Telecom's Xtra - Doomed to be an Email Failure?
If you're a Kiwi you'd have to have been hiding under a rock to have missed the fact that Xtra's email service has been under siege lately.
In February, a significant number of xtra.co.nz email addresses - hosted by Yahoo in Sydney - were compromised. It appears that an organised botnet was able to access the mailboxes of many thousands of subscribers, and use those mailboxes to generate spam emails (pointing at malicious web content) to email addresses found in those mailboxes - pulled from address books, sent items or similar.
The root cause has not been publicly announced by Yahoo, as far as I know, but I recall reading about a Cross Site Scripting issue involving WordPress that sounds plausible in some respects. That said, I know that several of the accounts compromised (including one of mine!) have not been used in a long time - or at least, hadn't been, until this issue came to light... which makes one wonder how long this has been parked, waiting - or whether there is some _other_ vulnerability at work.
In any case, there was a public outcry, and lots of 'change your password' advice being given out to account holders, and the rest of us got to suffer under a deluge of spam originating from Yahoo's servers - let's make it clear, it's not just the account holders that've suffered here, it's the folks they've corresponded with! - and in the aftermath Telecom had to announce a review of their email arrangement with Yahoo (to whom xtra.co.nz email has been outsourced for some years). NBR has a good article with the background, and their public announcement to stay with Yahoo on the grounds of a promise from Yahoo to 'do better'.
Less than a fortnight later, we're being clobbered again. The spam itself is basically identical - an email sent to 5-10 recipients, containing no more than a few words and a URL - and being relayed by Yahoo, thus actually coming from the compromised accounts. Discussion on Geekzone - a technical-user web forum - was among the first public discussions of the recurrence, with little public acknowledgement on Telecom's part for almost 24 hours. Then, more 'active minimisation' of the problem, with Telecom pointing out that it's a smaller number of accounts (1,000 or so) and talking up the 'here's how to change your password' approach that journos seem to be happy to accept.
What no one seems to be flagging is that this approach is simply ridiculous. I don't have much hard data myself (my two Yahoo-hosted email addresses seem to have been skipped in the most recent compromise) but some points to consider:
I don't have the words to express how truly exasperating this situation is, and I fear this blog entry isn't as coherent as I wish it would be, but this needs to be said.
The move to outsource Xtra's email platform to Yahoo was greeted with much animosity when it happened in the first place - the 'Bubble' escapades were fraught with cockups - and Yahoo's reputation as an email service provider is not great in the security space (plenty of spam originates from Yahoo and as an outsider, it doesn't appear that they're very proactive in dealing with this). On the other hand they can leverage their large market share and impose restrictions on the email they receive, placing other players at their mercy (mail administrators who're sick of the spam can't get away with blocking Yahoo - they're too big, so the collateral damage is too high). And this is before you consider that NZ's largest residential and small business ISP, with more than 400,000 email addresses, is someone that other NZ mail servers need to be able to talk to.
At a business level, they 'reviewed' the situation, and opted to stick with the status quo - and got pwned, yet again. And yet I expect that they'll remain where they are, due to the complete lack of interest in providing a reliable email platform for their customers. In the back of my mind I suspect that they don't tie much of their revenue to email - let's face it, these days email service is a tack-on to internet access agreements, and it's the latter that's deemed to make the ISP money (as plenty of folks stick with free email services and don't use the ISP supplied email accounts anyway).
Which brings me back to this. The rest of us are at the mercy of Yahoo/Xtra because we need to correspond with them, because we need to correspond with our friends and family who use them.