September 04, 2002
How To

SPECIAL REPORT: Is Your Email List ‘Really’ Secure? What We Learned When Ours Was Stolen Recently

SUMMARY: Ok, so we are supposed to be the email marketing experts here. Yes, a few weeks ago our own email list was stolen, partially
because we simply did not pay enough attention to security. We
thought we were safe. We were not.



Is your list really secure?



Check out this Special Report to learn:

a. How we discovered our lists were stolen

b. Three general notes about data security

c. Five actions you can take to make your lists more secure

d. Six things to ask your list host to do to increase
security

e. What is worth doing and what is not

f. Last note: The Reality of (In)Security

This is perhaps one of the hardest issues we have ever written of
MarketingSherpa because we have to admit something ugly: Our list
was stolen by a spammer a few weeks ago.

Contents of Part I:
a. How we discovered our lists were stolen
b. Three general notes about data security
c. Five actions you can take to make your lists more secure
d. Six things to ask your list host to do to increase
security
e. What is worth doing and what is not
f. Last note: The Reality of (In)Security

--
a. How we discovered our lists were stolen
--

We were naïve. We never really worried about list security even
though, like many emailers, our list together with our readers'
trust is our *most* valuable asset.

We did not worry because we have been publishing eight newsletters
for more than two years with no trouble at all. The vendor
we chose to host our lists is also used by hundreds of other
publishers, none of whom we had known to complain about security
problems in the past.

Then one day in early August a reader emailed us, "I've been
spammed by your list."

No! At first we just felt total disbelief. We do not rent or
sell or share names. Ever. How could this happen?

With help from subscribers and advice from experts such as Dr
Ralph Wilson of WilsonWeb, we investigated the problem. Here is
how:

About 1% of our total opt-in subscribers create special email
addresses for each thing they sign up for online so they can send
mail into automated folders and incidentally track how the list
owner uses the list. You can spot people who do this on your own
list by looking for email addresses that start with your own
site, brand or company name, such as "MarketingSherpa@...com"

We pulled those names from our lists and sent them one special
letter that read:

***************
Subject: [Sherpa] Urgent apology from Anne

Body copy:
I need to apologize to you and then ask you to help me.

We've become aware in the last couple of weeks that one or
more of MarketingSherpa newsletter lists was stolen by a
hacker -- who is using them to send spam.

First of all, let me assure you that we NEVER rent,
sell or share names with any other mailer or marketer.
Our anti-spam privacy policy is strict.

We are also very careful about list security here, and
have received repeated assurances from our email broadcast
vendor that they have high security precautions.

Unfortunately those precautions weren't good enough.
So I need your help to catch this spammer and stop them.

Our broadcast vendor has anti-spam expert on staff who
knows how to trace emails to their source using information found
in the email header (usually hidden from view by your e-mail
program). If we can get several of these rogue e-mails we can shut
this spammer down, and, hopefully, prevent this list with your
email address from being abused further.

I noticed that you have a special mailbox set up for Sherpa
mail.

Please help me by watching for any non-Sherpa email sent to this
specific email address and save it for me. Then send me a copy at
AHolland@MarketingSherpa.com

Please don't delete the rogue email -- hang onto it for the present.
We may need further copies of it to catch the spammers.

Let's get this hacker and stop the spam!

Thanks so much for your support,


Anne

Anne Holland
http://www.MarketingSherpa.com
AHolland@MarketingSherpa.com
***************

Before sending the message, we alerted our customer service
manager to make sure that any subscriber replies to this email
were immediately routed to Anne, who was ready to answer each one
personally as quickly as possible.

Most of the response was highly positive. Even if they had not
gotten any spam, readers wrote in to say how sorry they were to
hear about our troubles. Others shared copies of messages so we
could track the spammer.

Also through this letter and word of mouth, we learned we were
not alone.

Turns out more than a dozen other email list owners (many of
them highly reputable permission-only publishers) had their
lists compromised by what appeared to be the same thief at about
the same time. Some publishers contacted us directly to share
info after our own Publisher Anne Holland posted info about our
security breach on her Blog.
http://www.contentbiz.blogspot.com/2002_08_25_contentbiz_archive.html#85393645

We are keeping communication lines open with these other
publishers to track down the problem as a group.

However, the letter also created some negative publicity. When
one reader shared the contents with an email discussion group on
the topic of spam, at least one member of the group leapt to
accuse us of lying and being spammers ourselves.

It is this type of potentially harmful publicity that makes most
email list owners afraid to admit they have a problem. It
must be handled carefully so as not to damage your brand.

In Part II of this report next week we will discuss damage control
for your image and your list, plus if it is possible to track down
and stop list thieves after they steal your list.

In the meantime, here are useful security notes from our Tech
Editor Alexis D. Gutzman.


---
b. General notes about data security
---

There are three things you should know about data security in
general.

1. The most likely source of any data leak is in-house. Whether
that is your own staff or the staff of your list host, a
disgruntled employee is the single biggest threat to all your
data.

2. It is easiest to shoot a sitting duck.

When you work from your office or from home, you are a sitting
duck. Your data sitting on your list host's server is also a
sitting duck. Data in transit is much more difficult to hack.

3. You can never guarantee that any data is going to be
absolutely, positively locked down. You can make every reasonable
effort to lock down data, and you should, but you can not foil a
determined hacker. Your best bet is to make hacking your data
more trouble than it is worth, so hackers move on to easier
pickings.


