back to article Plusnet customers SWAMPED by spam but BT-owned ISP dismisses data breach claims

BT-owned ISP Plusnet has rebuffed concerns from customers who are worried that their email accounts have been compromised by spammers. Despite the protests, at time of writing, Sheffield-based Plusnet was yet to turn itself into the UK's data watchdog – even just as a symbolic gesture to placate subscribers who fear that a …

  1. Paul 87

    Doesn't have to be a hack per-se (as in data stolen), could be that their billing server's email routing software was tricked into sending the spam.

    1. Paul
      Thumb Down

      they still need a list of recipients

  2. Lodgie

    The biggest surprise for me is that Plusnet is owned by BT, can't believe I missed that little nugget. Time to change ISP.

    1. Grease Monkey Silver badge

      Honestly how did you miss that? Years ago when BT bought them I remember loads of fuss on here and other forums. There were commentards throwing the knee jerk* reaction of, like you, threatening to leave with no stated or rational reason. Then there were those predicting that all Plusnet customers would become BT retail customers. Never happened. Of course the joke there is a lot of Plusnet customers were, and still area, BT wholesale customers.

      The thing is however that it was a whole load of fuss over nothing. Nothing really changed operationally. BT for some reason wanted to own a crappy bargain basement ISP so they bought one. End.

      Thing is though if you react like that you'd better check out the products and services you buy and see who the ultimate owner is. You might get a few surprises.

      * I would call your reaction a knee jerk if it hadn't taken many years to happen.

      1. illiad

        surely 'owning' and 'managing' are two different things, but not exclusive to each...

        EE owns orange , tmobile, and its own retail dept.. but they are all separate retail companies...

        When Plusnet FIRST started, it was great value, great service, until internal arguments and mismanagement started to ruin it and bring down the company...

        Joke is, is the SAME email problems were part of that... then they said they were being bought by BT, that would help their massive debt problems... choice was stay with a 60% bad company joining a 80% bad company, or find another...

        A friend worked for openworld, said if your problem has not been solved in 4 weeks, it would be quicker to just get a new account!!

        The main problem then and now, is you tell them a problem, they tell BT, they get onto openworld , or others, and the massive delays between each!! (as well as getting past the idiotic newb PC check.... > :( )

        So I went to virgin - no middleman delays..

        Plusnet has recently been fairly good..BUT when it goes wrong... :(

      2. Anonymous Coward
        Anonymous Coward

        Who needs a bargain basement ISP?

        "BT for some reason wanted to own a crappy bargain basement ISP so they bought one."

        Who needs a bargain basement ISP? Someone who is frightened that one day Ofcon might wake up and actually start regulating their overall business, perhaps?

        BT Retail is supposedly regulated by Ofcon, as are BT OpenReach (poles, ducts, last mile connectivity, etc) and Wholesale (countrywide services to retail ISPs without their own countrywide presence).

        Retail ISP Plusnet is part of BT (same shareholders, same top management) but isn't regulated by Ofcon.

        So if BT need to use their "significant market power" to influence the market in improper ways, such as pricing stuff in an anti-competitive way to ensure new entrants are scared away, BT Retail supposedly can't do it.

        Plusnet isn't regulated in the same way so there's little to stop them doing this kind of on behalf of BTplc though. Why else would a BTwholesale based ISP want to compete on price with the LLU operators?

        At the time of the sale, iirc the cover story was something along the lines of BT wanting Plusnet's home grown automated operations software (Workplace?), so BT could use it themseleves. Not sure if anything came of that,

        1. Anonymous Coward
          Anonymous Coward

          Re: Who needs a bargain basement ISP?

          Forgive me for not taking an argument seriously when you refer to Ofcom as Ofcon.

        2. Anonymous Coward
          Anonymous Coward

          Re: Who needs a bargain basement ISP?

          Not regulated by OfCom?

          ALL uk based ISPs/Telecoms/TV companies are regulated by OfCom...

      3. cantankerous swineherd Silver badge

        i would have thought the problem is that you're likely to get put on an abusive BT contract.

      4. lorisarvendu
        Trollface

        Well I still have a Force9 email address from before Force9 was taken over by Plusnet...who were then taken over by BT.

        So I guess I should have left twice then.

      5. Alan Brown Silver badge

        " BT for some reason wanted to own a crappy bargain basement ISP so they bought one. End."

        Specifically: They wanted Plusnet's billing and customer service system.

        It was only later on when they realised how toxic the BT brand had become that they relaunched Plusnet and took great pains to hide that it's BT Yorkshire.

        In the same way TalkTalk hides that it owns the AOL branding by running that arm through a maildrop in Luxemborg.

