Telecom's Xtra - Doomed to be an Email Failure?

If you're a Kiwi you'd have to have been hiding under a rock to have missed the fact that Xtra's email service has been under siege lately.

In February, a significant number of email addresses - hosted by Yahoo in Sydney - were compromised. It appears that an organised botnet was able to access the mailboxes of many thousand subscribers, and use those mailboxes to generate spam emails (pointing at malicious web content) to email addresses found in those mailboxes - pulled from address books, sent items or similar.

The root cause has not been publicly announced by Yahoo, as far as I know, but I recall reading about a Cross Site Scripting issue involving Wordpress that sounds plausible in some respects. That said, I know that several of the accounts compromised (including one of mine!) have not been used in a long time - or at least, hadn't been, until this issue came to light... which makes one wonder how long this has been parked, waiting - or whether there is some _other_ vulnerability at work.

In any case, there was a public outcry, and lots of 'change your password' advice being given out to account holders, and the rest of us got to suffer under a deluge of spam originating from Yahoo's servers - let's make it clear, it's not just the account holders that've suffered here, it's the folks they've corresponded with! - and in the aftermath Telecom had to announce a review of their email arrangement with Yahoo (to whom email has been outsourced for some years). NBR has a good article with the background, and their public announcement to stay with Yahoo on the grounds of a promise from Yahoo to 'do better'.

Less than a fortnight later, we're being clobbered again. The spam itself is basically identical - an email sent to 5-10 recipients, containing no more than a few words and a URL - and being relayed by Yahoo, thus actually coming from the compromised accounts. Discussion on Geekzone - a technical-user web forum - was amongst the first public discussion on the recurrence, with little public acknowledgement on Telecom's part for almost 24 hours. Then, more 'active minimisation' of the problem, with Telecom pointing out that it's a smaller number of accounts (1,000 or so) and talking up the 'here's how to change your password' approach that journos seem happy to accept.
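The spam pattern described above (a handful of recipients, a few words, a single URL) is simple enough to turn into a triage heuristic that a receiving mail administrator could run over incoming messages. The following is an added example and not code from the original post or from Telecom/Yahoo; the recipient range follows the 5-10 figure given in the text, the eight-word body limit is an assumption, and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Recipient range follows the pattern described in the post (5-10 recipients);
# the word limit for "no more than a few words" is an assumed threshold.
MIN_RCPT, MAX_RCPT = 5, 10
MAX_WORDS = 8

# Constructed sample messages (not real mail from the incident).
SAMPLES = [
    # Matches the described pattern: five recipients, three words, one URL.
    """From: someone@example.invalid
To: a@example.invalid, b@example.invalid, c@example.invalid, d@example.invalid, e@example.invalid
Subject: hi
Content-Type: text/plain

check this out http://198.51.100.7/x.php
""",
    # Ordinary personal mail: one recipient, real prose, no URL.
    """From: friend@example.invalid
To: me@example.invalid
Subject: dinner
Content-Type: text/plain

Are we still on for Friday? Let me know what time suits you and I will book somewhere.
""",
    # Group mail with a link but a substantial body: should not be flagged.
    """From: club@example.invalid
To: p@example.invalid, q@example.invalid, r@example.invalid, s@example.invalid, t@example.invalid, u@example.invalid
Subject: Minutes from Tuesday
Content-Type: text/plain

Thanks to everyone who came along on Tuesday. The minutes and the updated
schedule for next month are on the club site at http://club.example.invalid/minutes
and the treasurer asks that subscriptions be paid before the end of the month.
""",
]


def _plain_text(msg: Message) -> str:
    """Collect the text/plain body of a message, multipart or not."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw: str) -> dict:
    """Score one RFC 5322 message against the few-recipients, few-words, one-URL pattern."""
    msg = message_from_string(raw)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    body = _plain_text(msg)
    urls = URL_RE.findall(body)
    words = URL_RE.sub("", body).split()  # count words with the URLs removed
    suspicious = (
        MIN_RCPT <= len(rcpts) <= MAX_RCPT
        and len(urls) >= 1
        and len(words) <= MAX_WORDS
    )
    return {"recipients": len(rcpts), "urls": len(urls),
            "words": len(words), "suspicious": suspicious}


def suspicious_indices(raw_messages) -> list:
    """Positions of the messages that match the pattern (for quarantine or review)."""
    return [i for i, raw in enumerate(raw_messages) if classify(raw)["suspicious"]]


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLES):
        print(i, classify(raw))
    print("flagged:", suspicious_indices(SAMPLES))
```

A heuristic this blunt will also catch a genuine "look at this" note sent to a few friends, so it is better used to route matching mail from the affected relays into quarantine or rate limiting than to reject it outright; that is the same collateral-damage trade-off the post raises about blocking a large provider wholesale.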

What no-one seems to be flagging is that this approach is simply ridiculous. I don't have much hard data myself (my two Yahoo-hosted email addresses seem to have been skipped in the most recent compromise[1]) but some points to consider:

  • Enforced password changes happened last time, didn't they??
  • If passwords were changed last time, and the account has been re-compromised - HOW?
  • If the account is re-compromised, and the root cause hasn't actually been fixed, aren't we just going around in circles?

I don't have the words to express how truly exasperating this situation is, and I fear this blog entry isn't as coherent as I wish it would be, but this needs to be said.

The move to outsource Xtra's email platform to Yahoo was greeted with much animosity when it happened in the first place - the 'Bubble' escapades were fraught with cockups - and Yahoo's reputation as an email service provider is not great in the security space (plenty of spam originates from Yahoo and as an outsider, it doesn't appear that they're very pro-active in dealing with this). On the other hand they can leverage their large marketshare and impose restrictions on the email they receive, placing other players at their mercy (mail administrators who're sick of the spam can't get away with blocking Yahoo - they're too big, so the collateral damage is too high). And this is before you consider that NZ's largest residential and small business ISP, with more than 400,000 email addresses, is someone that other NZ mail servers need to be able to talk to.

At a business level, they 'reviewed' the situation, and opted to stick with the status quo - and got pwned, yet again. And yet I expect that they'll remain where they are, due to the complete lack of interest in providing a reliable email platform for their customers. In the back of my mind I suspect that they don't tie much of their revenue to email - let's face it, these days email service is a tack-on to internet access agreements, and it's the latter that's deemed to make the ISP money (as plenty of folks stick with free email services and don't use the ISP supplied email accounts anyway).

Which brings me back to this. The rest of us are at the mercy of Yahoo/Xtra because we need to correspond with them, because we need to correspond with our friends and family who use them.
The answer then? Vote with your feet! People need to find alternatives. There are plenty. Even Hotmail (shudder) are more effective than Yahoo at the moment. And if you're one of those small businesses who still truck along with '' as your email address (and sign written on your vehicles!) - Welcome to the 21st Century. You can get your own domain name for $30 per year, and you can host it anywhere. Seriously. Telecom have demonstrated no commitment to looking after your needs. Why would you accept such poor service?

As an aside...

... if you need a clear indication of how little they really care about their mail platform, consider this:
- The address that I retain, was tied to the broadband connection I had with Xtra back in the mid 2000's.
- I _think_ (memory fades) that I opted to retain it as a $2.50/month account.
- At some point it 'fell off' my bill but remained in place.
- I didn't use it for a LONG time. I think I checked it once or twice when I fell into my current job (at an Email Security company) and mainly use it to test end-to-end comms and such - but mainly coz it's still there, and I'm not paying for it!
- In February I checked on the account after news of the Yahoo exploit and it was still there. In it I found a couple of 'system' emails from Xtra, notifying me that my account was amongst those that was identified as being 'orphaned' and unless they heard back from me, they'd cancel my account. In November.

November. But I checked it in February!!
I checked in April, it's still there. So they can't even deliver on their own commitment to remove an old account, that should've gone years ago, and that they'd actually specifically said they'd remove nearly 6 months ago now.