---
c. Five actions you can take to make your lists more secure
---

There are several steps you can take to increase your data
security, and list security is really an extension of data
security.

1. Do not use the same password everywhere. It is easier for a
hacker to find out your password if you are typing it into many
forms.

2. Make sure you have a firewall protecting your work computer.
If you work from home on an always-on broadband connection, make
sure you have a firewall in place there. Within the first 20
minutes that my own broadband connection was turned on, I was
contacted by no fewer than four hackers, testing to see whether
the computer was vulnerable.

3. If you or your people use a wireless network anywhere behind
the firewall, make sure to enable data security via a password.
The default installation for wireless networks is no password
protection. This means that if you or one of your people or your
list host's people have a wireless network at home, then by
default, your neighbors with wireless cards will be able to sign
onto your corporate network *behind the firewall*! They will have
the same security clearance as the person whose connection they
are sharing.

4. Do not open attachments. Viruses often come as attachments and
a trojan horse software that sits on your computer and sends
out data about your activity to the hacker that would expose your
passwords in short order.

5. Make sure you have all the latest security patches for your
operating system, Web server, Web browser, email client, etc.
This is not really enough, though, since patches lag discoveries
of security holes. Hackers can attack during that brief interval.


---
d. Six things to ask your list host to do to increase security
---

Some marketers, including those with high-security-risk lists
such as those containing personal information such as personal
finance lists and pharmaceutical company lists, visit their email
vendors personally to make sure the following protections are in
place.

You will have to decide if it is worth a trip for you, or if you can
take the vendor's word for it.

If you keep lists in-house, then these precautions apply to your
IT team.

1. Make sure they have a firewall in place to keep hackers out.

2. Encrypt administrator passwords on their own systems.

3. Encrypt the email addresses of all subscribers on their own
systems so that the list without their key would be useless to a
hacker.

[Note: We do not know of any vendors who offer encryption
services at this time, but it is a good idea to ask. We will let
you know when someone does offer it.]

4. Perform automated encrypted backups of your list to backup
devices in the same facilities, so your list does not travel
outside the list host's secure server room, and does not have any
value when it's backed up unless the key is also available.

* If a copy of your subscriber list can walk away on a CD, and be
usable to the person carrying it, then all the rest of your
security is probably in vain. *

5. Restrict access to their servers. If your list host has his
servers co-located then all the list-host issues apply to the co-
location center. I have worked in many offices where the server
console room was unsecured. Do not assume things are locked down.

6. Log transaction against all lists. The list host should be
able to tell you in chronological order exactly what actions have
been taken on a list. If an administrator requested a list of all
subscribers' email addresses then that should be in the log.
Logging all actions on a list will allow you to determine which
actions pose potential danger to the security of the list.

If you have an employee who downloads your lists from home weekly
to backup to CD, but then keeps a copy of the list on his hard
drive, and does not have a firewall, then all the other
precautions are for naught.


---
e. What is worth doing and what is not
---

-> What Is Optimal?

The very best security is biometrics security based on a mouse
that recognizes the fingerprint of the user. This permits the
system to track who accesses a list, not just by ID and
password, which can be stolen, but by an actual person. Many
organizations share one admin account with one ID and password.
With biometrics, that is not possible.

-> What Is Not Worth the Effort?

There are other security terms that are bandied about online,
such as SSL, dedicated lines, and VPN. None of these address the
sitting duck issue.

* SSL is great for protecting a credit card in transit, but to
date, there has never been a case of a credit card stolen in
transit, which could be interpreted as being a very successful
type of security. The real reason that hackers do not intercept
data in route (very often) is that it is just too much work for a
hacker to try to intercept data in transit. If grabbing email
addresses in transit were easy, why would anyone bother with your
database when so many addresses cross the wires of the Internet
every nanosecond. Credit card numbers (and other data) are
usually hacked off the databases where they reside.

* SSL encryption is slow. You would never want to deal with an
online interface to get your newsletter or marketing piece
published on deadline via an SSL connection.

* In theory, you could install a dedicated line so that
visitors who came to your site and subscribed would have their
subscription requests travel via a dedicated line to the list
host's server. It is extremely unlikely that a hacker would take
this approach to collecting your opt-ins. More likely, he would
plant a trojan horse on your Web server and collect them
simultaneously with your collecting them.

* Finally, a virtual private network (VPN) could be used by you
to access your list, but unless you first lock down all the
potential security holes outlined above, this will do more to
make you feel good about security than it will actually do to
create it.


----
f. Last note: The Reality of (In)Security
----

Gutzman says, "In reality, the bad news is that security is like
a sieve. Want to lock it down? Take it in-house. Host the server
from your own office. Put a firewall around that server and don't
give anyone else access to the server, the room, or the list.
Realistic? No way!"

If you do take your list in-house you then will have to hire
a privacy officer, and staffers with expertise in filters,
handling bounces, various email inbox programs, etc. It gets
complicated and messy very fast. In fact we do not tend to
recommend you take list hosting in-house unless you are a fairly
large emailer who can afford to invest in such a staff.

FINAL NOTE: Here is the link for Part II of this Special Report:
http://www.marketingsherpa.com/sample.cfm?contentID=2148

Improve Your Marketing

Join our thousands of weekly case study readers.

Enter your email below to receive MarketingSherpa news, updates, and promotions:

Note: Already a subscriber? Want to add a subscription?
Click Here to Manage Subscriptions