails unless the users specifically choose to turn that "feature on". I mean if i send anyone a e-mail i expect it to arrive as i sent it. What is the point of a global mail that picts what you can and can't write about.
  • I emailed my yahoo.ca account, cut and pasted the /. story text

    Nothing got changed, did anyone even verify this?
    • Yes, verified. It does do this. It has done this for months! I first heard about it from people at Sun.
    • Re:Verified? (Score:2, Informative)

      by Anonymous Coward
      It happens only if the E-Mail is MIMEd as text/html. If it has no MIME type, it dosen't get fiddled with.

      While I would commend Yahoo! for at least trying to protect their users, it would seem like doing this without some kind of notice or disclaimer kinda sucks ass.

    • Nothing got changed, did anyone even verify this?

      Yes, it does change it. Oddly enough, they apparently got smart enough to stop switching "evaluate" out though.
    • It modifies only HTML email, because it's intended to prevent scripting attacks. I trust you always use plain text. ;-)
  • Wow (Score:5, Funny)

    by Nept ( 21497 ) on Monday July 15, 2002 @05:45PM (#3889900) Journal
    I can't believe it...a slashdot editor actually spelled "medieval" correctly.

    • But some of us prefer the more traditional spelling [dictionary.com]...

      [from the Latin, medius middle + aevum age]
    • by jc42 ( 318812 )
      > ... actually spelled "medieval" correctly

      Also, there are a number of cases of "mediaeval" being converted to "mediareview". So it's not just the medical review people who are affected by this, but also anyone reviewing the media.

      I wonder if Senator Hollings or the RIAA have heard about this?

      Also, do you think we could get Yahoo classified as terrorists for hacking the contents of email messages with medical effects? Note that some of these effects will be long-term (chronic), due to the thousands of web pages that are already infected.

  • Enh? (Score:5, Interesting)

    by gregbaker ( 22648 ) on Monday July 15, 2002 @05:47PM (#3889919) Homepage
    Forgive me if I'm being dense, but how does replacing the word "mocha" prevent cross-site scripting problems? Is mocha() a function in some language with semantics "format the hard drive"?

    Even if there's some great effect, wouldn't it be easy to replace the word only if it appeared in a script? Or does IE extend it's baffling type guessing [microsoft.com] to parts of documents as well?

    • Re:Enh? (Score:4, Interesting)

      by ZxCv ( 6138 ) on Monday July 15, 2002 @06:11PM (#3890110) Homepage
      ...wouldn't it be easy to replace the word only if it appeared in a script?

      Having developed a filter for my last employer's web-based email system that does exactly that, the answer to that question is no. If every person and everything that produced HTML were to output strictly formatted HTML with little or no variation, then yes, it would be simple. The real problem lies in writing code that will catch every occurrence of your problem, whether its embedded in a URL, inside of a script block, or just referenced as a hyperlink. This obviously isn't to say it hasn't been done, and done successfully, its just to say that, in practice, its no simple task.
    • Re:Enh? (Score:3, Funny)

      by wdr1 ( 31310 )
      Forgive me if I'm being dense, but how does replacing the word "mocha" prevent cross-site scripting problems? Is mocha() a function in some language with semantics "format the hard drive"?

      No, nothing like that.

      "mocha" is what javascript was called before the big java hype. You'd want to replace "mocha" for the same reason you want to replace "javascript", as many browsers will still treat the two the same for backwards-compatiblity reasons.

      -Bill
  • Low Brow Solution (Score:2, Insightful)

    by anomie ( 125845 )
    This seems like a clumsy, low brow solution, not to mention the fact that they're causing their own kind of information corruption. So, if I'm search for medieval, now I have to sit and write down the variations on the them. The four letter combination eval pops up in thousands of words (my guess). It seems to me that this is creating one problem to try and solve another.
    • Re:Low Brow Solution (Score:2, Informative)

      by tps12 ( 105590 )
      The four letter combination eval pops up in thousands of words (my guess).

