We’ve heard this story before.
Someone gives an email address to a company. That company sends them email via an ESP for several years.
Hackers break in to the ESP and steal a bunch of email addresses.
The original address owner starts getting targeted and random spam to that email address.
The reality is rarely quite that simple. Here’s my version of this story. The names have been left in, but some of them are quite innocent.
In July 2009, I gave a unique email address to Dell as part of a purchase of some servers. Over the following two years, Dell sent me quite a lot of email, sometimes from their own systems, sometimes through their main ESP (Epsilon / Bigfoot Interactive), occasionally through a subcontractor who handles customer surveys for them.
In mid-May 2011, I started receiving spam from Intervision – a local company that does Enterprise IT integration – to that unique email address. Then, on June 3rd, I started getting a stream of spam from Russia for replica watches and viagra.
Epsilon were compromised back in October, and had a bunch of email lists stolen, and “we” started noticing spam going to some of those addresses at the end of May. It really looks like Intervision were one of the early purchasers of the stolen email addresses, and so might be able to point the finger at someone closely connected to the Epsilon breach.
Intervision were very responsive, and open about how they work. They do buy lists from list vendors – jigsaw was the name that was mentioned – and acquire them from partners, but they keep a reasonable trail of when and where. They were much more professional than many companies who are caught with their hand in the cookie jar.
They’d acquired my (unique to Dell) email address over a year ago, in March 2010, as part of a list labeled “Dell Sales Leads”. But they hadn’t had anyone in-house handling email marketing, so they hadn’t started to send “email blasts” until they hired someone to do that, this May.
So the real story doesn’t involve a data breach at Epsilon at all. A more accurate version of the story would be something like this.
Dell’s sales team or one of their sales associates is trading or selling lists of Dell customer addresses.
Intervision acquired those lists via a route that may be a bit dubious, but certainly doesn’t have the drama of hacking.
When they started sending mail to the old lists they’d acquired, either Intervision or their ESP (Jangomail) had a data leak of some sort, which lead to those old lists ending up in the hands of the usual criminal spammers with .ru domains.
It’s still an interesting story, but entirely different from what I was expecting. Some of the people I thought were probably responsible for the spam, aren’t. Some of those I thought were innocent of any bad practice are probably up to their necks in it. You just can’t tell until you find the real story.
RSS - Posts
Thank you for writing up the story, because as an ESP, we see it all the time too.
In fact, this is exactly why we don’t permit purchased lists with JangoMail and suspend the ability to send for anyone caught using a purchased list. Here’s what I tell my customers: If an address has been purchased by you, no matter from how “legitimate” a source, it can be purchased by many others. You are then sharing your reputation with all of these unknown groups, any one of whom can have a different motive or objective. Email is an excellent follow-up tool, but an abysmal cold call tool.
To be clear here, JangoMail is one of the named innocents, and has had no breach in security. We do form a part of the necessary chain of education to marketers so that we perpetuate good practices while stamping out the bad. The more this message gets out, the better for everyone!
Kim Wright
Director of Operations, JangoMail