
Spam to plusnet-specific Email address.

Community Veteran
Posts: 26,786
Thanks: 989
Fixes: 10
Registered: ‎10-04-2007

Re: Spam to plusnet-specific Email address.

I'm seeing spam to email addresses harvested from Plusnet - in the 2007 hack. I'm also seeing spam to other emails that over the last few years have received spam.
There are a lot of other email addresses including actual mailboxes on Plusnet that have received no spam whatsoever in spite of them being used.
So while I've seen a lot of these test messages, nothing I've seen points to a fresh leak on Plusnet.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
Community Veteran
Posts: 5,598
Thanks: 361
Fixes: 6
Registered: ‎11-08-2007

Re: Spam to plusnet-specific Email address.

Quote from: jelv
So while I've seen a lot of these test messages, nothing I've seen points to a fresh leak on Plusnet.

THIS topic is regarding SPAM messages recently appearing in customers' mailboxes which were uniquely set up for only receiving communications from Plusnet, and DOES appear to be subject to a fresh leak.
The issue of widespread "Test message" emails is different from this topic, and is covered in the other forum topic "Strange test messages", and as you say looks to be the same old SPAM appearing in mailboxes which were harvested in the 2007 Plusnet hack, and from other hacks including the Adobe attack.
What seems apparent is that the compromised email addresses in THIS topic have come from the Plusnet accounts database,  as the same users are NOT seeing the corresponding SPAM messages appearing in their other email mailboxes.  This would suggest that the email database has NOT been harvested, but the customer account records where their contact information is stored has been harvested or leaked.
Plusnet FTTC 80/20 IPv4/30, Hurricane Electric 6in4 IPv6/48, Pulse8 landline & calls, SamKnows 600N
Vigor 130 modem, pfSense 2.4.5-p1 router, 5 WAPs, Devolo dLAN 500, Gigaset N300A-IP VoIP DECT
Community Veteran
Posts: 3,427
Thanks: 20
Registered: ‎18-01-2013

Re: Spam to plusnet-specific Email address.

Do any of the customers affected access their emails on a mobile device ? I.e. iPhone / Android device / Windows Phone ?
Having seen reports of rogue applications which appear to function normally but actually harvest friends' mobile numbers and email addresses, it makes me wonder if this could be a cause.
Obviously if there has been a data leak then it needs identifying quickly.
Community Veteran
Posts: 5,598
Thanks: 361
Fixes: 6
Registered: ‎11-08-2007

Re: Spam to plusnet-specific Email address.

Quote from: DomS
Do any of the customers affected access their emails on a mobile device ? I.e. iPhone / Android device / Windows Phone ?

Are you suggesting that Plusnet's lack of SSL encryption on their email platform could allow customers' email addresses to be sent as plain text over wireless networks and potentially harvested when using a public WiFi hotspot when accessed via a mobile device?
Perhaps someone should start a new topic about that (AGAIN !).   Angry

To answer your question,  no I have NEVER accessed the affected mailbox using a mobile device, AND in my case the mailbox in question is hosted on a secure email platform WITH SSL encryption and is NOT controlled in any way by Plusnet - other than my Plusnet account has the mailbox listed as my primary Plusnet contact email address.
Plusnet FTTC 80/20 IPv4/30, Hurricane Electric 6in4 IPv6/48, Pulse8 landline & calls, SamKnows 600N
Vigor 130 modem, pfSense 2.4.5-p1 router, 5 WAPs, Devolo dLAN 500, Gigaset N300A-IP VoIP DECT
Community Veteran
Posts: 3,427
Thanks: 20
Registered: ‎18-01-2013

Re: Spam to plusnet-specific Email address.

Quote from: purleigh
To answer your question,  no I have NEVER accessed the affected mailbox using a mobile device,

I see your point on the previous rant Wink
One more possibility to tick off on the compromised application theory then Smiley
Community Veteran
Posts: 5,598
Thanks: 361
Fixes: 6
Registered: ‎11-08-2007

Re: Spam to plusnet-specific Email address.

I'm glad you took that the right way !   Cool
In addition to the insecure mobile theory, I can also categorically say that my mailbox has never been accessed using any device with an insecure or vulnerable Operating System such as Microsoft Windows!
Plusnet FTTC 80/20 IPv4/30, Hurricane Electric 6in4 IPv6/48, Pulse8 landline & calls, SamKnows 600N
Vigor 130 modem, pfSense 2.4.5-p1 router, 5 WAPs, Devolo dLAN 500, Gigaset N300A-IP VoIP DECT
Dabbler
Posts: 15
Registered: ‎31-03-2011

Re: Spam to plusnet-specific Email address.

I also don't access my email wirelessly and I was not with Plusnet in 2007 so the email address I use didn't exist then.
I only ever receive 1 mail a month from Plusnet advising billing unless there is a support issue when it is also used.
I can't see any other obvious way for the address to have been obtained other than by hacking Plusnet systems or a rogue employee.
If it was only my address I might be inclined to believe that it had been obtained by interception via the ISP that I host my domains with but none of the other addresses that I use on a daily basis for receiving and sending dozens of emails has been affected so I think that very unlikely.
My broadband has today coincidentally(?) stopped working and is apparently a disconnect in the exchange on the phone line according to the diagnostics run by Plusnet support, despite the fact that the phone both makes and receives calls perfectly.
As I am on FTTC this seems a bizarre diagnosis.
Dear old Openreach have consented to drag their bones to the exchange to investigate next Wednesday.
Meantime my 3G router/modem is working quite well - just as well really.
Happy days!
Community Veteran
Posts: 19,107
Thanks: 450
Fixes: 21
Registered: ‎31-08-2007

Re: Spam to plusnet-specific Email address.

Hi aich, I was going to send you a PM with some information which I don't want to put in a public domain, but you have PMs blocked.
Community Veteran
Posts: 1,136
Thanks: 2
Registered: ‎30-07-2007

Re: Spam to plusnet-specific Email address.

Quote from: purleigh
To answer your question,  no I have NEVER accessed the affected mailbox using a mobile device, AND in my case the mailbox in question is hosted on a secure email platform WITH SSL encryption and is NOT controlled in any way by Plusnet - other than my Plusnet account has the mailbox listed as my primary Plusnet contact email address.

I've got an idea of a possible source of the 'leak', can you check the headers of the messages you receive FROM Plusnet to your PN specific address and see if they pass through their spam filters?
My idea is that cloudfront (or whoever is doing the spam-scanning for PN these days) has had the breach and is keeping lists of the addresses that it sees pass through their devices and they've not a) noticed or b) notified their clients or c) have notified their clients under an NDA.
Just a wild theory, that may or may not be alluded to on the presence of cloudfront's headers in PN's outgoing mails.
F9 member since 4 Sep 1999
F9 ADSL customer since 27 Aug 2004
DLM manages your line the same way DRM manages your rights.
Look at all the pretty graphs! (now with uptime logging!)
Dabbler
Posts: 15
Registered: ‎31-03-2011

Re: Spam to plusnet-specific Email address.

I've just had a look at the headers on some of my mails from Plusnet and the monthly billing advice and the support ones all appear to come directly from servers on plus.net.
However one sent on 17/07/14 about changes to phone packages comes from "mx1.bt-plusnet.trclient.com"
Googling "trclient.com" doesn't fill me with a lot of confidence about them, especially when following a link to them causes Firefox to throw a wobbly about the site's security certificate!
Community Veteran
Posts: 5,598
Thanks: 361
Fixes: 6
Registered: ‎11-08-2007

Re: Spam to plusnet-specific Email address.

@'avatastic' - Thanks for another theory for consideration  Cool

Firstly on my Plusnet email settings I have SPAM filtering disabled, as I prefer to do it myself and I don't like the idea of -
Quote from: Member Centre / My Account / Manage My Mail / Spam
With spam filtering turned on, emails sent from mailservers with a bad SenderBase reputation will be rejected and bounced back to the sender. Emails that pass this first check are scanned and given a spam rating. What happens then depends on the settings which follow.

Looking at the received headers (from Plusnet billing emails) for the affected email address (hosted elsewhere with an independently registered domain), I can see no trace of any filtering results being added before the message was received at my email hosting provider.
However this now gets a little more complicated !
Looking at the email headers, what actually happens to billing emails, is that two copies of the emails are sent -

  • The email is actually sent "To:" the Plusnet account's default email address - i.e.  <username@username.plus.net>

  • and also by "Cc:" so a copy is sent to the specified email address held on the account


Unfortunately this means that both emails contain the other target email address - so there is a potential vulnerability there!
Looking at the other copy of the same Plusnet billing emails sent to the <username@username.plus.net> mailbox, there is nothing obvious that looks (to me) like Cloudfront, but there are these lines -
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.1 cv=O8i3vXNW c=1 sm=1 tr=0
a=WPTklmkeA0lf4ztKFIiyww==:117 a=0Bzu9jTXAAAA:8 a=7HIFeAphMSMA:10
a=mrHjP8x4AAAA:8 a=lwZ3Ad6_j2Gb7XwZnmMA:9 a=PWqJf_0N3X8Ey6Cz:21
a=oZAOq0xajU3HTwh8:21 a=pn7XOFuvdOUA:10
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)


The other thing that I have noticed is that, despite receiving two copies of billing emails to different mailboxes, I am only receiving these SPAM emails to my independent email address named in my Plusnet account, but NOT to the default Plusnet email address!

Since I last posted in this topic I have received another SPAM email to my named email address -
Quote
Subject: 20/20 Vision Can Be Yours. Learn More - News
From: "ClinicCompare News" <news@liveuknews.co.uk>


So the fact remains, that those of us reporting this problem, we are receiving SPAM messages only to the email address specified in our Plusnet account settings, to unique email address mailboxes on differing email hosts, that have been specifically set up to only be used to receive Plusnet billing messages.

If someone has hacked or leaked our account settings to get these very specific email addresses, then what else has been stolen ?
Does someone now have our home addresses, phone numbers, credit card details, account passwords ?
Why has Plusnet not made a statement about this ?
There may be major security implications for all customers if our details have been stolen.
This was reported three days ago, and nothing seems to have been done other than Bob looking at some headers two days ago.
Is anyone working on this NOW ?

Cry
Plusnet FTTC 80/20 IPv4/30, Hurricane Electric 6in4 IPv6/48, Pulse8 landline & calls, SamKnows 600N
Vigor 130 modem, pfSense 2.4.5-p1 router, 5 WAPs, Devolo dLAN 500, Gigaset N300A-IP VoIP DECT
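
The header checks discussed in the posts above (which hosts relayed a message, whether a filtering service stamped it, and which addresses travel together in To:/Cc:), as an added Python example that is not part of any poster's message. The sample message is a constructed composite of the header features mentioned in the thread; example.org, the IP addresses, the Received lines and the trusted-domain list are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed composite sample: header names/values echo those quoted in the
# thread, but the Received chain, IPs and example.org address are placeholders.
SAMPLE = """\
Received: from relay.plus.net (relay.plus.net [192.0.2.10])
\tby mx.example.org with ESMTP; Mon, 01 Sep 2014 09:00:00 +0100
Received: from mx1.bt-plusnet.trclient.com (mx1.bt-plusnet.trclient.com [192.0.2.20])
\tby relay.plus.net with ESMTP; Mon, 01 Sep 2014 08:59:58 +0100
From: billing@plus.net
To: <username@username.plus.net>
Cc: <plusnet-only@example.org>
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.1 cv=O8i3vXNW c=1 sm=1 tr=0
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
Subject: Constructed sample

Body
"""

def relay_hosts(msg):
    """Hostnames named in the from/by clauses of every Received header."""
    hosts = []
    for value in msg.get_all("Received", []):
        hosts += re.findall(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", value)
    return list(dict.fromkeys(h.lower() for h in hosts))  # de-duplicate, keep order

def outside(hosts, trusted):
    """Hosts that are neither a trusted domain nor a subdomain of one."""
    return [h for h in hosts
            if not any(h == d or h.endswith("." + d) for d in trusted)]

def audit(raw, trusted_domains):
    """Summarise who handled a message and which addresses it discloses."""
    msg = message_from_string(raw)
    hosts = relay_hosts(msg)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {
        "relays": hosts,
        "third_party_relays": outside(hosts, trusted_domains),
        # X- headers are where filtering/scanning services leave their stamps
        "filter_headers": [k for k in msg.keys() if k.lower().startswith("x-")],
        # every address listed here is visible to anyone who handles either copy
        "exposed_recipients": [addr for _, addr in rcpts],
    }

if __name__ == "__main__":
    # Trusted = the sender's domain plus the recipient's own mail host (assumed).
    for key, value in audit(SAMPLE, {"plus.net", "example.org"}).items():
        print(f"{key}: {value}")
```
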
Community Veteran
Posts: 19,107
Thanks: 450
Fixes: 21
Registered: ‎31-08-2007

Re: Spam to plusnet-specific Email address.

I was told someone was looking at this. I would fully expect a statement from CRT tomorrow on what the current situation/state of the investigation was.
Rising Star
Posts: 87
Thanks: 9
Fixes: 1
Registered: ‎04-02-2011

Re: Spam to plusnet-specific Email address.

No update on this?
I just received the "EcoExperts news"
Community Veteran
Posts: 19,107
Thanks: 450
Fixes: 21
Registered: ‎31-08-2007

Re: Spam to plusnet-specific Email address.

This isn't the only thread that wasn't picked up either Sad
Community Veteran
Posts: 5,598
Thanks: 361
Fixes: 6
Registered: ‎11-08-2007

Re: Spam to plusnet-specific Email address.

I got that too  Angry
Quote
From: "EcoExperts News" <news@liveuknews.co.uk>
Subject: 50% cut from your energy bills - news
Plusnet FTTC 80/20 IPv4/30, Hurricane Electric 6in4 IPv6/48, Pulse8 landline & calls, SamKnows 600N
Vigor 130 modem, pfSense 2.4.5-p1 router, 5 WAPs, Devolo dLAN 500, Gigaset N300A-IP VoIP DECT