The following two options should work around the bug in the Yahoo mail system that affects many more than just those with @Yahoo mail addresses. There is also a Thunderbird bug that has been raised to investigate this issue here that provides more detailed information should you be interested.
If that does not do it for you, you will need to use the config editor to set mail.strictly_mime to true, which forces Thunderbird to use 7bit encoding in email. This is not an optimal setting but is sometimes needed to work around the various Yahoo issues.
Friday, July 19, 2019
Wednesday, February 28, 2018
Copy Thunderbird's profile to a new computer.
This is something we all must undertake at some point, and to this end there is an article on the Thunderbird support forum that offers a number of methods. See here
I am writing this because really the article is inadequate, but attempts to improve it run into issues with Linux and OSX. So here the discussion is about Windows only and will offer instructions that assume you have not changed some fundamental options in Thunderbird.
While the vast majority of Thunderbird users do not change the location of their profile, or change the folder ("Local Directory") used to store the mail data for an account, it is possible to do both things, and this is one of the reasons the instructions on the support site are not as good as they should be.
So check the following in your old device.
Local Directory
- Right click the account in the folder pane in Thunderbird.
- Select properties
- In the server Settings for the account look at the "Local Directory"

In the above image I have removed the parts of the path that are specific to any one computer. The remaining information is consistent with all versions of Windows since XP. The part that needs to be checked to ensure it is set to a default location is \appdata\Roaming\Thunderbird. If your path does not contain this string, these instructions are not for you.
Profile folder location
- On the help menu select troubleshooting information.
- Click open folder beside "Profile Folder"
- Windows file manager will open.
Again check the profile location contains \appdata\Roaming\Thunderbird. This is the default location of the profile and unless it has been actively changed will show in the path at the top of the explorer window.
If the above two checks show \appdata\Roaming\Thunderbird then proceed with the profile size check and actual copy below.
Size check and copy
Old device.
- Windows key + R
- Type %appdata%
- In the Windows explorer window that opens select the Thunderbird folder with your mouse in the left hand pane.
- Right click the Thunderbird folder with your mouse and select properties from the menu that appears. Take note of the size of the Thunderbird folder and the number of files.
- Select a USB device with sufficient free space to hold your profile folder and copy the folder to it.
- Right click the Thunderbird folder on the USB drive and confirm it has the same number of files and folders as you noted earlier. If it is different then the copy will most likely not be complete.
New device.
- Windows key + R
- Type %appdata%
- Copy the Thunderbird folder from your USB device and drop it onto the appdata folder in the Windows file manager. If there was no Thunderbird folder before, one should be created. If there was one you should be prompted to replace files.
- Install Thunderbird, or start it if you previously installed it.
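The size and file count check above can be automated. The following is an added example, not part of the original post or of Thunderbird: a Python script that copies the Thunderbird folder and goes one step beyond the manual check by comparing a SHA-256 hash of every file. The function names are this example's own, and it assumes Thunderbird is closed while the copy runs.

```python
import hashlib
import os
import shutil
import sys
from pathlib import Path


def inventory(root):
    """Map each file's path relative to root to (size in bytes, SHA-256 hex)."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as handle:
                # Read in 1 MiB chunks so large mail stores do not fill memory.
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            name = path.relative_to(root).as_posix()
            result[name] = (path.stat().st_size, digest.hexdigest())
    return result


def compare(source, copy):
    """Return a list of differences; an empty list means the copy is complete."""
    src, dst = inventory(source), inventory(copy)
    problems = [f"missing in copy: {name}" for name in src if name not in dst]
    problems += [f"extra in copy: {name}" for name in dst if name not in src]
    problems += [f"content differs: {name}" for name in src
                 if name in dst and src[name] != dst[name]]
    return problems


def copy_profile(source, destination):
    """Copy the Thunderbird folder, verify it, and return (file count, total bytes).

    Raises FileExistsError if destination already exists (nothing is
    overwritten) and RuntimeError if the verification finds a difference.
    """
    source, destination = Path(source), Path(destination)
    shutil.copytree(source, destination)
    problems = compare(source, destination)
    if problems:
        raise RuntimeError("copy incomplete:\n" + "\n".join(problems))
    files = inventory(destination)
    return len(files), sum(size for size, _ in files.values())


def default_profile_root():
    """%APPDATA%\\Thunderbird, the default location the two checks above confirm."""
    return Path(os.environ["APPDATA"]) / "Thunderbird"


if __name__ == "__main__":
    # Usage (the drive letter is a placeholder): python copy_profile.py E:\Thunderbird
    count, size = copy_profile(default_profile_root(), sys.argv[1])
    print(f"verified {count} files, {size} bytes")
```

Running `compare` again on the new device, with the USB copy as the source and the restored folder as the copy, repeats the same check for the second leg of the move.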
Saturday, February 25, 2017
Is yahoo a lost cause? Probably!
Today I got an email from Yahoo, they were very concerned for my account security. So concerned in fact they told me.
Our external forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe that a forged cookie may have been used in 2015 or 2016 to access your account.
That is nice. Someone accessed my account. I wonder what they actually accessed? Yep, you guessed it. No information from the nice folks at yahoo on that subject. Just a bland generic suggestion that I "Review all of your accounts for suspicious activity." Really, this tells me what they accessed how? Was that email from the Japanese company I was negotiating the export contracts with in the account when it was accessed? Was that why the group for Bangladesh managed to undercut my price?
Now this account has only one purpose, it is one I created to test Thunderbird against the ever more bizarre processes used by Yahoo. Looking back over the account from the time it was created on the 16th February 2011 it has received exactly two emails not originating from me. Both were from Thunderbird users trying to navigate the complexities of Yahoo (the last of those emails was in 2014). But it appears from Yahoo that I have been the victim of state sponsored hacking for the purpose of just peeking in I suppose.
We have connected some of the cookie-forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on 22 September 2016
Now this is where I get a little concerned. They have connected "some of the ... activity" to that source. So are they telling me that the account has been hacked by multiple parties on multiple occasions? Are they telling me anything at all or just pressing the flesh and selling their new authentication protocol that offers them further advertising opportunities and more information about me as a person? I actually think both. They are I think admitting their accounts have been an open door for years for those in the know. I must wonder why Yahoo got those information requests from the US government. Perhaps they are not as good at hacking as other nations.
The older I get the more aware I am that TNSTAAFL but the marketing spin and the sheer cheek here is astounding. At this point, Yahoo have whatever details I gave them to create the account and they will not be fiction, but may well be a long way from what my credit provider calls the truth. This blog has more personal information than my yahoo account, and that is no accident. But this email does not encourage me to give Yahoo any more insight into who I am, they proved they are not capable of managing any personal data at all. Giving them a phone number is not something that will be happening. Closing the accounts will be first.
But let's look at what they did say, "the creation of forged cookies" is what their external investigators are looking at. Almost everyone knows, once you log into a web site it gives you an authorization cookie that validates you against subsequent pages, like opening an email, so you do not have to enter your password for every page load. Apparently Yahoo had an issue with these cookies, their algorithm for producing a secure authorisation was too simple or too well known and multiple unknown parties had unfettered access to just about everything they had in people's accounts over a number of years. Now yahoo wants to put the genie back in the bottle by replacing one single factor authentication method (a password) with another (pressing ok on a phone app when I try and access their web site or mail).
What have yahoo done to stop the use of forged cookies? Well, they invalidated the forged cookies. This implies that the forged cookies were still being used until very recently, like this week really. Good hey. That is like closing the garage door when you see your car turning the corner at the end of the street.
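To make the forged-cookie problem concrete, here is an added example (not from the original post, and not Yahoo's actual scheme, which the email does not describe): a weak cookie that anyone can recompute, beside an HMAC-signed one where retiring the signing key is the bulk invalidation step. All names and the cookie layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import time


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def weak_issue(user, issued):
    """Deliberately weak 'before': the tag is an unkeyed hash of public
    fields, so anyone who learns the recipe can mint an accepted cookie."""
    tag = hashlib.sha256(f"{user}|{issued}".encode()).hexdigest()
    return f"{user}|{issued}|{tag}"


def weak_verify(cookie):
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, issued, tag = parts
    good = hashlib.sha256(f"{user}|{issued}".encode()).hexdigest() == tag
    return user if good else None


class SessionSigner:
    """Hardened 'after': cookies are key_id.payload.mac, where the MAC is
    HMAC-SHA256 under a random secret that never leaves the server."""

    def __init__(self, max_age=3600):
        self.max_age = max_age
        self.keys = {}        # key_id -> secret bytes still accepted
        self.current = None
        self.rotate()

    def rotate(self, retire_old=False):
        """Switch to a new signing key. retire_old=True also rejects every
        cookie signed with an earlier key (bulk invalidation)."""
        if retire_old:
            self.keys.clear()
        key_id = secrets.token_hex(4)
        self.keys[key_id] = secrets.token_bytes(32)
        self.current = key_id
        return key_id

    def _mac(self, key_id, payload):
        message = f"{key_id}.{payload}".encode()
        return hmac.new(self.keys[key_id], message, hashlib.sha256).digest()

    def issue(self, user, now=None):
        issued = int(time.time() if now is None else now)
        payload = b64e(f"{user}|{issued}".encode())
        return f"{self.current}.{payload}.{b64e(self._mac(self.current, payload))}"

    def verify(self, cookie, now=None):
        """Return the user name, or None if the cookie is malformed, forged,
        expired, or signed with a retired key."""
        try:
            key_id, payload, mac = cookie.split(".")
            if key_id not in self.keys:
                return None
            # Constant-time comparison avoids leaking how many bytes matched.
            if not hmac.compare_digest(self._mac(key_id, payload), b64d(mac)):
                return None
            user, issued = b64d(payload).decode().rsplit("|", 1)
            now = int(time.time() if now is None else now)
            if not 0 <= now - int(issued) <= self.max_age:
                return None
            return user
        except (ValueError, UnicodeDecodeError):
            return None
```

Retiring the key only shuts out cookies that were already issued; it does nothing about how they came to be forged, which is the garage-door point made above.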
They (Yahoo) are also "constantly enhancing our safeguards and systems that detect and prevent unauthorised access to user accounts". Hey guys. Just a concept here. But I have been accessing this account from the same IP for years. Perhaps I do not need a phone app or a password to identify my connection as me. Instead you come up with safeguards that make using your service a burden instead of a pleasure. I do not need a new log in method. I need a new provider of email. Sorry but bungling ham fisted bulk admissions really do not leave me feeling any better about Yahoo than I felt the day I first heard they had been hacked.
For others that actually used their yahoo account;
- Did you have photos stored on yahoo that you would not like public? They probably are now.
- Did your business have sensitive documents or email stored on Yahoo? They are probably public now.
Monday, January 30, 2017
Anti Virus again
For a very long time I have been banging on about anti virus (AV) programs and how they appear to be designed to make email clients look bad. Early on I thought it was just me, but then I found an MVP for Outlook Express that also had issues with anti virus products and their continual ability to mess up email and email applications. Microsoft kindly removed his web presence. I did get a copy of what he said in my post here though
Today I stumbled on a series of articles and discussion by people whose opinions I think are worth taking notice of, and they are all denouncing anti virus products. Some (most really) of this is not new. But it would appear the cat may be out of the bag. But you draw your own conclusions.
Robert O'Callahan was a developer with Mozilla until about 12 months ago. He has just posted to his blog a recommendation to Disable Your Antivirus Software (Except Microsoft's), a fairly strong statement followed up by a suggestion that "At best, there is negligible evidence that major non-MS AV products give a net improvement in security". So there we have it. But why now? Because when he tried doing something about the appalling way anti virus affected Firefox in 2012, he was shut down for shaming Mozilla "partners". Now having been away from Mozilla he feels he can freely express his opinion. I encourage you to read everything he says on that blog post. It really does not reflect well on so called "security" products.
This all gave me some vindication for my prior distaste for AV products, but then I wandered into the twitter sphere of Chrome developer Justin Schuh where he said "AV is my single biggest impediment to shipping a secure browser." and "I could rattle off a laundry list of total security breakage due to worthless AV code." So now we have developers involved with two major browser projects that are not at all happy with the way things are going with anti virus products. Looking through that discussion you might notice a current Mozilla employee with a gripe about AV caused problems, and a computer technician that does not want things to change because he makes his money fixing the mess left by anti virus products. So who actually thinks these things are doing their job and making things more secure?
Logic would indicate that at least those selling anti virus products would be supporting them as a good thing. Not so. Anti virus products are "doomed to failure," according to Brian Dye, senior vice president for information security at Symantec, the maker of the Norton brand of anti virus products.
"Antivirus products are catching less than half of all cyberattacks", Dye said, in May 2014. For a company that is aware of the playing field, I wonder why they are still in the market all these years later. (As the Wall Street Journal article is behind a paywall, I will link to the ZDNet report for further reading.)
To give Norton a break, they have concentrated more on whitelisting applications that their firewall will allow to access the internet in the past few years. But this has issues all of its own. Thunderbird releases a new version and the support forums light up with users who can no longer get their mail because Norton's firewall has blocked the new version.
But the question is still open. Is their software leaking? Is it secure? I really do not know. Norton had issues last year, but given the speed of their releases, can they really be doing much more than patching vulnerabilities as they are notified of them?
The SecurityIntelligence article that reported the Norton issues stated: "It’s a relatable conundrum: Security companies don’t want to lose their share of the market and often choose speed over safety, something corporate IT departments struggle with on a daily basis. But the continuing parade of bad medicine stories suggests that it’s time for a change; using kernel privileges carries the risk of Heartbleed-like failure and simply isn’t worthwhile in the long term."
The reality is all anti virus products have issues, just how bad they are is still open to some discussion. But I think everyone should take just a little time to actually consider what their anti virus product is doing for them, and what issues it might be causing for them. Not the least of which is slowing your system down.
For once a bibliography.
ZDNet article that set me off on this journey
Twitter discussion Justin Schuh
Robert O'Callahan's blog post
Antivirus Hall Of Shame discussion on mozilla.dev.platform
Security intelligence report on Norton's vulnerability.
ZDNet report on comments by Brian Dye, senior vice president for information security at Symantec
Sunday, October 16, 2016
Blind Carbon Copy and Outlook.com
For some time now there have been issues with Blind Carbon Copy appearing in support forums where the mail provider is outlook.com. In searching for a solution it became obvious that the issue encompassed all mail clients sending mail with SMTP, indicating it was a bug, or a change of policy, at outlook.com.
The effect of this issue was that mail sent using BCC was not delivered by outlook.com. It appeared that BCC addresses were simply stripped and dropped from the email. The mail would be delivered to anyone in a CC or To field, but BCC recipients simply did not receive mail. At one point I had contact with folk who were able to get some BCC mail addresses to work, but not reliably and they were doing nothing different to others. This reinforced my view that indeed there was a bug with outlook.com.
I have had a support request with the Outlook folks for some time on this matter and I have now been notified that yes, they do have a bug. Yes, they have a fix and are testing it. Hopefully BCC will soon work again for those using SMTP in the near future.
I will update this post when the fix is released. If I am notified of the release.
Update: All Outlook.com mail accounts should now work with BCC
Tuesday, October 11, 2016
Outlook Calendar in Thunderbird
This has been something of a thorn in many people's side. It is simple to press the publish button in an outlook.com account on the web and add the resultant ICS file to Thunderbird as a read only calendar. But what if you want a calendar you can update, one that syncs both ways? Until now I had thought it was simply not possible. But it appears I have been mistaken.
So how to do it. It is in fact fairly simple, but has a crucial step that has to be executed before you try and set up the calendar.
Click this link. https://outlook.com/ews/exchange.asmx
You will be asked for your password and user name. These are the same username and password you use to log into the Outlook.com web site. In my case my Hotmail.com email address and associated password. Once you are authenticated you will see a web page advising you that you have created a service and giving a lot of instructions about how to create a code file.
Not important in our world. What we have done is enabled EWS on the URL for ourselves. Up until this point, if you put the URL https://outlook.com/ews/exchange.asmx into Thunderbird using the EWS add-on it would simply give an error about being forbidden. Now it just works.
So the next part is easy;
- Locate the EWS exchange add-on. Download link here
- Open Thunderbird's add-on manager by clicking on the [image] on the tool bar and select add-ons
- Drag the entry for exchangecalendar-v3.8.0.xpi from that page to the Thunderbird add-on manager and drop it.
- When the install dialog opens (it will take a little while as the add-on is downloaded) click install.
Once the add-on is installed and you have restarted Thunderbird, configure a new calendar.
- Open the calendar tab.
- Right click in the calendar list pane
- Select New calendar.
- Select "On the Network" and click next.
- Select Microsoft Exchange 2007/2010/2013 and click next
- Give your calendar a name and select the email associated with the calendar
- Click next
- Select Hosted Exchange
- Server URL https://outlook.com/ews/exchange.asmx
- Primary Email address <Your primary outlook email address, no alias>
- User name the user name you enter to log into Outlook.com. For me it is my email address again.
- Domain Name is blank.
- Share folder Id is blank.
- Folder base is "Calendar Folder"
- Path below folder base is /
- Check the server name and settings and complete the Wizard using its defaults.
Please let me know if this does not work. I have not found it anywhere else on the web, and I doubt my own abilities. Perhaps it only works for a day. Only time will really tell.
Tuesday, September 6, 2016
Bigpond mail changes.
Today I got an email from Bigpond/Telstra advising me their mail system was changing. It was full of nice touchy feely vibes and after I read it all I knew was at some future date something was changing. Congratulations Telstra. This is important stuff and you have dumbed it down to the level of a marketing email. Then I check the date the change is scheduled for and it is today. Talk about forward planning. The email they sent today said "We'll email you in a few weeks with the exact move date of your email service listed below".
Searching around on the Telstra web site shows they do have the information, and I must admit the email has a link to the starting point. I learned that the changes for me really involve their closing up shop on the Bigpond brand, and finally modernizing their email system to use secure connections. Minor really, but enough to stop my Thunderbird accounts getting mail without changes.
So my ancient Bigpond server settings will need to be changed when the day comes (Today). Telstra recommend I also convert to IMAP. That is a whole different issue. My existing email accounts are POP and I just want them to keep working. So here are the changes I will have to make to my existing Bigpond mail accounts.
To summarise the changes to "just keep on as it was", the following information will need to be changed:
Incoming information in your account.
| Field | Existing Setting | New Setting |
| --- | --- | --- |
| Server Name: | mail.bigpond.com | pop.telstra.com |
| Port: | 110 | 995 |
| Connection Security: | None | SSL/TLS |
Outgoing Server (SMTP)
This is at the bottom of the list of accounts in account settings.
| Field | Existing Setting | New Setting |
| --- | --- | --- |
| Server Name: | mail.bigpond.com | smtp.telstra.com |
| Port: | 25 | 465 |
| Connection Security: | None | SSL/TLS |
I have included the recommended settings. However Telstra also allow for the use of Port 587 and connection security STARTTLS. As this is actually more secure, I suggest you try those first, before using the recommended less secure settings.
It is always possible to add a new account as IMAP, but that is not the purpose of my posting. My purpose is to offer settings that will allow your existing account to just keep working.
Source links at Telstra.