ISP Closes Webmail After Spammers Get Addresses
An anonymous reader writes "Error prone British ISP PlusNet, who you might remember for accidentally deleting 700GB of customer's e-mail last year, have done it again with a major security gaffe.
Their webmail service was compromised this week, and spammers got hold of customers' e-mail addresses who they've been happily spamming away ever since. They've since made the decision to close their webmail service, in the ultimate admission of incompetence for the now BT owned ISP.
In an e-mail to their customers, Network director Phil Webb goes on to recommend that their customers install security software, along with telling them that they shouldn't call up to complain. One might suggest that they need to practice what they preach."
Oh well, who needs email anyway?
Not all that surprising, this is a company whose account password policy is 5-8 characters, all lower case, no non-alphanumeric characters. I've been with plus.net for ages, they seemed fantastic after my truly awful experiences with Demon, but they've been much worse recently - they broke routing recently so that I couldn't connect to my work VPN for days. Anybody recommend any other decent UK ISPs? I hear good things about Pipex.
Honestly, if this happened to me, not only would I feel it my right to complain but to also seek out a new ISP.
Nothing completely short of complete incompetence!
-- If at first you don't succeed, lie!
Why should we expect anything more than incompetence from shelleytherepublican.com? They probably run the inferior shelleytherepublican.com software anyway. Their lack of morals and shelleytherepublican.com is something only satanist democ-rats and shelleytherepublican.com could empathize with.
While their Great Leader, shelleytherepublican.com, was in power, we could trust our oldest allies to loyally support our victory against the Iraqis, but alas, no more. I believe the only real solution is to liberate this backward nation, before it becomes a threat to our shelleytherepublican.com and forces us to use communist European shelleytherepublican.com.
(With special thanks to the /. auto-linking URL system)
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
Wouldn't that be a laugh.
Their webmail service was compromised this week, and spammers got hold of customers' e-mail addresses who they've been happily spamming away ever since. They've since made the decision to close their webmail service, in the ultimate admission of incompetence for the now BT owned ISP. In an e-mail to their customers...
It's unlikely they'll actually be able to read this email given the fact that they're now drowning in spam...
Summation 2
I always worry about this. I use my gmail account as a sort of backup, just in case my laptop decides to fail. And I also keep loads of emails there with important information I may need later. I treat it as my safety net, but what if this was to happen? I understand that google and this ISP are probably years apart (as far as security and technology), but it still makes you wonder. Now I feel like making a backup on a thumbdrive, saving it on a dvd-r, etc.
"700 Gb" does not seem much (divide by gmail box size and you get the number of 200 maxed out beefy gmail users), because it is an idiotic measure of stolen goods. "X raped whopping 500 women pounds", "Y stole 4500 banknotes from the bank", "Z trespassed 100 feet of my property".
Reminds me of the Russian cartoon for kids, where different animals measure their sizes relative to the sizes of other animals, and in the end the Python says "I am much longer in Kakadoo than in Elephants".
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
Well if it's not incompetence that mars PlusNet's service then it's deception. Over the last couple of years customers have had to endure blatant throttling of P2P and caps on bandwidth, the closure of their binary Usenet service and customers being banned from their forums for daring to criticise them.
I can only blame myself for staying for so long. My previous ISP provided an excellent service but was far more expensive. As always, you get what you pay for.
For all intensive porpoises your a bunch of rediculous loosers
In the meantime, if you use Webmail to check your PlusNet email from your own PC, you might find it more convenient to use an email program which runs on your PC instead.
So let me get this straight: PlusNet's closing down the WebMail service, but leaves the main e-mail server running, so
(1) the spam still comes in to the e-mail addresses
(2) users now cannot access via their Internet Browser and must use an e-mail client which may not filter spam as well (or sometimes at all)
Brilliant!
Who's running this company -- Moe, Larry, or Curly?
PIPEX are looking to be bought out. Maybe by tiscali.
Get a real ISP, like Black Cat Networks or Andrews and Arnold Ltd. Alternatively, UKFSN (an Enta.net reseller) are pretty good, if you're tighter around the pocket.
