Column: Anti-Spam Culture Helped Spawn List Theft

If it weren’t for eight years of hysterical vitriol from the anti-spam camp, whoever apparently stole some e-mail lists from hosting firm SparkLIST Corp. and made them available to at least one well-known spammer probably wouldn’t even have thought to commit this particular act of what looks like revenge.

At least five and possibly as many as 21 list owners whose files are hosted by SparkLIST claim some subscribers began complaining about receiving unsolicited pornography e-mail in August, about the time SparkLIST was acquired by Lyris Technologies and moved operations from Green Bay, WI, to Lyris’ headquarters in Berkeley, CA.

Spam received at some single-use e-mail addresses specifically set up to track such things tipped off the list owners that their files either were copied and stolen or hacked and made available to at least one spammer.

If it weren’t for these self-appointed spam cops, the list owners wouldn’t even have known their files were hijacked.

“This is every CEO’s worst nightmare,” a CEO of another e-mail firm told me after the story broke. Worst nightmare? Folks, these aren’t the codes for launching U.S. nuclear warheads. They’re e-mail addresses. To be fair, e-mail lists often represent their owners’ whole business. But the question no one is asking is why someone thought to steal them in the first place.

Word-to-the-Wise LLC, the company Lyris hired to investigate, has identified the source of the resulting spam as Gaven Stubberfield, a name listed on anti-spam site as the contact person for a “Raleigh North Carolina Spam Gang.” But Stubberfield may not even be a real person. What’s more, Stubberfield probably thinks he came by the names legitimately.

Also, he’s famous in anti-spam circles, so Internet service providers already are on the lookout for his e-mail to filter it out. As a result, many people on the lists in the SparkLIST caper probably didn’t even receive spam.

All evidence in the SparkLIST case suggests an inside job. Many close to the situation think a former SparkLIST employee may have made the files available to the spammer as revenge for the loss of jobs when SparkLIST’s operations were moved. Some former SparkLIST employees are understandably bristling at this suggestion.

In any case, it would do us all some good to stop and think of why hijacking e-mail lists would occur to someone as revenge.

It certainly wasn’t the money. One second before this sentence was written, I received a spam offering me 17 million e-mail addresses for $247. The SparkLIST incident reportedly involved maybe 2 million addresses.

Anti-spammers have been foaming at the mouth ever since two Arizona lawyers in 1994 sent the first unsolicited commercial pitch into a Usenet discussion group for their immigration services. To give anti-spammers their due, they correctly predicted that because e-mail lacks the economic governors that postal mail has – the cost of postage, paper, etc. – spam left unchecked would begin to render e-mail boxes unusable. With 1,313 messages sitting in my e-mail box right now, I can vouch for their predictions.

But they have made spam such an emotional issue that rational debate on the subject is practically impossible.

For example, when Anne Holland, publisher of, brought it to the attention of an anti-spam discussion group that her files had been compromised, one participant accused her of lying to cover up for spamming to her own list. Accusations like this aren’t remotely uncommon in the anti-spam camp. This lynch mob has a lightning-fast accusatory finger, and the person who hijacked lists from SparkLIST knows it. Spam to SparkLIST-hosted files would assuredly be a PR nightmare for Lyris – a smear job made possible by anti-spammers’ hang-’em-first, ask-questions-later culture.

Anti-spammers have every right to be as outspoken as they want to be, but this issue is not about spam, it is about an apparent theft aiming to damage a company’s reputation.

Understandably, some list owners are calling for more e-mail list security measures from their service providers.

But common sense says that there is no such thing as a foolproof security system for e-mail lists. If the list is to be used, the addresses at some point must be in deliverable form. At that point they are vulnerable to theft. No number of bureaucratic hoops will 100 percent protect against an employee with malicious intent who has access to the files.

Take reasonable security measures, certainly. But be aware that every bureaucratic hoop a service provider must go through – even something as simple as filling out forms – costs money, and e-mail hosting and delivery is a bottom-dollar business. Meanwhile, find out who is responsible for the SparkLIST incident and legally steamroll him until his only job qualification is the ability to ask, “you want fries with that?”

Then maybe the next twit will think twice before hijacking an e-mail list as an act of petty revenge.

Related Posts