    2. BongoJoe

      If you are with PlusNet and never noticed anything untoward with your connection or service then why consider changing?

      Clearly you must have been no less happy when it was Broadband Run From tMills.

  3. Grease Monkey Silver badge

    The one thing I don't buy here is that so many people are so anal that they have an email address that they use only to receive ISP bills. It follows therefore that they must have dozens if not hundreds of email addresses each for a single purpose.

    1. Anonymous Coward
      Anonymous Coward

      Hundreds of email addresses! The very thought is enough to make your head explode!

      Actually it's very trivial if you have an email account or mail server filtering that allows arbitrary text to be included to form aliases for your email address - so that for example fred+plusnet@isp.com is a valid alias for fred@isp.com. For a tiny amount of effort you can then see who leaked your information if that alias is used elsewhere.

      1. Alan Brown Silver badge

        "so that for example fred+plusnet@isp.com is a valid alias for fred@isp.com."

        Assuming that webforms allow you to enter the "+"

        There are far too many broken ones which don't - or worse, allow it for account creation but then barf badly when you try to do anything to modify your account settings, claiming that "+" is a bad character (I'm looking at you, EDF and Brutish Hash)

    2. Mark Allen

      Makes phishing emails easy to spot

      This can also be done with email aliases. Which is how I do it. It makes it easy to spot phishing emails as an email from my "bank" which has been sent to my ebay email address is clearly bogus. It also keep my personal mailbox a lot clearer meaning less junk on my phone.

    3. Anonymous Coward
      Thumb Down

      I've been encoding telltales into my mail, the snail mail kind, for over four decades now. It's even easier to do so with email. The only singleton here is for my domain and that was at the behest of the Canadian registrar.

      Hey, if it's cool to track us, it's definitely nice to do the same back. I like to know whose got my back and who's the backstabber.

    4. Pen-y-gors Silver badge

      Multiple addresses are a doddle

      Just buy a domain and set *@aardvark-fun.co.uk to forward to your 'real' account and then you can have tesco@aardvark-fun.co.uk or plusnet@aardvark-fun.co.uk or whatever-you-like@aardvark-fun.co.uk. If you're feeling complicated, after you've used one for a one-off/temporary registration you can always filter specific ones to spam.

      I've been doing it for years and it's highlighted several interesting data leaks!

      1. illiad

        Re: Multiple addresses are a doddle

        NAH, not that easy for most... going to gmail or yahoo is much easier, and can be used *anywhere* :) :)

        1. Anonymous Coward
          Anonymous Coward

          Re: Multiple addresses are a doddle

          "NAH, not that easy for most... going to gmail or yahoo is much easier"

          FWIW you can do it with Google mail as well. Gmail supports aliases with a + separator, so if you are myname@gmail.com you can also be myname+plusnetarebastards@gmail.com

          Not nuclear-hard, but it tells you who's leaking your stuff.

          1. TrevMo

            Re: Multiple addresses are a doddle

            Hey, I didn't know that about Gmail. I'm pretty sure I'll make use of that facility.

            Thanks!

      2. Richard Cranium

        Re: Multiple addresses are a doddle

        Not entirely without merit but a word of caution: I once had a catchall address until the day I came back from lunch to find my mailbox had maxed out (32K emails) because a spammer had come up with the idea of sending to thousands of guessed names (fred, john, julie, mohammed, jacob, sales, enquiries@ etc) to the domain in the expectation that some would reach a real person.

        Currently I maintain a secondary email account for unimportant contacts (forums, retailers etc) and use that with the john.smith+tesco@example.com syntax someone mentioned. If one contact gets too spammy I can set a filter to bin their stuff. If things were to get really bad I could drop that entire account completely with no tears.

        1. Adam Inistrator

          Re: Multiple addresses are a doddle

          I dropped catchalls because it ended up over time being massively spammed but come to think of it you could give out random emails on every occasion but all ending in xyz and then dump everything that doesnt end up in xyz.

      3. Alan Brown Silver badge

        Re: Multiple addresses are a doddle

        "Just buy a domain and set *@aardvark-fun.co.uk to forward to your 'real' account"

        I started advising my clients not to set global forwards after a couple were victims of spam runs spoofing $RANDOM @ their.domain.

        One poor guy got over 400,000 bounces overnight. It killed the domain. He ended up selling it off to another company for $20 when it was worth at least 100 times that to the company in question.

    5. Bod

      Been doing this for 15 years or so. *@mydomain goes to my main mailbox and I just register on each site with an address specific to that site. Makes it a doddle to spot where the spam has come from, and block the spam address, change the registered address to another one.

