Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

ISP Closes Webmail After Spammers Get Addresses

Posted by CowboyNeal on Sat May 19, 2007 09:25 AM
from the simplest-solutions dept.
Security The Internet
An anonymous reader writes "Error prone British ISP PlusNet, who you might remember for accidentally deleting 700GB of customer's e-mail last year, have done it again with a major security gaffe. Their webmail service was compromised this week, and spammers got hold of customers' e-mail addresses who they've been happily spamming away ever since. They've since made the decision to close their webmail service, in the ultimate admission of incompetence for the now BT owned ISP. In an e-mail to their customers, Network director Phil Webb goes on to recommend that their customers install security software, along with telling them that they shouldn't call up to complain. One might suggest that they need to practice what they preach."
+ -
story

Related Stories

[+] Technology: UK ISP PlusNet Accidentally Deletes 700GB of Email 282 comments
steste writes "A tale of email woe for PlusNET ISP. According to this announcement they have spent the last month attempting to recover 700GB of accidentally deleted emails. By their estimates, up to 12GB of these had yet to be read by their recipients. Despite the efforts of a data recovery specialist, they have now given up on recovering any of the deleted data. Well that's one way to deal with spam." Spam is one thing; I just wonder how inevitable losses like this one square with the EU-wide data retention laws.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

ISP Closes Webmail After Spammers Get Addresses 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Erm ? (Score:3, Funny)

    by mewt (1057562) on Saturday May 19 2007, @09:29AM (#19190559) Homepage
    Oh well who needs email anyway ?

  • Not surprising (Score:4, Informative)

    by Zelos (1050172) on Saturday May 19 2007, @09:35AM (#19190579)
    Not all that surprising, this is a company whose account password policy is 5-8 characters, all lower case, no non-alphanumeric characters. I've been with plus.net for ages, they seemed fantastic after my truly awful experiences with Demon, but they've been much worse recently - they broke routing recently so that I couldn't connect to my work VPN for days. Anybody recommend any other decent UK ISPs? I hear good things about Pipex.

    • Re: (Score:2, Informative)

      by russasaurusRex (966807)
      Recommend another ISP? Sure. I've used Freedom2Surf for just over 4 years now and haven't had a problem with them once.
    • Zen or Claranet

      Both have decent news feeds too.
      • Since I left Metronet (after they got bought by PlusNet!), I've been with both IDNet [idnet.net] and NewNet [newnet.co.uk] both of which are brilliant. Neither is expensive, and both provide problem free broadband without any port blocking or "traffic shaping". I would strongly recommend either!
      • I'm off to Zen, I requested my MAC (code needed for an ADSL transfer) last night. They're stalling at the moment, trying to get me to move to a new product, but after seeing their service gradually go down the toilet without a corresponding drop in my rental, I decided enough was enough.

        It's a shame, because a few years back when I joined them they were an excellent "techie" ISP...but then the binary newsgroups were dropped, next the traffic shaping started (so they could reserve bandwidth for their VoIP

        • FWIW, I shifted to Zen when I left Plus a few months ago, with a very similar story to yours. Aside from a few teething troubles getting it set up, most of which turned out to be BT's fault rather than Zen's, the technical service has been fine.

          The customer service at Zen is appalling, however. They don't have a 24-hour tech support number, for one thing, so there is no "quiet" time to call. After sitting on hold for 45 minutes during one of those teething troubles, my first question of the technical advi

    • Andrews & Arnold ( http://www.aaisp.net.uk/ [aaisp.net.uk]) have been excellent for me. IPv6, as many IPs as you need, excellent customer service, free domain with a standard ADSL account, unlimited downloads in the evening, IMAP/POP/webmail access with antispam & virus. I've been with them for a few months now and they have been by far the best ISP I have come across in the UK. They do limit usage during the day (I'm on 1GB a month during 0800-1800 Mon-Fri), but over usage is charged in small increments, should yo
    • I've been using Zetnet since 1995 (www.zetnet.com). They used to be Shetland based, but moved to Manchester in a buy out a few years back. They are very much a small independent ISP undoubtably reselling feeds from another company and with that you get the positives and negatives. On the positive side their techies - of which they only have a few - are available by IRC as well as phone and email and they're more than happy to go the extra mile with you. If you like being on first name terms with your su

    • I was with Plus for many years, but their service deteriorated dramatically around a year to 18 months ago.

