September 18, 2002
How To

SUMMARY:
As you know, a spammer stole our list last month, and now it has
become clear that most email marketers' and publishers' lists are
also at risk.  This extra-long special report (prints to eight
pages) includes details on:

  - Perception vs. reality: How secure is your list really?
  - Additional security measures you should take
  - How to track down a list thief
  - Your legal remedies
  - 7 Useful (and fun) links

"Your situation is every legitimate, opt-in service's nightmare."
Matt Peterson, President of MyWeather LLC, was one of many
MarketingSherpa readers to contact us with support and questions
after we published Part I of this Special Report two weeks ago.
(See below for link.)
Luckily, MyWeather's list of almost a million opt-in email names 
was not affected by the security breach that we and 4-20 other 
list owners were victims of.  (All affected list owners were 
clients of one particular list host firm as described below.)
However, as we pointed out in our last issue, this could happen 
to anyone.  Here is the follow-up report we promised you:
   a. Survey Results & a Call to Encrypt Email Addresses
   b. Additional Security Measures for Your List
   c. If somebody is sending spam to your list (or you), how can 
      you track down the culprit?
   d. When you catch a spammer, what are your legal remedies in 
      the US?
   e. Moving forward: How we and our list host firm have
      continued dealing with the crisis
   f. Links:  Useful links for you to continue research and 
      to get in touch with other list owners and techies
---
a. Survey Results & a Call to Encrypt Email Addresses
---   
"What's the big deal?  Who cares if their email is stolen by a 
spammer?" New York Times reporter Matt Richtel asked our 
Publisher Anne Holland when he interviewed her for a story last 
week.  
We conducted a quick reader survey to find out how much people 
care about their email addresses.
The 539 survey respondents were mainly professionals involved in 
email marketing, publishing or hosting, so we do not know how 
their answers would match up against the overall Net population.  
However, their answers were so striking that we believe this survey
reveals a real trend:
52% said they would rather switch credit cards than switch email 
accounts.  (Note: this number was about the same both inside and 
outside the US.)
Why?  We suspect it is because changing email addresses is such a
pain.  You have to notify your family, friends, newsletter
subscriptions, colleagues, etc., and then hope they remember to use
the new one.
Changing a credit card number is fairly easy.  Plus, in 
the US at least, if your credit card number is stolen the law 
protects you from excess charges.  If your email address is 
stolen, nothing protects you from the spam.
(Note: We have written a Guide for Consumers on stopping spam, see 
below for a link to a complimentary copy.)
   -> Perception vs. Reality: How Secure is Your List?
 
We also asked survey participants "How safe do you think your 
email address is when you give it to a merchant or publisher?" 
and then "How safe do you think your subscribers' [email] 
addresses are in your system?"
The results were stunning.   Basically most list owners think 
their own lists are secure, but they do not trust anyone else's 
security.
Perceptions of Their Own and Others' Email List Security 
                          Others' Lists         Own List
Very insecure                 15%                  5%
Somewhat insecure             45%                 10%
Never thought about it         8%                 10%
Somewhat secure               30%                 33%
Very secure                    2%                 42%
What is most startling about these results is the fact that the 
75% of respondents who said their own lists were somewhat or very 
secure had just read our article which detailed why almost 
nobody's lists are really secure today.  
This tells us that a heck of a lot of list owners are in denial.
 
   -> The Cost and Benefit of Greater Email List Security
In Part I of this Special Report, our Tech Editor, Alexis Gutzman, 
suggested email address encryption as a solution.
Since then all the experts we have spoken with about the idea have
agreed.
Having the email addresses on your list encrypted, in the same way
many merchants have credit card numbers encrypted in their systems,
would solve much of the security issue, provided the key that
decrypts them is kept somewhere the list database (and its backups)
is not.  A copied database then yields only ciphertext.  There is at
least one vendor working on this right now, as a result of our call
to action two weeks ago.
However, encrypted email addresses require more hardware and
processing power to host a list and to deliver mail to it, so
naturally email list owners' costs will rise.
Is it worth spending more?
Well, given rising consumer fears it may be.  In fact, you could 
turn it into a relationship-building tool just as online 
merchants now boast, "We use a secure checkout page." 
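Here is what "encrypt the addresses the way merchants encrypt card numbers" looks like in practice, as an added example written for this report in Go (it is not code from MarketingSherpa, Lyris, or the vendor mentioned above). It assumes the mailing application holds two keys outside the list database: one for AES-GCM encryption of each address, and a separate one for an HMAC "blind index" that lets the system find duplicates and process unsubscribes without ever decrypting. The address and key values are constructed for the demonstration:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// ListKeys live with the mailing application (or a key service), never in the list
// database, so a copied SQL backup holds only ciphertext and opaque index values.
type ListKeys struct {
	aead  cipher.AEAD // AES-256-GCM under the encryption key
	index []byte      // separate key for the HMAC blind index
}

// NewListKeys takes a 32-byte AES key and an independent key for the index.
func NewListKeys(enc, index []byte) (ListKeys, error) {
	block, err := aes.NewCipher(enc)
	if err != nil {
		return ListKeys{}, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return ListKeys{aead: g, index: index}, nil
}

// List stands in for the subscriber table: blind index -> nonce||AES-GCM(address).
type List struct {
	Keys ListKeys
	Rows map[string][]byte
}

func normalize(addr string) string { return strings.ToLower(strings.TrimSpace(addr)) }

// BlindIndex is HMAC-SHA256 of the normalized address: equality tests (dedupe,
// unsubscribe) work, but the address cannot be recovered from it without the key.
func (k ListKeys) BlindIndex(addr string) string {
	m := hmac.New(sha256.New, k.index)
	m.Write([]byte(normalize(addr)))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// Subscribe stores an encrypted row; a duplicate is rejected on the index alone.
func (l *List) Subscribe(addr string) (bool, error) {
	idx := l.Keys.BlindIndex(addr)
	if _, dup := l.Rows[idx]; dup {
		return false, nil
	}
	nonce := make([]byte, l.Keys.aead.NonceSize()) // fresh per row, so equal addresses differ
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	l.Rows[idx] = l.Keys.aead.Seal(nonce, nonce, []byte(normalize(addr)), []byte(idx))
	return true, nil
}

// Unsubscribe works by index, so the unsubscribe handler never holds the encryption key.
func (l *List) Unsubscribe(addr string) bool {
	idx := l.Keys.BlindIndex(addr)
	_, ok := l.Rows[idx]
	delete(l.Rows, idx)
	return ok
}

// Decrypt runs only at send time, one row at a time. The index is bound as associated
// data, so it fails on a wrong key, a modified ciphertext, or a row re-filed under
// another subscriber's index.
func (k ListKeys) Decrypt(idx string, ct []byte) (string, error) {
	ns := k.aead.NonceSize()
	if len(ct) < ns {
		return "", fmt.Errorf("row %s: ciphertext too short", idx)
	}
	pt, err := k.aead.Open(nil, ct[:ns], ct[ns:], []byte(idx))
	return string(pt), err
}

// LeaksPlaintext is the thief's view: does a dumped table contain addr in the clear?
func LeaksPlaintext(rows map[string][]byte, addr string) bool {
	want := normalize(addr)
	for idx, ct := range rows {
		if strings.Contains(idx, want) || strings.Contains(string(ct), want) {
			return true
		}
	}
	return false
}

func main() {
	enc, index := make([]byte, 32), make([]byte, 32)
	rand.Read(enc)
	rand.Read(index)
	keys, _ := NewListKeys(enc, index)
	list := &List{Keys: keys, Rows: map[string][]byte{}}
	list.Subscribe("Alice@Example.com") // constructed sample address
	dup, _ := list.Subscribe(" alice@example.com")
	fmt.Println("duplicate rejected:", !dup, "| backup leaks plaintext:", LeaksPlaintext(list.Rows, "alice@example.com"))
	for idx, ct := range list.Rows {
		fmt.Println(keys.Decrypt(idx, ct))
	}
	fmt.Println("unsubscribed:", list.Unsubscribe("ALICE@example.com"))
}
```

The point of the split is the failure mode described in this report: a thief who copies the SQL server's tables or a backup gets only index values and ciphertext, while the dedupe and unsubscribe paths keep working without a decryption key. If the encryption key is stored on the same server or in the same backup set, the scheme adds cost without adding protection. Note also that the HMAC index still lets anyone who obtains the index key test whether a given address is on the list, so it must be guarded as carefully as the encryption key.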
---
b.  Additional Security Measures for Your List 
---
As a result of what we've learned with further research, we are 
adding this list of security suggestions to our list from Part I:
*  Make sure that backups of your lists (whether on your own
computer, on another authorized user's, or on the server) are
encrypted or deleted regularly.
*  Make sure that your list host has a procedure in place to 
destroy the previous (or the previous to the previous) generation 
of backups of the database. 
*  Michael Mayor, President of Postmaster Direct, also suggests 
you be very careful about who you and your list host use for 
ancillary services, such as merge/purge and email appending. 
Mayor told us this chilling story, "We had a client request that
we upload their list to a third-party merge/purge vendor. Our
technician, who was supposed to do it, found when he signed into
the vendor's site that he could see files containing lists of
four other clients of this vendor. He realized that they had all 
their clients uploading lists to the same directory, which meant 
that our lists would be visible to anyone else who uploaded to 
that directory. We immediately decided not to work with that 
vendor."
---
c. If somebody is sending spam to your list (or you), how can 
    you track down the culprit?
---
Laura Atkins, a Partner at Word-to-the-Wise (the consulting firm 
currently investigating our own list theft), is one of the experts 
who built SamSpade.org, a collection of network diagnostic and 
spam tracking tools used by hundreds of thousands of people every month. 
We asked her to explain the steps behind tracking down a spammer 
in order to prosecute them:
Step 1. Get as many copies of the spam as you can. More copies
        give you more evidence of when the lists were stolen and
        how they are being used.  When possible, get them with
        complete "headers."  Get your list host expert to give
        you instructions to hand out to spam recipients.
 
Step 2. Publicize what happened. This sounds counterintuitive, 
        but all the publicity we have received for the list theft 
        has resulted in Atkins receiving many additional pieces 
        of evidence related to the theft from unexpected 
        sources.  
        Plus, as crisis communications experts will assure you, 
        confessing a problem can win you points with customers 
        while a cover-up could damage your reputation 
        irrevocably.  
Step 3. Investigate what the spam has in common. In the case of 
        our lists, and the others that were taken, it quickly 
        became clear that no subscribers who subscribed after 
        March 2002 were getting the spam. This helped the 
        investigators determine that the list that was stolen 
        was probably a backup from that period, which was 
        recently sold to a spammer, rather than a recent hack.
        
        There are probably two parties you will want to pursue: 
        the thief and the spammer, which are probably different 
        people.
Step 4. Contact ISPs from which the spam originated as quickly
        as possible, asking them to save the logs from that
        mailing.
        Spammers typically register domain names with forged
        contact information, so the ISPs whose networks they
        send from are the most likely to have their real
        details.  In order to prosecute them, you have to find
        them.  ISPs keep mail and connection logs, but they
        reuse log media, so if you wait too long to ask them to
        hold the logs, the logs might be overwritten.  Give them
        the date, time and sending IP address from the headers
        you collected in Step 1 so they can find the right
        entries.
Step 5. Get all the evidence together to get a lawyer to file 
        for a subpoena to get the data from the ISP. The ISP is 
        usually happy to cooperate, but they do need the 
        subpoena before they can transfer the log files to you.
Step 6. Realize that you are not going to get your list back.  
        This is reality.  
Step 7. If you are considering hiring an outside firm to help you 
        track a spammer down, do it quickly.  Time is not on 
        your side. 
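The header walk in Step 1 and the date comparison in Step 3 can both be automated. The following is an added example written for this report in Go; it is not part of SamSpade or Word-to-the-Wise's toolset. The two spam copies, the hostnames under .example.net, the IP addresses and the join dates are all constructed, and ourServer stands in for whatever test identifies your own (or your list host's) mail servers:

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"regexp"
	"strings"
	"time"
)

var (
	byRe = regexp.MustCompile(`(?i)\bby\s+([A-Za-z0-9._-]+)`)   // the server that wrote the line
	ipRe = regexp.MustCompile(`\[(\d{1,3}(?:\.\d{1,3}){3})\]`) // IPv4 literal as MTAs write it
)

// OriginIP reads a spam copy with full headers and walks the Received: chain from
// the top (the line your own mail server added) downward. The last line stamped by
// a server you trust names the address that connected to you; every line below it
// was written by the sender and may be forged, so it is ignored.
func OriginIP(raw string, trusted func(host string) bool) (string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", err
	}
	origin := ""
	for _, line := range msg.Header["Received"] { // newest hop first
		by := byRe.FindStringSubmatch(line)
		if by == nil || !trusted(strings.ToLower(by[1])) {
			break // not stamped by us: from here down the sender controls the text
		}
		if ip := ipRe.FindStringSubmatch(line); ip != nil {
			origin = ip[1]
		}
	}
	if origin == "" {
		return "", errors.New("no Received: line from a trusted server; headers incomplete or forged")
	}
	return origin, nil
}

// Subscriber pairs an address with the date it joined the list.
type Subscriber struct {
	Addr   string
	Joined time.Time
}

// TheftWindow brackets when the stolen copy was taken: the latest join date among
// subscribers who received the spam and the earliest among those who did not.
// consistent is false when someone who joined after a clean subscriber was spammed,
// which means the reports do not fit a single stolen snapshot.
func TheftWindow(list []Subscriber, spammed map[string]bool) (lastHit, firstClean time.Time, consistent bool) {
	for _, s := range list {
		switch {
		case spammed[strings.ToLower(s.Addr)]:
			if s.Joined.After(lastHit) {
				lastHit = s.Joined
			}
		case firstClean.IsZero() || s.Joined.Before(firstClean):
			firstClean = s.Joined
		}
	}
	consistent = firstClean.IsZero() || firstClean.After(lastHit)
	return
}

// Constructed sample: two spam copies forwarded by recipients. The bottom Received:
// line of spamA claims an aol.com origin and is forged; the real handoff is 203.0.113.45.
const spamA = "Received: from mail-in.example.net (mail-in.example.net [192.0.2.10]) by mx.example.net with ESMTP; Tue, 10 Sep 2002 09:12:01 -0400\r\n" +
	"Received: from relay.badhost.example (unknown [203.0.113.45]) by mail-in.example.net with SMTP; Tue, 10 Sep 2002 09:11:58 -0400\r\n" +
	"Received: from aol.com (aol.com [198.51.100.7]) by relay.badhost.example; Tue, 10 Sep 2002 09:11:50 -0400\r\n" +
	"From: offers@badhost.example\r\nTo: alice@example.net\r\nSubject: buy now\r\n\r\nspam body\r\n"

const spamB = "Received: from cable-pool-77.isp.example (unknown [203.0.113.77]) by mx.example.net with ESMTP; Wed, 11 Sep 2002 02:40:13 -0400\r\n" +
	"From: offers@badhost.example\r\nTo: bob@example.net\r\nSubject: buy now\r\n\r\nspam body\r\n"

// ourServer stands in for whatever identifies your own (or your list host's) mail servers.
func ourServer(host string) bool { return strings.HasSuffix(host, ".example.net") }

func main() {
	for _, raw := range []string{spamA, spamB} {
		ip, err := OriginIP(raw, ourServer)
		fmt.Println("address to ask the ISP about:", ip, err)
	}
	// Constructed join dates; alice and bob reported the spam, carol and dave did not.
	d := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	list := []Subscriber{{"alice@example.net", d("2002-01-14")}, {"bob@example.net", d("2002-03-09")},
		{"carol@example.net", d("2002-04-02")}, {"dave@example.net", d("2002-08-20")}}
	last, first, ok := TheftWindow(list, map[string]bool{"alice@example.net": true, "bob@example.net": true})
	fmt.Println("copy taken between", last.Format("2006-01-02"), "and", first.Format("2006-01-02"), "consistent:", ok)
}
```

The top-down walk is the whole trick: the lowest Received: line in spamA names aol.com, but it was written by the spammer's relay, and only the line stamped by your own server can be trusted. The address it reports (203.0.113.45 here) is the one to give the ISP in Step 4, together with the timestamp from that same line so they can find the right log entries before the media are reused. TheftWindow reproduces the March 2002 reasoning from Step 3 over a whole list; an inconsistent result means the reports are not explained by one stolen snapshot, and you may be looking at more than one copy or a different leak.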
---
d. When you catch a spammer, what are your legal remedies in 
   the US?
---
Anne P. Mitchell, Esq. is one of the top anti-spam lawyers in 
the world.  She's CEO & President of Habeas, Inc. a new company 
that is trying to combine technology and the law to stop spam.  
Previously she served for two years as Director of Legal and 
Public Affairs for Mail Abuse Prevention System (MAPS), a 
pioneering anti-spam service.
We are fortunate to have her private email address, so we sent over
our two biggest questions.  Here are her answers:
MarketingSherpa Question #1: 
If a spammer is using a stolen copy of your list to send out 
spam, what legal remedies do you have in the US?
Mitchell: 
"That really depends on the circumstances of how they acquired 
it, and what exactly they are doing with it.
Under most scenarios, provided that you can demonstrate that it 
is in fact your list, and that they acquired it wrongfully, you 
should be able to file an action for conversion (which is when 
someone improperly takes your property, and 'converts' it and 
treats it as if it were their property).
 
In addition, you may well have valid causes of action for such 
business torts as negligent and intentional interference with 
business relationships (your listees), interference with 
prospective economic advantage (if your list produces revenue for 
you, and your listees are upset about the list being compromised, 
they may no longer be willing to give you their patronage), and 
interference with contractual relationships (if you have 
something which can be considered a contract with your listees).
Finally, if the spammer is using your list and in any way using 
material trademarked to you, or in which you have copyright, in 
the mailings (such as your domain name), you may have an action 
for copyright or trademark infringement."
MarketingSherpa Question #2: 
Realistically, how likely is it that you can nail a spammer in
court, given that so many of these people hide behind false names,
addresses, etc.?  Aren't they close to impossible to catch in
person?
Mitchell: 
"There are certainly some spammers who are very hard, to nearly 
impossible, to find, but for the most part, if you have the 
resources, and, at least as important, the resourcefulness, you 
can find them.
It is true that it is fairly easy to disguise the origin of 
spam, but most of the time a competent spam investigator can 
follow the transit trail, and determine from where the spam was 
actually sent. 
One of the reasons that finding the individual who pushed the 
'send' button often seems difficult is that, due to privacy 
concerns, ISPs are unable to share information about their users, 
even ones who are spamming, with the aggrieved recipients of that 
spam.  
However, there are tools which can be employed in the course of a
lawsuit, such as subpoenas, which require the ISP to divulge that
information (and in truth, most ISPs are happy to be able to
legally tell you who their problem spammers are, once served
with a demand which legally requires them to share that
information).
Finally, just a quick word of advice:  if your mailing list has 
been stolen, be sure to alert your ISP and any mailing service 
provider right away, so that if they start getting complaints 
they will know what is going on, and that you are an innocent 
victim, not the perpetrator."
http://www.habeas.com
---
e. Moving forward: How we and our list host firm have continued 
   dealing with the crisis
---
Loads of you have contacted us to ask who our list host firm was.  
We did not publish their name initially because we wanted to focus 
on the bigger picture that affects all email list owners today.
No matter who your list host firm is, or even if you host in-
house, your list can be stolen.  
Since our last issue, reports in DM News, CNET, the New York 
Times and apparently soon WSJ.com, have named our list host firm 
SparkLIST, which is owned by Lyris.  Lots of people started 
writing in asking, "Oh gosh, are we affected too?"
Here is the scoop:  If you were a SparkLIST client as of March
2002, there is a chance your list was among those affected.  20
list owners representing more than 400 lists have contacted us to
say they suspect they were victims.  According to Lyris, just
five owners including ourselves have contacted them.
If you suspect you are among the affected lists, but you do not 
want to contact Lyris for some reason, you can still help the 
investigation move forward by speaking with Word-to-the-Wise, the 
consultants who have been called in to research this.  These 
consultants say they can guarantee privacy.  See link to their 
site below.
If you are a Lyris.net list host customer or a SparkLIST host 
customer, you can contact Lyris directly for a memo of the most 
recent security precautions they have put in place to shield lists 
from further incursions.  
If you are an enterprise user of Lyris software, you are not
affected. This security breach was related to the SQL server that
stored the database of addresses, not to the Lyris technology.
Congratulations, your lists are just as (in)secure as the rest of
the world's.
Everyone wants to know what we will be doing next.  
Well, we are dealing with business reality.  We have turned over as
much information as we can to the proper authorities, and we are
letting them handle the investigation from here on out.  It is time
to focus on our core business, which is publishing practical
newsletters on marketing and the publishing industry.
However, we did do one thing to help ourselves and our readers 
relieve some of the frustration that spammers are adding to our 
lives.  We invented a new online game called: Torture a Spammer
http://torturegame9.MarketingSherpa.com
It is a fun game (you make your choice of six most-despised 
spammers feel your pain with four different fun tortures, 
including our favorite, Flying Killer Monkeys) with a serious 
message (permission-based opt-in email is the responsible way 
to go).
 
Game players can also get their choice of two complimentary
educational booklets:
#1. "The Consumer's Guide to Reducing Spam"
#2. "The Marketer's Guide to Permission Email Marketing."
We hope you find them valuable.  (Note: If you are already a
MarketingSherpa subscriber, pop us an email at
subscriptions@marketingsherpa.com for a copy of #2.)
---
f. Links:  Useful links for you to continue research and to 
   get in touch with other list owners and techies
---
1.  Email Technologists: We are starting a new private email
discussion group for those who are directly involved in the day-
to-day process of seeing to the delivery of thousands or millions
of email messages.
If you are interested, please send a note to our technology 
editor, Alexis Gutzman (alexisg@marketingsherpa.com), who will 
send you the link to the application form. Only qualified 
individuals will be accepted to this closed list.  All posts to 
the list will be considered "off the record" and not for 
publication.
2.  Lyris Software Enterprise-Level users: There is an unofficial 
email discussion group already in existence that we have heard is 
pretty good (although we are not members). It is run by Glen 
Davis, who was unavailable for comment at our deadline. Learn 
more at:   mailto:lyris-discuss@lyris.displaypack.com
3.  SpamNews: Neil Schwartzman publishes SpamNews
http://www.petemoss.com daily. It's a compendium of the day's
spam and anti-spam-related news from hundreds of sources.  Very
little escapes Schwartzman's watchful eye.  We definitely enjoy
glancing at it every morning.
4. Gavin Stubberfield, the notorious spammer who may be in 
possession of SparkLIST's stolen lists is described here:
http://www.spamhaus.org/rokso/spammers.lasso?-database=spammers.db&-layout=detail&-response=roksodetail.lasso&recno=1117&-clientusername=guest&-clientpassword=guest&-search
5. Word-to-the-Wise - Spam-security consultants
http://word-to-the-wise.com
SamSpade.org - Tools for you to track down spammers
http://samspade.org
6. Torture a Spammer Game: http://torturegame9.MarketingSherpa.com
7.  Part I of this Special Report: "Our List Was Stolen"
http://www.MarketingSherpa.com/sample.cfm?contentID=2139