Webmail Incident Report

alanf · ‎17-10-2007

In the Webmail Incident Report written in May it says "From the suggestions we have received from customers so far we will implement the following:"... seven actions were listed. Then "We will contact all our customers with firm timescales for the above improvements."
Five months on, I raised a ticket asking what the "firm timescales" were. No information was available on planned changes (although some changes were said to have been made already). I find it incredible that SSL is not yet available for POP3 email. Not only has it not been implemented but no target date for its implementation has been announced.
PlusNet does not seem to be taking customers' security concerns seriously.

Mark · ‎04-04-2007

Hi there.
We made several announcements regarding the deliverables post the Webmail incident.
These can be read via these links:
http://community.plus.net/blog/2007/06/07/webmail-deliverables-follow-up/
http://community.plus.net/blog/2007/07/05/more-mail-antispam-improvements/
http://community.plus.net/comms/2007/07/17/emailspam-deliverables-update-part-ii/
Hopefully these articles will address any queries you may have. Dont hesitate to post back if you have any remaining queries.

Quote
PlusNet does not seem to be taking customers' security concerns seriously

.
Nothing could be further from the truth. Security is of paramount concern to us and hopefully once you have read the articles, our actions and approach will prove how serious we view security.

alanf · ‎17-10-2007

Thank-you for the links, Mark. Clearly much has been to combat spam following the exploitation of a security flaw that was present in May. However, PlusNet POP3 email continues to be insecure. The report promised firm timescales for changes including "3) SSL encrypted connections for POP3 and IMAP email and FTP" but, after five months, we have not got them. Thus, it seems that the issue is not receiving the priority it deserves.

shermans · ‎07-09-2007

Quote
It all depends how you use your email. with the anything@ when signing up to a site/suppiler/software registration etc a useful option is to use the company/site name as your sign up email address eg. you could have BT@username and Powergen@username etc etc.

I agree with that. I have used a similar method for years to be able to trace the origin of some spam, and it works well. As a consequence, I managed to undo most of the damage quite quickly. The chief difference is that I have my own domain which redirects my various aliases to Plusnet - at the last count I had about 60 - and means that I only have to change / delete an alias if I suspect it has attracted the attention of a spammer, and then notify the correspondent of my new email address. So for instance there would be :
Plusnet@anyname.co.uk
Water@anyname.co.uk
Electric@anyname.co.uk
Insurance@anyname.co.uk
Shopping@anyname.co.uk etc.
and all of these would be redirected to say :
inbox@anyname.plus.com
That way, I can even still use Atmail without having to log into lots of separate mailboxes or use an email client to receive mail, while still being able to control the distribution of my email address. If I get attacked, I only have to change those that are affected. By doing this, the consequences of the incident for me were fairly short-lived.
On a lighter note, the most recent advance notice of payment from Plusnet got tagged by their own spam filter as spam ! Freudian ?!
Nick

Webmail Incident Report

Re: Webmail Incident Report

Re: Webmail Incident Report

Re: Webmail Incident Report

Re: Webmail Incident Report