next »

[mikeb]

OK, this might well be nothing to do with PN at all and I must say there is a slight aroma of SPAM, hacking or wind-up here but I don't have time just now to investigate further.  I will do so later on tonight as well as checking logs and changing passwd as a precaution etc. but I have received a very very strange and suspicious looking e-mail today apparently from support@plus.net

In fact I received two copies in much the same was as I do for most PN A/C related e-mails - one to postmaster@my_account.plus.com and one (in this case a CC:) to my_usual_name@my_account.plus.com.  The e-mail contains my full name and in all respects other than some 'interesting' looking IPs in the routing appears to be exactly the sort of thing one would expect IF AND ONLY IF one had indeed requested a change of A/C type.  Needless to say I haven't and I haven't even been near the PC all day up until now !!!  No one else has any form of access to my A/C or my hard-wired network - at least not without breaking in either physically or electronically anyway ! 

So can anyone advise if someone at PN has had a recent "oh dear, ooops" moment or if there is a known issue somewhere in or around PN Towers ?  In the meantime I will consider it as being someone playing silly b*ggers until I get the chance to check everything out properly, find out just who this mysterious "Daniel" is and subsequently give him a d@mn good slap

Envelope-to: postmaster@my_account.plus.com
Delivery-date: Fri, 19 Jan 2007 17:45:20 +0000
Received: from ptb-mxcore02.plus.net ([212.159.14.216])
     by pih-sunmxcore12.plus.net with esmtp (PlusNet MXCore v2.00) id 1H7xnh-0003Yu-Kd ; Fri, 19 Jan 2007 17:45:18 +0000
Received: from 84-93-218-87.plus.net ([84.93.218.87] helo=daniel)
     by ptb-mxcore02.plus.net with esmtp (PlusNet MXCore v2.00) id 1H7xjv-00068v-SC ; Fri, 19 Jan 2007 17:41:23 +0000
Received: from localhost (localhost [127.0.0.1])
  (uid 33)
  by daniel with local; Fri, 19 Jan 2007 17:41:13 +0000
  id 0058C4C1.45B102B9.000067E5
To: postmaster@my_account.plus.com
Subject: Your new account details
From: support@plus.net
Old-Return-path: support@plus.net
Reply-to: support@plus.net
Cc: my_usual_name@my_account.plus.com
Message-ID: <courier.45B102B9.000067E5@daniel>
Date: Fri, 19 Jan 2007 17:41:13 +0000
X-Agent-Received: from Plusnet POP (mail.plus.net); Fri, 19 Jan 2007 17:44:47 +0000
X-Agent-Junk-Probability: 0


Dear Mr [my_full_name]

Thank you for choosing PlusNet Broadband Pay As You Go Basic (Annual
Contract, 1 Port Router Modem) with included 450MB bandwidth as your new
account!

To confirm, your PlusNet account details are as follows:

* Your e-mail address is  postmaster@my_account.plus.com, where postmaster
can be replaced by any word you like or any existing mailboxes on your
account.
* Your Web address (URL) is http://www.my_account.plus.com







About your PlusNet Broadband Pay As You Go Basic (Annual Contract, 1 Port
Router Modem) with included 450MB bandwidth account

We hope that you enjoy your PlusNet account, and if you need any
assistance with any of our services you can contact us 24-hours a day,
7-days a week. If you have a question - quickly find your answer in our
Help & Support section - http://www.plus.net/support/

If you require the access number for your account - this can be found in
the Connection Settings section of My Account in the Member Centre.

To enjoy the features of your new account, please disconnect from the
Internet and then re-connect.


My Referrals

Here's a customer referral scheme with a real difference. My Referrals
gives you the chance to get FREE Internet access and even CASH returns when
you recommend our services to your family, friends and colleagues. For
every single person who joins us on your recommendation, you will receive a
reduction on your subscription for as long as they remain a customer -
http://www.plus.net.


Regards,

Customer Support
http://www.plus.net

My Referrals - It pays to recommend PlusNet!

Our reference: E0087

[mikeb]

OK, a quicky check on the Portal shows that I am still apparently on a Premier A/C and that there are no recent support e-mails logged other than the usual billing and BW reset comments etc.

So, assuming that "Daniel" using IP: 84.93.218.87 is not an authorised PN employee with full access to my A/C details or whatever then I consider this user to be 100% guilty of abuse and possibly also of obtaining personal information (either from PN or elsewhere) relating to myself and my PN A/C.  I therefore DEMAND that this user's A/C is suspended with IMMEDIATE EFFECT pending a full enquiry into the circumstances under which this personal information was obtained.

If this particular user is indeed a PN employee then I would very much like to know exactly what he was doing and, more to the point, why he was sending such messages via PN in the name of 'support' without using the appropriate method and procedures. 

Suffice it to say that I am not best pleased and have far better things to do than deal with [Censored] like this but I will be raising a ticket shortly.  Unless I get some serious answers PDQ (with 'quick' measured in terms of mins/hours rather than days/weeks) then I shall be considering this a serious breach of the DPA and dealing with it accordingly through the formal channels 

[scarymonkey]

It might be an idea to forwsrd the email (inc headers) to abuse as well as opening a ticket about it.