      Better still as I run my own mail server and can have it reject an address at source so it's seen as dead, though for non techies it doesn't matter. Most ISPs and mail apps have some form of blocking so at least they'll never receive the spam. Dead easy to do.

      On top of that I can also report the spam occurrence to the site in question and tell them to sort out their servers! ;)

    6. Anonymous Coward
      Anonymous Coward

      Not an issue having lots of addresses.

      I run my own mail server and have simple filters to sort out the dross from the real stuff. I register for a site using a potential throwaway e-mail address. It gets routed to my main e-mail address in the mail server.

      If (when) I find spam etc coming through, I kill that e-mail address by simply blocking it on the mail server. takes about two mins to do end to end, additional e-mail addresses take seconds.

      Nothing anal about it, I have a dedicated e-mail for my ISP, Zen, and so far in 14 years they have never abused it. On the other hand, No2ID managed to lose my e-mail address to them and I got spam from it, which I reported to them, but they ignored it. Thats the attitude of most companies. I don't think most companies deliberately span, they just get careless and lose it along their supply chain. No skin of my nose, I block it and move on.

      I reckon I must have high hundreds of personalised e-mail addresses out there. Indeed El Reg has one :)

    7. Vic

      It follows therefore that they must have dozens if not hundreds of email addresses each for a single purpose.

      Over 3500, last time I counted...

      /etc/aliases makes it all to easy.

      Vic.

  4. david bates

    Plusnet store your Login details in plaintext, and will email your password out to you happily.

    If you question this they will tell you that the password database has no connection to the internet so is perfectly safe - nothing can possibly go wrong. How they send your password out to you if this is true is a mystery....

  5. David 45

    Nothing here

    Not had anything dubious here on my alternative address that they have. Seems to be a lot of panic floating about!

  6. Anonymous Coward
    Anonymous Coward

    No spam here

    As a PlusNet customer I was initially worried about these emails.

    The email account I have with Plusnet has received no emails apart from the once a month notification of my bill.

    However this may be due to the part of that email address (the bit before the @) bears no resemblance to my name. So many ISP default you to something like Jones1234@ispname.com

    Also, very few places on the internet have my real name as an account email. As I run my own email server whenever I add an account for some online store, I create a dedicated account for that store.

    For example jonesjohnlewis.mydomain.co.uk and jonestesco@mydomain.co.uk. One or two stores detect the use of their name in the email address and refuse to let me register the account but these are very much in the minority.

    If any account starts getting lots of spam, I simply delete the email account and stop doing business with them. On the whole, very few get deleted over the course of a year.

    1. Anonymous Coward
      Anonymous Coward

      plenty of spam here

      I'm getting lots, all with my plusnet mail address in the subject and this in the footer.

      To stop all future communications from this sender, please go here

      You may also write to us at

      237 S Delsea Drive #302

      Vineland, NJ 08360

      In the Yorkshire isp's defense I also get spam on the unique address I have given to John Lewis, Chemist Direct and.... SpaceX!!

    2. Alan Brown Silver badge

      Re: No spam here

      "One or two stores detect the use of their name in the email address and refuse to let me register the account but these are very much in the minority."

      In other words, they're pretty much admitting that they want to sell your address and are best avoided.

  7. Anonymous Coward
    Anonymous Coward

    "...we are comfortable there has been no compromise"

    OK, so they have found no evidence of a breach of their systems.

    That still allows for a more obvious and simple cause : a Plusnet employee with access to the data has taken a copy and sold it on. What news on the investigation into that possibility?

    1. Andy Non Silver badge

      Re: "...we are comfortable there has been no compromise"

      Quote: "That still allows for a more obvious and simple cause : a Plusnet employee with access to the data has taken a copy and sold it on. What news on the investigation into that possibility?"

      Indeed. A few years ago I started getting emails from a company specialising in international roaming SIM cards. A week or two later it came to light that the company spamming me was an ex-employee of the company I had an account with for my international roaming SIM. He'd stolen the entire customer database and sold it to a competitor!

    2. Tom 7 Silver badge

      Re: "...we are comfortable there has been no compromise"

      Whenever I've been involved in building this sort of database its always best to set it up so 'Select * from customers' isn't going to work to prevent this sort of thing. It does seem to be DB101 for a lot of places.

    3. This post has been deleted by its author

  8. Tim Warren

    Nothing new here

    I also use unique identifiers for every site or company i give my details to. No details of which are stored on my servers. It just blindly accepts everything.

    The following companies have also had data breaches (some that they deny).

