back to article Plusnet could face DATA BREACH probe over SPAM HELL gripes

BT-owned Plusnet faces a possible data breach investigation by Britain's Information Commissioner's Office, after complaints from the ISP's customers about their email accounts being swamped by spam were dismissed. As The Register reported last week, an unknown number of subscribers expressed concern that their email accounts …

  1. AMBxx Silver badge
    FAIL

    Never really understood

    Why would anyone use an ISP provided email account? Just makes it more difficult if you change ISP. Depending upon your personal preferences, MS, Google, Apple, plus more provide perfectly usable portable email accounts if you don't want to have your own domain.

    1. Ben Tasker Silver badge

      Re: Never really understood

      As I understand it, that's not what's been breached/leaked here.

      The addresses receiving spam are the addresses that were provided to Plusnet for their billing database (i.e. where they send 'new bill available' emails and the like). Some of those might be ISP provided mailboxes, but most (of the complainers) are not.

      But yeah, agree with your point regarding ISP mailboxes

    2. Anonymous Coward
      Anonymous Coward

      Re: Never really understood

      Most of the complaints (mine included) are unconnected with PNs email, but concern unique email addresses on other domains/snail servers that were used exclusively for Plusnet billing registration. In most cases the aliases are sufficiently obscure as to be very unlikely candidates for a dictionary trawl.

      Like most others I'm far more irritated by plusnets legalistic, studied denials and blame shifting than I am with the spam.

      1. Captain Scarlet Silver badge

        Re: Never really understood

        I haven't noticed any increase in spam myself to my personal email address (I left PlusNet about 2 months ago)

        1. Anonymous Coward
          Anonymous Coward

          Re: Never really understood

          @ Captain Scarlet

          If you want to check specifically, try searching for 'Vineland, NJ 08360'. It appears in an 'unsubscribe' message at the bottom of all of the spam I've received from this.

          The spam is more like the really greasy end of marketing than the classic penis pills and casinos variety, which makes me wonder if one of plusnets 'trusted 3rd party marketing partners' mentioned on their forum got their lists crossed up.

          1. Anonymous Coward
            Anonymous Coward

            Re: Never really understood

            I've had a similar thing happen to TWO email addresses I use exclusively with Santander. Of course their customer service wonks denied it could be them when I contacted them about it...

            1. Alan Brown Silver badge

              Re: Never really understood

              "I've had a similar thing happen to TWO email addresses I use exclusively with Santander. Of course their customer service wonks denied it could be them when I contacted them about it..."

              Make sure the ICO knows.

              You do have a right of private action under UK law should as company leak your address. If more people were willing to take this course then companies might sit up and take notice (It's easy to bullshit the ICO, but facing a few hundred court cases is expensive even if you manage to get them dismissed)

          2. Frankee Llonnygog

            Re: Vineland, NJ 08360'

            So that's how Thomas Pynchon makes his real money

          3. Captain Scarlet Silver badge

            Re: Never really understood

            'Vineland, NJ 08360'

            Oddly that's on another email account I use at work but not one I have used with PlusNet/BT.

            My account with PlusNet was setup in 2012, you can check my posts as I whinged about Virgin Media and BT Infinity being in the next street but not the one I was on.

        2. Anonymous Coward
          Anonymous Coward

          Re: Never really understood

          Neither I or my two daughters have received any spam on our separate Plusnet only billing addresses.

          1. Alan Brown Silver badge

            Re: Never really understood

            "Neither I or my two daughters have received any spam on our separate Plusnet only billing addresses."

            When did you setup your accounts?

            Judging from comments in various threads what leaked was old data - possibly as recent as 2009 but more likely sometime before that. The spammers either just got hold of it or have been sitting on it.

    3. jonathanb Silver badge

      Re: Never really understood

      People have supplied something along the lines of plusnet@mydomain.example as the billing email address for Plusnet. They only use that email address for Plusnet, and have other email addresses for other suppliers that send them emails. That is the email address that is receiving the spam.

  2. gerryg

    How big a problem and why?

