List Owners: Spammers Stole Our E-Mail FilesSome e-mail list owners are claiming that pornography spammers have gained access to their files in what could be the biggest theft of e-mail lists ever.
At least three and possibly as many as 21 publishers whose files are hosted by SparkLIST Corp. think that their subscribers have begun to receive spam that can be explained only one way: Their lists were somehow hijacked.
Anne Holland, publisher of MarketingSherpa.com, became aware of the possible theft of her e-mail files in August when she received an e-mail from a subscriber to one of the organization's eight newsletters who claimed to have been spammed by MarketingSherpa.
"We don't rent our lists," Holland said. To investigate, she sent an e-mail to certain addresses explaining that she believed her lists had been stolen, asking whether they had received spam. The addresses were those of subscribers who set up special e-mail addresses for each newsletter. The folks who do this are often anti-spammers tracking how the list owner uses their address, and are often easily identifiable because they start with the list owner's company name, DMNews@Don'tSpamMe.com, for example.
As a result, they could receive spam only if MarketingSherpa's lists were hijacked, Holland said. Twenty-five percent of them responded that they had been spammed at those addresses.
"I'm extremely lucky that we've got a strong brand and that our readers trust us," Holland said.
Andy Sernovitz, CEO of e-mail consulting firm GasPedal, New York, claims that owners of single-use addresses on his lists are claiming to have been spammed as well.
"The lists that we were hosting at SparkLIST are definitely being used by spammers, and based on the addresses that are receiving spam, there's no other possible way this could happen," said Sernovitz, who also founded the Direct Marketing Association's Association for Interactive Marketing.
Since going public with the problem this month, Holland claims she has been contacted by 20 other list owners whose files are hosted by SparkLIST.com and who think someone stole their files and has been selling the names to spammers. She estimates that as many as 2 million e-mail addresses may have been swiped.
The timing of the incident coincides with SparkLIST's acquisition by Lyris Technologies and the move of its operations from Green Bay, WI, to Lyris' headquarters in Berkeley, CA. Some publishers believe a disgruntled former SparkLIST employee may have stolen the files.
Lyris claims five list owners have contacted the company to say they suspect someone is spamming their files.
"If we had a pissed-off employee, it would seem that we would get a lot more complaints," Lyris programmer Phillip Thorne said.
The company has hired anti-spam consulting firm Word to the Wise LLC to investigate.
"They're going to help us sift through this information to identify the origin of the spam," Lyris chief operating officer Steven Brown said.
As for the possibility of theft by a former employee, Brown said, "That is a touchy issue, but one that we have to look into."
Brown said he has not called police because he has nothing concrete to tell them.
"If you were the authorities and I called you and said 'some of my list owners got spammed,' what could you do about it? Everybody gets spam," he said. "I will be on the phone to the proper authorities in two seconds as soon as we can clearly indicate who sent the spam or what Internet service provider they were using."
Among the list owners who think their lists were hijacked is Dr. Ralph Wilson, author and publisher of marketing Web site WilsonWeb.com and various newsletters including Web Marketing Today.
Wilson declined to talk on the record, saying he'd rather deal with the problem personally than in the press, but said in part in a statement to his 130,000 subscribers: "I am sorry to report that recently my list was stolen by a spammer, though I'm hard at work tracking down the criminal and have enlisted some of you to help. I am taking renewed steps to protect all of our privacy."
Meanwhile, tracking who may have stolen the files may not be the most important next step, Holland said.
"To some degree, the damage is done," she said. "At this point, the most important thing is [for list owners to ask themselves] 'what have we learned from this, and how can we make sure our list is more secure?' "
Holland is calling for list hosting firms to begin encrypting e-mail addresses, similar to the way credit card addresses are encrypted. However, though encryption would make it harder to steal addresses, it would not be foolproof, Thorne said.
"The basic problem with e-mail addresses is [at some point] they've got to be available in their plain form to be useful," Thorne said.
"But at least it would make a difference," said Holland, adding that what happened to MarketingSherpa could happen to anyone. "Chances are your lists are not as secure as you think."