Apparently they're also against criticism of their products, but not against forging network traffic, which is why you get fake 404's if you try to visit "The Best Page in the Universe" from an Apple Store. Interesting sense of morality they have...
That's probably just done via host file (or otherwise at the DNS level) for filtering undesirable sites. It's rather sensationalist to call that "forging network traffic". I don't even know if you can reasonably call it "censorship". What Apple does with the internet in their own stores is both inconsequential and also totally their own business.
In contrast, deleting email based on content is neither inconsequential nor their own business.
As trivial as it may be, I consider it censorship when they stop being transparent. Displaying "Blocked!" when someone tries to access the site is, as you said, totally their business. Implying a successful HTTP connection but a missing file? Still, as you said, inconsequential. The attitude that leads someone to make it look like a 404 instead of a blocked site? That's the same attitude that makes them block emails on the presence of a text string.
404 is an accurate statement by the browser when the distinct hosts file maps xmission.com to localhost. A 503 error would be a forged response. 404 is the expected type of response with two separate modularized/encapsulated systems where the browser merely reports that it found nothing from the typed in URL. Saying that the site is "blocked" would involve creating a special facility just for this purpose.
I don't think this is at all like the ISP redirection pages that were more clearly non compliant with IETF internet standards.
mistercow's response explains it better. If it redirected to localhost, and there was a certain filesharing service enabled, then it's possible a browser was listening but obviously didn't have the specific file requested.
I don't know how they have it set up, but the laziest way to block pages is to add them to /etc/hosts mapping them to 127.0.0.1 . If you do that in OS X and Web Sharing (apache) is enabled (and it might be on their machines, although I hear Mountain Lion got rid of it?), then navigating to http://blocksite.com/whatever.html will give a 404 unless the web sharing directory actually contains the file "whatever.html". So it's very likely a simple matter of a lazy configuration rather than a nefarious attempt to make you think that the blocked site doesn't exist (which, really, what would be the motivation there?).
Why are you inclined to believe this isn't the case? What possible reason would there be for Apple to care one whit about the email that goes to iCloud accounts? The only thing that makes any sense at all is virus/spam filtering.
No you didn't. They don't care what's on your phone. They care about two things:
1) What's on their store, and
2) How apps get on your phone, e.g. they must be codesigned by Apple.
The former is where they apply their content standards. The latter is a (very effective) security measure.
But, for example, Apple doesn't care in the slightest if I make a hardcore pornography app, sign it with my own developer cert, and install it on my phone. They only care if I try and submit it to their store. Similarly, they don't care if I open up Safari and visit some pornographic website, even if it uses HTML5 offline mode and gets added as an independent icon to my home screen.
You're acting like Apple has some vast conspiracy to eradicate objectionable material from the face of the planet. That's ridiculous.
Apple has been pretty open about the fact that they just care about what's on their storefront. The only reason that this effectively means they control what's on your phone is because most people can't install apps on their phone except via Apple's App Store. Although, as usual, everyone in the world is free to view whatever objectionable website they want.
The security implications of only allowing codesigned code to execute is completely divorced from the decision to control what content is allowed on Apple's storefront. The former limits what's on your phone, but does not make any judgement about the content. The latter makes a judgement about the content, but doesn't limit what you can run on your phone if you can find some other avenue to run stuff (e.g. self-signed with a dev cert, or web apps).