      Guess again:

      $ grep -c eval /usr/share/dict/words
      22
      • Re:Low Brow Solution (Score:4, Interesting)

        by Jerf ( 17166 ) on Monday July 15, 2002 @07:09PM (#3890553) Journal
        I get 85:
        antimedi
        eval, cheval, chevalier, chevaline, coeval, coevality, coevally, crevalle, devall, devaloka, devalorize, devaluate, devaluation, devalue, equaeval, evaluable, evaluate, evaluation, evaluative, evalue, forevalue, grandeval, kevalin, longeval, Masdevallia, mediaevalize, mediaevally, Medieval, medieval, medievalism, medievalist, medievalistic, medievalize, medievally, neomedievalism, nonprevalence, nonprevalent, nonrevaluation, omniprevalence, omniprevalent, Perceval, premedieval, premedievalism, prevalence, prevalency, prevalent, prevalently, prevalentness, prevalescence, prevalescent, prevalid, prevalidity, prevalidly, prevaluation, prevalue, primeval, primevalism, primevally, pseudomedieval, quinquevalence, quinquevalency, quinquevalent, quinquevalve, quinquevalvous, quinquevalvular, reprieval, retrieval, revalenta, revalescence, revalescent, revalidate, revalidation, revalorization, revalorize, revaluate, revaluation, revalue, rounceval, shrieval, shrievalty, trevally, undershrievalty, unevaluated, unmediaeval, unprevalent
        Ain't UNIX fun?
    • Re:Low Brow Solution (Score:2, Interesting)

      by nrmrvrk ( 89299 )
      I believe the word you're looking for is "Kludge". This definitely applies. Replace all the words you want but it's the wrong path to take. It's like filtering all of your EMail for certain words and then just adding onto the list of words/phrases you look for. Doing this without running something that either checks for valid domains or looks at a blacklist is not a good solution. Let's hope Yahoo! does more than just replace "Mocha" with "latte" or "Cafe Au Lait". I wonder if they can somehow translate to h4x0r language maybe using Google.

      Don't forget to change:
      Mocha
      M0ch4
      ^^0[h4

      etc...

      absurd
  • HTML E-mail Only (Score:5, Informative)

    by akiy ( 56302 ) on Monday July 15, 2002 @05:49PM (#3889933) Homepage
    What the original poster of this article failed to mention was that this affects HTML-encoded mail only. Plain vanilla ASCII e-mail is not affected.
  • by zulux ( 112259 ) on Monday July 15, 2002 @05:50PM (#3889944) Homepage Journal
    ...than the CmdrTaco speling and gramer filterer that keeps Slashdot free of all 'dose cross syte scripting bugs that plauge windozw lusers. It werks espeshilayy well of page wisening posts the effect Internet Exploder useres as well.

  • Yes, this is real. I sent a short HTML message to my Yahoo account that included the words medieval, mocha, and expression. All three were changed just like the article. You can do this too, just make sure you send an HTML mail.
  • by joebp ( 528430 ) on Monday July 15, 2002 @05:52PM (#3889963) Homepage
    eval => review

    Eval is a commonly used javascript command (duh).

    mocha => espresso

    An interesting one. Mocha is the old name for what became Javascript.

    expression => statement

    Obvious

    javascript => java-script

    Breaks most javascript embedded in HTML email.

    jscript => j-script

    As above.

    vbscript => vb-script

    Breaks most vbscript embedded in HTML email.

    livescript => live-script

    Another old name for Javascript.

    However, this seems the most retarded possible way of cutting out scripts in HTML emails.

    Better, would be a regexp something like .*? and targetted removal of a few other tags.

    • by gusnz ( 455113 )
      Actually, "expression" is not so obvious.

      IE4+ allow you to embed JavaScript in CSS statements using the "expression" parameter to evaluate it, and return a value to a CSS class. It's obscure, but the syntax is:

      <span style="margin-top: expression(JavaScript code here)">

      (Hopefully this doesn't get munged by Slashdot's own filtering code). So it's a potentially serious security breach for anyone considering parsing HTML documents and allowing STYLE="" attributes to persist (most mail clients do), especially because it is not well known amongst most coders. Further info is available from MSDN [microsoft.com] for anyone interested. Seriously, filtering out scripts is a good idea -- anyone else remember when the trolls here managed to insert onMouseOver code into paragraph tags using a Cross-Site Scripting attack [slashcode.com], resulting in many goat-themed redirects?

