|
|
There will be a time when questioning PN and the failure can be done but for now people need advice on how to help themselves. Hotbalck suggested the following: In reply to:
A simple first step that I've just recommended to a friend is to setup a free gmail account. Then have all mail from their PlusNet address forwarded to this and advise contacts to use their new address. After a number of months they can then switch of forwarding and forget about their old address.
I'll add that gMail is now free and you don't need an invitation to open an account: gMail Link. You can also use Hotmail or Yahoo mail if you prefer. gMail and Hotmail allow you to also use the accounts to download from your normal pop3 server like PN's although setting up forwarding is just as easy.
To find out how to set-up forwarding from PN or to do anything else with it see this link. You can also set-up different email addresses and set-up spam filtering etc. on the portal. Do what is necessary and meets your need.
I would also urge you to change your password on the portal but only after you have done an online virus test ( Trendmicro Housecall) or run a virus scan on your machine first. To do so follow this : In reply to:
Purely as a precaution we advise customers to change their account password by visiting our website https://portal.plus.net/my.html?action=change_password&s=0 Please note if you change your account password this will need to be updated in your router or modem as well as your browser and email software.
This is because: In reply to:
Your default mailbox password is the same as your account password. Any additional mailboxes that you have setup may be setup with different passwords depending on what you suggest.
If someone has managed to gain access to your username or password they would be able to login as you and thereby also see your home address and telephone number. This is a precautionary measure as PN do not currently believe that this information has been compromised.
I would urge anyone that can contribute to this thread with more help to do so ASAP.
Edited by rsharma (Tue 15-May-07 18:48:09)
|
|
|
In reply to:
Purely as a precaution we advise customers to change their account password
I would also suggest that the passwords for all email accounts are changed as well.
|
|
|
I'd just add that Google has a basic guide to switching here which can be used in conjunction with details on how to setup redirection from PlusNet's support pages.
Please be aware that this will not stop spam. You will still receive the same messages at your new email address (as they are all redirected). What it will do is enable you to move to using a new email address that is not 'known' by spammers as many PlusNet addresses now are. In this way once you've transferred fully to using the new address you can stop the redirection and reduce the spam you receive.
If going to the trouble of setting up a new email account, why not setup two! One for personal email and one to use for signing up to newsletters, forums or those silly emails from friends that are sent to 2000 people with a picture of a cat smiling etc. Nothing will ever stop spam completely but there are steps that can be taken to reduce it's impact. Hopefully others can provide tips in this thread.
|
|
Register (or login) on our website and you will not see this ad.
|
|
|
In reply to:
one to use for signing up to newsletters, forums or those silly emails from friends
I regulary make use of a disposable email address for sites that insist on giving them an email address for verification or site that I am unsure of. Here is the link: http://www.pookmail.com/
You enter your email on a website as [email protected] and then you can go to the above link and enter that 'anything' username to check your emails. They will be automatically deleted after 24 hours. Do not use it where privacy is required etc. as anyone can read the email since it doesn't need a password or setting up an account. More information on the site.
|
|
|
I would also recommend something like spamfighter for those using Outlook, Outlook Express or Windows Mail (OE in Vista). It works by checking with a master database and moving mail into a seperate spam folder. It is possible to black and whitelist mail. Mail is only declared spam if similar is reported by a number of peole and my false positive rate is low. In my case all the spam I have received through my F9 account has been correctly labelled as spam where relevant. BTW it is free for personal use as well.
Vince
15 year olds racing cars - Sponsors needed for 2007 and 2008 - MVRacing.co.uk
|
|
|
|
I don't know about Gmail but in hotmail I use the Custom Filters,
add a filter like "pills" and if it's in the subject i redirect it straight into the junk folder.
At first takes a while, keeping adding new words, but had my hotmail account 10 years and hardly get any junk.
|
|
|
The recommendation to change the password only applies if the user logged in to the webmail server during the "incident" on 9th May. At the time of writing, we haven't been told what time period on 9th May.
See this link for confirmation of this from PlusNet
|
|
|
I also know about Magic Mail Monitor and K9 Spam filter (both free also).
|
|
|
The Service Status say's In reply to:
We became aware of an attack on Wednesday 9th May 2007 and immediately took our Webmail service offline to secure the platform.
It doesn't actually say for how long this vulnerability existed, so it would be prudent to change your password regardless.
|
|
|
I think it's also time the Plusnet changed the accepted passwords that can be used, 5-8 characters - lowercase - starting with a number - it doesn't allow for very strong passwords.
Downstream 4,030.7 Kbps ( = 3.9 Mbps )
Upstream 374.0 Kbps ( = 0.4 Mbps )
(Speedtests performed on a good day with a trailing wind and in the days when decent speeds were possible.)
|
|
|
I would suggest people do this because they might not be aware that they had a trojan on their system, they might have been snooped on without their knowledge and because PN can't confirm for certain that the usernames and passwords haven't been compromised. It will come down to individual preferences, I only stated what I would do under the same circumstances.
|
|
|
I think that suggestion (although good and discussed last time) will have to wait for another thread...
|
|
|
Somebody on the PN forum says that MMM is ineffective against this spam attack for some reason. See here for their post.
I've used MailWasher Pro successfully to filter it
|
|
|
In reply to:
I think it's also time the Plusnet changed the accepted passwords that can be used, 5-8 characters - lowercase - starting with a number - it doesn't allow for very strong passwords.
