A number of e-mail newsletter publishers are complaining that someone is spamming their proprietary
e-mail lists — raising the question of how secure any data really can be in the hands of a third-party
vendor.
The e-mails in question seem to have originated from one or more mailers operating out of
Raleigh, N.C., known in anti-spam circles as the “North Carolina Spam Gang.” It is not known how the
group obtained the lists; calls to its suspected leader were not returned by press time.
The lists had been maintained by SparkLIST.com, an e-mail services provider that was acquired in
August by Berkeley, Calif.-based Lyris Technologies, which had previously only owned a stake in the
company. According to sources close to the firms, only a handful of SparkLIST’s original, Milwaukee,
Wis.-based staffers were retained through the merger.
Lyris, which services clients including Disney, NBC and other firms, had provided the technology
powering SparkLIST’s ASP. Jupitermedia, the parent company of internetnews.com, is also a SparkLIST
customer.
Speaking with internetnews.com, company officials suggested whatever breach had occurred had
taken place in August, before Lyris fully had taken over control of SparkLIST’s operations.
“Some of the spam was sent prior to the transition of technology to California,” Lyris Chief
Operating Officer Steven Brown said. “That makes the investigation a little more complicated. We’re
dealing with an infrastructure and an employee base that is not entirely our own.”
On Friday, SparkLIST issued a statement to customers acknowledging the breach publicly for the first
time.
“I’m taking this issue very seriously, and I’ve been in contact with all the customers that have
raised their hands about this,” Brown said. “If other clients come forward with spam … I will look
at it immediately.”
Brown added that the company is conducting an internal inquiry while also retaining an outside
security consultant, Word to the Wise.
A number of newsletter publishers affected by the spam were smaller, independent businesses involved
in the online marketing arena, who suspected something was amiss when subscribers began reporting that
spam had come to addresses used only for the newsletters.
Andy Sernovitz, chief executive at New York-based GasPedal Ventures — one of the e-mail marketing
consultancies affected — said he received dozens of complaints from subscribers.
Yet in spite of the apparent misappropriation of data — regardless of how it happened — Sernovitz
and others agree that such occurrences are almost a cost of playing the Internet business game.
“Hacking is something that happens — people understand it happens — but the real issue is how a
company responds,” Sernovitz said.
Even e-mail service bureaus agree.
“Security is an ongoing battle, and we have a company monitor our security daily,” said Michael
Mayor, NetCreations’ president. “It’s an evolving process — you can’t just leave it alone and walk
away and think it’ll be okay forever. The hackers get better and better at it. You have to be serious
about your investment in security and think of it long-term.”
“There are people out there who want access to your address, and they’re very creative and diligent
people,” he added. “You just have to know it’s a problem, and follow through with addressing it.”
While SparkLIST did not comment on this story, the company’s site says its servers are “specifically
insulated against hackers for an added peace of mind.”
Often, e-mail list managers and mailers rely on a number of security procedures, including
changing user IDs and passwords often, ensuring that only a limited number of qualified personnel have
access to client data, and making certain that terminated employees’ access is revoked.
“There’s architectural implementation issues as well,” said John Matthew, vice president of
operations at Bigfoot Interactive. “The database should be isolated, in a sense, from the Internet.
Our database is not accessible to the outside world — all access is only through APIs that we have
internally. That’s the only method to get to the database.”
Steven Gittleson, vice president of technology at NetCreations, said his firm encrypts e-mails in
its database and prohibits a user of its list management and distribution application from
actually viewing e-mail addresses.
“We never, ever, return e-mail addresses to a user that’s in the application,” he said. “A user,
who’s been authenticated twice, in our [internal] network and in the application … will never
be able to [see] actual e-mail addresses in the lists — only information about the lists.”
Gittleson also said the company keeps e-mails in an off-site, secure data center.
But even such efforts aren’t always sure-fire, which is why a number of vendors use processes like
audit trails.
“Every [database] action is logged: the user, the date, as well as the action,” Matthew
said. “So if there is any kind of compromise, we could go back to determine the user ID that initiated
that action, and when that occurred. So, we could limit the impact [of a security breach] just
by viewing the audit trail.”
NetCreations also uses Riptech, a unit of Symantec, to monitor its systems for
hacker intrusion. Like audit trails, monitoring doesn’t necessarily prevent data loss; instead it
relies on reviews of the system to learn quickly about any attempt to breach it.
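The design the vendors describe above (addresses encrypted at rest, an application API that returns only information about lists, and an audit trail that ties every action to a user ID) as a constructed Python sketch. This is added example code, not NetCreations’ or Bigfoot Interactive’s software; the `ListStore` class, its HMAC-based stand-in cipher and the sample addresses are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

class ListStore:
    """Hypothetical list store: addresses encrypted at rest, an API that returns
    only information about lists, and an audit trail entry for every action."""
    def __init__(self, key: bytes):
        self._key = key       # data-at-rest key, held by the service only
        self._lists = {}      # list name -> [(nonce, ciphertext), ...]
        self.audit = []       # (timestamp, user, action, list name)

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # HMAC-SHA256 in counter mode stands in for a vetted AEAD cipher; a fresh
        # random nonce per record keeps keystreams from repeating across addresses.
        return b"".join(hmac.new(self._key, nonce + i.to_bytes(4, "big"), hashlib.sha256)
                        .digest() for i in range((n + 31) // 32))[:n]

    def _encrypt(self, addr: str):
        nonce, pt = secrets.token_bytes(16), addr.encode()
        return nonce, bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))

    def _decrypt(self, nonce: bytes, ct: bytes) -> str:
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()

    def _log(self, user: str, action: str, list_name: str):
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, action, list_name))

    # The only operations exposed to authenticated application users:
    def subscribe(self, user: str, list_name: str, addr: str):
        self._lists.setdefault(list_name, []).append(self._encrypt(addr))
        self._log(user, "subscribe", list_name)

    def list_info(self, user: str, list_name: str) -> dict:
        self._log(user, "list_info", list_name)   # read access is logged as well
        return {"name": list_name, "subscribers": len(self._lists.get(list_name, []))}

    def send(self, user: str, list_name: str, deliver) -> int:
        # Addresses are decrypted only here, inside the delivery path, and handed to
        # the internal mailer callback; the calling user gets back only a count.
        self._log(user, "send", list_name)
        records = self._lists.get(list_name, [])
        for nonce, ct in records:
            deliver(self._decrypt(nonce, ct))
        return len(records)

    # Incident response: trace an action on a list back to the user IDs that initiated it.
    def who_did(self, action: str, list_name: str) -> list:
        return [(ts, user) for ts, user, act, name in self.audit
                if act == action and name == list_name]
```

No public method returns an address, so a compromised application account yields list names and counts but not the list itself, while `who_did` answers the question Matthew describes: which user ID initiated a given action, and when.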
Lyris’ Brown said that the company had beefed up SparkLIST’s security after the merger.
“We made some changes to the SparkLIST network since the acquisition, including reformatting all of
SparkLIST’s hard drives with new operating systems, removing all operating system passwords, and
upgrading the SparkLIST servers to the latest version of our hosting software,” he said. “I’m very
confident of the security of our network. I can’t comment on the security prior to the acquisition.”
One of the major hurdles that the average e-mail recipient faces is that some companies — both
vendors and clients — don’t take privacy as seriously as they ought, say players in the space.
“I don’t know if people are taking it as seriously as they should,” Mayor said. “If it’s done
through a third party, or if someone is doing their own hosting, I don’t know if it’s something you can’t
take too seriously. [Vendors] need to understand that security is a necessary part of your
expenses here, and you have to include that into your operating expense … If you don’t make an
ongoing commitment to do that you’re not going to have that asset for much longer.”
“It raises a lot of issues, and I think that people that are looking for an e-mail provider or
service bureau should really be asking these questions — how secure is it, what are you doing and what
is your ongoing action plan to protect your lists?” he added. “Those are obvious questions for some
people, but not for others.”
Some said that a few marketers, on the other hand, are becoming increasingly savvy about the issue.
Bigfoot Interactive spokespeople said that a number of incoming RFPs that it’s seen have shown a
growing sophistication in asking about the thoroughness of its data security measures.
Matthew also said that increasing customer demand for tight data policies is prompted by
ballooning e-mail marketing by financial services and other industries in which data collection,
sharing and security are heavily regulated.