    Last FM

    Adobe

    The IET (formerly the IEE, Institute of Electrical Engineers)

    WEX photographic

    Linked In

    drop Box

    EDA board

    Seriously doubt that my server has been compromised as only a select few addresses above have ever been used for spam, and the ones that are seem to come in all at the same time indicating that each breach is separate and unique. If my server was compromised then i would expect spam to hundreds of valid addresses.

  9. cupperty

    Overstepping

    "Plusnet was yet to turn itself into the UK's data watchdog"

    I hope that doesn't happen ...

  10. Anonymous Coward
    Anonymous Coward

    Metronet-Plusnet-BT

    They also, therefore, own Metronet who are owned by Plusnet. I started off with Metronet before moving to Plusnet for less cost. Not planning on moving further up the food chain.

  11. Anonymous Coward
    Anonymous Coward

    "Plusnet was yet to turn itself into the UK's data watchdog"

    Am I the only one who thinks this sounds like a magic trick?

  12. This post has been deleted by its author

    1. TopCat62

      Re: Guessing email addresses is trivial for spammers

      Well I've been getting spam for the last couple of months sent to plusnet@mypersonaldomain.com

      Guess how I know I haven't given it to anyone but Plusnet?

  13. Vimes

    Has everybody here forgotten the 'stealth' BT trials of Phorm and the way in which they even went as far as concealing the truth from their own customers? Even their own support people seemed to be in the dark.

    How on earth can BT or any BT-owned ISP be trusted now?

    http://www.theregister.co.uk/2008/03/17/bt_phorm_lies/

  14. Anonymous Coward
    Anonymous Coward

    Part of a bigger problem?

    PlusNet used to be great for support - you could easily speak to real people who knew what they were talking about and knew what to do about it, and when you needed support, you'd get it quickly and in an unpatronising manner. But my latest support call is a classic - I logged a call about poor upload speed, which for what I use my ADSL connection for is important, very poor latency, up to 250ms at times and dropped packets - over 10% on occasion. I got a response containing boiler plate links and saying my download speed was within acceptable levels. I replied patiently, saying that my download speed was not the issue, and repeating the issue. Eventually I got a response saying that it's not a problem they can do anything about and they;re not prepared to raise a call against BT wholesale (the problem is almost certainly our local exchange. 4 neighbours, on different ISPs all have the same problem) I will definitely be leaving PN after 12 years with them, at the earliest I can. They seem to have forgotten that it takes more than telly marketing to run an effective ISP.

    1. Tapeador

      Re: Part of a bigger problem?

      You could do a breach of contract claim in the small claims court, on behalf of yourself and your neighbours, on grounds that provision of the service has not been carried out with reasonable care and skill. Sounds pretty slam dunk to me. http://www.legislation.gov.uk/ukpga/1982/29/section/13 Unless you go for fibre, there's no guarantee any other provider will take the problem seriously.

      1. Anonymous Coward
        Anonymous Coward

        Re: Part of a bigger problem?

        > You could do a breach of contract claim in the small claims court

        Interesting, and worth researching. As it happens, a neighbour moved to Zen, and they are taking the issue seriously. They asked for pings to be enabled on a few of our routers and claim to be building a case to take to BT wholesale.

        No fibre in our area, and no plans either. That whole "market" thing that's supposed to sort all the arrogance of a residual monopoly just doesn't seem to be working.

        1. Alan Brown Silver badge

          Re: Part of a bigger problem?

          "That whole "market" thing that's supposed to sort all the arrogance of a residual monopoly"

          What "residual"? BT still has a monopoly on lines and leverages that to the disadvantage of all the competitors.

      2. Alan Brown Silver badge

        Re: Part of a bigger problem?

        "You could do a breach of contract claim"

        Could and should. My experience is that problems are solved and claims settled as soon as the paperwork lands on the appropriate desk at the ISP.

        "Unless you go for fibre, there's no guarantee any other provider will take the problem seriously."

        Virtually all the small ISPs will chase this kind of thing and don't have locked in boilerplate procedures.

        It's widely believed that most of the larger ISPs have contracted lower rates from Openreach in exchange for "lower priority" LLU service. If true, that wouldn't surprise me (and under NDA, the same way that govt departments were hiding their 0870 revenue raising joint-ventures)

  15. Anonymous Coward
    Anonymous Coward

    no proof

    ok so lets just get rid of one urban mith that just cause you have a 'unique' email address for a particular business it's the businesses fault if you get some spam and there must have been a breach.

    If you accept wildcard (*@mydomain.com) then it's very likely over time you will get some spam - most reasonable isp's don't even allow wildcards as they generate so much spam and use so many resources. All an 'attacker' has to do is send try a lsit of words plus your domain at some point it's highly likely the word 'plusnet' will get added to that list along with tesco, asda etc. I'm suprised anyone uses wildcards.