This is something PUG amongst others have been requesting for quite some time. The suggestion is listed in PUGIT as PUGIT ID29. If current customers haven't voted for this and would like it then they can do so to help show PN how much we want to be able to create stronger passwords.
Vince
15 year olds racing cars - Sponsors needed for 2007 and 2008 - MVRacing.co.uk
|
|
|
In reply to:
I would suggest people do this because they might not be aware that they had a trojan on their system, they might have been snooped on without their knowledge and because PN can't confirm for certain that the usernames and passwords haven't been compromised.
They should make sure they've run a full-sweep of a freshly downloaded/installed virus/anti-spyware solution before they do though - otherwise the trojan will just get their new details as well!
|
|
|
I was going to say that too but completely forgot.
|
|
|
Some of this posted previously:
For combating spam there's a few things I can suggest. If the spam is going to a specific address that you don't use then you can use the Manage My Mail tool on the portal to create a redirect for that address and send it to the blackhole address [email protected]
If the spam is being sent to multiple addresses that aren't in use then you can turn off the catch all address via the portal tool.
If you don't have the spam protection switched on then you can again do this via the portal (on most accounts) and it will scan the mails for spam and mark the subject. Of the spams I'm receiving from this the spam protection is catching almost all of them. You can then use messages rules within you mail client to move emails with [-SPAM-] in the subject to the bin.
If you only use the postmaster@... address for communications from us then you could set up a rule in the mail client to only receive mail from our email addresses and bin everything else.
You can use software like Mailwasher to filter the mails. Some mail clients also will do spam scanning.
The following are worth a read:
http://usertools.plus.net/tutorials/?id=4
http://usertools.plus.net/tutorials/id/28
|
|
|
Gmail has pretty good virus and spam filtering built in  You can also mark messages as spam or not spam to help the system learn and setup whatever filters you want.
|
|
|
In reply to:
gMail and Hotmail allow you to also use the accounts to download from your normal pop3 server
I think Hotmail charge for this, however Gmail and Yahoo do not. Yahoo needs you to opt-in to receive a mail from them every so often.
|
|
|
>I think Hotmail charge for this
They didn't used to but I haven't check recently.
|
|
|
|
It's totally free for gmail and you have obscene amounts of storage (mail is 'archived' by default, even if retrieved using POP3). Servers can also be accessed using SSL to increase security. The one downside is there is not full IMAP access although it's a much requested feature. There are some funky hacks to get IMAP-like behaviour thanks to the archive feature and filtering though.
|
|
|
I dont know which trojan some are said to have got, but it would be wise to resolve that if present before changing or even accessing email to avoid a trojan that has a keylogger attached picking up the old or new password field.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
|
|
|
|
I use Cloudmark .. seems to work as well
|
|
|
If you've got XP and want an extra layer of security for free, give this a whirl:
download: http://www.nsclean.com/
support forum: http://forums.comodo.com/
I've been using the paid version before it went free.. and it's really good.
Disclaimer: use at own risk... blah blah... etc. etc.
You use it in addition to your current anti-virus product and it don't have much of a performance hit on most machine.
It's very very good at trojans:
http://nsclean.com/trolist.html
And it's saved me quite a few times when most av's missed it, for example:
http://sanesecurity.blogspot.com/2007/05/boclean-saves-day.html
Anyway, I know I'm not a PlusNet user (but I was for a looong time)... so I'll clear off now
Cheers,
Steve
Powered by ZeN
|
|
|
I can vouch for the fact it is a fine program .. used the paid version as well. Also use Adaware which is also free and Spybot.
|
|
|
|
Post deleted by OIMO
|
|
|
Lets try to keep at least one helpful to the people who've been impacted by this
PlusNet don't deserve any excuses, but customers deserve a bit of help.
|
|
|
More info from Dave Tomlinson on the PN forum: full post
In reply to:
From the logs we can see who logged in to webmail and to which server. From that we made a list of those who logged into the affected server during the time and those were emailed.
Many of these customers we emailed wouldn't be affected because they were protected from the trojan by either being up to date with Windows updates, having AV software that picked it up or not using an OS that would be affected.
If you didn't get an email then you wouldn't have logged into the affected server. You may still be receiving the spam because your email address was in the database but your PC itself wouldn't have been affected.
Sounds like you only need to change the password if you get the 'trojan' email. That's if you can distinguish the trojan email from the spam
Edit to Add : Not sure about whether their email was sent to those using webmail back to the earliest reported trojan spotting though or just on the 9tth. 4th-5th May I think is earliest one that I've seen. Maybe better safe than sorry if you've used webmail this month!
Edited by TheFlyingGribble (Tue 15-May-07 22:36:13)
|
|
|
I think it would be helpful if PN can give a step by step guide on how to create and change to a new email address. On how they can import the valid email from the previous inbox and with links to the customer portal where the features are available.
They need to go further too in that there seem to be a lot of people claiming that spam is being identified or that their filter has without intervention turned off. Why is the spam not being caught by existing filters?
|
|
|
In reply to:
Why is the spam not being caught by existing filters?
Can't say that's my experience. I had 11 this morning to the various mailboxes and all of them had been tagged as [SPAM] by the PN filter and then tidied up by Mailwasher.
|
|
|
|
I don't understand the logic of changing the main User Account password!!
