Latest update from PlusNet

Just seen this on Service Status:

17/05/2007 @ 11:46 Reports of Spam Email (42837) - UPDATE
This is an update to the previously reported issue regarding the increased volume of unsolicited email being sent to some customers' mailboxes. A copy of the last update can be seen here:-

http://usertools.plus.net/status/archive/1179326830.htm

We have now emailed all PlusNet customers in relation to this incident. The email is continuing to be sent to Force9 and Free-Online customers.

Because the incident is still ongoing and we are continuing to take remedial action, we will not be able to publish the incident report on Friday 18th May as planned. We now plan to publish this on Tuesday 22nd May 2007.

We are publishing an FAQ this afternoon which will answer many of the questions which have been asked.

Overnight we built new Webmail servers which will be used to host a temporary Webmail solution. We hope to make this available tomorrow. This temporary solution is based upon the tried and tested SquirrelMail.

We apologise for the inconvenience the lack of a Webmail Service is causing to our customers but wish to reiterate that the security and stability of our systems is of paramount importance to us.

We will be emailing all of our customers later today to detail our plans for dealing with Spam in the future. One of the most frequent requests from our customers is to have the ability not to download Spam. Next week, as part of our ongoing improvements, we will offer our customers this option, thus reducing the impact of Spam.

We would like to thank our customers for their continued patience and once again apologise for the inconvenience caused.

Kind Regards,

Mark Kelly
Manager Comms & Referrals

In reply to:

---

Overnight we built new Webmail servers which will be used to host a temporary Webmail solution. We hope to make this available tomorrow. This temporary solution is based upon the tried and tested SquirrelMail.

---

Fine providing they don't mess around with it too much. After all isn't that why this whole mess happened in the first place.

In reply to:

---

Overnight we built new Webmail servers which will be used to host a temporary Webmail solution. We hope to make this available tomorrow. This temporary solution is based upon the tried and tested SquirrelMail.

---

SquirrelMail is good... fast... and patches are very up-to-date:

ANNOUNCE: SquirrelMail 1.4.10a Released
May 09, 2007 by Thijs Kinkhorst

"The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.10a.

The 1.4.10 release contains multiple fixes for cross site scripting issues triggered by viewing HTML mail. Besides that it contains bug fixes and stability enhancements. "

Source: http://www.squirrelmail.org/

Tests:
http://secunia.com/search/?search=squirrel

"We apologise for the inconvenience the lack of a Webmail Service is causing to our customers but wish to reiterate that the, security and stability of our systems is of paramount importance to us" My Bold

If that was true, would PN be in the mess it is in now?

In reply to:

---

If that was true, would PN be in the mess it is in now?

---

Maybe - if this was a new vulnerability then I'm not too sure what else they should have done. If it turns out that this is an old one that hadn't been patched then the blame sits squarely with PlusNet.

I'm not sure we'll ever know which it was ...

When yesterday it was a legacy of underinvestment at the firm
I can't see how it can also be "security and stability of our systems is of paramount importance to us"

To me it's one or the other, certainly not both.

One's talking about past behaviour - the other about current - they can easily both be true.

Whether I think they are or not is another issue ....

I'm also reminded of an earlier email which said that since the breach they had done an audit and found a number of other vulnerabilities in the WebMail platform. If security of the platform is of paramount importance why wasn't this audit done previously and acted upon? If they are serious enough to close the platform down now, they must have been serious enough before.

The trouble is instead of holding their hands up, and just getting on with the fix, they want to play the blame game, it's lack on investment in the past, it's @mail etc.

In another post I pointed that out.
What needs to be asked (and answered) is when was the last full audit before this weeks one.

Or did it take this trouble to made them do an audit!