The spam crisis at PlusNet has taken its webmail service offline indefinitely after security auditors found unpatchable flaws in software provided by @Mail. It has announced that it is replacing the offending software and has apologised to customers. A service update (posted here) tells customers the emergency measures have …
'White Label' package...
Could this be rebadged version of one of the various popular open source PHP based webmail interfaces? (ie Horde/Squirrelmail)
I'm running Squirrelmail on my FreeBSD box, and the port security auditing has been squealing about 'multiple' vulnerabilities in PHP4.x for weeks now. Nothing to be done about it though because Squirrelmail doesn't run under PHP5 and there doesn't seem to be a patch for the vulnerabilitie(s).
In the meantime I'm trying to find a decent alternative Webmail client.
update? what update?
"A further update including plans for restoration of service will be provided by 3pm today..."
it's now 15:55 and guess what? nothing. shoddy service does not even begin to describe the service at the moment. They have blamed everything from trojans to previous management, anything except accept responsibility (there hasn't even been announcement to subscribers yet!) all we see is more spin than an Alistair Campbell press conference...
Just don't replace it with Yahoo! Mail
BT owned could mean... Yahoo! Mail !!!
Sean - It's not rebadged SquirrelMail or Horde unless @Mail that PlusNet uses is rebadged itself, but I don't think so.
@Mail offers a nice advanced UI that's AJAX based and Outlook in style, but I've not seen this in PlusNet's implementation (which is pretty awful), though maybe that's because I use Firefox and can't use the advanced UI bit.
I suspect the fault here is simply in not patching. Usual caused by smug superiority attitudes of unix/linux guys who spend more time mocking Windows users for flaws and patches than actually noticing that their Apache/PHP based web server applications have more holes than swiss cheese and Windows combined and needs regular updates.
They say it's in @Mail
The problem is in http://atmail.com/ software, which is easy to rebrand and pretend it's your own. It's normally a pretty good piece of software, so perhaps the problem lies in PlusNets own edits, rather than in @mail itself.
Ex plusnet member
I have started receiving the same spam emails reported even though I removed my domain from plusnet some months ago. This leads me to suspect that far more has been compromised than they are letting on. This is clearly not just an issue with webmail. Maybe one of plusnets reps could answer in this forum as they seem reluctant to answer in the plusnet forums. This is typical of the reasons I left them in the first place. Looks like there is no escape from their incompetence. Anyone who has had a domain registered with them in the past should be worried.
"Squirrelmail doesn't run under PHP5 "
Yes it does - been running it under PHP5 on my server for a few months now - you just need to make a slight tweak to imap_messages.php.
I've just realised how sad that sounds.... I'll shut up now!
Yahoo and PlusNet
"BT owned could mean... Yahoo! Mail!!!..."
"...@Mail offers a nice advanced UI ...PlusNet's implementation (which is pretty awful)"
Re the first quote, I'm loathe to defend Yahoo but the BTimplementation of Yahoo webmail has always seemed much worse than the native Yahoo version (and, as a former BT customer, I have had accounts with both).
Taken with the second quote, that leads me to the conclusion that ISPs are crap at providing webmail services. Well, OK, just crap full stop.
My own experience with PlusNet as an ISP has been pretty dire generally. In particular, after a brief initial flirtation, I stopped using their crap webmail service so the fact that it's gone offline is no loss to me. But it must be a real pain in the arse for those customers who rely on it.
In my view, the worst aspect of this whole fiasco is PlusNet's typically inept response and it's gutter-level of customer service. Bastards.
Former PlusNet customer
This doesn't suprise me, as a former PlusNet customer.
The whole operation seems like a joke.
Glad I left them.
One gaffe too far for me I fear
Thanks for the heads-up on all the cockups at PlusNet. I've been with them for 3 years or more, and until this year they filled the niche I needed them to; a full-function ISP for the tech-savvy punter. However, in 2007 I've been affected by all the following:
1. Constant unavailability of email, even after the supposed NetApp upgrade;
2. Appalling performance of CGI server;
3. Now, my wife and daughter's email accounts (previously spam free) both inundated. Interestingly, so is an email account I deleted some time ago (I still get the emails to my main account under a catch-all setting). Fortunately, I use Bigfoot forwarding and those addresses are unaffected - so PlusNet does actually give me the tools to recover, I simply set up new mail accounts and change the forward, plus turning off the catch-all feature.
