Plusnet customers SWAMPED by spam but BT-owned ISP dismisses data breach claims BT-owned ISP Plusnet has rebuffed concerns from customers who are worried that their email accounts have been compromised by spammers. Despite the protests, at time of writing, Sheffield-based Plusnet was yet to turn itself into the UK's data watchdog – even just as a symbolic gesture to placate subscribers who fear that a …
Honestly how did you miss that? Years ago when BT bought them I remember loads of fuss on here and other forums. There were commentards throwing the knee jerk* reaction of, like you, threatening to leave with no stated or rational reason. Then there were those predicting that all Plusnet customers would become BT retail customers. Never happened. Of course the joke there is a lot of Plusnet customers were, and still area, BT wholesale customers.
The thing is however that it was a whole load of fuss over nothing. Nothing really changed operationally. BT for some reason wanted to own a crappy bargain basement ISP so they bought one. End.
Thing is though if you react like that you'd better check out the products and services you buy and see who the ultimate owner is. You might get a few surprises.
* I would call your reaction a knee jerk if it hadn't taken many years to happen.
surely 'owning' and 'managing' are two different things, but not exclusive to each...
EE owns orange , tmobile, and its own retail dept.. but they are all separate retail companies...
When Plusnet FIRST started, it was great value, great service, until internal arguments and mismanagement started to ruin it and bring down the company...
Joke is, is the SAME email problems were part of that... then they said they were being bought by BT, that would help their massive debt problems... choice was stay with a 60% bad company joining a 80% bad company, or find another...
A friend worked for openworld, said if your problem has not been solved in 4 weeks, it would be quicker to just get a new account!!
The main problem then and now, is you tell them a problem, they tell BT, they get onto openworld , or others, and the massive delays between each!! (as well as getting past the idiotic newb PC check.... > :( )
So I went to virgin - no middleman delays..
Plusnet has recently been fairly good..BUT when it goes wrong... :(
"BT for some reason wanted to own a crappy bargain basement ISP so they bought one."
Who needs a bargain basement ISP? Someone who is frightened that one day Ofcon might wake up and actually start regulating their overall business, perhaps?
BT Retail is supposedly regulated by Ofcon, as are BT OpenReach (poles, ducts, last mile connectivity, etc) and Wholesale (countrywide services to retail ISPs without their own countrywide presence).
Retail ISP Plusnet is part of BT (same shareholders, same top management) but isn't regulated by Ofcon.
So if BT need to use their "significant market power" to influence the market in improper ways, such as pricing stuff in an anti-competitive way to ensure new entrants are scared away, BT Retail supposedly can't do it.
Plusnet isn't regulated in the same way so there's little to stop them doing this kind of on behalf of BTplc though. Why else would a BTwholesale based ISP want to compete on price with the LLU operators?
At the time of the sale, iirc the cover story was something along the lines of BT wanting Plusnet's home grown automated operations software (Workplace?), so BT could use it themseleves. Not sure if anything came of that,
" BT for some reason wanted to own a crappy bargain basement ISP so they bought one. End."
Specifically: They wanted Plusnet's billing and customer service system.
It was only later on when they realised how toxic the BT brand had become that they relaunched Plusnet and took great pains to hide that it's BT Yorkshire.
In the same way TalkTalk hides that it owns the AOL branding by running that arm through a maildrop in Luxemborg.
Hundreds of email addresses! The very thought is enough to make your head explode!
Actually it's very trivial if you have an email account or mail server filtering that allows arbitrary text to be included to form aliases for your email address - so that for example fred+plusnet@isp.com is a valid alias for fred@isp.com. For a tiny amount of effort you can then see who leaked your information if that alias is used elsewhere.
"so that for example fred+plusnet@isp.com is a valid alias for fred@isp.com."
Assuming that webforms allow you to enter the "+"
There are far too many broken ones which don't - or worse, allow it for account creation but then barf badly when you try to do anything to modify your account settings, claiming that "+" is a bad character (I'm looking at you, EDF and Brutish Hash)
This can also be done with email aliases. Which is how I do it. It makes it easy to spot phishing emails as an email from my "bank" which has been sent to my ebay email address is clearly bogus. It also keep my personal mailbox a lot clearer meaning less junk on my phone.
I've been encoding telltales into my mail, the snail mail kind, for over four decades now. It's even easier to do so with email. The only singleton here is for my domain and that was at the behest of the Canadian registrar.
Hey, if it's cool to track us, it's definitely nice to do the same back. I like to know whose got my back and who's the backstabber.
Just buy a domain and set *@aardvark-fun.co.uk to forward to your 'real' account and then you can have tesco@aardvark-fun.co.uk or plusnet@aardvark-fun.co.uk or whatever-you-like@aardvark-fun.co.uk. If you're feeling complicated, after you've used one for a one-off/temporary registration you can always filter specific ones to spam.
