Yahoo! E-mail Filter Under Scrutiny
Yahoo!'s decision to use a word-altering e-mail filter to guard
against the execution of malicious Web code has experts predicting that ISPs
will follow the company's lead to implement aggressive forms of virus protection.
To protect against hidden code in e-mail written in HTML or other cross-site scripting
techniques, Yahoo! has admitted to using
a security filter that automatically deletes potentially harmful Web code and
replaces that text with strange words.
According to published reports, Yahoo! was replacing the word "eval" with
"review." By blacklisting "eval," Yahoo!'s filter made words like "evaluate"
appear as "reviewuate." The site said "mocha" was being changed to "espresso"
and "expression" was replaced with "statement" even if the phrase appears within
a word, all aimed at blocking words that can be used to launch malicious JavaScript
code.
Those words were not blacklisted during tests by internetnews.com on
Thursday but a Yahoo! spokesperson confirmed some words were altered within the
software as "an extra security measure for our millions of users."
The Yahoo! spokesperson said the aggressive filtering was necessary to combat
the numerous viruses that have suddenly emerged over the last 12 months, adding
the technology was a "necessary security step."
Security experts gave the Yahoo! move a half-hearted thumbs-up, noting that
blocking, deleting or even altering some text was useful in the virus-protection
battle. Some text can be used to embed harmful code into an e-mail message written
in HTML, causing a sticky issue for Web-based mail providers because code could
trick a system or network into sharing sensitive information, including usernames
and passwords.
Paris Trudeau, marketing manager at U.K.-based e-mail security firm SurfControl, said the extra layer of protection
offered in text-filtering software was "absolutely necessary."
"In the past 12 months, we've seen a huge increase in the release of viruses.
This is a huge issue for organizations because there is a period of time between
when the virus is detected and when a fix is issued. In between, the down time
is costing companies millions of dollars," Trudeau said, arguing that any extra
security should be applauded.
"In the past, ISPs and e-mail providers have centered their e-mail filtering
around the spam problem but I think that virus protection is so important these
days that any attempt to add another layer of protection is critical," she added.
Moving forward, Trudeau suggested that ISPs and e-mail providers might want
to include an opt-in feature for customers to agree to have text changed within
e-mails since it could be problematic.
She said SurfControl, which sells Web and e-mail filtering technology that
includes tools to automate content recognition, supported the use of text filtering
to handle certain words within messages. "A filter can be used to manage all
kinds of cases to isolate words and phrases. But, it's important that the consumer
or the enterprise using the software actually sets the permission."
"The filter is a tool to give an enterprise client the ability to deploy and
apply it in a way that is specific and acceptable to them. They can decide how
they want that e-mail handled. They may want to change text, isolate it or even
delete it entirely. It's up to the companies," Trudeau added.
Bernie Sheinberg, a spokesman for Postendo
(formerly Vanguard Security Technologies) said the decision to alter text was
not the best way to block the spread of harmful code. "Software can block offending
code without having to alter important e-mails," Sheinberg said.
"Technically, from an enterprise point of view, content filtering ensures
more productivity by the employees. Filters have been limited to blocking what
goes in or comes out of a network and there are big holes to plug on the security
end," he added.
While Yahoo!'s filter is being criticized for altering text, other e-mail providers
say filters should be embraced to block potentially dangerous code execution.
Microsoft also filters out JavaScript tags and commands within its Web-based
HTML e-mail service but words are never changed.
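To make the two approaches in this story concrete, here is an added illustration (not Yahoo!'s or Microsoft's code): the blind substring substitution the reports describe, which turns "evaluate" into "reviewuate" on a perfectly ordinary message, next to the alternative of leaving words alone and neutralising the markup characters that let text act as code. The sample message is constructed, and the escaping function only illustrates the "block the code, not the words" principle; a real HTML-mail sanitizer needs a proper HTML parser.

```javascript
// Substitutions as reported in the article.
const WORD_SUBSTITUTIONS = [
  ["eval", "review"],
  ["mocha", "espresso"],
  ["expression", "statement"],
];

// Naive filter: blind substring replacement, the behaviour the reports describe.
// No word boundary is checked, so "evaluate" becomes "reviewuate".
function naiveWordFilter(body) {
  let out = body;
  for (const [bad, good] of WORD_SUBSTITUTIONS) {
    out = out.split(bad).join(good);
  }
  return out;
}

// Alternative: keep every word intact and escape the characters that give text
// meaning as HTML, so a body displayed as text cannot be interpreted as markup.
// (Illustration only; not a complete sanitizer for mail that must render HTML.)
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(body) {
  return body.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Collateral-damage check: how many whitespace-separated words did a filter change?
function countAlteredWords(original, filtered) {
  const before = original.split(/\s+/);
  const after = filtered.split(/\s+/);
  return before.filter((word, i) => word !== after[i]).length;
}

// Constructed sample: an everyday business sentence containing no script at all.
const SAMPLE = "Please evaluate the mocha expression of interest by Friday.";

// Running both filters over the same harmless message shows the difference:
// the word filter mangles three words, the escaper leaves the text untouched.
console.log(naiveWordFilter(SAMPLE));                            // "Please reviewuate the espresso statement of interest by Friday."
console.log(countAlteredWords(SAMPLE, naiveWordFilter(SAMPLE))); // 3
console.log(escapeHtml(SAMPLE) === SAMPLE);                      // true
```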