Data Breaches and Email List Data Theft

In a comment on another blog, Neil Schwartzman reminded readers that the recent theft of email list data from Aweber wasn't the first time in history that spammers stole email addresses from a service provider. As he points out, something similar happened to Lyris' Sparklist service back in 2002. He also pointed out that convicted felon Jason Smathers stole 30,000,000 addresses from AOL in 2003. The Ameritrade data leak from a few years ago comes to mind, as well. In that case, it may have been an ongoing issue from 2005 through 2007. Yuck.

In 2006, email marketer Datran settled with the New York Attorney General over allegations of misuse of email list and/or subscriber profile data. On that issue, Fox News reported that "Spitzer accused Datran of knowing of the companies' pledges [never to share data with a third party], but [that Datran, as a third party, was] spamming those consumers with unsolicited e-mails anyway, advertising discount drugs, diet pills and other products. [...] Spitzer's staff said they believe it is the largest deliberate breach of Internet privacy discovered by U.S. authorities."

It strikes me that perhaps the Aweber breach wasn't quite the "largest data breach in email marketing history" as suggested elsewhere.

On a semi-related note, this Chronology of Data Breaches, published by the Privacy Rights Clearinghouse, is very interesting. Maybe somebody needs to start something similar for email-specific data breaches? Sadly, there may have been enough of them by this point to warrant a standalone timeline.

Mickey Chandler, Deliverability Consultant

My friend Mickey Chandler has finally taken the plunge and hung out his shingle as a deliverability consultant.

Mickey's a sharp guy. We go way back, all the way back to working together at the Mail Abuse Prevention System (MAPS), before it imploded under the weight of many lawsuits. (Ah, to be young and stupid again.) Since then, we've both migrated to the deliverability and email realms. Most recently, Mickey was the director of ISP relations for an email service provider. He and I work together periodically on various industry-related stuff, and I find his expertise and insight to be very strong.

Mickey also runs the blogs Spamtacular and Spamsuite, sharing commentary highlighting his wealth of knowledge and building up a very useful repository of spam-related legal documents.

If you're looking for a consultant to guide you through the complicated world of email deliverability, I'd recommend Mickey without hesitation. To learn more, head on over to Mickey's website at

Top Five Spam Resource Posts in 2009

As the last few days of the year come to pass, I thought it might be fun to revisit the top five most viewed articles this year right here on Spam Resource.

"Herbal King" Spanking Continues

"A New Zealand citizen living on the Sunshine Coast has been ordered by the Federal Court to pay a $210,000 fine for taking part in the world's largest spam operation. The fine comes after the 'spam king' has received fines from all over the world for his actions, including a massive $US16 million fine from the Federal Trade Commission in the United States.

"Lance Thomas Atkinson has been fined and banned from sending unsolicited commercial emails for the next seven years, after he took part in an operation advertising fake prescription drugs such as 'male enhancement' and weight-loss medication."

Read the rest of the story here.

Aweber Hacked; Email Addresses Stolen

As discussed here, here, and confirmed here, the email service provider Aweber was the victim of some sort of cyber-attack that resulted in bad guys getting access to email addresses stored in the Aweber system. This was tracked by way of spam starting to be received at unique addresses only given to various companies using Aweber for their email list management.

Not good news at all, for anyone involved. What can you do about it? I'm not sure, to be honest. There is no easy answer; no way to undo this. If anything comes to mind, I'll be happy to share it here. And to my readers, if you have any ideas on what an ESP's client should do if their ESP gets hacked, resulting in the loss of list data, please feel free to share in comments.

On List Growth and Buying Lists

Today, I'm following up on my last post about how one must be able to have a way to tell the world about their super product and service.

Jonathan writes, "I came across your web-site and I'd really appreciate some help regarding opt-in lists! I'm about to start an email marketing campaign and I want to use 6-7 different firms simultaneously. The issue I've run into is that each of the firms I've found has a plethora of complaints against them! I was wondering if you could kindly recommend some reputable opt-in/double opt-in firms which are cost effective. I look forward to hearing from you."

I can't. Anybody who wants to sell you a list is trying REALLY hard to do you a disservice.

Wahhh, "Just Hit Delete"

Anonymous writes, "If someone can't use e-mail lists for marketing to potential customers, how does one then share the message about a super product or service? I enjoy receiving information. If I do not wish to view the e-mail, then I simply delete. Please advise."

I asked around for a bit of feedback on this one, and the universal response seemed to be that nobody cares what you think. My friend Doug Lim provided this reply, my favorite: “You seem like a total douchebag. Please advise.” This was typical of most of the responses.

The Case of the 500-mile Email

I present to you a random email-related geek funny from 2002:

"We're having a problem sending email out of the department."

"What's the problem?" I asked.

"We can't send mail more than 500 miles," the chairman explained.

I choked on my latte.  "Come again?"

"We can't send mail farther than 500 miles from here," he repeated.  "A little bit more, actually.  Call it 520 miles.  But no farther."

Click here to read the whole story.

More Anti-Spamhaus Fun

Yesterday, I pointed you at an anonymous blog, written by some angry random dude who happens to be really upset about Spamhaus. Anonymous ranty blogs are no fun; it's much more fun to mock the person behind them when you have a face to go along with the angry confusion.

Fire up the ROFLCopter!

This hilarious anti-Spamhaus blog has decided that the best way to get the word out is by pirating content from other sites about how people who have been blacklisted for spamming are angry. Yes, it's true. People who have been blacklisted are angry. Shocking.

Receiving Duplicate List Messages?

The other day, somebody asked me what causes a recipient to receive the same message more than once. I run into duplicate message issues perhaps once or twice a year; not too often, but often enough that a recipient gets really angry at the sending ESP, assuming it's their fault, because it doesn't seem to be happening with other email.

Not How It Works

The context: Over on Laura Atkins' Word to the Wise blog, she talks about the coming changes. The coming storm, if you will. How ISPs are fed up with sender practices. She rightly points out that the rope ISPs currently give ESPs is going to be used to hang a bad guy sometime soon, if it's not happening already. In the comments on that post, this reply caught my eye:

SURBL Announces New Experimental Blacklist

Read about it over on DNSBL Resource.

Check Your Rep @ AOL

AOL has significantly updated their Postmaster site today. One thing of particular interest is their new IP reputation checker. You can use this tool to look up the AOL sending reputation of your IP address. Mighty handy, if you ask me. I got to see a preview of this a while back, and I've been eagerly awaiting its official launch.

Is an Unsubscribe Link Required?

A reader contacted me the other day, showing me an email message he had received from his bank. They had sent him a transactional message, and he took umbrage at the fact that the message did not have a way to unsubscribe from future messages. He contacted the bank, and the bank brushed him off, saying an unsubscribe link was not required.

Did you catch that?

Good ISP info from Annalivia Ford, Christine Borgia, and Laura Atkins.

Permission, Co-Reg Sucks, and ESPs

Here's a good thing to read: Jamie Tomasello from Cloudmark reminding us of the basics. Permission matters. Co-reg is bad. Making assumptions in place of getting explicit permission.


Over on her fancy new blog, Annalivia Ford talks about the supposed "spam/anti-spam racket," like somehow ISPs want spam and find spam fighting to be a fabulous revenue stream (ROFL).