      Anyway, a while ago I used Yahoo Mail as my main account and sent quite a few JavaScripts back and forward related to my website, and noticed "onmouseover" was changed to "onfilterchange" and similar replacements in the body of the mail. This was about 6 months back at least, so it's nothing new. Personally, I think they could probably come up with better filtering methods, but then again stealing a Yahoo! account's details using JS could be a lot more dangerous (finance sections etc) than your average Slashdot trollery -- so perhaps the extra caution is warranted.

      Perhaps the original JavaScript designers should have included a META tag to disable all scripting in the current document, so you could include that in all your static CGI documents and not have to worry about the details. It would certainly improve the security of many sites if it was adopted by most browsers even now.
  • by naoursla ( 99850 ) on Monday July 15, 2002 @05:53PM (#3889979) Homepage Journal
    When questioned about the filter, Yahoo claimed the filter was "double plus good".
  • Verified (Score:3, Informative)

    by jhunsake ( 81920 ) on Monday July 15, 2002 @05:53PM (#3889984) Journal
    Source Message:
    <html>
    <body>
    m o c h a: mocha <mocha>
    free e x p r e s s i o n: free expression <free expression>
    m e d i e v a l : medieval <medieval>
    </body>
    </html>

    Result:
    m o c h a : espresso, free e x p r e s s i o n : free statement m e d i e v a l : medireview
  • by Eric Seppanen ( 79060 ) on Monday July 15, 2002 @05:55PM (#3890001)
    Various politech readers tested [politechbot.com] yahoo mail for the problem and it appears that this problem is already fixed. So don't everybody go rushing off and start mailing yourself- you probably won't find anything.

    Oh, and since NTK is slashdotted already, you might want to read the original politech message [politechbot.com] to see what we're talking about.

    • seems like the regex is flawed to me...

      would evaluation become reviewuation... probably not. i think they need a special case when there isn't a whitespace character in the front of eval.

      hotmail has this problem too, but they just try to stop all of the ways a script could start... the problem though: IE is so fux0ered up that you can sometimes create iframes in malformed tags, and then just run the script in the iframe.

      yahoo must have the same problems.
    • by realdpk ( 116490 ) on Monday July 15, 2002 @06:00PM (#3890041) Homepage Journal
      Sorry, Politechbot is wrong - it is still happening, I just tried it a few seconds ago.
    • I just tried it. I sent the list from NTK [ntk.net] to my Yahoo account in HTML format and what I sent was NOT what I got.

      What I sent:

      eval => review
      mocha => espresso
      expression => statement
      javascript => java-script
      jscript => j-script
      vbscript => vb-script
      livescript => live-script

      And what I got

      review => review
      espresso => espresso
      statement => statement
      java-script=> java-script
      j-script => j-script
      vb-script => vb-script
      live-script => live-script

      This is not cool. Whats next? *'s when I tell someone to goe F*** themseleves?
    • Yes, it's nice that Yahoo infringes on the copyrights of writers everywhere, and it takes a slashdot to make public these unauthorized changes.
    • _Originally_ from comp.risks 21.27 in 2001
      (google for it - I can't be bothered to translate all the lts and gts by hand, so the followig will be munged a bit, this is the explisit mention of medireview from comp.risks 21.34)

      Date: Mon, 2 Apr 2001 22:00:13 -0400
      From: Kirrily Skud Robert
      Subject: More on Yahoo mail's anti-virus attachment translation Further to "Yahoo! Mail translates attachments" in RISKS-21.27, I saw
      the following e-mail on a mailing list which discusses medieval cookery: From:
      Subject: (OT) "Medireview" ???

      Does anyone know why certain Web sites and mail servers change the word
      "medieval" to "medireview" without any warning? Have I missed something? ...

      So the 'original' story is only a few days less stale than the NTK one.

      Early 2001, come one, get a grip. News should be _new_.

      FatPhil

  • Appears to have been /.'ed, here's the relevant bit:

    Nice to see, in the midst of all these scandals, Yahoo turning a healthy profit. But as other companies fiddle the figures, Yahoo's been busy instead with fiddling its own users' private correspondence. In a fantastically clumsy attempt to prevent cross-site scripting attacks, the free e-mail wing of the sprawling giant has long been replacing complete English words in the text of HTML mail sent to its users. Mention "mocha" in an HTML mail to a friend with a @yahoo.com account, and your choice in coffee will be silently switched to "espresso". Talk about "free expression", and your recipient will think you said "free statement". Here's the full list of swaperoos:
    http://www.ntk.net/2002/07/12/yahoo.txt
    - try not to mail it to your friends