So far as I'm concerned, the ONLY mail that has been spammed is the additional mailboxes that have a separate password!!
UNLESS, that is, PN are saying that the actual individual Accounts have been compromised!
|
|
|
If someone has gone in to username, not username+mailbox using webmail on the compromised server they should change their password. If they had used the compromised server at the relevant time they will have had the email from Plusnet.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
In reply to:
From the logs we can see who logged in to webmail and to which server. From that we made a list of those who logged into the affected server during the time and those were emailed.
Either the email hasn't gone out yet - or they've cocked this up as well. I definitely logged into a compromised server and haven't been sent an email
I've contacted them to see what they say ...
In reply to:
Sounds like you only need to change the password if you get the 'trojan' email. That's if you can distinguish the trojan email from the spam
Just to be clear the trojan that's being talked about wasn't delivered in an email - the hacker modified the HTML of the webmail interface so that your browser would try to download a trojan file as part of the page ...
|
|
|
|
I changed my account password yesterday - but this hasn't propogated to webmail - I still have to use my old password to get into webmail - grrrrr
|
|
|
Can you remember what day you hit the compromised server, was it the 9th or before then?
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
|
9th - I have the saved source ...
|
|
|
|
While you may have logged into webmail on the 9th, you may not have logged into the infected server (1 of 6 I believe).
PN will have checked the logs for the affected server and emailed all those that actually logged into it. If you want it to be checked I suggest you raise a ticket and ask (if you have not already done so).
|
|
|
If he saw the hacked webpage he must have hit the compromised server!
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
In reply to:
While you may have logged into webmail on the 9th, you may not have logged into the infected server (1 of 6 I believe).
I did - I have a saved copy of the modified HTML if you don't believe me
In reply to:
PN will have checked the logs for the affected server and emailed all those that actually logged into it. If you want it to be checked I suggest you raise a ticket and ask (if you have not already done so).
I have raised it to PlusNet as well as posting here - just making people aware that not everyone affected may know just yet ...
|
|
|
Perhaps more than one server was hacked and Plusnet are not aware?
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
|
really wouldnt suprise me - if the compromise was indeed through @mail and web based attack, the load balencer may have thrown the attacker on a number of the different backend hosts.
|
|
|
In reply to:
Just to be clear the trojan that's being talked about wasn't delivered in an email - the hacker modified the HTML of the webmail interface so that your browser would try to download a trojan file as part of the page
Thanks for the clarification. When I said 'trojan' email, I meant the one from PN telling you that you may have been exposed to the trojan!
|
|
|
Ah - ok
|
|
|
In reply to:
Perhaps more than one server was hacked and Plusnet are not aware?
Do you not think such statements are inflammatory and unnecessary. Plusnet have already stated that the matter has been dealt with. Even I give them credit for being professional and ensuring other systems have not been breached.
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
|
|
|
|
Until we understand why not everyone who accessed a compromised server then I think it's a fair question to ask. PlusNet have stated that they've emailed everyone they believe is affected - however they clearly haven't ....
Ball's in PlusNet's court to explain the conflict ...
|
|
|
Isn't an investigation still ongoing???. Isn't it possible more information may come to light?. If the answer to either question is yes the stratergy would surely change in line with the circumstances.
As I understand it, PN are working on evidence which currently suggests the breach was via web mail. If more evidence comes to light suggesting a possible alternative scenario, I fully expect PN to amend their notification stratergy. But either way give them a chance and stop badgering them for answers!.
PS Unfounded speculation doesn't help anyone.
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
Edited by wingco1 (Wed 16-May-07 10:29:10)
|
|
|
|
"If they had used the compromised server at the relevant time they will have had the email from Plusnet. "
What truly simple blind faith in the company who let all the information out. I bet they can't even get this right.
|
|
|
In reply to:
I changed my account password yesterday - but this hasn't propogated to webmail - I still have to use my old password to get into webmail
Seems PlusNet are on top of this one
|
|
|
|
It's an added precautionary measure.
As others have said it is particularly recommended if you may have been hit by the trojan. But passwords should only be changed once you have ensured your system is clean (i.e. run virus checks and software updates).
We're trying to provide practical advice here, not analyse what may or may not have happened, what exactly has been compromised, etc.
|
|
|
When Plusnet have said everyone who could have picked up the trojan has been emailed and that is not the case I think he is right to badger. Investigating his case could unearth some highly relevant information.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
Quite right - it appears from elsewhere in this topic that some have not been emailed.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
So by implication you don't believe PN are telling the whole truth?.What possible reason would they have not to do so?.
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
|
|
|
Definitely. But can it be discussed in a different thread  I know it's probably too late but it would be nice to try to keep this one more focussed on useful and practical advice on what affected users can do.
to be honest the subject of who has and has not been advised is almost important enough to merit it's own discussion.
|
|
|
|
Maybe the e-mails have been classed as spam, so check any junk folders.
(wouldn't that be ironic!)
|
|
|
I believe they are telling the truth as they understand it now.
The possibility is that there is more to be uncovered and investigating that I think should be a higher priority than working out how to deal with the extra spam.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
Good point - I agree it merits a new thread.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
As stated here; http://bbs.adslguide.org.uk/showthreaded.php?Cat=&Board=plusnet&Number=3002706
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
|
|
|
|
Just to make something clear.
There is a further batch of this email going out right now to potentially affected customers.