      At the time, they made it unreasonably difficult to get a transfer authorisation for my BT line to move to another ADSL ISP, and the rules requiring all ISPs to give transfer authorisations within a reasonable time hadn't yet come into force, so I would have lost connection for probably a month during the move. Since I knew I would be moving house fairly soon, I put up with them until then, when I co

    • Re: (Score:3, Informative)

      by glesga_kiss (596639)
      If you live in a Virgin (NTL) area, I'd recommend their connection. I've had it for 6+ years, very few outages. Got the 10 meg one at the moment, get full speed whenever the remote site allows.
        • Avoid uk2 like the plague...
          They are a buch of cowboys, and they make many horrendously stupid security mistakes.

  • Waiter, Can I have the bill please? (Score:4, Insightful)

    by jamesjw (213986) on Saturday May 19 2007, @09:36AM (#19190587) Homepage
    Honestly, if this happened to me, not only would I feel it my right to complain but to also seek out a new ISP.

    Nothing completely short of complete incompetence!

    • Re:I'm one of the victims... (Score:2, Informative)

      by Anonymous Coward
      I've been with PlusNet a long time, they used to be excellent, however as has been observed their service is NOT what it was and is getting worse.. Thanks to their incompetence I am now getting dozens of SPAMs each day on an account that never got any (I keep it to friends and family). All the family have had to turn on SPAM filters for their accounts, and yes that was and is possible if you watch who you give email addresses to.

      This time PlusNet waited days to tell us what had happened. (I assumed a close

  • They sent an email to their customers?! (Score:5, Insightful)

    by Rik Sweeney (471717) on Saturday May 19 2007, @09:37AM (#19190603) Homepage
    Their webmail service was compromised this week, and spammers got hold of customers' e-mail addresses who they've been happily spamming away ever since. They've since made the decision to close their webmail service, in the ultimate admission of incompetence for the now BT owned ISP. In an e-mail to their customers...

    It's unlikely they'll actually be able to read this email given the fact that they're now drowning in spam...
    • I've actually had more emails from Plusnet apologising and informing of the availability or non-availability of webmail and other services than have had spam from Plusnet (11 spam emails since last weekend). I'm feeling somewhat left out!

  • Lost emails (Score:5, Insightful)

    by SuperGT (1104423) on Saturday May 19 2007, @09:40AM (#19190617)
    I always worry about this. I use my gmail account as a sort of backup, just in case my laptop decides to fail. And I also keep loads of emails there with important information I may need later. I treat it as my safety net, but what if this was to happen? I understand that google and this ISP are probably years apart (as far as security and technology), but it still makes you wonder. Now I feel like making a backup on a thumbdrive, saving it on a dvd-r, etc.
    • Google is all about redundancy. We hear these kinds of stories a lot but they don't actually happen to many companies at all.

    • This is why I don't leave any mail on my ISP's server. Everything gets downloaded to my home desktop as soon as possible. This machine is automatically backed-up to a separate partition on the same disk on a daily basis. Once a week the latest of these daily backups is copied to a normally powered down external disk attached to my laptop. Finally, that disk is backed up regularly to another one that normally is not even on-site. The day that all of these things fail at the same time, I more than likely am

    • Use a third party email client locally.

      I use mac's so it's Apple Mail, but thunderbird works just fine. Set your gmail account to leave messages on the server. when you connect with thunderbird you download all messages that you already haven't gotten.

      you can archive stuff with gmail, and your local client will download those too.

      It is a great saftey net because it is unlikely both will fail at the same time. Plus once it is on your machine you can back it up as you like.
      • If you were seriously worried, I'd be going a little more expensive and getting some RAID into that... just felt the addition was necessary.
      • I looked at Amazon S3, however it turns out to cost the same over a 12 month period to buy a network attached hard disk, an ADSL router, small UPS and pay for connection and 12 months broadband at my brothers home 200 miles away, then do daily rsyncs. After year one the costs with this route plummet to the broadband connection and the electricity. The Amazon costs stay the same year on year.

        Even a DLT VS4 drive and half a dozen tapes is cheaper over a two year period than Amazon S3.