    This fiddling has been going on now for over a year year (the ever vigilant RISKS digest noted it back in March 2001). But because of Yahoo's underhand methods, very few people have spotted the turnabout - certainly far fewer than if Yahoo had done the sensible thing and, say, "**"'ed out the vowels in the word, or, God forbid, written a smarter parser. But the sneakier you are, the wider the damage spreads. The word "medieval" (since it contains the javascript command "eval") is converted in Yahoo mail to "medireview". Google now shows over 640 sites (and 1,150 separate instances) of the word "medireview" being used as a synonym for medieval. University papers, bibliographies and book reviews, Indian newspaper columnists, and endless enthusiast sites drop it unseen into texts. People have begun to ask where it originally came from, and does it have a subtler meaning beyond "medieval"? Is Yahoo ever going to fix its filters? Or is it time we pushed to get the first regexp-obfuscated word into the Oxford English Dictionary? http://catless.ncl.ac.uk/Risks/21.34.html - does anyone still at Yahoo even know how to turn it off?
    http://www.google.com/search?q=medireview
    - NTK now entirely filled with google links
  • by BoVLB ( 552171 )

    Of course, the next hack will be to produce e-mail that becomes a cross-site scripting attack (or criminal/tortious in some other way) after passing through Yahoo's filter. Who's going to bear the liability for that?

  • by nd ( 20186 ) <nacase AT gmail DOT com> on Monday July 15, 2002 @06:02PM (#3890053) Homepage
    The use of these words have also been catching on due to this behavior:

    "retrireview" (retrieval): 333 matches at google.
    "prreviewent" (prevalent): 41 matches at google.

    I'm still confused as to how this has affected so many web sites out there. Are people simply seeing these words in e-mail and then use them on their own thinking it's proper? Or are many webmasters cut and pasting their content from HTML e-mails or something?
  • This sounds like the kind of thing a journalist would make up on April 1st. Or it's the kind of kludge a somewhat irresponsible sysadmin might put in place as a joke. It is not a serious or useful approach to security, however.

    Still, it would be enormously funny if one of the largest E-mail providers would actually do such a thing, as well as the consequences. "Medireview" indeed. Apparently, Yahoo! programmers don't even know about /\beval\b/. It's under "perldoc perlre".

  • I find it's often a error between the keyboard and the chair. I would surmise that someone has a Spell Checker set to 'Don't ask, Don't tell' Perhaps we are attributing a program glitch in the sender's client to Evil Intentions. Gee, like that's the first time its happened here.
  • Arrgh (Score:3, Insightful)

    by sulli ( 195030 ) on Monday July 15, 2002 @06:08PM (#3890093) Journal
    Why not just give the user the option to STRIP OUT ALL THE FUCKING HTML IN EVERY EMAIL? I for one HATE html email - hate it with a passion - hate the slow loading and the crashing browsers and the cookies/images loaded without my permission. Add that feature and this problem goes away.
    • I actually like HTML email--especially when sending it to AOL users.
    • Amen brother!!!

      I just sent my mom a little response to one of her emails that took 17.9K to say "How are you?". It was produced using an abomination called IncrediMail. un-fucking-beleivable!

      Together with the invisible 1X1 goddam bitmaps in every piece of unforgiveable-by-god-even piece of spam in my inbox it's enough to make one go on a rampage.
  • In the early 90's, Yahoo was awesome. It was the first search engine I was introduced to. After the big "portal" craze that ruined Lycos and others, Yahoo hasn't been worth the time to load in my browser.

    Instead of being good at anyone thing, it's horrible at all things it does. Want tosearch? Go to Google. Want to see stock quotes? Hit Etrade. Want weather? Go to weather.com. Want nice categories? Hit dmoz.org.

    Why anyone continues to care about Yahoo these days is simply beyond me.

  • Instead, I say they should improve it!
    They should also correct all of the mail sent by script kiddies, tHoz tHat tYp LiKe Thiz, to something more logical.
  • original message:

    Have a mocha, or perhaps medieval is enough for you...

    rec'd message:

    Have a espresso, or perhaps medireview is enough for you...
  • It's not just Yahoo (Score:3, Interesting)

    by Jonathunder ( 105885 ) on Monday July 15, 2002 @06:26PM (#3890194) Homepage
    This strange neologism "midireview" has crept into many serious, even scholarly websites.