I've been doing it for years and it's highlighted several interesting data leaks!
"NAH, not that easy for most... going to gmail or yahoo is much easier"
FWIW you can do it with Google mail as well. Gmail supports aliases with a + separator, so if you are myname@gmail.com you can also be myname+plusnetarebastards@gmail.com
Not nuclear-hard, but it tells you who's leaking your stuff.
Not entirely without merit but a word of caution: I once had a catchall address until the day I came back from lunch to find my mailbox had maxed out (32K emails) because a spammer had come up with the idea of sending to thousands of guessed names (fred, john, julie, mohammed, jacob, sales, enquiries@ etc) to the domain in the expectation that some would reach a real person.
Currently I maintain a secondary email account for unimportant contacts (forums, retailers etc) and use that with the john.smith+tesco@example.com syntax someone mentioned. If one contact gets too spammy I can set a filter to bin their stuff. If things were to get really bad I could drop that entire account completely with no tears.
"Just buy a domain and set *@aardvark-fun.co.uk to forward to your 'real' account"
I started advising my clients not to set global forwards after a couple were victims of spam runs spoofing $RANDOM @ their.domain.
One poor guy got over 400,000 bounces overnight. It killed the domain. He ended up selling it off to another company for $20 when it was worth at least 100 times that to the company in question.
Been doing this for 15 years or so. *@mydomain goes to my main mailbox and I just register on each site with an address specific to that site. Makes it a doddle to spot where the spam has come from, and block the spam address, change the registered address to another one.
Better still as I run my own mail server and can have it reject an address at source so it's seen as dead, though for non techies it doesn't matter. Most ISPs and mail apps have some form of blocking so at least they'll never receive the spam. Dead easy to do.
On top of that I can also report the spam occurrence to the site in question and tell them to sort out their servers! ;)
I run my own mail server and have simple filters to sort out the dross from the real stuff. I register for a site using a potential throwaway e-mail address. It gets routed to my main e-mail address in the mail server.
If (when) I find spam etc coming through, I kill that e-mail address by simply blocking it on the mail server. takes about two mins to do end to end, additional e-mail addresses take seconds.
Nothing anal about it, I have a dedicated e-mail for my ISP, Zen, and so far in 14 years they have never abused it. On the other hand, No2ID managed to lose my e-mail address to them and I got spam from it, which I reported to them, but they ignored it. Thats the attitude of most companies. I don't think most companies deliberately span, they just get careless and lose it along their supply chain. No skin of my nose, I block it and move on.
I reckon I must have high hundreds of personalised e-mail addresses out there. Indeed El Reg has one :)
Plusnet store your Login details in plaintext, and will email your password out to you happily.
If you question this they will tell you that the password database has no connection to the internet so is perfectly safe - nothing can possibly go wrong. How they send your password out to you if this is true is a mystery....
As a PlusNet customer I was initially worried about these emails.
The email account I have with Plusnet has received no emails apart from the once a month notification of my bill.
However this may be due to the part of that email address (the bit before the @) bears no resemblance to my name. So many ISP default you to something like Jones1234@ispname.com
Also, very few places on the internet have my real name as an account email. As I run my own email server whenever I add an account for some online store, I create a dedicated account for that store.
For example jonesjohnlewis.mydomain.co.uk and jonestesco@mydomain.co.uk. One or two stores detect the use of their name in the email address and refuse to let me register the account but these are very much in the minority.
If any account starts getting lots of spam, I simply delete the email account and stop doing business with them. On the whole, very few get deleted over the course of a year.
I'm getting lots, all with my plusnet mail address in the subject and this in the footer.
To stop all future communications from this sender, please go here
You may also write to us at
237 S Delsea Drive #302
Vineland, NJ 08360
In the Yorkshire isp's defense I also get spam on the unique address I have given to John Lewis, Chemist Direct and.... SpaceX!!
OK, so they have found no evidence of a breach of their systems.
That still allows for a more obvious and simple cause : a Plusnet employee with access to the data has taken a copy and sold it on. What news on the investigation into that possibility?
Quote: "That still allows for a more obvious and simple cause : a Plusnet employee with access to the data has taken a copy and sold it on. What news on the investigation into that possibility?"
Indeed. A few years ago I started getting emails from a company specialising in international roaming SIM cards. A week or two later it came to light that the company spamming me was an ex-employee of the company I had an account with for my international roaming SIM. He'd stolen the entire customer database and sold it to a competitor!
This post has been deleted by its author
I also use unique identifiers for every site or company i give my details to. No details of which are stored on my servers. It just blindly accepts everything.
The following companies have also had data breaches (some that they deny).