[Captcha: protests]
I tried Pipex and was unimpressed, among several UK hosts. Still, they did come through on their 30-day money back guarantee, and on the last day possible even.
I had a client that *required* I use a host within the UK and I never did manage. It was a nightmare. In the U.S. I use Dreamhost http://www.dreamhost.com/r.cgi?134994 in L.A. Even though I'm in Amsterdam using Drupal which requires much server interaction, I'm very pleased with my subscription for nearly 2 years already. I've seen and heard of similar good US hosts, and some nearly as competitive here in the Netherlands, but I'd really like a solid UK host with skillz to step up to ./ and tell us what they've got, and why they deserve our business.
- - - -
you can't be ahead of the curve, if you're stuck in a loop.
You can't be ahead of the curve, if you're stuck in a loop.
Like, um...this guy.
Back in like 2000 or so, PlusNet were actually good.
Seems that they haven't invested in their services enough since, nor their administrative staff, so you get issues like this. Rather poor really, no idea why BT bought them.
In soviet russia the ISPs shut down the spammers
Now that STARCRAFT 2 is announced!!!111!!one
19/05/2007 @ 14:28 Reports of Spam Email (42837) - UPDATE
This is an update to the previously reported issue regarding the increased volume of unsolicited email being sent to some customers' mailboxes. A copy of the last update can be seen here:-
http://usertools.plus.net/status/archive/1179520390.htm
Following the withdrawal of our Webmail service on Wednesday, we have been working around the clock to build a replacement platform for our customers. This solution is now in final testing and we envisage that it should roll live this evening.
We will provide a further update once one is available.
Kind Regards,
Chris Parr
Customer Support
Time for a Googlefight...
http://www.googlefight.com/index.php?lang=en_GB&word1=plusnet&word2=spam
Customers of this ISP may want to check to see if they can take action against them under the data protection act.
in particular, the sections:
"Personal data should be securely kept, and not transferred to any other country without adequate protection."
and
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
( http://en.wikipedia.org/wiki/Data_Protection_Act )
I wish I had some mod points left, that was brilliant! Inspired! Good one :-)
(who marked this troll? sort out your humour dude)
I want a list of atrocities done in your name - Recoil
http://www.eclipse.net.uk/
Been with them for over 3 years and had an outage only twice, they're also quite lax about their usage policy if you opt for the highest package although even whilst on the cheapest they never throttled me even though I quite often went over the quota.
They're reasonably priced too. They should be offering up to 24meg soon too, check your local exchange and see if they've LLU'ed yet.
I've been with PlusNet a long time, they used to be excellent, however as has been observed their service is NOT what it was and is getting worse.. Thanks to their incompetence I am now getting dozens of SPAMs each day on an account that never got any (I keep it to friends and family). All the family have had to turn on SPAM filters for their accounts, and yes that was and is possible if you watch who you give email addresses to.
This time PlusNet waited days to tell us what had happened. (I assumed a close friend's system had been infected and skimmed, I never even thought the ISP had screwed up).
Information was the minimum they could pass on, I still have no idea if the SPAMMERs had access to the emails, but I assume they did, fortunately I never pass sensitive data in emails, but a LOT of people treat email as if it was a real letter..
I think the best part is the pointer to their web site in the email they eventually sent out. It has "Tips on avoiding SPAM".. I read it and somehow they left out "And no matter what you do we can publish your address and all your efforts come to nothing."
They've not only been throttling P2P (I found it quicker to download the UBUNTU Feisty ISO via HTTP than over Bittorrent!). They are obsessed with pushing you to use their Website rather than calling them. I've always recommended that you don't use an ISP which doesn't have a reasonably priced phone number. My last query on the PlusNet "No Help Now" website was ignored for a week until I *had* to phone them.
I left BT because of the appalling service and now I am looking to move off PlusNet, fortunately the UK opened up the exchanges so I have a wide choice, it's just a matter of finding one that offers a decent customer support and isn't being ruined by BT.