    "It was the great Barbara Tuchman who pointed out the capital difficulties of writing about the Middle Ages: that medireview chronology is very hard to pin down, that contradictory facts are perpetually turning up in the sources ..." (book review [st-francis-lutheran.org]).

    "The medireview/Renaissance theme must be adhered to at all times to ensure the success of our event." (Renaissance fair rules [staffordshire-events.com]

    "Lectures on the Crusades and medireview society." (college course sylabus [ucf.edu]

    It makes one long for the Dark Ages.
  • Bah (Score:4, Funny)

    by SuiteSisterMary ( 123932 ) <{slebrun} {at} {gmail.com}> on Monday July 15, 2002 @06:28PM (#3890204) Journal

    When they're replacing random (or not so random...) words with either 'smurf' or 'fnord,' THEN it's time to worry.

    • Hmm, I see the "smurf", but your second example is just an empty pair of quotes... it seems like there should fnord be a word there, but I just can't see it...
  • Come on Yahoo. When parsing a block of text how hard is it to strip white spaces and evaluate each token individually?

    Replacing a key phrase even though it is part of another word seems like an amateur mistake don't ya think.

    • Actually it's not that hard. But the problem is, they do not have same "computational complexity".

      They're already doing too much processing on email, and increasing this will mean increasing hardware and support costs.

  • The way this should have been done is to coerce the HTML into w3c-valid HTML4, and then only pass whitelisted tags, attributes, and URL schemes.

    It might distort non-well-formed HTML, but if the HTML isn't well-formed to begin with all bets are off anyway.

    I realize that would require quite a few more server resources to implement. Too bad. As it is this ill-thought-out scheme appears to stand a real chance of permanently distorting the English language.

    One does wonder if the Chinese government (or any government, really ... but they're the ones Yahoo!'s been making deals with lately) will see the potential here for interfering with dissident speech.
  • by molo ( 94384 ) on Monday July 15, 2002 @06:33PM (#3890244) Journal
    This would not be as much of an issue if everyone used PGP signatures on email. It will tell you if the message has been modified in transit.

    More info in the PGP faq [pgp.net]

    Also, for an excellent GPLed implementation of OpenPGP, use GnuPG [gnupg.org].
  • by FyRE666 ( 263011 ) on Monday July 15, 2002 @06:42PM (#3890286) Homepage
    If it's in an html formatted email then the words could be left in with the special <-- --> tags put between letters in the offending words. These will not be visible in the message, but will break any scripts that relied upon them.
    • actually they'd be better of replacing the words or individual letters by their ISO equivalents.
      A technique used for displaying your email adress without the risk of dumb email harvesters plucking it from your website.

      example: the letter 'a' becomes & #97;
      basically 'medieval' would become & #109;& #101;& #100;& #105;& #101;& #118;& #97;& #108;

      Any browser would display the text like it was intended but no script will run!

      Try it at:
      http://www.hivelogic.com/safeaddress/
      More info on:
      http://www.alistapart.com/stories/spam/

      If i am wrong, don't blame me, it's my first registered post!
  • My favorite is this guy:

    Robert E Lerner [fordham.edu]

    He's got medireview all over his own CV!

    -Sean
  • One of the favorites on the WWII Online bulletin board is the replacing of "cum" with "body fluid".

    Under some cirbody fluidstances, it's quite amusing. :)
    • There was a stink about this on Prodigy back before this newfangled internet thing. The classical music fans were pissed because discussions about the song "Cum Sancto Spiritu" (roughly "with the holy spirit") were being banned.
  • It's a good thing. Perhaps this will push people away from yahoo mail.

    I'll admit, when I first signed up, it was a pretty good system. Unfortunately many bad changes have been made... pop & smtp are fee-based. Javascript is now required (this really pisses me off!). You can still only send 3 attachments! Their interface is rather lacking... And you are limited to a small number of filters. Now that e-mails are getting screwed-up, it's the last straw for me, and hopefully for many others as well.

    The next step... Does anyone know of a free service that provides secure IMAP? I'll sign-up right away.
    • However, you must look at it's good points:

      I have had the same email address for 7 years. Other addresses I've maintained have come and gone, but this address, I've kept unchanged - and I never once had to send out a mass mailing to all my friends telling them my email address was changing.