  • units, people, watch your units. (Score:4, Insightful)

    by mapkinase (958129) on Saturday May 19 2007, @09:43AM (#19190641) Homepage Journal
    "700 Gb" does not seem much (divide by gmail box size and you get the number of 200 maxed out beefy gmail users), because it is an idiotic measure of stolen goods. "X raped whopping 500 women pounds", "Y stole 4500 banknotes from the bank", "Z trespassed 100 feet of my property".

    Reminds me of the Russian cartoon for kids, where different animals measure their sizes relative to the sizes of other animals, and in the end the Python says "I am much longer in Kakadoo than in Elephants".
      • If you actually followed the story at the time, the vast bulk of the email lost was stuff that had already been downloaded at least once from their mail servers and customers had just left it there. Very few unread emails where actually lost, and Plus.Net don't advertise their email service as something that you can leave emails on. It is strictly a store and forward service, with a webmail option for when you are travelling.

  • Security software (Score:4, Insightful)

    by Mostly a lurker (634878) on Saturday May 19 2007, @09:49AM (#19190665)

    Network director Phil Webb goes on to recommend that their customers install security software, along with telling them that they shouldn't call up to complain. One might suggest that they need to practice what they preach."
    A few comments:
    1. They almost certainly were using security software. The problem is that it is awfully difficult to judge effective security software from the much more common snake oil that is out there.
    2. There is a decent chance that the breach was not the fault of the security software but some kind of human error. They probably made the common mistake of assuming all they had to do was install firewall, intrusion detection and anti-malware tools and they were magically fully protected.
    3. This kind of event will probably become commonplace. There is a lot of money to be made, the crackers are technically more competent than much of the sysadmin community, and they only need to attack at the weakest points.

    • They almost certainly were using security software. The problem is that it is awfully difficult to judge effective security software from the much more common snake oil that is out there.

      Obviously not. Assuming they used security software, this ISP certainly learned the difference.

      There is a decent chance that the breach was not the fault of the security software but some kind of human error. They probably made the common mistake of assuming all they had to do was install firewall, intrusion detection a

    • Re: (Score:2, Insightful)

      by Serious Poo (597509)
      No offense intended, but when you say "almost certainly", "there's a decent chance", and "will probably" that means that you don't really know and are making assumptions and/or generalizations. I'm not so forgiving in my view of this ISP's actions - it appears that they messed up big time. While I completely agree that there's a lot of FUD in the security marketplace these days, it's the responsibility of management to hire people who know this stuff cold. People who know that it's "People, Process, and
      • There was a flaw in the third party software they where using for web mail, and they suffered from a zero day attack. Hardly Plus.Nets fault. On those grounds everyone using Microsoft software would be in for trouble.

        On the plus side they are activating their spam filtering for free, which was previously a paid for service.

        As a Plus.Net customer I have not actually been effected, as I ditch all email addressed directly to the account, as I have a domain hosted with them, and that does not appear to have bee
        • They used a proprietary web mail product, which suffered from a 0day attack.

          Obviously this is not desireable, but it can happen to any software... The real reason they turned it off, is because due to the webmail system being proprietary, they can't fix this problem so it will only get compromised repeatedly.

          Also, most of the webmail systems i've seen don't hold any data or authentication details themselves, they just hook over an imap server, so by hacking the webmail system you can only compromise the use

        • There was a flaw in the third party software they where using for web mail, and they suffered from a zero day attack. Hardly Plus.Nets fault.

          On the contrary. The software they chose to use was bug-ridden — and I don't mean subtle, occasional bugs, I mean "incapable of even performing its basic functions correctly" — and this was abundantly clear to anyone who had tried to use it for more than a few minutes and received a couple of HTML e-mails. It doesn't require a 45th level geek to appreci

  • Well if it's not incompetence that mars PlusNet's service then it's deception. Over the last couple of years customers have had to endure blatent throttling of P2P and caps on bandwidth, the closure of their binary Usenet service and customers being banned from their forums for daring to criticise them.

    I can only blame myself for staying for so long. My previous ISP provided an excellent service but was far more expensive. As always, you get what you pay for.

    • I used to be with a wonderful ISP known as Metronet. They were cheap, but had *really* clued up staff (i.e. when you phone you don't speak to phone monkeys - you speak to actual techs). Meanwhile, a shite ISP called PlusNet who had been publicly floated, wanted to impress share holders with their fantastic management team so decided to buy a small-ish ISP, namely Metronet and then proceeded to migrate Metronet customers to the PlusNet platform resulting to many of them leaving (including me). All the while
      • They didn't used to be shite....