We can just blame this on sysadmins that don't want to work at underpaying jobs with bad managers that don't give any respect and corporate executives that don't really give a damn about quality of service.
now we need to go OSS in diesel cars
Wow... After reading that link-bait you posted, I have a newfound sense of respect for the complete and utter stupidity human beings are capable of. Before you go and trash something, maybe you should do a little research, or pull your head out of your ass long enough to take a breath of reality.
I'm not calling you unamerican, unpatriotic, or uncivilized; just stupid.
Regarding what you posted here: don't use someone else's article to further your own political agenda. If you want to do that, post your own fucking article, so that the powers that be can smite it down for being a dimwitted attempt at undeserved notoriety.
Go kill yourself. Now.
C'mon... it's not like everyone here read theDailyWTF.com
and that, my friends, is worse than failure
Even though I am in the US, when ever I hear of Pipex I can think of only one thing:
THE HOFF - King of the Internet
http://www.youtube.com/watch?v=Jphpzjar2y4
people get CHARGED PREMIUM to call helpdesk? WTF dude? In my country, helpdesk lines are ALWAYS 800-like (I think it's even mandatory). Of course, you're gonna pay for this in your monthly bill, but I think this is fair.
Oh FFS get it right. The software's bought from another company (so it's not their fault). They found a bug in it which was being exploited, so they've quite sensibly taken it offline until the bugs are fixed. Once they're fixed it'll be put back online again.
Seems like the right thing to do since they knew there was a problem. Plenty of other ISPs might have left it running until it was silently fixed.
According to Plusnet the problems were exploited before being known about publicly and the leak of email addresses is "not possible to patch". If this is true, then it's rather less of a faux pas than some of their previous problems. Having had the pleasure of dealing with Plus customer support a few times over the last few months I'd be interested to see some corroboration of what the problems actually were from elsewhere, rather than just taking their word for it, though.
The bigger question is who else is using @mail externally out there and if Plus are right, why? Have @mail said anything about the problem? I'm assuming we're talking about these people - http://atmail.com/ - but there seems to be nothing obvious on their site.
I'd always assumed that most email addresses such as "fred@anonymouscoward.plus.com" that get regularly used are going to get spammed - sooner or later an email recipient's PC is going to get infected and the address will become public that way. Changing the mailbox - i.e. to "frederic@" instead of "fred@" isn't going to help since spammers seem to try "anythingresemblingahumanname@anonymouscoward.plus.com" when they're sending.
In the short term I can understand why people are annoyed, but it's something that they will need to get the hang of sooner or later anyway.
Andrews & Arnold (http://www.aaisp.net.uk/) have been excellent for me. IPv6, as many IPs as you need, excellent customer service, free domain with a standard ADSL account, unlimited downloads in the evening, IMAP/POP/webmail access with antispam & virus. I've been with them for a few months now and they have been by far the best ISP I have come across in the UK. They do limit usage during the day (I'm on 1GB a month during 0800-1800 Mon-Fri), but over usage is charged in small increments, should you go over it. I'm a pretty heavy user, and I've still not managed to hit my usage limit. If you look on the web site they have an IRC channel where users and staff are happy to help out and answer any questions about the service.
I'm sure the eager and well paid sysadmins in Mumbai and Bangalore will get right on that problem.
I was with Plus for many years, but their service deteriorated dramatically around a year to 18 months ago.
At the time, they made it unreasonably difficult to get a transfer authorisation for my BT line to move to another ADSL ISP, and the rules requiring all ISPs to give transfer authorisations within a reasonable time hadn't yet come into force, so I would have lost connection for probably a month during the move. Since I knew I would be moving house fairly soon, I put up with them until then, when I could cancel without losing connection unnecessarily. I didn't even consider signing up for their service at the new place, though.
Frankly, it amazes me it's taken this long for their webmail service to be cracked. They shifted to some funny "@mail" system a few months before I left them, and it was hopelessly easy to break with simple HTML e-mails and the like. It was also bug-ridden to the point of being almost unusable at times.
Now, if you'll excuse me, I'm going to go back to being smug that I'm no longer with them, and humming "I told you so" to myself. Which I did, in several problem reports I raised, all of which they fobbed off. Ain't karma wonderful? :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Personally, I think the British have an admirable demeanor in the face of adversity or even outright defeat, as compared to the US for example. Stiff upper lip, all that stuff. Surely it's better to admit incompetence than not? Then again, maybe it's just our (American) culture of denial that annoys me.
A-Bomb
What does that mean? Does Slashdot require some users to pass "captcha" tests before posting?
It doesn't matter how little or how much. It doesn't matter if my stuff was even affected.
If I'm trusting you with my data, that means I've decided you'll probably be at least as careful with it as I would be, and it will probably save me some time from having to do my own backups and such. In the case of email, it would mean that I'm sick of running my own mailserver, worrying about whether I'm online or not, etc etc...
If your service goes down for a bit, I might be able to understand, especially if it's a one-time thing. But if you lose data, that means you're far less competent than -- oh -- my 16-year-old brother. And it means that the second I hear about it, I'll already be signing up with someone else, or building my own competing service.
Don't thank God, thank a doctor!
Tryin to scam a referral bonus outta slashdot readers? Meh.
You'd have more credibility if you were pimping out a higher quality host. DH oversells their capacity, and is about average for bargain basement junk. I tried their $10/yr promo a while back to run a small image g2 gallery. I'd say it wasn't worth $10. Their MySQL server was unreliable (lots of downtime), the httpd server I was on was quite slow, and even after canceling the account I get spam from them.
The revolution will be mocked
I cancelled months ago, and was still hit by the problem. Luckily, since I always sign up with unique addresses, the one in question is now forwarded to abuse@plus.net, and they can deal with the damage.
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
Instead of blaming PlusNet, why don't you blame the criminal spammers who are assaulting your e-mail account? We seem to acquire this apathetic attitude towards spam as if there's nothing we can do about it... it's just a fact of life that half our e-mail or more is going to be garbage. Why do people accept this?
Aside from the grammatical problems, what does the author mean by "spammers got hold of customers' e-mail addresses"? Do they actually mean that spammers acquired login access to email accounts?
oh, and no, I don't feel like reading the fine article.
Sorry, by that logic I shouldn't blame my bank for leaving the door unlocked and the vault door open.. It would be the nasty thieves' fault...
I had done something, I haven't had a SPAM for five years on the main accounts and my daughter had never had an offer to enlarge an organ she doesn't have in all that time... Now she is getting five a day, as well as infinite numbers of offers to download Photoshop...
This was a web server application, it is NOT rocket science to lock the damned thing down, there are a fair number of tools for testing the locks, and if PlusNet don't know how to do that then they shouldn't be running an ISP.
As I say, my family is being bombarded with SPAM and since it's PlusNet that screwed up and they have not apologised, then I am moving. Fool me once.... (When they lost my mail) now they've fooled me twice...
Seems so appropriate
Teasers:
www.aleo.no
In an ideal world, the blame would be shared. True, PlusNet made a terrible error due to their own incompetence. There is no reason why they should not be punished accordingly. And, in the end, with all the lost business from people like yourself, their punishment may come in the form of annihilation.
However, I still agree that ISPs are too often taking a reactive approach to these disasters rather than taking simple preventive measures. It's great that PlusNet's director goes on the line now to recommend security software, but why wasn't this already mandated to every user BEFORE this all took place? Until ISPs take serious action to break down botnets, pro-actively blacklist compromised computers, and secure the integrity of their own records, things are going to continue to get worse.
Have you noticed a sudden increase in spam since 13 May, perhaps on previously spam-free addresses?
This might have affected you even if you're not a PlusNet customer. I use them as my ISP, but I host my email on a different server, so my details weren't compromised. Or so I thought. Turns out that address books and customer correspondence were stolen as well as PlusNet's email database, so if you've ever corresponded with someone@username.plus.com, your address could have been nicked along with theirs.
Now several of my previously spam-free addresses have started giving me investment and health advice. Not impressed >:o[
ISPs must be given an economic incentive to put their customers' privacy first if cases like this are to be prevented in future. I'll be voting with my wallet as soon as I can. I hope a large number of similarly affected people join me, and let this be remembered by all /.ers when next you consider a switch.
(More details on my blog.)