      Also, I'm a multi-platform kind of guy. I'm always certain that no matter where I am, what machine I'm on, if it's internet connected and has a reasonable browser, I can get my email. Hell, two years ago, when I was on vacation in Tahiti, and I was also waiting for an estimate to come through on some home repairs, I went into an internet cafe, and zing! Got my mail, and by the time I was back home, the repairs were done. I didn't have to have any special software installed, didn't have to remember the mail server's name, or protocol type, or configure where I wanted my messages to be stored, etc. etc. etc.

      There's something to be said for browser-based mail. I wouldn't want to do ALL of my email commmunication through it - but I'm sure as hell happy I have it as a personal back up.
      • telnet mailserver.example.com 110

        +OK InterMail POP3 server ready.
        user exampleuser
        +OK please send PASS command
        pass examplepass
        +OK exampleuser is welcome here
        list
        +OK 1 messages
        1 719
        .
        retr 1
        +OK 719 octets

        I send you this message in order to have your advice.

        .
        dele 1
        +OK
        quit
        +OK exampleuser InterMail POP3 server signing off.

        Tim
      • You seem confused. My complaint is with yahoo mail... Not with every web-based e-mail system! I've listed some of my complaints.
  • by jafac ( 1449 )
    If it's a FREE service, then why, oh, why do we need HTML mail anyway? Plain text is perfectly adequate!

    Frankly, the only HTML mail I ever get is spam anyway. They should just not render html period.
    • Well, you do realize that yahoo is web based, and not rendering HTML would require stripping out all html from the message? When you're talking billions of messages, it takes a while. Thier solution sucks, they need to at least mark words they've changed at the very least...
  • You'd think the folks at Dominican would be smart enough to catch something like that... or maybe medireview is a real word?

    • > ... maybe medireview is a real word?

      Maybe not, but MediReview is a real trademark.

      I wonder what they think of all the free advertising they're getting?

  • Do a search on these too:

    reviewuation (evaluation)
    dreviewuation (devaluation)
    dreviewue (devalue)
  • I just verified it. (Score:5, Informative)

    by rc5-ray ( 224544 ) on Monday July 15, 2002 @07:04PM (#3890508)
    I just sent the following words through my yahoo account (as HTML mail).

    "eval mocha expression javascript jscript vbscript livescript evaluate retrieval link script object embed body iframe layer applet meta form"

    This is what arrived in my inbox.

    "review espresso statement java-scriptj-script vb-script live-script evaluate retrireview link script object embed body iframe layer applet meta form "

    I paid the $30 to get POP3 access for a year, so it isn't just the free(beer) accounts.

    It's curious that only some of the words were changed, but not all the ones listed in the article.

    • I paid the $30 to get POP3 access [from Yahoo, I presume] for a year, so it isn't just the free(beer) accounts.

      I paid $35 to get my-domain-name.tld hosted by Yahoo! This included: five addresses @mydomain.tld, Yahoo! advertising on every outgoing mail, and Geocities web space with ads and whatever absurd bandwidth limit a free Geocities site has. Then Yahoo! told me I'd have to pay $30 to continue having POP3 access.

      So I transferred my domain to hostica.com, and for $25 bucks got: another year of registration, as many email addresses as I want (albeit forwarded to one POP3 account), 5MB of space, and 10GB/month of bandwidth, with the option to add services from an a la carte pricing menu. And did I mention? No ads!

      (I have no financial interest in hostica, I get no referral fee, no consideration of any sort for this post. This ain't no ad, and it's not even that I don't think you could do as well somewhere else. It's more than you can do a lot better than Yahoo, for not much money. It's just a matter of doing the math -- $65/annum for less, or $25/annum for much more -- and preferring better service.)
  • I sent an HTML email to my yahoo account and the words were changed as described. However, when I forwarded the changed email back to my work address, the changes disappeared and I had the original email back, "eval" and all.
  • Medireview ? :(
  • "Medireview" has even made it into someone's resume [fordham.edu] (PDF); that must seriously reduce his chances of getting hired. Other references seem to have gotten into scholarly works. This is just the latest in a long string of stories about automatic (or semi-automatic) computer correction having serious consequences.