Out of interest, are all the URLs pointing to the right location?

[biondani]

Maybe this user has a virus and has a mail relay that he is unaware of. Suspending the account immediately wouldn't be the way i would do things. I would make sure that I had proof that the email was knowingly sent first.

Ian

[mikeb]

Been there done that: general ticket raised as well as one for abuse both including raw message including all headers etc.

What you see quoted above is what you get - I don't use HTML so the links in the plain text message quoted above are indeed what they claim to be.

There is something very odd going on somewhere and even if it is a genuine mistake somehow then appropriate action needs to be taken.  The e-mail contains relevant personal information on myself as well as my PN A/C and this information is unlikely to have been obtained from anywhere other than PN.  Answers and action needed real quick please Mr.PN.

[cogilvie]

Got a ticket number / username?

[mikeb]

Maybe this user has a virus and has a mail relay that he is unaware of. Suspending the account immediately wouldn't be the way i would do things. I would make sure that I had proof that the email was knowingly sent first.

Having had to deal with abuse problems from users on other (foreign) ISPs it is exactly the right thing to do IMHO.  Abuse depts. poncing about doing very little apart from e-mailing the customer several times over a period of several weeks does nothing to stop the abuse. Suspending the A/C in the first instance forces the user to recognise and deal with the problem before they can continue using the A/C. 

I don't care in slightest whether the abuse is malicious or accidental it's irrelevant. The point is, the abuse should be prevented immediately. Suspending an A/C in the first instance forces a solution of a problem in a timely manner no matter what the problem is. In previous instances I was receiving 1000's of several MB emails virtually continually day/night for weeks because abuse couldn't/wouldn't take action.

Suspend first and ask questions after - the only sensible route to resolving an abuse problem !

[mikeb]

Got a ticket number / username?

21115783 (general from following change of A/C)

21115800 (abuse)

Both tickets basically the same but I thought it might speed up the response if they were routed to relevant depts.

username: [edited] <dot> plus <dot> com  but I'm not that comfortable with it being left hanging around in full view on here so please eat after reading or whatever !

Many thanks for wandering past and taking a look Colin

[chillypenguin]

This reminds me of a problem that I had about two years, whereby another customer logged into the portal to make some changes to their account, but due to a security problem they had logged into my account, giving them access to my account details.

They spotted the mistake and inform me, as well as PlusNet.

After exposing the security flaw on the forums, PlusNet said that they had fixed the problem. But a very similar issue came up again before Christmas. This makes me think that there are still problems authenticating users on the portal.

The same thing could have happen to you, and the other user did make changes to your account, but if this is the case it should show in your ticket history.

The explanation given at the time was a problem with auto login cookies, where two users could be issued with the same cookie. and the odds of it happen are very slim, but possable.

Chilly

[chillypenguin]

Reference thread;
http://portal.plus.net/central/forums/viewtopic.php?t=21622

[chillypenguin]

Ok, last replay to myself

This issue occurred around 10-11 October 2004, as confirmed by my forum post.

I have just tried to look at my account ticket history from that time, as there was correspondence between PlusNet and myself about this issue, but none, gone, missing.
There are older tickets in the history but I could not find any detailing this issue.

Very odd, if I was a conspiracy theorist, I would say that PlusNet shot Kennedy.

Chilly

[mikeb]

Hmmm, I remember all that (and similar events later) but I don't think this is the same kinda thing. This doesn't appear to be a standard PN e-mail advice sent through the 'normal' channels and it most certainly isn't recorded on the portal logs.  An (apparently) fake 'support' email has been sent from a PN-dial-adsl IP by an unidentified PN user using the normal mail servers and this e-mail contains relevant personal information obtained from somewhere. 

If it is related to some portal problem with auto-login or whatever then the user has clearly obtained relevant personal information and then crafted/sent the e-mail to me. Either way and whatever the source of the data or identity of the perpetrator, it's all well dodgy !

[dtomlinson]

Hi,

I've been speaking with Colin and one of the guys in the CSC and we believe this isn't a problem with the portal, as chilly suggest. It looks as though the email has been generated from one of our developer's machines (the IP is one of our internal IP's) which will mean it will have come from the alpha platform (part of the development platform where the developers write new code and test problem fixes) rather than the live code base and so is absolutely nothing to worry about.

Of course the alpha platform shouldn't be sending out emails to customers, which I can assure you further investigations will be done on Monday.

I'm sorry for any confusion that's been caused here but would like to reassure you that in no way has you account or personal data been compromised and it looks like a simple error in our development area.

[mikeb]

Thanks for the swift action guys, mucho appreciated   And sorry for getting a bit heated earlier on but I *really* wasn't looking forward to taking everything off-line and spending the next 'n' days doing full virus/spyware checks on all machines on the network plus changing no end of passwords and so on after a real bad day !

Panic over it would appear which I think must make it beer o'clock or something strangely similar .... and time for 'Daniel' to be on the receiving end of a real good slap sometime soon