Anyone from PlusNet reading this will have noticed that I had no email-induced loyalty anyway - my ISP will be switched shortly, anyone got a recommendation?
Here's the e-mail I got. I recently changed my e-mail address due to spam reasons. All of a sudden from Sunday, I got my first spam e-mails. Here's the Plus e-mail statement on the whole cock-up...
It's piss poor. I'm off to find me a new ISP.
This email contains important information about a problem with our Webmail service which may have lead to your email address being exposed to a spammer.
If you are affected by this, you may have noticed an increase in the amount of spam received since Sunday 13th May. This includes spam to email addresses that were previously spam-free. This increase in spam is a result of a security issue on our Webmail service. You can read about this on the Service Status pages of the Usertools website:
I would like to make it clear that the Webmail platform is separate to the systems we use for storing personal information such as credit card numbers and none of this type of information has been exposed as a result of this issue. However, purely as a precaution we would advise you to change your account password by visiting the Member Centre then clicking Account Details then Change Password.
Please note if you change your account password this will need to be updated in your router or modem as well as your browser and email software.
I am extremely sorry that a malicious third party has managed to gain a list of email addresses from one of our Webmail servers. On behalf of PlusNet I would like to sincerely apologise to you for this security breach and the increase in offensive spam emails that may now be affecting your email address. We understand how annoying and upsetting spam email can be and we are treating this with the utmost seriousness. My team and I will continue to work round the clock to reduce the inconvenience caused to you by this problem as much as we can.
When we learned of the attack on our Webmail service, we identified the source of the vulnerability and implemented a fix as quickly as possible. However, following a full audit of our Webmail service we identified a number of additional security vulnerabilities that it has not been possible to patch. While these potential vulnerabilities have not been exploited, we are not prepared to compromise on customer security so we have removed our Webmail service.
We intend to replace our current Webmail system as quickly as we can, and this is one of the next priorities for my team at this time. In the meantime, if you use Webmail to check your PlusNet email from your own PC, you might find it more convenient to use an email program which runs on your PC instead. You can find information about setting up most popular email programs at
If you have been receiving spam email to any of your mailboxes, then you could also reduce this by taking some or all of the actions recommended here: http://www.plus.net/support/security/spam/spam_problem.shtml
This incident has highlighted the importance of keeping systems as secure as possible. It is important to ensure that you always have the latest operating system updates and patches installed. Windows users can obtain these by visiting Windows Update, which is linked to from the Tools menu of Internet Explorer. We always recommend the use of fully up-to-date third-party anti-virus, firewall and Internet security software, particularly for Microsoft Windows users.
Again, I would like to be clear that we fully recognise the impact this will have on our customers and indeed the internet community in general. All of us here are taking this week’s security breach extremely seriously and we are doing everything possible to resolve all outstanding issues. We will be publishing a full incident report and plan on what we intend to do next to our website before the weekend. This will explain exactly what has happened and how.
As you might imagine at this time, our Customer Support Team is extremely busy. I would be most grateful if, during the next few days, you could avoid contacting us unless you have an urgent issue that is not answered by any of the FAQs or elsewhere on our website. You can also find more details on our recorded information line 020 7517 8754 (please note that our Customer Support team are not available on this number).
This email has been sent as it contains important information about your service from PlusNet. Please do not reply to this email, as this is an unmonitored address.
Registered Office: Internet House, 2 Tenter Street, Sheffield, S1 4BY
Registered in England no: 3279013
I note that they promised an email to customers "this afternoon" - i haven't got it. I do however have 15 offers of what look like very resonably priced "male-enhancement utensils" and some quite affordable horse viagra - i just dying to pick up my mail later and learn how to win a free PS3.
As echo'd above it wouldn't be so bad if they communicated, but they just circle the wagons and hide. I bet they'll be lots of whooping, high fiving and "aren't we awesome-ing" going on when they do return to service. It seems adversity just spures them on to new depths of ineptitude.