In addition, we absolutely will be emailing the customer base with regards to the Webmail Issue.
|
|
|
In reply to:
There is a further batch of this email going out right now to potentially affected customers.
My bold. It's all a bit wooly Liam. Firstly we are told all affected customers have been emailed. Now we're told more emails to potentally affected customers. This implies that PN doesn't really have a clue who has, and has not been affected.
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
|
|
|
|
PN won't know who's systems may have the trojan.
It will depend on the users anti-virus etc.
|
|
|
In reply to:
We're trying to provide practical advice here, not analyse what may or may not have happened, what exactly has been compromised, etc.
Your intentions are clear & are very much appreciated! I certainly was not intending to imply otherwise!
However, without understand some of the "Who-Why-What-Where-When", there is a danger of taking various unrelated actions & then missing the important ones!
|
|
|
|
No PN e-mails here. Only spam, naught to plenty in the past few days.
|
|
|
Such is the level of poor communications
An email to the whole customer base pointing out the circumstances and suggested remedies would have prevented misunderstandings.
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
|
|
|
In reply to:
it appears from elsewhere in this topic that some have not been emailed
Very true!!
Certainly, some mailboxes of mine have been compromised & my daughter's account (under a totally different account) has also been compromised - NEITHER of us have received the alledged email!
|
|
|
|
>An email to the whole customer base pointing out the circumstances and suggested remedies would have prevented misunderstandings.
Yes but that would mean every customer knowing about this screw up, and PN (and nearly every other company) would be looking to avoid this if poss.
|
|
|
The screw up has happened. It's how PN respond that matters in customers eyes. As can be seen a lot of customers are annoyed that they haven't received the email PN say went to ALL affected customers.
Details of the screw up are on The Reg. Customers are informing other customers that it was PN's screw up that caused a massive increase in spam. I wouldn't think many are unaware of the situation.
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
|
|
|
In reply to:
PN won't know who's systems may have the trojan.
It will depend on the users anti-virus etc.
Sorry really don't understand this!!!
Both myself & my daughter have had our mail-boxes compromised & our systems are behind double Fire-Walls, Anti-Virus, etc etc.
tbh, I'm starting to get very concerned!! This is stating to give me the feeling that there is an attempt to blame all of the recipients of these spam messages!
|
|
|
In reply to:
An email to the whole customer base pointing out the circumstances and suggested remedies would have prevented misunderstandings.
...and that is going to happen (in addition to this).
Edited by deleted (Wed 16-May-07 11:42:03)
|
|
|
I think this thread is way off on a tangent. If you have time perhaps it might be a good idea to collate all the relevant information for the various posts and put then into a new thread. I can try and do that too but not just now I'm afraid.
|
|
|
|
>wouldn't think many are unaware of the situation.
I disagee, how many customers read forums, the reg etc. Maybe some have got it from word of mouth.
But if you aren't getting the junk mail, you aren't going to know to look anywhere for info.
Many people just use an ISP to send e-mail and a bit of surfing and will never know.
|
|
|
In which case the email to the whole customer base is the way to go. Liam has already confirmed this will be done. The only remaining question is when. I'm sure some customers are wondering where all this spam is coming from.
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
|
|
|
|
Then you should be getting a mail.
PN should know that your mail box was compromised, but won't know if you have a trojan on your system.
|
|
|
There are two very distinct issues that occurred starting around 5 May.
The first was a compromised webmail server that had its code changed (one out of eight PN claim). This would try to download and install a trojan to the customer's PC when he/she logged in using only that particular server for normal webmail. If your machines had all the updates for windows and/or an anti-virus you are probably safe. It would be a good idea to run a new antivirus scan and update of Windows to be sure. If the trojan was successful in installing itself it could have compromised your username and password being used not only for accessing your email but any other logins that you might have performed elsewhere on the internet. Even if the trojan wasn't installed, there is a possibility that the hackers were snooping and thereby got access to your username and password but only if you use the webmail feature. Changing the password is therefore a good idea. If you don't use webmail to access your email (or you didn't do this between 5-11 May) the problem shouldn't affect you at all. An email is being sent to those PN have identified using the service. It goes without saying that those that didn't will not be getting this email.
Secondly, and in addition to that, when the hackers managed to compromise PN's servers to change the code to download the trojan, they also managed to steal email addresses from their database. This includes those that have used the webmail feature, the people in your address book and people you have sent an email to using webmail. Those emails addresses have been compromised and there is nothing you can do to salvage the issue. A separate email will be sent to everyone about this.
Edited by rsharma (Wed 16-May-07 12:31:17)
|
|
|
|
I agree and I do think PN has made the correct decision.
Other companies have tried to hide the fact with issues like this.
|
|
|
A good clear post. The only thing that is missing is that PN have or are in the process of emailing everyone that could be affected by the first problem. They have not started emailing people affected by only the second.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
If you didn't visit the webmail website on the dates when it was compromised you are not at risk of having the trojan. That is what the email is about.
PN have not (yet) emailed people whose email addresses have been harvested - so it sounds like you shouldn't be expecting an email yet.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
I believe that he means by compromised that his email address has been harvested - not that he used webmail while the webmail server was compromised.
If that is the case he will not be getting an email yet.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
Thanks. I have updated my post now to include your suggestion.
|
|
|
|
It's getting hard to keep up !
As I understand it now, anyone who as logged into the webmail on the server that is affected will be getting an email ASAP (about poss having a trojan).
