RealTime IT News

Yahoo E-mail Filter Under Scrutiny

The decision by Yahoo to use a word-altering e-mail filter to guard against the execution of malicious Web code is generating buzz in the Internet security space and experts predict ISPs will follow the company's lead to implement aggressive forms of virus protection.

To protect against hidden code in e-mail written in HTML, and against other cross-site scripting techniques, Yahoo has admitted to using a security filter that automatically deletes potentially harmful Web code and replaces that text with unrelated words.

According to published reports, Yahoo was replacing the word "eval" with "review." Because the filter blacklisted "eval" as a plain substring, words like "evaluate" came out as "ereviewuate." The site said "mocha" was being changed to "espresso" and "expression" was replaced with "statement," even when the string appeared inside a longer word, all aimed at blocking words that can be used to launch malicious JavaScript code.

Those words were not blacklisted during tests by internetnews.com on Thursday, but a Yahoo spokesperson confirmed some words were altered within the software as "an extra security measure for our millions of users."

The Yahoo spokesperson said the aggressive filtering was necessary to combat the numerous viruses that have suddenly emerged over the last 12 months, adding the technology was a "necessary security step."

Security experts gave the Yahoo move a half-hearted thumbs-up, noting that blocking, deleting or even altering some text was useful in the virus-protection battle. Certain text can be used to embed harmful code in an e-mail message written in HTML, a thorny issue for Web-based mail providers because such code could trick a system or network into sharing sensitive information, including usernames and passwords.

Paris Trudeau, marketing manager at U.K.-based e-mail security firm SurfControl, said the extra layer of protection offered in text-filtering software was "absolutely necessary."

"In the past 12 months, we've seen a huge increase in the release of viruses. This is a huge issue for organizations because there is a period of time between when the virus is detected and when a fix is issued. In between, the down time is costing companies millions of dollars," Trudeau said, arguing that any extra security should be applauded.

"In the past, ISPs and e-mail providers have centered their e-mail filtering around the spam problem but I think that virus protection is so important these days that any attempt to add another layer of protection is critical," she added.

Moving forward, Trudeau suggested ISPs and e-mail providers might want to include an opt-in feature for customers to agree to have text changed within e-mails, since the approach becomes a problem when the software garbles harmless words into nonsense, as in the case of Yahoo.

She said SurfControl, which sells Web and e-mail filtering technology that includes tools to automate content recognition, supported the use of text filtering to handle certain words within messages. "A filter can be used to manage all kinds of cases to isolate words and phrases. But, it's important that the consumer or the enterprise using the software actually sets the permission."

"The filter is a tool to give an enterprise client the ability to deploy and apply it in a way that is specific and acceptable to them. They can decide how they want that e-mail handled. They may want to change text, isolate it or even delete it entirely. It's up to the companies," Trudeau added.

Bernie Sheinberg, a spokesman for Postendo (formerly Vanguard Security Technologies) said the decision to alter text was not the best way to block the spread of harmful code. "Software can block offending code without having to alter important e-mails," Sheinberg said.

"Technically, from an enterprise point of view, content filtering ensures more productivity by the employees. Filters have been limited to blocking what goes in or comes out of a network, and there are big holes to plug on the security end," he added.

While Yahoo's filter is being criticized for altering text, other e-mail providers say filters to block potentially dangerous code execution should be embraced.

Microsoft also filters out JavaScript tags and commands within its Web-based HTML e-mail service, but words are never changed.