First, I tried to figure out what sorts of messages will trigger the filter; I logged in to an old Yahoo account that I've had for a while, and began sending myself test messages. Each one went both to the Yahoo account and to an external account to see if Yahoo was filtering both incoming and outgoing messages, or only incoming.
The filter didn't require that HTML tags be present in the message; simply checking the "Allow HTML tags" box on the Yahoo mail composer page was enough to cause Yahoo to filter. A message containing the simple text "medieval expression mocha" was received as "medireview statement espresso". However, simply sending a message with HTML markup in it would not trigger the filter - Yahoo apparently only recognizes the HTML if the message is explicitly sent as such, and renders tags as plain text otherwise.
The message was, as previously mentioned, sent to both the Yahoo account and to an account in another domain, and the version sent to Yahoo was the only one altered. It appeared as the following (altered words in bold):
evaluate evaluated evaluates evaluating evaluation evaluations evaluative evaluator evaluators medireview prevalence prevalent prevalently primreview reevaluate reevaluated reevaluates reevaluating reevaluation retrireview retrievals unevaluated espresso statement expressions substatement subexpressions java-script java-script j-script vb-script live-script
m e d i e v a l m o c h a e x p r e s s i o n
The message was unaltered; thus, spacing changes can get around the filter if you really need to use a particular word in an HTML email. However, substituting HTML character entities (such as &#97; in place of the letter "a") for letters did not fool the filter; it still changed the strings, regardless of whether they contained letters or HTML entities.
I then tested the list of HTML tags supposedly filtered; I composed a message consisting of all of them (the list of tags was obtained from the same source as the list of filtered words):
<link rel="stylesheet" href="nonexistent.css">
<script>document.write("Will print text if the script works"); //Testing</script>
<object data="nonexistent.mov" type="video/quicktime" alt="Test" title="Test"><img src="nothere.gif"></object>
<embed src="nonexistent.wav" autostart="false" loop="false"></embed>
<body bgcolor="#ffffff">Test test test</body>
<meta http-equiv="refresh" content="5">
<form method="post" action="nonexistent.cgi">
<option selected="selected">Option 1
Again, this message was sent unaltered to the external account (and in fact caused Mozilla's mail client to barf rather unpleasantly all over the place; I had to use Pine to check the integrity of the message), but was filtered when received by the Yahoo account. The altered message had all of the tags changed just as NTK predicted except for the image (located inside the "object" element) and the form, which, instead of changing to "xform" as the NTK article predicted, had the attribute target="_blank" added to it. The final message rendered in the Yahoo inbox with this text:
document.write("Will print text if the script works"); //Testing Test test test
Yahoo's filter changed all the tags except the two mentioned (the image, being nonexistent, showed up as a broken box), and rendered the text within the filtered elements. It also rendered the form properly, giving me a drop-down selection box with two options. Interestingly, though, a look at the source of the message as viewed on Yahoo revealed that only the opening tags were changed; closing tags were left alone.
Finally, while it's obvious that the filter is applied upon viewing a received message and never when sending (the unaltered copies received by the alternate address prove this), the filter applies to messages viewed in the "Sent" folder and to viewed attachments (I tried each message both as an attachment and as the message itself) as well as to those in the Inbox and other folders, but isn't applied to unfinished messages saved to the "Drafts" folder, or to the preview of an HTML message before sending.
These tests covered every case I could imagine save one, which was beyond my ability; I wasn't able to download and view messages from a Yahoo account via POP3, as that is now a "premium" service and I haven't subscribed to it. If anyone who does have a premium subscription to Yahoo's mail service would like to try, I'll leave it to them to find out whether the filtering applies to messages downloaded via POP3.
So to summarize, Yahoo's filter operates as follows:
- It only changes strings in messages explicitly marked as HTML; plain-text messages are unaffected and rendered normally.
- It only applies when viewing the message and only after the message has been received by a Yahoo account; messages simply sent out from Yahoo are not subjected to the filter.
- It applies to both message body and attachments.
- The word filter is case-insensitive, but only changes words when one of the strings is found at the end of a word or in isolation.
- The word filter can be evaded if necessary by the use of unconventional spacing.
- The tag filter doesn't stop forms from rendering, but adds an attribute to them.
- The tag filter only changes opening tags, leaving closing tags alone.
- I don't know if filtering is applied to messages retrieved via POP3; someone with premium access can test if anyone's interested.
While the spacing trick will evade the word filter, I couldn't come up with a quick and easy way to evade the tag filter. So if you merely want to send pretty HTML-formatted emails, this shouldn't hamper you too much as long as you know what you're doing. If you're a h4x0r who wants to send scripts to people's inboxes for some reason, or a regular user who just feels a need to send Java applets or feature films embedded in emails, though, you're out of luck.
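The word-filter behaviour summarized above can be modelled in a few lines to check which ordinary words in an HTML message would be displayed differently to the recipient. This is an added example, not Yahoo's code: the substitution table is inferred from the results reported in this article, and the function names and the lower-casing of replacements are assumptions.

```python
import re

# Substitution pairs inferred from the results reported in this article
# (assumption: the filter's real table is not shown on the page).
REWRITES = {
    "eval": "review",
    "mocha": "espresso",
    "expression": "statement",
    "javascript": "java-script",
    "jscript": "j-script",
    "vbscript": "vb-script",
    "livescript": "live-script",
}

# Case-insensitive; a string matches only when the word ends right after it,
# which covers both "at the end of a word" and "in isolation".
_PATTERN = re.compile(
    r"(%s)\b" % "|".join(sorted(REWRITES, key=len, reverse=True)), re.IGNORECASE
)

# Numeric character references such as &#97; (the letter "a").
_LETTER_REF = re.compile(r"&#(\d{2,3});")


def _decode_letter_refs(text):
    """Decode references that stand for ASCII letters; leave all others intact."""
    def repl(m):
        ch = chr(int(m.group(1)))
        return ch if ch.isascii() and ch.isalpha() else m.group(0)
    return _LETTER_REF.sub(repl, text)


def model_filter(text, is_html):
    """Return the text as the modelled filter would display it."""
    if not is_html:  # plain-text messages are left alone
        return text
    text = _decode_letter_refs(text)
    # Assumption: replacements are emitted in lower case.
    return _PATTERN.sub(lambda m: REWRITES[m.group(1).lower()], text)


def corrupted_words(text):
    """List (original, displayed) pairs for words the model would alter."""
    pairs = []
    for word in re.findall(r"\S+", text):
        shown = model_filter(word, is_html=True)
        if shown != _decode_letter_refs(word):
            pairs.append((word, shown))
    return pairs
```

Running `corrupted_words` over a draft before sending it as HTML shows which words a recipient on the filtered service would see rewritten.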