    If you accept obvious words @yourdomain.com then again a simply dictionary attack will mean that eventually you are likely to get something to plusnet, teco, asda etc, the better way would be to use something like tesco.myname@yourdomain.com or even perhaps better (as that is a fairly simple thing to try) tesco.ddmmyyyy@yourdomain.com.

    If your mail provider doesn't have some form of counter measures to prevent dictionary attacks then you are likely to eventually get junk. My mail servers gets these sort of attacks all day every day, usally from mulitple ips at the same time trying the same list, clearly a botnet and they get banned at the firewall within a few tries.

    It could be that a mail provider or isp has been breached and not plusnet, thus the leak could be at your mail provider or isp. That would take some coordination from the various people who think their address has been leaked to see if there is any common link between them and it may not be obvious without looking at the complete set of servers the email has traversed in it's journey.

    Finally mail is sent over plain text so there is presumably nothing to stop someone sniffing network traffic and grabbing email addresses. I'm no expert on that one but I'm sure it's possible.

    Simply assuming it's plusnet fault is a little naive. It may well be the truth but there is no proof as yet.

    1. Anonymous Coward
      Anonymous Coward

      Re: no proof

      Wrong. Anything sent to my domain (as with many others who have this issue) is received. If there was a dictionary attack, I would get every 'aaa@', 'aab@' etc in my inbox.

      We are not getting that. We are getting our specific PN email addresses, only.

      It's not a dictionary attack on possible addresses - it's our specific addresses that are being used.

      Mine has only ever been given to PN and is not even stored on my own PC, it just gets collected in a catch-all account with everything else @mydomain.

      It can only have come from PN, in some way.

    2. Bod

      Re: no proof

      @AC - Very wrong.

      I get plenty of other spam, but all of these have followed a pattern.

      They are *all* addressed to a unique address only used for PlusNet (e.g. mynamemangled.pn@mydomain etc).

      They *all* have a subject that starts with "(mynamemangled.pn@mydomain)"

      They are *all* are sent from the same "spammer"*.

      They *all* have this footer...

      "To stop all future communications from this sender, please go [link here]

      You may also write to us at 237 S Delsea Drive #302 Vineland, NJ 08360"

      Not just mine, but everyone else too.

      * - I say spammer, but unlike random garbage spam looking for active mailboxes, this to me this looks like PlusNet/BT have released addresses to a third party for marketing use, which is in breach of their policy where they say they will *never* do this without permission.

      I have blocked the address in question and changed my PlusNet registered address to something else unique. Guess what? These mails have stopped.

      If this was random attacks guessing addresses, I'd have tonnes going to random addresses testing them. I don't.

      So yes, it's entirely an issue with PlusNet and/or BT. Remembering that BT have leaked addresses recently, and PN is owned by BT.

      1. Alan Brown Silver badge

        Re: no proof

        "237 S Delsea Drive #302 Vineland, NJ 08360"

        No surprise to see it's a UPS store.

        http://vineland-nj-1314.theupsstorelocal.com/

    3. TrevMo

      Re: no proof

      Re: 'no proof':

      That's Total rubbish. If it were a dictionary attack...

      1. What, on all our different domains that have never had spam (in most cases) before, all at the same time? REAlly....

      2. On our catch-all accounts where ALL AND EVERY email sent to the domain comes in, we would have all of the 'aaa@', 'aab@' etc come in as well. I would, anyway. Despite what you say, I have remarkably little spam to that domain despite having used it in this way for over fifteen years!

      It is only those specific address that we have created and given to PN, and only to PN, ever. Mine does not even exist on my PC as an address I can use, and I never have, it just comes in to the catch-all account like all the rest. If I were to send a reply, it wouild not have that address as my sending address.

      So yes, we can say that the released information has come from PN in some way. There are plenty of us with similar (but different domains) setups having exactly the same issue. The only direct common factor is PN. Any indirect ones still include PN as the source.

    4. Anonymous Coward
      Anonymous Coward

      Re: no proof

      I'm a Plusnet customer (since I left Pipex, many years ago).

      I use one of the slightly complex schemes you suggest, ie vendor.sequence@myid.plus.com

      So for example for registering with Pixmania in 2011 I'd have used

      pixmania.11@myid.plus.com

      That specific example is chosen because the only address leak I've ever had came via Pixmania in the days it was a Dixons Stores Group company (did they sell it yet?).

      The jury may be still out for Plusnet, but for me and Pixmania, the case is long since proven and Poxmania were guilty as charged.