As the vendor of @Mail we'd like to give our feedback
* Plusnet had been using an older unpatched version of @Mail, based on the 4.X branch of the software. Their install was over a 12 months old, and was not kept updated with our latest versions
* @Mail has not been identified as the security breach for their database, this is to be confirmed. We are not aware of any bugs that do so.
* Our company takes security seriously and regularly updates the software, and are working with Plusnet to have their systems running the latest version of @Mail.
Once a cowboy, always a cowboy
I left the Sheffield shafters about six years ago: remember the original 'unlimited access' fiasco?
For those looking for an outstanding ISP, try www.idnet.net where you will find customer service akin to pre-Egyptian Harrods.
Blaming other people ?
So, Plus.Net are trying to blame @Mail, when their own inability to update their own software is to blame, that is the actual cause of the problem ?
Bye bye PlusNet
If I'm going to get p*ss-poor customer service, I might as well pay for it. Hello Talk Talk!
Wasted years of spam free service and a fair bit of work
I have a system of a different mailbox for every company i register with online. I then blacklist all other addresses to my account. Using this method I have been spam free for some time, and can also catch out companies illegally selling on my address and make serious complaints. This has all been ruined by this fiasco.
Each of my mailboxes have received the same amount of spam so I have been absolutely bombarded. It is relatively quick to set up a mailbox when registering with a service online, but the collective time for all added together probably amounts to hours of work to put this right!
I'm going to look for a different provider...
1) Get compensation
2) Use hotmail
3) Change ISP
*dont* use hotmail or any other 'non-ISP' webmail!
Try this test - switch on your 'security level' marker, and look at hotmail, yahoomail, googlemail, whatever... it should show 'high security' at the login screnn...
login, and now check your 'security rating' .... and note that if this is low, or zero, then **anyone** can look at your mail, by many ways....
Bit bleedin' rich of plus.net
"This incident has highlighted the importance of keeping systems as secure as possible. It is important to ensure that you always have the latest operating system updates and patches installed. Windows users can obtain these by visiting Windows Update, which is linked to from the Tools menu of Internet Explorer. We always recommend the use of fully up-to-date third-party anti-virus, firewall and Internet security software, particularly for Microsoft Windows users."
Who's telling porkies ?
According to various key PN personnel on the PN User Group Forum, the statement as made above by Calacode is:
1) Not true - Dan Kirkland: "As Software Manager in PlusNet, I can assure you that what is stated here is not true."
2) Not a genuine response from Calacode at all but a fake. Neil Armstrong: "We have reason to believe that the post on El Reg is not actually a genuine post from Calacode ... [snip] ... We have proof that someone has been spoofing my email address and contacting Calacode claiming to be me in order to get information. So it's just as likely that someone is pretending to be Calacode.
Hmmmmm, now I wonder just who is being slightly less than 100% honest here ?
Also, PN have now apparently set up SquirrelMail (as used by Metronet) as a "temporary solution - for around 6 months" for customers who want webmail access while they consider other options. SPAM filtering and silent deletion on receipt has now been stepped up with other significant SPAM handling changes coming soon. I wonder how many genuine messages are going to disappear or be incorrectly tagged due to aggressive filtering in order to try and hide the problem they created ?
I've had a go with the new (temporary) SquirrelMail solution, and it's about a million times faster than the @Mail one. Make it permanent!
It's always been poor...
I always had loads of spam (tens thereof daily for a business-use-only mailbox) - which started even when the mailbox was fairly new... Webmail message list showed invalid dates for many messages, e.g. 70/01/12 or something (NOT just US-standard reverse date format).
I sent constructive criticism to Plusnet, but it must have been their monkeys who read it, not someone who gave a toss...
ALSO, their email is back up, but my account doesn't work!
- gives the following error:
ERROR: Connection dropped by IMAP server.
Over a period of days (including when it's supposed to be up) this error is still there. They haven't deleted my account have they? I would LOVE to get some debate practice with their lawyers!
plusnet/force9 accounts still not accessable from outside the UK
The Plusnet and Force9 portals are *still* not accessable to users accessing from non-UK IP addresses. This is a pain in the a*se for people (like me) who live abroad. Spoke to Plusnet support - apparently non-UK IP addresses will be blocked indefinitely. They didn't acknowledge that it is possible to have a secure website that is accessable from outside the UK.
Their latest incident report is at the below URL by the way: