Since I wrote about Xtra/Yahoo's email woes, there's been quite a bit of activity. Not all of it good.

Telecom even emailed, telling me they're working on the situation, but so did a bunch of friends who are Xtra subscribers, even though they had no idea they'd done so.

You see, their emails were spoofed, so even though they appear to be from people I know, the email was sent by someone else.

Spoofing can be fun and is great for the odd office prank - there's even a bunch of free online services that'll let you send emails to anyone from anyone.


Trouble is the situation at Xtra has gone way beyond amusing.

Even though Telecom locked down email accounts, forcing users to choose stronger passwords, spoofed emails supposedly from Xtra subscribers still arrive in my inbox with annoying regularity.

The worrying thing is that all the emails have contained nothing but a link - one which most likely directs unsuspecting recipients to a malware-laden website.

Just how many have fallen into the trap of thinking "hey a link from mum/dad/my wife/my husband" and clicked it, we'll never know.

Chances are though that these people's computers are now awash with malware, allowing a whole new cycle of cyber nastiness to commence. Not good.

So if an email arrives in your inbox - even if it's from someone you know and trust - be very suspicious if the message contains only a link.

Whatever you do, don't click it. Email the person (or better still, phone them) and let them know that they're sending out dodgy links.

Even though Telecom have gone all-out on the issue, and it is great to see their CEO of retail, Chris Quin, stepping up to tell people to use more secure passwords, the situation is far from resolved.

In fact the digital equivalent of the stable door is now swinging in the breeze and there's no sign of a horse whatsoever.

In other words, no easy fix is in sight for Telecom.

So what to do? That user account details and address book contacts appear to have been hoovered wholesale off of inadequately secured servers by malicious parties so they could have their spoofing fun is an appalling breach.

Because of this, the first thing I'd do if I were Telecom would be to dump Yahoo and take email back in-house. Calling Yahoo a dog would of course be a disservice to canines (if they could type, my dogs would never send me spoofed emails with dodgy links, ever).

This is unfortunately easier said than done for both Telecom and its subscribers according to TUANZ CEO, Paul Brislen.

"Xtra is both a godsend and an albatross around Telecom's neck. On the one hand, it makes it very hard for Xtra customers to move away... They can't take their Xtra email account with them to a new ISP and that means they are very reluctant to move. VERY reluctant. On the other hand, Telecom doesn't want to run it in-house because of the cost and requirement to keep on top of spam/filtering/DDOS/white list and black list stuff, which is what drove it to outsource in the first place."

Even if Telecom did take email back in-house and dump Yahoo, spoofed emails would probably continue to be sent from supposed Xtra email addresses.

This said, if Telecom re-launched an in-house email service called something other than Xtra, people could at least then tell the difference between a spoofed Xtra email and an otherwise legit message sent using the new service.

As it stands, if you're an Xtra email user, chances are that unless someone tells you, you've no way of knowing that your name is being used in emails with links directing friends, family, and even business associates to what is a dodgy website that'll probably leave their computers subject to cyber mayhem.

Because of this, any possible solution should involve Xtra customers making use of another email service (Gmail or Outlook are both great and they're free) and advising all their Xtra address book contacts that any future emails from their Xtra email account should be deleted and ignored until further notice.

Brislen agrees: "If you want an email address as a customer you're better off with Gmail or the like, or getting your own and having Google manage it for you. It's very simple and means we can move from telco to telco as the need arises, without needing to set up new email accounts."

Sadly it appears there's no end in sight to what must rapidly be becoming a PR nightmare of epic proportions for Telecom.