    5. Anonymous Coward
      Anonymous Coward

      Re: no proof

      Sorry but you are talking bollocks and you are being naive. Nobody here is suggesting that they have wildcards of the form *@somedomain.com, they are talking about specific e-mail addresses for specific uses. I'm not even sure you can have a * in a username in a mail address. I suspect the mail RFC would state thats not allowable.

      You have misunderstood what people are doing, we give out a specific e-mail address that only exists for the purposes of registering with a company, e.g. john.plusnet123@mydomain.co.uk. That e-mail address only 'lives' for that usage. It is never recorded elsewhere and it is never stored on the server unless its to blacklist it. There are common rules to filter based on the e-mail address on the mail server which forwards to the correct e-mail address for the person. Most people do not use specific rules, e.g. john.plusnet123@mydomain.co.uk -> john@mydomain.co.uk but simple rules that allow them to create ad-hoc e-mail addresses quickly, e.g. john*123@mydomain.co.uk -> john@mydomain.co.uk. This allows john.tesco.123 and john.dodgydealer.123 to all work.

      So how do we know that we aren't subject to dictionary attack, dead simple, we can look in the log files. We can see that john.asda@mydomain.co.uk and john.whsmith@mydomain.co.uk and john.sales@mydomain.co.uk aren't being used for mail addresses. We can see that there aren't dictionary attacks going on all the time. Oddly enough, thats one of the things we check for.

      I do get the 'normal' e-mail attacks, e.g. sales@mydomain.co.uk along with support@mydomain.co.uk etc etc. Thats just part of the daily routine and is noise.

      I accept that mail is sent in plain text (well some of it is), and that network sniffers could grab it but that would imply a level of coordination worthy of NSA or GCHQ.

      When you find that a specific e-mail address has been leaked, which is the likeliest option?

      1) the piss-poor company has leaked it by accident

      or

      2) GCHQ/NSA have targeted your personal e-mail address and then have leaked it to spammers.

      I can accuse the NSA and GCHQ or many things but as a front for spammers? No.

      Most companies will not accept that they leak data, even in the face of obvious proof. Its always easier to blame other people. The list of dishonourable mentions is very large now.

      At the end of the day, its easy enough not to deal with them again and simply block the address which I do.

      1. jabuzz

        Re: no proof

        Sorry but you can setup your email at PlusNet so that all email to *@myid.plus.com gets delivered. It is one of the features of their system and has been like that since well longer than I care to remember certainly more than an decade. That said I have the wildcard address directed to /dev/null another very long standing feature, though I can remember a time when it was not.

        The amount of spam I get on my PlusNet hosted email account is very limited ever since they included virus and spam filtering by default rather than an optional extra. I have personally not received the spam in question, and one would presume that if the PlusNet database had been compromised that the spammer would have spammed all the addresses harvested not just some.

        That last bit suggests to me that the spammer has managed to harvest the email address from somewhere else. Where and how is the question.

    6. Alan Brown Silver badge

      Re: no proof

      "Finally mail is sent over plain text"

      Only if you've disabled STARTTLS on port 25. There are very few mailservers around which don't support that these days (it's not just for MUAs)

  16. Dann

    Nope nothing here

    I really have a unique e-mail address for plus net and I have just checked and nothing.

    I feel a little left out

  17. Mike 16 Silver badge

    At least they have a complaint process

    that can be used electronically. When Adobe gave my custom email address to a pron-spammer, less than an hour after I registered one of their products, I found that the only way to file a complaint was via paper mail sent to a legal firm care of a P.O. Box in Los Angeles, Note that when faced with this sort of thing it is recommended to send such mail "Certified, return-receipt-requested" or it will somehow be lost in transit, unlike the tsunami of physical spam I regularly receive. Clearly the Post Office is much more careful with Bulk mail than first-class.

    Of course, I have no doubt Plusnet simply ignores complaints, but Adobe makes it abundantly clear up front that they do not want to hear from you about anything, now that the payment has cleared.

  18. Anonymous Coward
    Anonymous Coward

    no spam here

    I have a unique address on my plusnet a/c - and run my own mail server. I've just grepped the logs and have not seen any spam come to that address, rejected or delivered.

    From my sample size of one I can't say that no addresses have been collected - all I can say is that the spammers didn't get mine - or at least they haven't used it so far. So this situation is not as simple as all addresses have been compromised and spammed.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: no spam here

      same here, been a plusnet customer since.... hmmm .... April 2010.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: no spam here

        and just checked my mailogs back to November 9th, none of the ip's which have been listed on the plusnet forum even feature.

