I look after home users and businesses so got caught both ways. Here are some short vignettes of the last week (and part of this week as the blows keep on coming).
In short –
- Home user A – changed password and couldn’t get email working for 6 days owing to problems with authentication passing around badly.
- Business B – New to telcom. Told to use third party Auth SMTP service. Had to go through process of setting up email accounts on yahoo, getting authentication emails then using the MASTER PASSWORD on ALL machines to get them working. Also cannot use admin, sales or other email addresses they have always used as banned by xtra.
- Business User C – Changed passwords, did all that was required. All emails since Jan 2011 have now disappeared. Still trying to recover them.
Trying to run an IT business is tough but the xtra pressures and crud this type of carry on causes is insane. To make things worse xtra “improved” their security processes with out checking they work and had their servers unable to cope with the changes required.
My understanding is Australian Yahoo got hacked in a similar way, why weren’t changes made to stop it happening here?
Who pays for xtras mess? I’m suggesting to my clients to submit claims to xtra for the work I have had to do fixing their issues but the true cost of this debacle in $ terms must be horrendous in lost productivity, lost emails, missed opportunities and the costs to spam filters, slow systems etc.
My suggestions for change are at the end of this email.
Home User A:
Required to change password or at least encouraged to. Did so. Had to update password on iPad, iPhone, Samsung, Laptop and PC as he and his wife get their emails via phone while out, PC at home and laptop while away at Hanmer and other places.
Changed the password. So far so good. This is a complex process for the average user going through all the xtra crud on the screen and figuring out where to go to change stuff but I’ve been here before so got through it quickly.
Changed password on all the devices above.
Thunderbird on the Pc worked well, for receiving but wouldn’t send.
Changed send.xtra.co.nz to use port 587, 465, 25, use TLS, use auto, accept certs, use SSL and no encryption etc etc etc. All to no avail fixing the sending problem , but we could receive mail … until it stopped. The mail receiving stopped on Thunderbird – no changes to system, no password changes no nothing
Now we cant send or receive.
Changes to iPad, Samsung and iPhone all done. No sending or receiving.
Phoned TCom , told we must have made a mistake. Told the young lady on the other end of the line I had been setting emails up since before she was born and please stop patronizing me. However I was still being polite.
Long story cut short. Teir 2 escalation (80 minute wait on phone). No joy. Phoned again next day to progress it, 10:45pm at night and 2 hours on phone. Still no joy. Was told it wasn’t working as I wasn’t using a TCom network connection. Walked the guy through me connecting on a TCom network using ADSL and outlook 2010, using thunderbird on a Tcom stick and using other networks via cell phone.
It finally came right today – 6 days later, with no changes from our end of things.
Moral of story – don’t change your password as the authentication tokens aren’t flowing correctly. WE have seen these issues on a number of password changed clients. Sometimes goin back to the old password works, sometimes trying to get through the system and rechanging works. The new passwords work on the web mail but not smtp or pop. There are issues with backend authentication passing through the systems.
Commercial client B
Had just moved onto Telecom as an ISP. Now wishes they hadn’t. Was told to use a third party ISP as their domain email was on a third party ISP and they shouldn’t be using Telecoms servers to send from.
I think I called TCom a limited ISP at that point and asked if they wanted me to walk their client away as provision of the ability to send email was part of their promise to my client. 3 hours later we kind of got there. To get there we
Set up an @xtra email account.
Logged on via the xtra web portal.
Had to set up each email address being sent from manually via the web portal
Sent a verification email to each users email account..
Had to go to each PC, click on the confirmation email log into the xtra portal as the GOD LIKE USER and PASSWORD, and confirm it.
Admin, sales and a few other email addresses didn’t work no matter what we did. Finally found why admin@<client name> and sales@<clientname> wouldn’t authenticate- they are banned by telecom, along with a lit of other normally used words such as help, postmaster, abuse, spam etc etc. And it doesn’t stop there. Sales for instance is a phrase which if it occurs as part of a name is also banned so salesteam, wholesale, salesenquiry etc are also all illegal to use on Telecoms systems.
I am told the banning of these email addresses is a security measure – come on!!! If people using email@example.com get spammed that is their problem, it is not a security issue. It is their choice, or at least should be. To ban email addresses that have lnog been in use in a company is ludicrous. firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org are all longstanding used names. Banning them from your customers is ludicrous. What about email that will bounce when existing customers send to their normal email addresses and they bounce? Its our choice xtra – stop banning email addresses.
Lastly – Business User C. long standing xtra customer. Changed their passwords. Passwords reverted back to the old password 24 hours later. Their emails also disappeared – all emails from 2011 onwards have gone. Escalated to tier 2. Still no answers.
What is going on? If xtra and yahoo etc want us to go cloud we need a better experience than this. My client was looking to go cloud based as it was suitable for his business. Now I think I am about to sell him his own server.
Xtra – not a good week for you. A very bad week for me in terms of stress. Other jobs are now late, clients have lost business and I am billing over 30 hours of time last week ( and another 5 hours today) just dealing with problems you have caused. Don’t even ask how many unbilled hours I wont submit to clients.
Why did I write this. Here is what I hope you will do.
1 – Stop messing with fancy authentication processes and just do the straight forward ones properly. Google does it brilliantly as do other providers. Instead of massive complexity and ever increasing password lists, do the simple things correctly and the rest will fall into place. The average jo cant deal with your systems. You need to simplify and make the straight forward stuff work.
2 – Get rid of yahoo and get back to having the Nz public be able to contact the people who run their email so we can get issues resolved without having to have you guys fill in forms, send them to faceless entities and then have them lost in cyber space until yahoo finally bins them without resolving them/
3 – Change your password verification process so that when you click on a verification link it doesn’t require the domain / mail admin’s password to be entered on each and every pc to get verification completed. That’s just plain stupid.
4 - Get rid of your kill list of banned emnail addresses - at least the sensible ones. I agree goFlattenYourself @abuse.org (or similar) is not an ideal address to let loose in a g rated environment but sales, help,admin, purchases etc are.
From wiki - another eample. My friend will be pleased her name isnt banned nad offensive any more.
Username bansOn February 20, 2006, it was revealed that Yahoo! Mail was banning the word "Allah" in email usernames, both separate and as part of a user name such as linda.callahan. Shortly after the news of the "Allah" ban became widespread in media, it was lifted on February 23, 2006. Along with this action, Yahoo! also made the following statement:
We continuously evaluate abuse patterns in registration usernames to help prevent spam, fraud and other inappropriate behavior. A small number of people registered for IDs using specific terms with the sole purpose of promoting hate, and then used those IDs to post content that was harmful or threatening to others, thus violating Yahoo!'s Terms of Service. 'Allah' was one word being used for these purposes, with instances tied to defamatory language. We took steps to help protect our users by prohibiting use of the term in Yahoo! usernames. We recently re-evaluated the term 'Allah' and users can now register for IDs with this word because it is no longer a significant target for abuse. We regularly evaluate this type of activity and will continue to make adjustments to our registration process to help foster a positive customer experience.