Those who have had their email address taken (but not logged in), so may be getting junk mail will be getting a email later.
Is that correct?
|
|
|
yes, that's the way I read it.
Paul
Plus Net - maxDSL - premier....or whatever its called now
Draytek Vigor 280VG running 2.7_E38 firmware
|
|
|
That's my understanding.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
|
Hopefully that will make it clearer for anyone expecting a e-mail.
|
|
|
Very true
|
|
|
Nice concise post, although I wish people would not call them hackers  It's a common and unfortunate perversion of the word. The same way pirates are not people who breach copyright, but people who board ships
|
|
|
Unfortunately there does seem to be a lot of confusion floating around.
The way I read it so far is:
If you don't get an email from the first batch then you never used to webmail service during the timeframe the hack occurred unlikely to be affected by the trojan.
The second batch of emails is along the lines of you didn't use webmail during the timeframe but have had you email address harvested hence the spam
And finally an email to everyone saying sorry, hopefully with this is what went wrong, this is what damage it has done and this is how we are going to manage the risk in the future.
Paul
Plus Net - maxDSL - premier....or whatever its called now
Draytek Vigor 280VG running 2.7_E38 firmware
|
|
|
|
Can I please please suggest that there is no spin and no 'we take your security seriously' mantras in this. There is enough misunderstanding and confusion around the issues here without marketing speak being added. Customers need a clear and open explanation of what has happened and what steps they can take to protect themselves. Nothing more, nothing less. Some of what has been sent out so far has only added to confusion.
I think this can be done without PlusNet looking stupid, admitting liability or even admitting their security problems, so what have the company got to lose.
|
|
|
In reply to:
If you don't get an email from the first batch then you never used to webmail service during the timeframe the hack occurred unlikely to be affected by the trojan.
Unfortunately not. Not everyone who used webmail while it was compromised were in the first batch. From reading other posts it appears there will be another set of emails going out to those people (We'll call it "1a").
I agree with your summary of the other emails.
|
|
|
The copy of the email was posted by me yesterday. Not a good email IMO. Secondly, they seem to be sticking to the notion that it was only a few customers that were potentially affected on 9 May when it is clear the problem was in place even as early as 5 May and maybe as late as 11 May.
|
|
|
In reply to:
Not everyone who used webmail while it was compromised were in the first batch. From reading other posts it appears there will be another set of emails going out to those people (We'll call it "1a").
I've just received an email - let's hope this has reached all affected customers now. It's good to see PlusNet acting quickly to make the most of a bad situation ....
|
|
|
In reply to:
If you didn't visit the webmail website on the dates when it was compromised
tbh I don't recall seeing any info on the alledged times/date, therefore I wouldn't know!!
Additionaly, assuming I'm NOT one of those who visited at that time, why are my mail-boxes (& those of my daughter's, who has never used Web-Mail) being sent this sudden in-rush of spam??
Edited by deleted (Wed 16-May-07 13:18:43)
|
|
|
In reply to:
If you don't use webmail to access your email (or you didn't do this between 5-11 May) the problem shouldn't affect you at all.
I can confirm that I was out of the country, for the whole period, & didn't attempt to use the Web-Mail once!
Additionally, my daughter has NEVER used the Web-Mail.
All of which would suggest that neither my daughter's, nor my own, accounts would be affected!
Simple question, therefore, just why are my mailboxes (& my dauter's email account) receiving floods of the extra spam??
|
|
|
|
You've misunderstood. A nasty 3rd party compromised the PlusNet webmail server and did 2 things:
1. Edited the HTML to try to get people to download a trojan virus
2. Stole a list of email addresses
If you've ever used webmail - or been sent an email by someone through webmail then you will be affected by item (2) and will likely be seeing increased amounts of spam.
If you used webmail while it was compromised then you may be affected by item 1. You should run a full anti-virus/anti-spyware sweep and ensure you're up to date with Windows patches etc.
From your post I think you're solely affected by issue 2.
|
|
|
As per my previous post, if you didn't log in to webmail during those dates you shouldn't be affected by the trojan issue.
However, the people that circumvented PN's security or wide open hole managed to harvest the email addresses. That you have used the webmail feature anytime in the past is enough (even if only once). If your daughter has never logged on to webmail but you sent her an email from your webmail that too has been stolen and now in public domain.
Does that help?
If you are positive that your daughter has never logged into webmail and that you haven't sent her an email from your account it might be an idea to send the name of the account to the staff, but it is pretty much guaranteed that is what happened.
|
|
|
Because using a code insertion exploit, the contents of some webmail database tables were obtained by the spammers.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
Can you confirm that you have in the last few years:
a) never used webmail
b) never received an email sent by another Plusnet user using webmail
If either of those have happened your email address will have been in webmail and it has been harvested.
I have started receiving spam to email addresses which were used in webmail around 18 months ago, and the mailboxes deleted around 15 months ago. The email addresses have not been used in any shape or form since then. They were created to do some very specific testing of some forums I was working on.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
I note your points, but the statement was made concerning useage between 5th & 11th May - NOT within the last few years!!
However, just in case it is not apparent, I do wish to thank you for your (as well as rsharma's) very obvious efforts in trying to help myself (& lots of others)!!
|
|
|
In a separate post I have thanked jelv & rsharma for their help, may I also add my thanks to yourself??
|
|
|
In reply to:
I've just received an email - let's hope this has reached all affected customers now. It's good to see PlusNet acting quickly to make the most of a bad situation ....