    Not happening with me or the few people I know that use Plusnet. I even use their squirrel mail as my client. I'd shout at them about various but not this.

    I'd be curious to identify common factors among those affected.

    1. Chewi

      Re: How big a problem and why?

      You're missing the point. Unless you used a specific address (read up on mailbox aliases) then you wouldn't have noticed this spam amongst all the other spam you normally get. The fact that it arrived on these addresses that have *never* been shared with anyone else is really a smoking gun.

      1. jabuzz

        Re: How big a problem and why?

        Yes I would because it is a very specific form of spam that they are complaining about and I don't have any matching spam in my inbox or anywhere on three PlusNet accounts that I have checked.

        So the question is if said database has been breached why has the spam not been delivered to the none PlusNet email addresses for these three accounts?

        My Occam's razor is at this point telling me the spammer got them from somewhere else.

        1. Vince

          Re: How big a problem and why?

          I think you're missing the point.

          If multiple people suddenly start receiving spam TO an address that was exclusively given to one place, then either that place has had a breach, OR that place gave the address to others and THEY have had a breach.

          It's unlikely that multiple people would randomly start getting mail to otherwise wholly unconnected addresses which is spam when in each case, a unique address was given to the one common provider.

    2. AndrueC Silver badge
      Boffin

      Re: How big a problem and why?

      Not happened to me either as far as I can tell. I did use my Gmail address rather than one hosted by my own server but almost no-one else knows that address so the account is quiet as the grave apart from the monthly billing invoice from PN.

      Unfortunately trying to investigate spam by looking at mail headers is not really reliable as they are easy to fake. It'd be better if someone getting spam to their own server could take a look at the logs and see exactly which remote machines are issuing the RCPT.

      1. Alan Brown Silver badge

        Re: How big a problem and why?

        "Unfortunately trying to investigate spam by looking at mail headers is not really reliable as they are easy to fake. "

        It's pretty easy to see where real Received: lines give way to fake ones. Beyond that point everything is suspect (And probably forged).

    3. Doctor Syntax Silver badge

      Re: How big a problem and why?

      "I'd be curious to identify common factors among those affected."

      They were the ones copied before the USB drive filled up?

  3. Lee D Silver badge

    I get about four or five of these incidents a month.

    I use unique addresses for EVERYTHING. I'm very careful to always press the buttons to NOT send me third-party email etc.

    Yet four or five times a month, some email of mine that I've entrusted to a company will get spammed. It's not some evil conspiracy of PlusNet, but it only takes a single rogue employee with access to the database. Those kinds of things sell very well, you know.

    Just this month:

    cheapflights@

    macromedia@

    pizzagogo@

    e-frag@

    securityfocus@ (likely a Usenet scrape)

    bitcoin-24@

    huntersscan@

    PlusNet don't have my business any more, since the BT takeover, but I'm sure I wouldn't be surprised to see their name in there either.

    Once had a guy from a company spam me to rm@ (I work in schools, RM are a major supplier for some places). When I dug into it, he was a former employee that had left the company to start his own selling IT furniture to schools... someone obviously decided to just walk off with the RM company database to start their own company with those contacts.

    I complained, nothing much was done. Nothing much CAN be done. Once your address is out there, it's out there.

    If you want to control it, buy the cheapest domain from the cheapest registrar, set up email forwarding (literally one click usually) and then start using companyname@yourdomain.com for everything. When one gets spammed, block anything sent To: that address in whatever account you forwarded it to.

    Hell, I even write in the SMTP reject message why:

    Recipient address rejected: Account has been spammed by the company given that email. All emails blocked.

    Don't have just one email. Have an infinite number of throwaway ones.

    1. AndrueC Silver badge
      Childcatcher

      I get about four or five of these incidents a month.

      That's why I ended up only doing business only with Tesco and Amazon. Pretty much every other retailer ended up leaking the email address I'd given them(*). It seems (strange/sad to say perhaps) that only the really big boys can keep personal information safe.

      Hmmm.