        At one point PN where probably the best ISP in the UK - sadly after floating on the stock market those days soon came to an end at the alter of shareholder profits and sod the customer :(.

        Anyway even while a good ISP one thing PN had going for it was the customer forums - usually had a lot of knowledgable people on so even if you ran some odd software/os/hardware combination or wanted to do something beyond a simple mail form on your website you'd get alot of community help.

        I
  • From PlusNet's letter:
    In the meantime, if you use Webmail to check your PlusNet email from your own PC, you might find it more convenient to use an email program which runs on your PC instead.

    So let me get this straight: PlusNet's closing down the WebMail service, but leaves the main e-mail server running, so

    (1) the spam still comes in to the e-mail addresses
    (2) users now cannot access via their Internet Browser and must use an e-mail client which may not filter spam as well (or sometimes at all)

    B

  • Like, um...this guy [youtube.com].

  • Data Protection Act? (Score:5, Insightful)

    by Phil246 (803464) on Saturday May 19 2007, @10:17AM (#19190783)
    Customers of this ISP may want to check to see if they can take action against them under the data protection act.
    in particular, the sections:
    "Personal data should be securely kept, and not transferred to any other country without adequate protection."
    and
    "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

    ( http://en.wikipedia.org/wiki/Data_Protection_Act [wikipedia.org] )

    • Re: (Score:2, Informative)

      by Peet42 (904274)
      It's a pretty sad state of affairs. I used to be with Plus Net, and they used to be really good. I dropped their service when they sacked a lot of their technical guys and hired a premium-rate call centre to handle their technical queries through a very s...l...o...w... script instead of just talking to you on an ordinary national-rate 'phone line to talk to someone who actually knew what was going on. The guys in the call centre used to look at the same web page as I did to find out if there were any pr
        • Yeah, its a common practise in the UK for a corporation who wants to squeeze a little more off their customers.
          It sure doesnt go down well but there is very little option at times.
            • 0845 is _NOT_ local rate...
              It is LO-CALL rate, which is a revenue sharing service. It is charged at the same cost local rate calls used to be in the early 90s, and it is always charged by the minute regardless of your phone service plan. Also, inclusive minutes usually don't count for calls to 0845 numbers.
              BT charge a flat rate of 5p for a 1 hour national landline call at evenings and weekends on their lowest call plan, a 1 hour evening or weekend call to an 0845 number would cost 120p evenings and 60p weekends. BT's higher calling plans (options 2 and 3) charge you nothing for the first 60 minutes to a national number at evenings or weekends (again 0845 arent included) and in the case of option 3, also during the day.

              What's worse is, a share of the call revenue goes to the company operating the number (which is why BT can't offer free calls to 0845) which gives these companies an incentive to keep you on hold.
              In essence, 0845 really is premium rate. It may be a lower per-minute cost than 09 premium rate numbers, but it works in just the same way.

  • We can just blame this on sysadmins that don't want to work at underpaying jobs with bad managers that don't give any respect and corporate executives that don't really give a damn about quality of service.

  • According to Plusnet the problems were exploited before being known about publicly and the leak of email addresses is "not possible to patch". If this is true, then it's rather less of a faux pas than some of their previous problems. Having had the pleasure of dealing with Plus customer support a few times over the last few months I'd be interested to see some corroboration of what the problems actually were from elsewhere, rather than just taking their word for it, though.

    The bigger question is who is el
  • I'm sure the eager and well paid sysadmins in Mumbai and Bangalore will get right on that problem.
  • in the ultimate admission of incompetence

    Personally, I think the British have an admirable demeanor in the face of adversity or even outright defeat, as compared to the US for example. Stiff upper lip, all that stuff. Surely it's better to admit incompetence than not? Then again, maybe it's just our (American) culture of denial that annoys me.

    • Why should we expect anything more than incompetence from shelleytherepublican.com? They probably run the inferior shelleytherepublican.com software anyway. Their lack of morals and shelleytherepublican.com is something only satanist democ-rats and shelleytherepublican.com could empathize with.

      While their Great Leader, shelleytherepublican.com, was in power, we could trust our oldest allies to loyally support our victory against the Iraqis, but alas, no more. I believe the only real solution is to liberate

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.