Glad to hear that and it is good to see plusnet have attempted to take the bull by the horns so to speak
Paul
Plus Net - maxDSL - premier....or whatever its called now
Draytek Vigor 280VG running 2.7_E38 firmware
|
|
|
No need for thanks, although it is appreciated. If there are other questions you might have please feel free to ask.
|
|
|
5th & 11th May relates solely to the risks of you having been hit by the trojan which is a much, much smaller group of users than those whose emails have been harvested.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
I have a request to make for some advice from those that know the PN system and use it.
Can you please provide a step-by-step guide on how to use the aliases, catch-all and blackhole features please? Is it possible to describe how to setup filters and the inclusion of the links too?
I think PN needed to do this a few days ago and the answers are spread over 3-4 forums and very hard to collate. I would do it but I don't have access to the portal, nor a true understanding of the PN email settings as I never used them when I was a customer. I would really appreciate the input from people.
I have only found reference to these:
http://www.plus.net/support/email/mailboxes/mailboxes.shtml?supportb=email_t5mailboxes
http://www.plus.net/support/security/spam/spam_protection_guide.shtml?supportb=email_t5spamprotection
Edited by rsharma (Wed 16-May-07 15:13:56)
|
|
|
|
nothing new there then. plusnet have had security problems that have plagued them in the past - you would have think they would have learned by now.
I remember a very discussion in this (and metronet) forums about webserver security. this could *easily* have been prevented.
|
|
|
I'm not certain if I can give you a "good" reply, but rather an understanding of what I have done!
As you are aware, with PN, you have a default mailbox (to which EVERYTHING goes to, UNLESS you have instructed otherwise)!
You can then set up additional mailboxes (via the portal) of the form [email protected]. These would be used by additional users, each using (if necessary) their own Email Clients.
You can also set up re-directs (but NOT from the additional mailboxes) of other email addresses (again of the form [email protected]) - this can also be done for "default" names such as [email protected].
Providing every email address that you use (or orhers use) is covered by the additional mailboxes or by re-directs, then the original default mailbox becomes redundant.
Once you have established that your default mailbox is NOT/NEVER used (it is always worth checking & double-checking first), then you can request PN to "blackhole" (basically auto-delete) anything that goes into this mailbox (NB none of these are recoverable). It is this action that reduces the risk of receiving "bounces" from non-deliverable spam messages where the spammer has used your domain.
With respect to aliases, I'm assuming this is where you have your own domain registered & are using the PN mail-servers. These are handled in the same way as the normal PN accounts. In other words, fred @mydomain.co.uk is handled the SAME way as [email protected].
Apologies if my explanation is not particularly clear, but I hope it helps!!
|
|
|
im not even sure if its such a good idea right now - i suspect webmail is still in an unknown state - change your password now you run the risk of it being grabbed.
the whole platform should be rebuilt from scratch.
Edited by deleted (Wed 16-May-07 15:55:02)
|
|
|
|
A sticky may even be a good idea for a FAQ on the forum
|
|
|
Thanks for taking the time to write it out. Seems like some very complex options there but hopefully that explains it all.
|
|
|
Shouldn't be a problem - webmail has been taken off-line.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
|
|
|
|
"This implies that PN doesn't really have a clue"
Like that as a sentence better with this fiasco.
|
|
|
|
Betcha there is no blanket email to people who have not had an increase in spam.
|
|
|
|
And that would be wrong because?
|
|
|
|
wasn't it a sort of unfounded speculation that brought this to light. Did they find this for themselves and issue a statement when it was found? With PN's track record II trust them about as far as I can throw them. Their past record is deceipt and spin and cover up, I haven't seen anything to make me believe different yet.
So why should we begin to trust their comments now?
|
|
|
Put a fiver on it?
From a post on the portal forums by neilarmstrong:
In reply to:
An email to all customers will start going very shortly.
jelv
Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup
Edited by jelv (Wed 16-May-07 17:01:39)
|
|
|
Let's keep it on topic chaps. Nothing more annoying for someone trying to glean the information to get sidetracked.
|
|
|
|
"
And that would be wrong because? "
Pipex promised it, but we have seen those before about emails, now what was that promise that Carol Axe made...?
|
|
|
|
Not the time or place for anti pn for the sake of it... stay on topic. by all means open another thread.. all sides have been constructive in helping ... stating the obvious or repeating your mantras aint helping.... a different thread is a more suitable place.
|
|
|
|
And where is the comment saying, please don't say that Pn have chosen the right path? Or is it that I have very serious doubts about how Pn will perform from past history that get you?
|
|
|
Both of you- Cut it out now please. Both h0tblack and I have requested this on numerous occasions. Take your discussion into another thread please.
|
|
|
|
Not at all... the thread is "Things you can do to mitigate the email proble,"
you are free to say what you like, is this the place.. (this thread) - no issue about whether I agree or not... current issue is indefensible in any case...
|
|
|
I forgot to give out some other links. If you don't have a proper anti-virus solution already installed I would recommend you buy one ASAP.
In the meantime here are two that are free:
http://free.grisoft.com/
http://www.avast.com/eng/avast_4_home.html
If you are using the online scanner with Trend make sure you use Internet Explorer as it doesn't seem to like FF.