      (*)The worst offender is LinkedIn. I've configured four addresses for them now and have given up completely. Seems like it only take a month for spam to start coming in to any address I give them.

      1. Alan Brown Silver badge

        "(*)The worst offender is LinkedIn."

        Linkedin not only spam prolifically, they WON'T stop when told to. I still don't know how they've avoided legal action.

    2. AndrueC Silver badge
      Happy

      I complained, nothing much was done. Nothing much CAN be done. Once your address is out there, it's out there.

      That's very true. Many years ago (eight or nine at least) I was a member of Borland's TeamB and that address became compromised. I immediately switched to a new address and blacklisted the old one but I've just checked and this morning alone I've had four messages sent to that address. So perhaps a dozen messages sent every day for the last eight years with my server rejecting every single one and yet still spam comes in.

      It looks like that and other addresses will be my lasting legacy to the world when I die.

    3. Warm Braw Silver badge

      Don't use <companyname>@yourdomain...

      Spammers are actually wise to that one and will specifically target well-known company/brand names @exhaustive-list-of-domains (along with common first names, last names and combinations thereof) because they're more likely to hit an active mailbox that way.

      The first thing I'd be checking if I were the ICO would be how many of these people being spammed had unique addresses beginning "plusnet@".

      1. Lee D Silver badge

        Re: Don't use <companyname>@yourdomain...

        I'm sure they will.

        When I notice even the first one, I'll start adding random numbers to the end, or some kind of mental-arithmetic-compatible checksum on the end (number of vowels in the company name prefix?).

        That's not a problem. And if it really comes to it, there's software that will create SHA hash-named accounts for you and let you trace to within 1 in 2^160 uncertainty that the email was given out by the company you gave it to.

        But, to be honest, I highly doubt no-one tried to spam "e-frag" until the month after I signed up for a gameserver from them, or pizzagogo just 2 weeks after I ordered my first pizza online and yet NOT ONE OTHER company name was guessed at my domains (plural).

      2. AndrueC Silver badge
        Unhappy

        Re: Don't use <companyname>@yourdomain...

        Spammers have some odd name generation strategies. Here's two entries from today's server log:

        15/12/2014 12:32:42.539 - Client:85.155.129.122 State:RcptTo Action:Reject Rule:Reject general crap Size:0 MAILFROM:Do_Not_Reply@vitacress.co.uk Recipients:(ce5dd7553@xxxxx)

        15/12/2014 12:32:43.054 - Client:188.51.24.147 State:RcptTo Action:Reject Rule:Reject general crap Size:0 MAILFROM:Do_Not_Reply@vitacress.co.uk Recipients:(ed780a549@xxxxx)

        Clearly some spammers have way too much CPU time available to them.

        1. VinceH Silver badge

          Re: Don't use <companyname>@yourdomain...

          "Spammers have some odd name generation strategies. Here's two entries from today's server log:

          ce5dd7553@xxxxx

          ed780a549@xxxxx

          Clearly some spammers have way too much CPU time available to them."

          Those probably haven't been 'generated' by the spammers; they're probably Message-IDs (or part thereof). Because I have a catch-all on each of the domains on which I receive email, if I look in the spam folder, I can often see messages with recipients of that form, which have (usually) been lifted from usenet posts.

        2. Alan Brown Silver badge

          Re: Don't use <companyname>@yourdomain...

          "Recipients:(ce5dd7553@xxxxx)"

          That's a message-ID of some description (it looks like a hexadecimal utime stamp)

          Spamware is notorious for hovering up anything resembling an email address.

  4. Fuzz

    No spam for me at my designated plusnet address so I don't think this is an across the board problem but it's a poor effort.

    The only big company I've ever found leaking my email is snapfish who, being backed by HP, you'd think would do better. Plenty of small companies though

    1. John Miles

      No spam for me at my designated plusnet address

      I haven't see any to mine - it might be data breach was not directly from system but an old copy of their database.

  5. Anonymous Coward
    Anonymous Coward

    none for me...