  19. Doctor Syntax Silver badge

    I use PlusNet but I just gave them a Hotmail address which I tend to give to anyone I've no experience of dealing with in case they turn out to be a spammer. So if any of it comes in my direction the Hotmail spam filters will have dealt with it. Mostly the spam that the filters let through is that pretending to come from Hotmail/Live/Outlook/Have-they-rebranded-again-this-week? You'd think that not only would that be pretty easy to trap but that they'd be particularly keen to do so.

    But one very odd thing does sometimes turn up in that mailbox. It's mail addressed elsewhere being sent by other Hotmail users. There's no mention of my address anywhere in the headers so no indication of how it got there. The contents are quite innocuous - it genuinely looks like other people's mail gone astray. So far there have been 3 instances of that.

  20. Anonymous Coward
    Anonymous Coward

    Pull the other one Bob

    "Plusnet takes its obligations regarding our customer data very seriously"

    They really don't, and have a long, long record of not doing so with customer emails going back at least ten years. I set up an email address for my parents, solely for plusnet billing purposes, that's been getting a ton of garbage as described since mid Nov. Since none of the other addresses on the domain are getting spammed I can only put it down (yet again) to Plusnet.

    Its long overdue for PN to clean up their act in this respect, and to come clean when they do screw up yet again. So I won't be holding my breath, but I'd love to think the ICO would take them to the cleaners for what is quite obviously down to them.

  21. Mark.L.P

    Don't forget robots..

    I think it's easy to forget that spam can hit non-public email addresses, sometimes even those that have never been used, too. The robots simply generate a list of hundreds of thousands or millions of potential addresses for any given domain and when targeted they get bulk sent. Only a few small per cent will find a correct recipient but that can still hit thousands of customers.

  22. This post has been deleted by its author

  23. AMB

    This is definitely not just a random spam attack

    I'm very pleased to see that various people have already done a most excellent job in shooting Mr.Anon well and truly down in flames. What utter tosh Re: catch-all e-mail accounts !!! It is, almost without any doubt whatsoever, the full or partial release of a current(ish) customer e-mail database. The only true unknowns are the extent of the data involved, the effective date of acquisition by Mr.Spammer and how he managed to get his grubby mitts on it in the first place.

    There are plenty of reports suggesting that the database is definitely post May 2007 breach data although I can add that it does also include data previously acquired in the 2007 breach that hadn't been changed. It's not just 'new', 'recent' or modified data. It appears to be 'current' data at a given date. It doesn't however appear to include any data from 'free', 'dormant' or otherwise unused and/or unpaid-for accounts. I have several A/Cs and countless e-mail addresses both ancient and current, used and not used, very public and mostly private. I also monitor every e-mail ever sent to my A/Cs and retain archives of all of them.

    There is no dictionary attack. There is no easy-to-guess-words or common words attack. There is no even remotely similar spam to other well used and well known addresses or even to various other addresses previously compromised by PN. This current spam attack is *ONLY* being directed to the primary e-mail address for my primary A/C. I have no need for smoke and mirrors. No need to wriggle, squirm or otherwise sound embarrassed trying to defend the indefensible. And certainly no need to make stuff up. Comprehensive archives going back to 2007 confirm everything that needs to be said: The spam campaign starting on 14th November currently solely consisting of VERY identifiable spam is ONLY being directed at one solitary e-mail address out of what is effectively an infinite number of potential e-mail addresses.

    Based on all the 'evidence' posted in various places, the only plausible conclusion to this story is ... PN are being substantially less than entirely honest I'm afraid. It is implausible that so many customers could have suddenly seen the exact same problem at the exact same time from the exact same source purely randomly. There has to be a connection and that connection almost certainly has to be PN. Whilst it needs to be accepted that the data may actually have been physically acquired from elsewhere, the original source of the data, the responsibility for the data and thus the root cause of this problem IMHO has to be PN.

  24. Anonymous Coward
    Anonymous Coward

    Where are your passwords and logon details?

    Lets not forget there are indeed people who store their logon details for all their sites in a spreadsheet, and store that spreadsheet in could based storage such as dropbox, etc. (or even in lesser secure places). So password/username/email security really starts at home. I do actually know people who have been targetted purely because they unwittingly leaked their own logon details. Take care of your stuff people.

    1. druck Silver badge
      Unhappy

      Re: Where are your passwords and logon details?

      PlusNet also don't support any form of encryption on email transit, despite many many years of pleading by users. So if you've set your phone or laptop up to collect email from PlusNet when logged on to public WiFi, you will sending your login details in plain text over an insecure network. The email user name is often the same as the primary email address used on the account.

      1. TrevMo

        Re: Where are your passwords and logon details?

        What you, and the comment you have replied to, are saying is essentially true and a definite security concern. However, it is completely irrelevent to the current issue.