Also you can use antispyware (all free):
http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://www.safer-networking.org/en/index.html
http://www.lavasoftusa.com/products/ad-aware_se_personal.php
Firewall:
Zone Alarm
Windows Update:
http://windowsupdate.microsoft.com/
|
|
|
|
concise and very helpful post many thanks.
|
|
|
I could say something about a lot of help coming from an ex customer, but I won't
+++++++++++++++++++++++++++++++++++++++
"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
Abraham Lincoln
16th president of US (1809 - 1865)
|
|
|
I have a PlusNet email about the SPAM deluge but according to my diary I was out and about that day and certainly never used the webmail then. I only use when at the office!
I use AdAware Pro, Spybot S&D and I run ZA freeware behind a hardware firewall.
I intend to install and run BOclean as recommended above as an added layer.
And based on what I have read it seems a good precaution to change my primary account login password which if I understand correctly will be the same as my 'original' default mailbox password.
I like others have had far more spam than usual and in at least one mailbox which has never previously had spam BUT I have had spam in to the default box before this event.
PN really should find a more robust filtering system!!!!!
|
|
|
|
This is a problem with the way in which the two related problems (Trojans and Spam) have been communicated by PlusNet.
On the one hand people who accessed webmail during a certain period of time (last week, around the 9th of Ma but possibly as far back as the 5th) may have been redirected and had a Trojan downloaded to their system.
On the other is the issue of harvesting of email addresses from the webmail platform. This has hit far more people and email addresses not actually hosted by PlusNet are involved. This is the source of the spam as the list of email addresses has been past onto spammers.
Both problems seem to be related to flaws in the webmail software which had not been noticed or addressed by PlusNet.
|
|
|
This thread is now being linked by Comms staff over on the official forums
A couple of links from there which look useful:
Security terminology and software - petervaughan/csogilvie
Spam FAQ - stewnorris/csogilvie/acarr
|
|
|
|
Can anyone tell me, is it possible to bounce all this lot back to Plusnet, like one of their email addresses and make them deal with it? Sort of stop using my email and set up something to redirect all the emails to some embarrassing place at PN? We could each pick our own target.
|
|
|
Not unless you basically want to be accused of being a spammer yourself
I can understand your frustrations but any sort of focussed attack unfortunately wouldn't help anyone and is very unethical. Let's not lower ourselves into the area of morals where the spammers and PlusNet dwell.
|
|
|
As posted about briefly here there are two distinct but related problems. Communication of this obviously hasn't been as clear as it could.
|
|
|
I still get a goodly number not marked as spam so use the [email protected] addy as previously (a long time ago) advised.
|
|
|
.... really necessary?
All my scans etc so far have been clear with the exception of what looks like a false positive "Trojan program Trojan-Downloader.Java.Agent.c" detected by Kaspersky AV
|
|
|
There's couple of useful links on the right hand side of this page from the Beeb:
http://news.bbc.co.uk/1/hi/technology/6657677.stm
Also, not sure if it's been included here but if anyone wants username@username.. blackholing then you can do this by raising a ticket.
I would suggest setting up a new mailbox first and point any aliases you want to use (e.g. postmaster) at it and either assign the catch all to it (or switch it off), and just use this mailbox rather than the default address.
For Force9 customers, email addresses have the format of either [email protected] or [email protected] so if only one of these is being spammed you could switch to the other and set a rule within your mail client to delete the mails sent to the other address automatically (or put them in the bin to scan).
Same for Free-Online in that there's [email protected] and [email protected]
|
|
|
|
When was the last time you logged into webmail? If you are one of the people that received the first email we sent then we would say to do so just as a precaution, same with any mailbox passwords.
|
|
|
|
Thanks Dave.
I hope that some of the ideas regarding easier ways for people to change accounts/mailboxes talked about here and on the official forums come to fruition. As well as some of the suggestions concerning communication with customers. There's still far too much confusion about the two issues and how they effect people.
I know that not a lot in terms of details of what and how can be said now due to the seriousness of the investigations, but I hope more practical steps can be given in the short term as well as honest answers longer term.
|
|
|
..either on the 24th April or the 11th May but this would normally be for one of my sub mailboxes.
The email I got from PlusNet was dated the 16th May at 21.44 hours
What is the official advice based on the above info as the criteria? Bearing in mind that BOClean, Spybot & AdAware come up clean and KAV has apparently found a false positive at the point I opened a Google search page when I was searching for a program called "Loadorder" (this is the one developed by Sysinternals).
Oh, it is about time PlusNet allowed stronger passwords as they used to do & currently allow for older ones such as I have in place now for my primary and most of my mailboxes!!!! I found it a real pain when I made a mailbox change earlier this year to find my old password failed.
TIA for further guidance
|
|
|
>over on the official forums
Remember there is no such thing as an 'official' forum.
I collated all the relevant information yesterday and posted it on my blog. It allows all the information to be in one place and to be added to should it be needed without someone having to trawl through hundreds of posts. Hopefully I have covered the most essential bits and it can be found here: http://pn-the-truth.blogspot.com/2007/05/help-against-recent-security-problem.html
I won't have much time on my hands today but will catchup with any progress tonight.
Edited by rsharma (Thu 17-May-07 05:23:45)
|
|
|
Dave, was the trojan present on the system as early as 5 May? If you confirm this to be true have PN sent the first email (trojan issue) to all those that accessed the infected server?
