Skip Navigation

PlusNet publishes Web Mail Incident Report
Sunday 27 May 2007 10:08:14 by Andrew Ferguson

Plusnet ( has recently re-instated its webmail platform with a temporary solution running SquirrelMail which has previously been used by Metronet, a company PlusNet acquired. It has also released details of its investigation into the previous security incident which can be read in full on

A brief timeline of the incident:

  1. 4th May to 8th May: Start of the incident with tickets being raised by customers, which was finally identified as a webmail platform issue on 9th May.
  2. 9th May to 12th May: A priority problem created and an incident response team formed. Modified HTML files were found on one of six Linux webmail servers, with the intention of trying to open a pop-up window linking to a Russian website which would try to activate a trojan. Where PlusNet was able to identify people who the trojan had affected, it contacted them to advise on remedial action.
  3. 13th May to Tuesday 15th May: A malicious file was found that contained code that allowed an attacker to run commands on the web server itself. This allowed someone to run queries against the webmail database and transmit the results to a remote location. This was found after customers started to complain about receiving spam to e-mail addresses that were previously spam free. The data obtained included customer e-mail addresses, entries in customer address book and e-mail addresses with which customers had exchanged messages with using the webmail platform. This included some old data from before the Atmail solution was implemented in 2004.
  4. 16th May to 21st May: PlusNet worked closely with the BT security team during this time to improve security across their network. The temporary webmail solution using SquirrelMail was tested and went live on Saturday 19th May.


Posted by CARPETBURN over 10 years ago
hmmm this is a hard one to comment on, on the one hand it shouldnt of happened in the first place, on the other you have to respect Plusnet for issuing statements and informing users whats being done, which is more than some ISPs would do
Posted by fusen over 10 years ago
sounds like a remote shell script was uploaded
Posted by pr100 over 10 years ago
Such a lengthy delay in alerting customers to the risk. It looks like PlusNet were hoping to get away with sweeping the Trojan under the carpet, ie playing fast and loose with customers' security.
Posted by CARPETBURN over 10 years ago
cant agree with it being a lengthy delay, if you look back on here at the news stories they did regular issue updated statements, im not defending them i still say it shouldnt of happened but dont critisise a company for informing customers and updating users with statements, would you sooner they behaved like some and not bother at all?
Posted by paulmacpai over 10 years ago
"six Linux webmail servers" - says it all. If they used a secure Unix operating system for their public facing servers, this would never have happened. There are plenty of ISP's that I do not like because their customer support sucks, or they conduct packet shaping in the extreme (or both), but they at least use FreeBSD for public facing systems. I am a Plusnet customer who never used their webmail, but I am still getting a lot of nasty spam. I am fed up with them, and am going to move to Zen.
Posted by pr100 over 10 years ago
@ CARPETBURN: PlusNet knew about the Trojan for over a week before they announced it and starting contacting customers. In security risk timeframes, that is a lengthy delay which would have exposed (tens of) thousands of customers to the Trojan unnecessarily. The only possible beneficiary of the delay was PlusNet who presumably hoped they would be able to get away with keeping it quiet.
Posted by CARPETBURN over 10 years ago
"PlusNet knew about the Trojan for over a week before they announced it and starting contacting customers"
Can yo point to your source of that information, maybe i missed reading that.
IF its true then yes i agree they could have contacted customers sooner, i still would not in the world of broadband providers consider that a 'lengthy' delay though, others would have never notified the customer, or done it months down the road when they sorted the problem.
Posted by CARPETBURN over 10 years ago
Also to add, obviously they had to find out what customers were affected before they could contact them, and obviously that cant be done over night.
Posted by pr100 over 10 years ago
PlusNet themselves have said that they received tickets from customers dating back to May 4 alerting them to a Webmail Trojan. Some of the people who sent those alerts to PlusNet have posted in the TBB and portal forums including a transcript of their very specific alert notification. It isn't good enough for PlusNet to hang around for many days trying to identify which customers were exposed to the risk. The only correct and responsible action would have been to notify _all_ customers immediately to the possibility that their PCs had been compromised by the Trojan. This they failed to do.
Posted by CARPETBURN over 10 years ago
quote "...possibility that their PCs had been compromised by the Trojan..."
Highly doubtful, it was an attack on Plusnet equipment not users.
A week turn around to identify, and notify hundreds of thousands of customers is not that long, i can name several ISps that wouldnt have notified users. In fact to back up what i said previously... There is a new news story on here today about Tiscali having email issues and they completely deny technical issues, at their end, at least Plusnet took action.
You must be logged in to post comments. Click here to login.