Last FM
Adobe
The IET (formerly the IEE, Institute of Electrical Engineers)
WEX photographic
Linked In
drop Box
EDA board
Seriously doubt that my server has been compromised as only a select few addresses above have ever been used for spam, and the ones that are seem to come in all at the same time indicating that each breach is separate and unique. If my server was compromised then i would expect spam to hundreds of valid addresses.
This post has been deleted by its author
Has everybody here forgotten the 'stealth' BT trials of Phorm and the way in which they even went as far as concealing the truth from their own customers? Even their own support people seemed to be in the dark.
How on earth can BT or any BT-owned ISP be trusted now?
PlusNet used to be great for support - you could easily speak to real people who knew what they were talking about and knew what to do about it, and when you needed support, you'd get it quickly and in an unpatronising manner. But my latest support call is a classic - I logged a call about poor upload speed, which for what I use my ADSL connection for is important, very poor latency, up to 250ms at times and dropped packets - over 10% on occasion. I got a response containing boiler plate links and saying my download speed was within acceptable levels. I replied patiently, saying that my download speed was not the issue, and repeating the issue. Eventually I got a response saying that it's not a problem they can do anything about and they;re not prepared to raise a call against BT wholesale (the problem is almost certainly our local exchange. 4 neighbours, on different ISPs all have the same problem) I will definitely be leaving PN after 12 years with them, at the earliest I can. They seem to have forgotten that it takes more than telly marketing to run an effective ISP.
You could do a breach of contract claim in the small claims court, on behalf of yourself and your neighbours, on grounds that provision of the service has not been carried out with reasonable care and skill. Sounds pretty slam dunk to me. http://www.legislation.gov.uk/ukpga/1982/29/section/13 Unless you go for fibre, there's no guarantee any other provider will take the problem seriously.
> You could do a breach of contract claim in the small claims court
Interesting, and worth researching. As it happens, a neighbour moved to Zen, and they are taking the issue seriously. They asked for pings to be enabled on a few of our routers and claim to be building a case to take to BT wholesale.
No fibre in our area, and no plans either. That whole "market" thing that's supposed to sort all the arrogance of a residual monopoly just doesn't seem to be working.
"You could do a breach of contract claim"
Could and should. My experience is that problems are solved and claims settled as soon as the paperwork lands on the appropriate desk at the ISP.
"Unless you go for fibre, there's no guarantee any other provider will take the problem seriously."
Virtually all the small ISPs will chase this kind of thing and don't have locked in boilerplate procedures.
It's widely believed that most of the larger ISPs have contracted lower rates from Openreach in exchange for "lower priority" LLU service. If true, that wouldn't surprise me (and under NDA, the same way that govt departments were hiding their 0870 revenue raising joint-ventures)
ok so lets just get rid of one urban mith that just cause you have a 'unique' email address for a particular business it's the businesses fault if you get some spam and there must have been a breach.
If you accept wildcard (*@mydomain.com) then it's very likely over time you will get some spam - most reasonable isp's don't even allow wildcards as they generate so much spam and use so many resources. All an 'attacker' has to do is send try a lsit of words plus your domain at some point it's highly likely the word 'plusnet' will get added to that list along with tesco, asda etc. I'm suprised anyone uses wildcards.
If you accept obvious words @yourdomain.com then again a simply dictionary attack will mean that eventually you are likely to get something to plusnet, teco, asda etc, the better way would be to use something like tesco.myname@yourdomain.com or even perhaps better (as that is a fairly simple thing to try) tesco.ddmmyyyy@yourdomain.com.
If your mail provider doesn't have some form of counter measures to prevent dictionary attacks then you are likely to eventually get junk. My mail servers gets these sort of attacks all day every day, usally from mulitple ips at the same time trying the same list, clearly a botnet and they get banned at the firewall within a few tries.
It could be that a mail provider or isp has been breached and not plusnet, thus the leak could be at your mail provider or isp. That would take some coordination from the various people who think their address has been leaked to see if there is any common link between them and it may not be obvious without looking at the complete set of servers the email has traversed in it's journey.
Finally mail is sent over plain text so there is presumably nothing to stop someone sniffing network traffic and grabbing email addresses. I'm no expert on that one but I'm sure it's possible.
Simply assuming it's plusnet fault is a little naive. It may well be the truth but there is no proof as yet.
Wrong. Anything sent to my domain (as with many others who have this issue) is received. If there was a dictionary attack, I would get every 'aaa@', 'aab@' etc in my inbox.
We are not getting that. We are getting our specific PN email addresses, only.
It's not a dictionary attack on possible addresses - it's our specific addresses that are being used.
Mine has only ever been given to PN and is not even stored on my own PC, it just gets collected in a catch-all account with everything else @mydomain.
It can only have come from PN, in some way.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