    I've been a plusnet member for well over 10 years, and my plusnet billing email is not getting these spam emails.

    I suspect its maybe their forum database thats leaked or something like that as I've never used their forum.

    1. Anonymous Coward
      Anonymous Coward

      Re: none for me...

      You may be on to something there...

      I'm in an unusual(!?) position in that I control several plusnet accounts (non-tech family members / friends), each with a unique plusnet-only email address to <<a domain>>.

      Thought it weird that only some were receiving said spam - thinking about it, only those on which I have ever raised a ticket...

      Needless to say, I've moved, soon to be followed by the rest. They were always budget, but "good" budget. That seems a long time ago now. I wonder what could have happened?

      Oh, and if anyone is interested, their security is so good (aside from aforementioned plain-text password storing mentioned in comments in previous article) - that if any "restriction" is put on your account (over-quota -see how long I've used them, thanks for rewarding loyalty - or late payment) you can simply change your router settings to ANY active account, and your quota will be attributed accordingly, and simultaneously. Top work.

      1. Anonymous Coward
        Anonymous Coward

        Re: none for me...

        " thinking about it, only those on which I have ever raised a ticket..."

        Not the forums - the address in my case was never used for anything beyond billing. But oddly enough that particular account (my parents) was cancelled just a week before the spam started, so presumably was associated with a ticket generated by the cancellation. It was then changed to my own email for any final admin needed on the account, and that hasn't had any of the quite distinctive spam titles associated with this.

      2. Alan Brown Silver badge

        Re: none for me...

        "thinking about it, only those on which I have ever raised a ticket..."

        You should let the ICO know that. It helps them zoom in on where Plusnet's databases have leaked and gives BT less wriggle room.

    2. Anonymous Coward
      Anonymous Coward

      Re: none for me...

      Not forums I'm afraid. The email I use with plusnet is completely virtual and I have never sent or posted a single message from it.

      It's also not plusnet@<domain>.com

      Cheers, T.

    3. lorisarvendu

      Re: none for me...

      My Plusnet email account gets no mail whatsoever, other than one per month from PN telling me they're going to take some money out of my bank account (unless I've raised a ticket and then I get a few more).

      Now I don't know whether it's relevant but I'me one of the old Force 9 brigade, so my email account is username@username.fs9.co.uk.

      The secondary email PN has is my work address, which also gets copies of all PN mail. However we have a cast-iron spam filter here, so if I was getting the PN-related spam I wouldn't know.

      As an aside, each day our organisation rejects 90% of all mail arriving at our gateway...approximately 900 mails.

      1. jonathanb Silver badge

        Re: none for me...

        90% is actually quite low. Mine blocks about 97%, and if it was working effectively, it would probably be more like 99%.

      2. Alan Brown Silver badge

        Re: none for me...

        "As an aside, each day our organisation rejects 90% of all mail arriving at our gateway...approximately 900 mails."

        Only 90%? Most sites are closer to 99% of connections (DNSBL hits) and 95-98% of incoming mail (spam corpus)

    4. Simon Reed
      Thumb Down

      Re: none for me...

      I have never used the email address I gave PlusNet for anything. I had no PlusNet forum account until I felt I needed to comment in that thread about also receiving the spam.

      The ONLY place I ever used that email address was to provide it as the billing address.

  6. Anonymous Coward
    Anonymous Coward

    Not just email - but some voicemail too!

    I used Plusnet about 10 years ago, but found that their QOS was unfair and their Support was appalling. (We had about 25 clients using it too at that stage) Long since migrated away a long with that of all our clients...

    HOWEVER a couple of weeks ago I started receiving a splattering of emails from Plusnet Customer Support - "New Voicemail message received" - along with WAV attachments!!

    I can only imagine that they finally re-used my old number and my email was still assigned to that voice-mail box! Crazy. I forwarded to support and the email stopped, but they didn't reply.

  7. Mark Eaton-Park

    This seems to be a BT problem

    I too have been very careful with my ISP email addresses and with the change from BTyahoo I started receiving spam on my ISP address.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019