        I have never, ever logged in to PN in any way other than from my home (wired) PC. I'm paranoid about security (have been since pre-Internet!) and would never store any useful information 'in the cloud'. In fact, I don't do that for anything that I don't specifically want to share with the whole planet.

        Most of the people who have discovered they have this spam problem are similar to me, because they have set up unique email addresses too, so we are all security concious. I bet none of us have uploaded our login details to the cloud.

        Anyway, we certainly haven't all used the same wifi hotspot or cloud service at the same time!

        The leak has originated from PN. There is no other reasonable explanation.

        1. Anonymous Coward
          Anonymous Coward

          Re: Where are your passwords and logon details?

          Thanks for your comments. Although I think it is certainly relevant. The article is referring to a potential breach of email addresses by PN. I was merely pointing out that such a breach "might" be closer to home.

          1. Anonymous Coward
            Anonymous Coward

            Re: Where are your passwords and logon details?

            Given the circumstances, quite clearly defined by a large number of clearly competent commentards, its evidently not remotely close to home (much nearer to Sheffield in fact) although a completely dissimilar breach might be.

            And I doubt there are very many here who store passwords on dropbox.

  25. Ian 25

    Yup, I'm also being hosed with PlusNet spam

    Again, a unique addy. They have obviously been breached. I've had 2 successful dictionary attacks on my domain in 5 years. My guess = marketing partner breached (this is very very common - use a shonky agency for a mailing and watch your data get sold) or an employee and a USB.

    FESS UP guys.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yup, I'm also being hosed with PlusNet spam

      The 'dodgy marketing weasel' is indeed the current frontrunner on the plusnet thread.

  26. Wolfclaw

    Plusnet BS

    Plusnet we'll do you proud, by leaking your deatils and then not accepting any blame, while doing a cover-up, until the ICO slap wrists !

  27. TrevMo

    More people are coming onto the PN forum having found out about the reason for their spam here.

    The fact that some people are not getting the spam (provided that's not because of filtering) is of great interest, just as much as those who are.

    If PN were to do a customer survey and determine which accounts are compromised and which not, they might be able to narrow down the point of the leak.

    Was it because we had opted in (in my case, without my knowledge) into a certain mailing list from one of the many tick boxes perhaps.

    A proper investigation... I'm not holding my breath... Much too much work to do covering corporate backsides to actually investigate anything!

  28. Chris Evans

    If anythingAnd Everyything@yourdomain.co.uk is forwarded spam?

    Many years ago we removed having a catch all as we a number of times received deluges of emails addressed to:

    richard.a.smith@ourdomain

    john.f.adams@ourdomain

    chris.h.willams@ourdomain

    ....

    I think the spammers had forged the from, send and/or reply to addresses and hoped we would bounce it (To the real target address the 'from' address)

    If you have a catch all how do you block the above.

    ..

    1. TrevMo

      Re: If anythingAnd Everyything@yourdomain.co.uk is forwarded spam?

      Well, after 15 years of using the same catchall/domain, I actually get very few such emails. The vast majority of the spam I get (and really there isn't much) is to specific addresses identifiable as having been leaked by some company or other.

      Anyway, firstly the base address I have (anything@my-domain.com) is never used. Anything that comes directly to my-domain.com is spam and is filtered first.The catch-all is of the format anything@my-account.my-domain.com. That is a harder one for spammers to randomly generate stuff for, because they won't know the my-account bit to add on to the domain.

      That said, I do get occasional emails like that, likely from spam lists taking one of my compromised addresses and changing the prefix to something random. Perhaps a few every month, usually in a short burst. Again, these are easy to spot because they will not be filtered into a specific folder and instead will land in the (rarely used) general inbox. I just delete them.

      So, it's easy, provided one is careful with one's email address in the first place, which I have been. My wife, on the other hand, was not so careful and was receiving hundreds per day to her account before I closed it.

      I've just checked my trash folder (last did about a week ago) and there are only 72 entries, mostly ones I recognise as knowlingly compromised as mentioned first above. For an email I've used for 15 years, and given to hundreds of people and companies, that's not bad going.

  29. TrevMo

    Plusnet is still declining to comment on this issue, oficially or in the thread on PN's forum. It seems they are just going to ignore us all completely until we go away.

  30. GloomyTrousers

    user+identifier@mydomain.com not reliable

    Problem with the user+identifier@mydomain.com thing: it's a commonly known pattern, so the identifier is trivially removed or spoofed by anyone seeking to obfuscate the source of their list, or direct your attention elsewhere. So you can't really rely on it to identify the source of a leak.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021