You may be able to access the TDR (as opposed to going through the DT).
I do wonder what action can be taken against an organisation providing a free service. I have also been affected by Spam Titan but have been able to ameliorate that by changing settings. I have whitelisted every site and moved any filtering off line. It seems to be working okay for me.
Plesse igmore amd axxept applogies in adbance fir anu typos
Thanks for the good questions and suggestions, fellow geekzoners.
On the service being free: the email address wasn't a standalone free service like Gmail. It was provided as part of a paid Orcon internet subscription, with the specific commitment of 'email address for life.' I had a paid internet account with Orcon for around 15 years. The CGA applies to services provided as part of a paid relationship regardless of how they're later recharacterised.
On quantifiable loss: documented examples include a tertiary enrolment offer email verified as delivered to Orcon by the sender's own email system but never received, causing two weeks of uncertainty; bank notifications quarantined sporadically over multiple years; correspondence from family members silently deleted, and an unknown amount of other silent deletions which potentially represent the last email someone sent because it wasn't replied to, and therefore that relationship was harmed and may remain harmed, unbeknownst to both parties.
This self-erasing nature of SpamTitan actually makes the issue worse for Orcon because the absence of recoverable evidence doesn't diminish the claim — it strengthens it, as it demonstrates the system was designed in a way that made harm both inevitable and unverifiable. Therefore, Orcon cannot produce evidence that the deleted emails were actually spam, and the burden of proof shifts accordingly.
The TDR is also worth considering as a parallel avenue given the telecommunications context. I'll investigate what they can do as a first step before the DT.
Ultimately, this customer group has been documented as being let down because the supplier has a known and admitted faulty product, has arbitrarily changed their terms without notice, all of which falls under the DT's framework.
A public statement alerting customers to the issue would be the minimum acceptable response — particularly given that SpamTitan affects all current Orcon email customers, not just legacy email holders.
The silent document shredder is still running ...
Further update: Orcon/2degrees issued a deadlock letter to me and also suggested lodging any further complaint with TDR, so my TDR complaint has now been formally submitted and received.
Header analysis revealed something worth sharing with anyone still on Orcon email: SpamTitan's own Bayesian classifier rated a Netflix phishing email at 99.9% spam probability yet delivered it to the inbox, while simultaneously quarantining an authenticated email sent from my own Orcon address to itself. Both a spoofed Mercury energy bill and the Netflix phishing email originated from the same Moroccan IP address — the same spam campaign — and both were delivered as Clean.
Also worth noting: on the day I submitted the TDR complaint, TDR's own confirmation email was blocked by SpamTitan twice before eventually arriving nearly two and a half hours later. The silent document shredder blocked the notification from the service investigating the silent document shredder.
I'll update the thread when TDR responds. For anyone else affected, the process is straightforward — ideally you need a deadlock letter from Orcon/2degrees first, then it's a one page web form at tdr.org.nz and it's free.
Linux:
@DrDoug They will just shut down the email service - issue fixed, everyone using it go get a free Gmail, Outlook etc email address!
This does not make them any money! This is why other ISPs have killed free email service
I hope they don't kill it. Moving everything to Gmail is a pain I would rather avoid. I don't really understand going to war over this. I have found a workable solution by just disabling everything in Spam Titan that I could, whitelisting all my links and doing my own filtering off-line. It works. That is all that matters.
Plesse igmore amd axxept applogies in adbance fir anu typos
For anyone still on Orcon email wondering whether to stay or go, the short answer is go.
Staying comes down to — is anyone with the authority going to choose to make the rubber meet the road. Will they choose to drive outwards towards a stable solution or keep silently circling the problem until it gets flushed? The silent document shredder doesn't have to stay silent or stay a shredder.
The difference is between the current system that was set up, forgotten, obfuscated when customers report related issues, and a fit-for-purpose system that is actively maintained toward optimal.
Here is my plain-language root cause analysis of what's actually broken and how most of it could be fixed — a roadmap out of the problem.
Retiring the service or manually whitelisting everything are both understandable responses to the situation. But for customers who can't whitelist their way out — because their bank, IRD, and other institutions use dynamically generated sending addresses that change with every email — and for elderly customers who don't know SpamTitan exists, let alone how to navigate it, those options aren't available.
The underlying problems are worth naming clearly.
The core issue isn't that SpamTitan exists. It's that it's misconfigured against its own platform, outdated by three years, and operating without the basic transparency features that would make it manageable.
Specifically:
Orcon's own email domain is missing DMARC records — a standard email authentication mechanism. SpamTitan penalises their absence as a spam indicator. This means SpamTitan is penalising Orcon customers' legitimate emails for an infrastructure omission that Orcon itself is responsible for. Adding DMARC records to orcon.net.nz is a DNS configuration change that could be implemented in under an hour and would immediately reduce false positive rates.
The spam scoring threshold is miscalibrated relative to the rules in use. During this complaint process, a Netflix phishing email was scored 4.791 and delivered as Clean — despite SpamTitan's own Bayesian classifier assessing it at 99.9% spam probability and its cryptographic signature being invalid. Meanwhile, an authenticated email from my own Orcon address to itself was quarantined at 5.199. A scoring rule override — if the classifier's own confidence is 99%+, quarantine regardless of total score — would address this directly.
The greylisting timer is configured tightly enough to reject Amazon SES — one of the world's largest legitimate email delivery services, used by banks, government agencies, and as I discovered on the day of filing my TDR complaint, the TDR itself. Adjusting the retry window or pre-whitelisting major known-legitimate sending infrastructure at the platform level would resolve this without affecting spam protection.
A fourth failure mode was also observed: a PayPal phishing email was correctly scored above the spam threshold (6.166) and flagged YES by SpamTitan's own scoring engine, its subject was pre-pended with [ ** SPAM ** ] — then delivered to the inbox anyway, with no record in SpamTitan's Reporting tab. The system's assessment and its action are disconnected.
SpamTitan has quarantine digest notifications as a built-in feature. Enabling daily digests at the platform level would mean customers are notified when emails are held — solving the core transparency problem without requiring any development work.
The platform is running version 7.13.67 from April 2022. The current release is 8.02 from September 2025. Three years of security updates, rule refinements, and bug fixes are sitting unused on a product whose entire purpose is security.
Finally, Orcon's own help page states quarantined emails are retained for 21 days. Direct observation confirmed deletion occurs within approximately six days.
Published documentation and actual system behaviour need to match, walk needs to match talk — customers making decisions based on inaccurate specifications are being materially misled, and correcting this is a documentation edit, not a development project.
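The two header-level failures described in the post above (a 99%+ Bayes hit delivered as Clean, and a message scored as spam yet delivered) can be checked mechanically from saved message headers. This is an added example, not part of the original post and not SpamTitan or Orcon code; it assumes SpamAssassin/amavisd-style `X-Spam-Status` headers, and the sample headers and rule weights are constructed, with only the score totals and outcomes taken from the post.

```python
import re

# Header layout assumed to be SpamAssassin/amavisd style (an assumption, not
# confirmed by the post).
STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+).*?required=(-?[\d.]+)"
    r".*?tests=\[(.*?)\]", re.S | re.I)
BAYES_HIGH = {"BAYES_99", "BAYES_999"}  # SpamAssassin rules for Bayes probability >= 99%

def parse_status(header):
    """Split an X-Spam-Status header into verdict, score, threshold and rule hits."""
    m = STATUS_RE.search(header)
    if not m:
        raise ValueError("no X-Spam-Status header found")
    verdict, score, required, tests = m.groups()
    hits = {name: float(val) for name, val in
            re.findall(r"([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)", tests)}
    return {"flagged": verdict.lower() == "yes", "score": float(score),
            "required": float(required), "hits": hits}

def audit(header, delivered_to):
    """Return findings for one message; delivered_to is 'inbox' or 'quarantine'."""
    s = parse_status(header)
    findings = []
    # Proposed override: a 99%+ Bayes hit should quarantine whatever the total is.
    if BAYES_HIGH & set(s["hits"]) and not s["flagged"]:
        findings.append("bayes>=99% but scored clean: override rule would quarantine")
    # The filter's own verdict says spam, yet the message reached the inbox.
    if s["flagged"] and delivered_to == "inbox":
        findings.append("scored as spam but delivered: verdict and action disagree")
    return findings

# Constructed samples: totals and outcomes follow the post, the rest is illustrative.
SAMPLES = {
    "netflix phish": ("X-Spam-Status: No, score=4.791 tagged_above=-999 required=5\n"
                      "\ttests=[BAYES_999=0.2, BAYES_99=3.5, T_DKIM_INVALID=0.01]", "inbox"),
    "self to self": ("X-Spam-Status: Yes, score=5.199 tagged_above=-999 required=5\n"
                     "\ttests=[DKIM_VALID=-0.1, HTML_MESSAGE=0.001]", "quarantine"),
    "paypal phish": ("X-Spam-Status: Yes, score=6.166 tagged_above=-999 required=5\n"
                     "\ttests=[BAYES_99=3.5, URIBL_BLOCKED=0.001]", "inbox"),
}

if __name__ == "__main__":
    for name, (hdr, dest) in SAMPLES.items():
        print(name, "->", audit(hdr, dest) or ["consistent with its own score"])
```

The self-to-self sample produces no finding because its header is internally consistent (scored over threshold, quarantined); that false positive comes from the rule weights themselves, which a header audit cannot judge.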
Fetchmail has been fetching a lot of spam from my old Orcon account over recent days, so it looks like the filtering may have been relaxed - good.
Well it appears to now be blocking emails from IRD and Beamafilm so personally it is getting worse.
Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.
I’m getting slammed now with spam