Geekzone: technology news, blogs, forums
Topic # 114391 18-Feb-2013 16:07

I would like to share my experience of the Telecom / Yahoo / Xtra hack. This is designed as feedback to Xtra – letting you know what it is like for us. You need to improve your systems dramatically. There is a reason Xtra ranks as one of the least liked and least trusted companies in NZ. This hasn’t helped your cause at all.
I look after home users and businesses so got caught both ways. Here are some short vignettes of the last week (and part of this week, as the blows keep on coming).

In short –
  1. Home user A – changed password and couldn’t get email working for 6 days owing to problems with authentication passing around badly.
  2. Business B – New to Telecom. Told to use a third-party Auth SMTP service. Had to go through the process of setting up email accounts on Yahoo, getting authentication emails, then using the MASTER PASSWORD on ALL machines to get them working. Also cannot use admin, sales or other email addresses they have always used, as they are banned by Xtra.
  3. Business User C – Changed passwords, did all that was required. All emails since Jan 2011 have now disappeared. Still trying to recover them.
I’ve put in 16 hours plus on the phone waiting on TCom sorting out client issues caused by Telecom, and most of them have needed tier 2 resolution. Some can’t be sorted, such as Xtra emails being blacklisted (by Telstra, as one example).

Trying to run an IT business is tough, but the Xtra pressures and crud this type of carry-on causes is insane. To make things worse, Xtra “improved” their security processes without checking they work, and had their servers unable to cope with the changes required.

My understanding is Australian Yahoo got hacked in a similar way; why weren’t changes made to stop it happening here?

Who pays for Xtra’s mess? I’m suggesting to my clients to submit claims to Xtra for the work I have had to do fixing their issues, but the true cost of this debacle in $ terms must be horrendous in lost productivity, lost emails, missed opportunities and the costs to spam filters, slow systems etc.

My suggestions for change are at the end of this email.

 
Longer stories.

 Home User A:

Required to change password, or at least encouraged to. Did so. Had to update the password on iPad, iPhone, Samsung, laptop and PC, as he and his wife get their emails via phone while out, PC at home and laptop while away at Hanmer and other places.

Changed the password. So far so good. This is a complex process for the average user, going through all the Xtra crud on the screen and figuring out where to go to change stuff, but I’ve been here before so got through it quickly.

 Changed password on all the devices above.

Thunderbird on the PC worked well for receiving but wouldn’t send.

Changed send.xtra.co.nz to use port 587, 465, 25, use TLS, use auto, accept certs, use SSL and no encryption etc etc etc. All to no avail fixing the sending problem, but we could receive mail … until it stopped. The mail receiving stopped on Thunderbird – no changes to system, no password changes, no nothing.

Now we can’t send or receive.

 Changes to iPad, Samsung and iPhone all done. No sending or receiving.

Phoned TCom, told we must have made a mistake. Told the young lady on the other end of the line I had been setting emails up since before she was born and please stop patronizing me. However, I was still being polite.

Long story cut short. Tier 2 escalation (80 minute wait on phone). No joy. Phoned again next day to progress it, 10:45pm at night and 2 hours on phone. Still no joy. Was told it wasn’t working as I wasn’t using a TCom network connection. Walked the guy through me connecting on a TCom network using ADSL and Outlook 2010, using Thunderbird on a TCom stick and using other networks via cell phone.

 It finally came right today – 6 days later, with no changes from our end of things.

Moral of story – don’t change your password, as the authentication tokens aren’t flowing correctly. We have seen these issues on a number of password-changed clients. Sometimes going back to the old password works, sometimes trying to get through the system and re-changing works. The new passwords work on the webmail but not SMTP or POP. There are issues with backend authentication passing through the systems.

 Commercial client B

Had just moved onto Telecom as an ISP. Now wishes they hadn’t. Was told to use a third-party ISP, as their domain email was on a third-party ISP and they shouldn’t be using Telecom’s servers to send from.

I think I called TCom a limited ISP at that point and asked if they wanted me to walk their client away, as provision of the ability to send email was part of their promise to my client. 3 hours later we kind of got there. To get there we:

Set up an @xtra email account.

Logged on via the xtra web portal.

Had to set up each email address being sent from manually via the web portal

Sent a verification email to each user’s email account.

Had to go to each PC, click on the confirmation email, log into the Xtra portal as the GOD LIKE USER and PASSWORD, and confirm it.

Admin, sales and a few other email addresses didn’t work no matter what we did. Finally found why admin@<client name> and sales@<clientname> wouldn’t authenticate – they are banned by Telecom, along with a list of other normally used words such as help, postmaster, abuse, spam etc etc. And it doesn’t stop there. Sales, for instance, is a phrase which, if it occurs as part of a name, is also banned, so salesteam, wholesale, salesenquiry etc are also all illegal to use on Telecom’s systems.

I am told the banning of these email addresses is a security measure – come on!!! If people using [email protected] get spammed that is their problem, it is not a security issue. It is their choice, or at least should be. To ban email addresses that have long been in use in a company is ludicrous. [email protected], [email protected], [email protected], [email protected], [email protected] are all longstanding used names. Banning them from your customers is ludicrous. What about email that will bounce when existing customers send to their normal email addresses? It’s our choice, Xtra – stop banning email addresses.

Lastly – Business User C. Long-standing Xtra customer. Changed their passwords. Passwords reverted back to the old password 24 hours later. Their emails also disappeared – all emails from 2011 onwards have gone. Escalated to tier 2. Still no answers.

What is going on? If Xtra and Yahoo etc want us to go cloud we need a better experience than this. My client was looking to go cloud-based as it was suitable for his business. Now I think I am about to sell him his own server.

 CONCLUSION
Xtra – not a good week for you. A very bad week for me in terms of stress. Other jobs are now late, clients have lost business and I am billing over 30 hours of time last week (and another 5 hours today) just dealing with problems you have caused. Don’t even ask how many unbilled hours I won’t submit to clients.

Why did I write this? Here is what I hope you will do.

1 – Stop messing with fancy authentication processes and just do the straightforward ones properly. Google does it brilliantly, as do other providers. Instead of massive complexity and ever-increasing password lists, do the simple things correctly and the rest will fall into place. The average Joe can’t deal with your systems. You need to simplify and make the straightforward stuff work.

2 – Get rid of Yahoo and get back to having the NZ public able to contact the people who run their email, so we can get issues resolved without having to have you guys fill in forms, send them to faceless entities and then have them lost in cyberspace until Yahoo finally bins them without resolving them.

3 – Change your password verification process so that when you click on a verification link it doesn’t require the domain / mail admin’s password to be entered on each and every PC to get verification completed. That’s just plain stupid.
4 – Get rid of your kill list of banned email addresses – at least the sensible ones. I agree goFlattenYourself@abuse.org (or similar) is not an ideal address to let loose in a G-rated environment, but sales, help, admin, purchases etc are.

From Wikipedia – another example. My friend will be pleased her name isn’t banned and offensive any more.
Username bans: On February 20, 2006, it was revealed that Yahoo! Mail was banning the word "Allah" in email usernames, both separate and as part of a user name such as linda.callahan.[54] Shortly after the news of the "Allah" ban became widespread in media, it was lifted on February 23, 2006. Along with this action, Yahoo! also made the following statement:[55]
We continuously evaluate abuse patterns in registration usernames to help prevent spam, fraud and other inappropriate behavior. A small number of people registered for IDs using specific terms with the sole purpose of promoting hate, and then used those IDs to post content that was harmful or threatening to others, thus violating Yahoo!'s Terms of Service. 'Allah' was one word being used for these purposes, with instances tied to defamatory language. We took steps to help protect our users by prohibiting use of the term in Yahoo! usernames. We recently re-evaluated the term 'Allah' and users can now register for IDs with this word because it is no longer a significant target for abuse. We regularly evaluate this type of activity and will continue to make adjustments to our registration process to help foster a positive customer experience.




nunz

Reply # 765240 18-Feb-2013 16:16

I never had any issue using 3rd party mail servers on my Xtra connection a couple of years back. There is an opt out of their port blocking somewhere that once done, you can use whatever mail provider you like.




Twitter: ajobbins



Reply # 765253 18-Feb-2013 16:27

The client hosts their mail with discountdomains / digiweb and pops from there.
They had always used smtp.clear.net.nz as a Clear client but moved to TCom.

They needed to change their Outlook clients to point at send.xtra.co.nz as they can’t use Clear’s SMTP anymore.

Xtra wouldn’t give them an authentication to use send.xtra.co.nz and you can no longer use smtp.xtra.co.nz without authentication.

We got an address made, <clientname>@xtra.co.nz, and used that to authenticate logins to send.xtra.co.nz.

We then had to register every name at the client under that account:
   [email protected]
   [email protected]
   [email protected]
   admin@clientname.co.nz
   sales@clientname.co.nz

Authentication emails went out for Mary, John and Bob. Admin and sales were flatly refused authentication.

I then had to visit Mary, Bob and John’s PCs / Outlook clients, as the verification email takes you to the Xtra / Yahoo email login page and makes you log in using <clientname>@xtra.co.nz and password to verify. This means all users in the company either have to know the password for the admin login for the Xtra account <clientname>@xtra.co.nz, or I have to visit each and every PC. That’s not straightforward when they are all over the country and in and out of internet range.

Hope this explains my process and what we had to face.

My point is – banning admin@<clientname> and sales@<clientname> is just plain stupid, and the verification emails should not require a login to complete the verification process. They should contain a one-off authentication token in the URL just like many other verification processes.

shane

  




nunz
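One way to do the token-in-the-URL verification that the post above asks for, as an added example that is not code from Xtra, Yahoo or anyone in this thread: the link carries a signed, single-use, expiring token bound to the address being verified, so the person clicking it never has to enter the account's master password. The hostname, key handling and addresses are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side signing key; a real service loads it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)

# Nonces that have already been redeemed (a database table in a real service).
_redeemed: set = set()


def _mac(payload: bytes) -> str:
    """HMAC over the payload so nobody without SERVER_KEY can mint or alter a token."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(address: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint a single-use token binding the address being verified to an expiry time."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)  # random, unguessable, accepted only once
    payload = f"{address.lower()}|{int(now) + ttl_seconds}|{nonce}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_mac(payload)}"


def verification_link(token: str) -> str:
    """Build the link that goes in the verification e-mail (hostname is a placeholder)."""
    return "https://mail.example.invalid/verify?" + urlencode({"t": token})


def redeem(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the verified address, or None if the token is forged, expired or already used."""
    now = time.time() if now is None else now
    try:
        body, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        # Check the MAC before trusting anything inside the payload.
        if not hmac.compare_digest(mac, _mac(payload)):
            return None
        address, expires, nonce = payload.decode().split("|")
    except (ValueError, TypeError, binascii.Error, UnicodeDecodeError):
        return None
    if now > int(expires) or nonce in _redeemed:
        return None
    _redeemed.add(nonce)  # single use: a second click on the same link is rejected
    return address


def redeem_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """What the /verify endpoint does: pull the token out of the query string and redeem it."""
    tokens = parse_qs(urlparse(url).query).get("t")
    return redeem(tokens[0], now) if tokens else None
```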

Reply # 765260 18-Feb-2013 16:37

Ugh. I feel sorry for you. Small businesses using POP/IMAP and ISPs' servers for SMTP were a nightmare I was glad to leave behind.

It's a shame Google Apps is getting rid of their free tier - they offer a fantastic service for very little money. The best situation in my experience is the ISP provides IP connectivity only, no domains, mail, web hosting. But that isn't always possible.

Anyone who has had to try and get internal MX records removed after moving domains away from Xtra, with email from Xtra users still going to the old MX, will agree.

Reply # 765264 18-Feb-2013 16:39

I've got port 25 unblocked for both my personal connection (even though I now no longer have a mail server at home) and also for a charity that I support, using the form at https://www.telecom.co.nz/form/1,6849,5664,00.html

Unless it's changed, this does not require authentication to use smtp.xtra.co.nz

Reply # 765265 18-Feb-2013 16:39

Why not just use the pop.yourdomainname.whatever and smtp.yourdomainname.whatever that your mail provider more than likely provides?

Using another SMTP server (such as Xtra's) just means it's more likely you will get on spam blacklists.




Twitter: ajobbins



Reply # 765282 18-Feb-2013 16:49

ajobbins: why not just use the pop.yourdomainname.whatever and smtp.yourdomainname.whatever that your mail provider more than likely provides?

Using another SMTP server (such as Xtra's) just means it's more likely you will get on spam blacklists.


My provider does supply authenticated SMTP (at a price), but as most of the PCs have been using Clear for years with no issues, the client assumed doing the same with Xtra ......

Also we have found that some blacklists are twitchy about some settings but do have more tolerance for Clear as NZ's largest ISP. Conversely, some ban Xtra as they are so regularly used for spam - a bit of a toss-up really.

If the client had contacted me first I would have not gone this way, got them sorted with Snap or similar - but the Telecom man came and sold them a picture of bliss and they took it. Ouch!!







nunz

Reply # 765283 18-Feb-2013 16:49

Just looked at the discountdomains email product, and it does look like they don't give you an SMTP server to use. How stupid.

What I would do:
Request port 25 unblock from Xtra
Sign up for a cheap and reliable hosting provider. I use 1c.co.nz. $5 a month gets you 5 mailboxes, 250MB of storage and 1GB traffic.
Here you can host a website on your domain, as well as use their mail server for both sending and receiving email - cutting Xtra out of the picture all together.

Using Xtra's SMTP your mail also probably goes out as '[email protected] ON BEHALF of [email protected]'. This looks amateur and unprofessional IMHO.

The other downside of discountdomains' lack of SMTP is: what if you have your mail set up on a mobile device or a laptop, and you then send mail while off the Xtra network? Don't Xtra block that?




Twitter: ajobbins



Reply # 765285 18-Feb-2013 16:51

allan: I've got port 25 unblocked for both my personal connection (even though I now no longer have a mail server at home) and also for a charity that I support, using the form at https://www.telecom.co.nz/form/1,6849,5664,00.html

Unless it's changed, this does not require authentication to use smtp.xtra.co.nz


I've used port 25 on clients before but it invariably has changed and gone to custard within a few weeks. AuthSMTP is the most solid way with Xtra. I am seriously considering starting a mail-only SMTP authenticated service for my clients. It just might be easier.







nunz

Reply # 765288 18-Feb-2013 16:53

nunz: I've used port 25 on clients before but it invariably has changed and gone to custard within a few weeks. AuthSMTP is the most solid way with Xtra. I am seriously considering starting a mail-only SMTP authenticated service for my clients. It just might be easier.


Use a host as I suggested above and you get a) authenticated SMTP and b) mail originating from an IP address you can validate with SPF records and the like in DNS. Receiving mail servers will be MUCH more trusting of mail sent directly this way, as opposed to using the middle-man approach you need to with Xtra's SMTP.




Twitter: ajobbins
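The SPF check ajobbins refers to, as an added illustration that is not code from the thread or from any ISP: a small evaluator over constructed TXT records shows that mail sent straight from the client's own host passes the client domain's record, while mail relayed through an unrelated ISP server fails it. Every domain name and IP address here is a constructed placeholder (documentation ranges), and the evaluator covers only the ip4/ip6/include/all mechanisms.

```python
import ipaddress
from typing import Dict

# Constructed TXT records standing in for real DNS lookups; every name is a placeholder.
# clientname.example authorises its own host plus whatever hosting.example authorises.
TXT_RECORDS: Dict[str, str] = {
    "clientname.example": "v=spf1 ip4:203.0.113.10 include:hosting.example -all",
    "hosting.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}

# An ISP relay that is NOT listed in either record above (constructed).
ISP_RELAY_IP = "192.0.2.25"

# Qualifier prefix of a mechanism -> result when that mechanism matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, records: Dict[str, str] = TXT_RECORDS, depth: int = 0) -> str:
    """Evaluate the ip4/ip6/include/all mechanisms of RFC 7208 for one sending IP.

    Returns pass, fail, softfail, neutral, none (no record) or permerror (include loop).
    """
    if depth > 10:
        return "permerror"
    record = records.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # A v4 address never matches a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            # include: matches only if the referenced domain's record yields "pass".
            matched = check_spf(argument, sender_ip, records, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            continue  # a, mx, ptr, exists and modifiers are not modelled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"
```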



Reply # 765291 18-Feb-2013 16:56

ajobbins: Just looked at the discountdomains email product, and it does look like they don't give you an SMTP server to use. How stupid.

What I would do:
Request port 25 unblock from Xtra
Sign up for a cheap and reliable hosting provider. I use 1c.co.nz. $5 a month gets you 5 mailboxes, 250MB of storage and 1GB traffic.
Here you can host a website on your domain, as well as use their mail server for both sending and receiving email - cutting Xtra out of the picture all together.

Using Xtra's SMTP your mail also probably goes out as '[email protected] ON BEHALF of [email protected]'. This looks amateur and unprofessional IMHO.

The other downside of discountdomains' lack of SMTP is: what if you have your mail set up on a mobile device or a laptop, and you then send mail while off the Xtra network? Don't Xtra block that?


Discount Domains are part of Digiweb, who do excellent authenticated SMTP servers. Rock solid, and we have clients using them. This client got the jump on me when the TCom guy called, so I had to fix up a mess.

The on-behalf-of doesn't show, so we are OK.

My clients use the AuthSMTP service on their cell phones, at home etc. More and more clients are on multiple networks, travelling with laptops and cell phones between home, work, cellular, motels, friends, cafes etc etc. Auth SMTP is the best way to go.

We have actually been migrating a few to Google Apps, which works superbly with Android (and iOS), IMAP, POP, SMTP etc etc. At $5/month/user they are a good option.

However, again - an NZ-based authenticated SMTP service might do well for the road warriors. One email set up on all devices and all networks and all systems, no matter where in the world you are, and with the data in NZ under NZ laws and NZ search / seizure systems. Also no ads and no watching your mail to see what you are writing to serve you ads. There is an opportunity to make a new Hotmail (I mean the original PHP one before MS got hold of it) or similar.

Just for NZ.







nunz

Reply # 765299 18-Feb-2013 17:10

I'm not for a moment suggesting you don't use Auth SMTP.

What I am suggesting is DO NOT USE XTRA's. In the case of Xtra, they are not just letting you use their server, they are making you use an @xtra address as a pass-through - one that has been validated as in your control. The real sending address is the @xtra address, and this would be evident in the mail headers I suspect.




Twitter: ajobbins

Reply # 765385 18-Feb-2013 20:40

I know it's easy to get jaded, as this can be a thankless task, and you might already have enough on your plate, but it's issues like this that keep you with work though. Count your blessings that people respect your skill enough to hire you, and make sure you charge them for all your time. If everything worked perfectly then you wouldn't be needed anymore.

Reply # 765488 18-Feb-2013 22:33

Sign up as a Google Apps and Microsoft 365 reseller and start selling your clients on a better email service imo.

Reply # 765551 19-Feb-2013 08:09

Yep. This would be my advice too. And another end result is the lack of headache for the reseller too.



Reply # 765557 19-Feb-2013 08:16

DaveDog: Yep. This would be my advice too. And another end result is the lack of headache for the reseller too.


We already have clients going this way, it's just not able to be done for everyone. E.g. accounting or specialist packages with SMTP integration don't always support SMTP AUTH or SSL. There are a number of other cases.

Anyway, thanks for the advice one and all. As I said, my goal in writing this is not to get answers, it is to let Xtra know about the havoc they are causing and offer some suggestions on how to go forward (as if they would listen to me).

Again my advice or suggestion to them is:
1 - Simplify processes as they are end-user unfriendly.
2 - Simplify security processes and do them well. Strapping on complexity doesn't make up for basic process failure - do the simple thing right and the rest will follow.
3 - Reverse that dumb decision to ban certain common email addresses. It doesn't help security to ban sales, admin etc as email addresses.
4 - Bring control of NZ emails back to NZ - give us access to people dealing with our emails directly so we can resolve stuff in a timely fashion - your current process is not working, is slow and opaque.

Shane (the tired, blessing-counting and still somehow hopeful)








nunz