    When I was at college, one student ran his doctoral thesis through the spellchecker one last time before submitting it to the binders, and thence to the Board of Graduate Studies. Unfortunately, he inadvertantly selected the "silently accept all suggestions" option, and failed to check the results. The manuscript he submitted was almost incomprehensible. After that, the University added a one-page warning to the spellchecker output (yes, it was in the days of mainframes).

    Unfortunately, it appears that the well-known story [urbanlegends.com] about "in the black" becoming "in the African American" is only partly true; it was a deliberate practical joke in the newsroom.

  • So does 'reevaluate' become 'rereviewuate'? What a good word!
  • by slyfox ( 100931 ) on Monday July 15, 2002 @09:30PM (#3891382)
    When viewing an HTML mail in Yahoo, it does the translation before it displays the mail for you. However, if you 'export' or download the message, it still looks fine. Thus, it looks as if the messages are not being changed when sent or received, they are only modified when being displayed through Yahoo's HTML webmail. Granted, based on the google searches, it is still causing lots of problems for users.
  • Instead of this "medireview" stupidity, and the even worse monstrosity "reviewuate", why couldn't they have simply changed a letter to a digit? Then they'd get medieva1 [google.com].
  • by cgleba ( 521624 ) on Monday July 15, 2002 @09:57PM (#3891487)
    From http://www.multum.com/SubscribeRx.htm

    "MediReview: is our comprehensive, patient-specific drug summary that includes dosing recommendations, drug interaction and allergy alerts, side effects, and pregnancy and lactation warnings. Providers and patients can use MediReview to tailor a patient's medications to their specific medical history--and proactively reduce ADEs."

    This is so amusing!
  • This poor academic dude tryed to cite his paper "Vagabonds and Little Women: The Medieval Netherlandish Dramatic Fragment De Truwanten," Modern Philology, 65 (1968), 301-306" in his curriculum vitae [fordham.edu] (i.e. academic resume) and it shows up instead as "Medireview Netherlandish..."! There are a couple other instances of the word in the same CV--so much for the slick (heh) PDF presentation. Poor shmoe. Somebody ought to email him. I can't bring myself to.
  • This is really old news. I first noticed this last year when my wife complained about it. (She used medieval in a sentence, and someone asked her what "mediereview" meant. Mediereview?) I mentioned it here once and people didn't even believe me.

    Steps to reproduce:

    1. Open a Yahoo mail account if you don't have one, and log on to it.
    1a. Uncheck the checkboxes on the privacy policy page.
    2. Click on "Compose", to compose a message.
    3. Look for a link on the "compose" screen that says "Add Color and Graphics", and click on it.
    4. Your screen should now have a link (in the same place) that says "Switch to Plain Version". You will also see a pretend MS-Word-type toolbar for bold, italic, background color, etc.
    5. Type a one-line email to yourself (meaning send it to your same Yahoo account). Type in something with "medieval" and "expression", e.g.

    Her expression was medieval

    6. Go back to your inbox, and click on "Check Mail".
    7. Read the email. The above sentence becomes

    Her statement was medireview

    8. Optionally, forward it from there to a real email account. The message will have no body, and it will come with an attachment. Open the attachment, and you will see it back in its original form:

    Her expression was medieval

  • What if your name is Chevalier? Check out the 4th link from the Google search for Chreviewier [google.com]. It looks like somebody's geneological search is going to be that much harder.

  • Hmm.. if thier coding is this sloppy, any bets on the probability of being able to send an email that executes arbitrary code on thier email servers?

    Does anyone know of any documented cases of servers being exploited through specially formatted emails? (besides buffer overflows)

  • by Jonny 290 ( 260890 ) <brojames&ductape,net> on Tuesday July 16, 2002 @01:15AM (#3892154) Homepage
    I'm going to laugh when Starbucks sues the shit out of Yahoo when they order 100,000 units of mocha and get shipped 100,000 units of espresso.

    Fucking idiotic.
  • Yahoo has been doing this for a really long time. (Over a year, I believe.) I find it hard to believe that no one else has noticed it before. My mom did and she (1) doesn't use Yahoo mail and (2) wouldn't know Javascript from Assembly.
  • I just cut-and-pasted this story and sent it to my Yahoo account. No words were changed. You know why? Because I use text for email. Can someone explain why on earth you would use HTML for email anyway? I have never understood that.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...