Was the fix for the trojan changes made on the 9th or later? I ask because there was another thread in the portal that was showing similar problems on the 11th.
|
|
|
Hi,
Few more items to add to the software list, in case this helps:
Avira AntiVir (free version doesn't have email scanner):
http://www.free-av.com/antivirus/allinonen.html
SuperAntiSpyware (alternative to AdAware and much better)
http://www.superantispyware.com/superantispywarefreevspro.html
F-Secure BackLight (Rootkit detection: beta: expires October)
http://www.f-secure.com/blacklight/try_blacklight.html
Panda AntiRootkit:
http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx
Comodo BoClean: (anti-trojan/malware, winxp only at the moment, use with AV software)
http://www.nsclean.com/
Cheers,
Steve
http://sanesecurity.blogspot.com/
Powered by ZeN
|
|
|
|
"but any sort of focussed attack unfortunately wouldn't help anyone and is very unethical."
Twould help those feeling that PN deserve all they get for not protecting us. Somewhere this company has to be taught a lesson ans lying back and rolling over does not do that.
|
|
|
|
TBF its a free world, if you want to drop to the standards and ethics you claim for plusnet feel free. To a lot of readers such an attitude and outlook would diminish the respect they may or may not have for your posts!!
|
|
|
Can someone from PN please answer the following questions please (they are highly important)?
In reply to:
Was the trojan present on the system as early as 5 May (or even earlier)? If you confirm this to be true, have PN sent the first email (trojan issue) to all those that accessed the infected server during that period?
Was the fix for the trojan changes made on the 9th or later? I ask because there was another thread in the portal that was showing similar problems on the 11th.
|
|
|
|
I don't personally know the exact date the trojan was first present but can confirm that the first email sent regarding the trojan was sent based on a dataset that included everyone that had logged into webmail from a date prior to the trojan being there.
The dataset would therefore include customers who were logged in before the trojan was there and also those that logged into one of the unaffected webmail servers but will ensure that every customer that could have been affected even if some were under no danger.
When the trojan was identified the whole webmail platform was disabled, this was on the afternoon of the 9th. Only one of the servers was identified as having the trojan and this remainded out of service from that point on. I've not seen the post about the problem on the 11th, do you have a link?
|
|
|
|
I would say that in this case there is nothing to worry about, but if you are in any way concerned then change the passwords on your mailboxes to be absolutely sure.
We are looking at the stronger password issue, it's a lot of work on our backend system to do it so isn't going to be an instant change but it's certainly on the list to do.
|
|
|
In reply to:
I don't personally know the exact date the trojan was first present but can confirm that the first email sent regarding the trojan was sent based on a dataset that included everyone that had logged into webmail from a date prior to the trojan being there.
Does that mean someone at PN does know the date when the trojan appeared? Can you please confirm the inclusive dates used for the dataset that were used to send out the email about the trojan?
In reply to:
I've not seen the post about the problem on the 11th, do you have a link?
http://portal.plus.net/central/forums/viewtopic.php?t=55833
One new question. Did the attackers manage to only steal the database of email addresses or could they have read the contents of the emails too? If it is the latter, have any of those been stolen too?
|
|
|
Liam's just posted this to service status which concerns a mail platform change we are implenting to stop the spam from arriving into customers' mailboxes. The same change on MXlast cut the spam received on that platform by a good margin.
http://usertools.plus.net/status/archive/1179414534.htm
This is an update to the previously reported issue regarding the increased volume of unsolicited email being sent to some customers' mailboxes. A copy of the last update can be seen here:-
http://usertools.plus.net/status/archive/1179398781.htm
In light of the recent Webmail incident, we are bringing forward a number of planned improvements to the way we handle unsolicited email (Spam) on our incoming mail platform.
Last month, we announced changes that we were making to the secondary portion of our incoming mail platform (known as mxlast). This work was announced via Service Status here : http://usertools.plus.net/status/archive/1175800498.htm
Following the success of this implementation on our 'mxlast' servers, we are now making similar changes to our primary incoming mail platform (known as mxcore).This measure will remain in place until new functionality, which we hope to develop by the end of next week, is developed. From that point, customers will have more options to choose how email identified as spam is handled.
What this is means for now is that less email is being accepted onto our platform and email meeting the following criteria is being rejected.
- Email that is detected as spam by our 'ClamSpam' filter (one of the detection solutions we use)
- Originating IP address of the sender is blacklisted on an RBL (list of known spammers). For more information on this method of blocking spam, see here: http://en.wikipedia.org/wiki/DNSBL This particular method of spam blocking has always been implemented on our incoming mail platform.
We are confident that these methods will only block email which is spam. Other email passes through our 'dspam' bayesian filter which will continue to deliver potential spam tagged as [-SPAM-]. For more information on bayesian filters, see here : http://en.wikipedia.org/wiki/Bayesian_spam_filtering
A further email will be sent to all customers explaining this functionality in the next few days.
Kind Regards,
Liam Martin
Customer Support
|
|
|
Thank you for the update but I must state something that seems obvious to me. Although the changes you are making might well be for the better, if I was a customer I would want to know what you are doing to ensure that no future breach of the system was possible. A spam problem is indeed a big issue, but it has been created because of the former. The FAQ on making changes to accounts and emails is of far greater importance at this stage.
|
|
|
I would be grateful for answers on these points.
|
|
|
......primary password? Or have felt the need to do so?
|