SparkLIST Questions Highlight Web Security Woes

A number of e-mail newsletter publishers are complaining that someone is spamming their proprietary e-mail lists — raising the question of how secure any data really can be in the hands of a third-party vendor.

The e-mails in question seem to have originated from one or more mailers operating out of Raleigh, N.C., known in anti-spam circles as the “North Carolina Spam Gang.” It is not known how the group obtained the lists; calls to its suspected leader were not returned by press time.

The lists had been maintained by SparkLIST.com, an e-mail services provider that was acquired in August by Berkeley, Calif.-based Lyris Technologies, which had previously only owned a stake in the company. According to sources close to the firms, only a handful of SparkLIST’s original, Milwaukee, Wis.-based staffers were retained through the merger.

Lyris, which services clients including Disney, NBC and other firms, had provided the technology powering SparkLIST’s ASP. Jupitermedia, the parent company of internetnews.com, is also a SparkLIST customer.

Speaking with internetnews.com, company officials suggested that whatever breach had occurred had taken place in August, before Lyris had fully taken over control of SparkLIST’s operations.

“Some of the spam was sent prior to the transition of technology to California,” Lyris Chief Operating Officer Steven Brown said. “That makes the investigation a little more complicated. We’re dealing with an infrastructure and an employee base that is not entirely our own.”

On Friday, SparkLIST issued a statement to customers acknowledging the breach publicly for the first time.

“I’m taking this issue very seriously, and I’ve been in contact with all the customers that have raised their hands about this,” Brown said. “If other clients come forward with spam … I will look at it immediately.”

Brown added that the company is conducting an internal inquiry while also retaining an outside security consultant, Word to the Wise.

A number of newsletter publishers affected by the spam were smaller, independent businesses involved in the online marketing arena, who suspected something was amiss when subscribers began reporting that spam had come to addresses used only for the newsletters.

Andy Sernovitz, chief executive at New York-based GasPedal Ventures — one of the e-mail marketing consultancies affected — said he received dozens of complaints from subscribers.

Yet in spite of the apparent misappropriation of data — regardless of how it happened — Sernovitz and others agree that such occurrences are almost a cost of playing the Internet business game.

“Hacking is something that happens — people understand it happens — but the real issue is how a company responds,” Sernovitz said.

Even e-mail service bureaus agree.

“Security is an ongoing battle, and we have a company monitor our security daily,” said Michael Mayor, NetCreations’ president. “It’s an evolving process — you can’t just leave it alone and walk away and think it’ll be okay forever. The hackers get better and better at it. You have to be serious about your investment in security and think of it long-term.”

“There are people out there who want access to your address, and they’re very creative and diligent people,” he added. “You just have to know it’s a problem, and follow through with addressing it.”

While SparkLIST did not comment on this story, the company’s site says its servers are “specifically insulated against hackers for an added peace of mind.”

Often, e-mail list managers and mailers rely on a number of security procedures, ranging from changing user IDs and passwords often, to ensuring that only a limited number of qualified personnel have access to client data, to making certain that terminated employees’ access is revoked.

“There’s architectural implementation issues as well,” said John Matthew, vice president of operations at Bigfoot Interactive. “The database should be isolated, in a sense, from the Internet. Our database is not accessible to the outside world — all access is only through APIs that we have internally. That’s the only method to get to the database.”

Steven Gittleson, vice president of technology at NetCreations, said his firm encrypts e-mails in its database and prohibits a user of its list management and distribution application from actually viewing e-mail addresses.

“We never, ever, return e-mail addresses to a user that’s in the application,” he said. “A user, who’s been authenticated twice, in our [internal] network and in the application … will never be able to [see] actual e-mail addresses in the lists — only information about the lists.”

Gittleson also said the company keeps e-mails in an off-site, secure data center.

But even such efforts aren’t always sure-fire, which is why a number of vendors use processes like audit trails.

“Every [database] action is logged: the user, the date, as well as the action,” Matthews said. “So if there is any kind of compromise, we could go back to determine the user ID that initiated that action, and when that occurred. So, we could limit the impact [of a security breach] just by viewing the audit trail.”
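As an added illustration of the two controls described above (not code from NetCreations, Bigfoot Interactive or any company quoted here), a small list store whose application-facing calls return only information about a list, never addresses, and whose every action lands in an audit trail that can be queried after a compromise for the user IDs and times involved. The `ListStore` class, the `mailer-service` principal and the HMAC-SHA256 counter-mode cipher are all assumptions made so the example runs on the standard library alone; the article names no cipher.

```python
import hashlib, hmac, os
from datetime import datetime, timezone


class ListStore:
    """Constructed example (not SparkLIST, Lyris or NetCreations code): addresses are
    encrypted at rest, users only get list metadata, and every action is audit-logged."""

    def __init__(self, key: bytes):
        self._key = key
        self._lists = {}   # list name -> [nonce + ciphertext, ...]
        self.audit = []    # (utc timestamp, user id, action, list name)

    def _log(self, user, action, name):
        self.audit.append((datetime.now(timezone.utc), user, action, name))

    def _keystream(self, nonce, n):
        # HMAC-SHA256 in counter mode, a stdlib-only stand-in for a real cipher (assumption).
        blocks = [hmac.new(self._key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32)]
        return b"".join(blocks)[:n]

    def _seal(self, addr):
        data, nonce = addr.encode(), os.urandom(16)
        return nonce + bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))

    def _open(self, blob):
        nonce, ct = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()

    def add_subscriber(self, user, name, addr):
        self._log(user, "add_subscriber", name)
        self._lists.setdefault(name, []).append(self._seal(addr))

    def list_info(self, user, name):
        # All an application user ever gets back: information about the list, never addresses.
        self._log(user, "list_info", name)
        return {"name": name, "subscribers": len(self._lists.get(name, []))}

    def addresses_for_delivery(self, principal, name):
        # Plaintext leaves the store only for the mailing engine, and that read is logged too.
        if principal != "mailer-service":
            self._log(principal, "denied:addresses_for_delivery", name)
            raise PermissionError("only the mailing engine may read addresses")
        self._log(principal, "addresses_for_delivery", name)
        return [self._open(b) for b in self._lists.get(name, [])]

    def who_touched(self, name, since):
        # The post-incident question from the article: which user IDs acted on this list, and when?
        return [(ts, user, action) for ts, user, action, n in self.audit if n == name and ts >= since]
```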

NetCreations also uses Riptech, a unit of Symantec, to monitor its systems for hacker intrusion. As with audit trails, monitoring doesn’t necessarily prevent data loss, but instead relies on reviews of the system to learn quickly about any sort of attempt to breach it.

Lyris’ Brown said that the company had beefed up SparkLIST’s security after the merger.

“We made some changes to the SparkLIST network since the acquisition, including reformatting all of SparkLIST’s hard drives with new operating systems, removing all operating system passwords, and upgrading the SparkLIST servers to the latest version of our hosting software,” he said. “I’m very confident of the security of our network. I can’t comment on the security prior to the acquisition.”

One of the major hurdles that the average e-mail recipient faces is that some companies — both vendors and clients — don’t take privacy as seriously as they ought, say players in the space.

“I don’t know if people are taking it as seriously as they should,” Mayor said. “If it’s done through a third party, or if someone’s doing their own hosting, I don’t know if it’s something you can’t take too seriously. [Vendors] need to understand that security is a necessary part of your expenses here, and you have to include that into your operating expense … If you don’t make an ongoing commitment to do that you’re not going to have that asset for much longer.”

“It raises a lot of issues, and I think that people that are looking for an e-mail provider or service bureau should really be asking these questions — how secure is it, what are you doing and what is your ongoing action plan to protect your lists?” he added. “Those are obvious questions for some people, but not for others.”

Some said that a few marketers, on the other hand, are becoming increasingly savvy about the issue.

Bigfoot Interactive spokespeople said that a number of incoming RFPs that it’s seen have shown a growing sophistication in asking about the thoroughness of its data security measures.

Matthew also said that increasing customer demand for tight data policies is also prompted by ballooning e-mail marketing by financial services and other industries in which data collection, sharing and security are heavily regulated.
