Customers blame spam on filched lists

At least three current and former customers of Lyris' SparkList service this week complained that recipients of their e-mail newsletters have been receiving spam. MarketingSherpa.com, a publisher of online marketing newsletters, suspects that all eight of its mailing lists have been compromised, said Anne Holland, the company's founder. More than 20 other publishers, who combined have more than 2 million e-mail addresses on their lists, have also contacted Holland saying their Lyris-hosted lists have been compromised.

"We contacted Lyris immediately," Holland said. "Anytime you get a spam complaint from readers, you have to take it very seriously. It could kill your entire company."

About five of the 1,000 customers who have their distribution lists hosted by Lyris have contacted the company with spam concerns, said Steven Brown, the company's chief of operations. The company has hired Word to the Wise, an outside consulting firm, to investigate the matter, Brown said. So far the company has no evidence that the lists on its servers have been compromised.

"We're trying to be as responsive as we can," Brown said. "We try to take this stuff pretty seriously."

Word to the Wise is sorting through the data it has, including the spam messages that have been forwarded by Lyris customers, said Laura Atkins, the company's chief executive officer. So far, the company doesn?t know whether the spam was the result of a compromise of Lyris' servers, Atkins said. Atkins said she expected to have some initial conclusions by early next week.

"There's no clear picture as to what it is. It's hard to tell," Atkins said. "We are head-down investigating as fast as we can."

Security vulnerabilities on the Web are not a new thing. A hack at Amazon.com-owned Bibliofind last year compromised nearly 100,000 customer records, including credit card numbers. A security breach at Egghead temporarily exposed the records of 3.7 million of its customer records in late 2000.

But hackers targeting servers just for their mailing lists is a novelty, said Jason Catlett, president of Junkbusters. Spammers can buy millions of e-mail addresses on a CD, although many of them are stale or wrong, he said. Additionally, much spam is sent through attacks where spammers send e-mail to a number of similarly spelled addresses at a particular domain, hoping their message will reach a good address, Catlett said.

But mailing lists with good addresses of a targeted audience are a valuable item.

"In the envelope world of marketing, lists are routinely stolen by employees that are moving to another company," Catlett said. "I don't have any evidence that that happened in this case, but it's happened in the offline world, and it wouldn't be implausible if it happened online."

Lyris is investigating whether a disgruntled employee stole its lists, Brown said. Lyris bought rival SparkList.com last month and hired only three of SparkList's 20 to 25 employees, he said.

"That's always a touchy issue," Brown said. "The fact of the matter is that one business bought another, and some people were brought along and some people weren't."

The customers who talked with CNET News.com said their lists had been hosted by SparkList before Lyris bought the company.

Canning spam
Spam, or unsolicited e-mail, has been overwhelming the servers and in-boxes of many Net users, forcing some companies and organizations to take drastic measures to block it. Last month, Yahoo found its stores site blacklisted by Mail Abuse Prevention System, an organization whose lists of suspected spammers are used by other companies to block Web or e-mail access.

Holland and Andy Sernovitz, a former customer of SparkList and chief executive officer of e-mail marketing firm GasPedal ventures, said they became aware that their lists had been compromised in early August. Both received e-mail from people on their mailing lists saying that they had received spam. Both said they had not sold their mailing lists.

Both Holland and Sernovitz, whose mailing list has some 10,000 subscribers, said they were frustrated by how Lyris responded to their reports of the compromise. The company didn't start trying to address the issue until the last several days, Holland said.

"I do understand they?ve been extremely busy with the merger," she said. "But did they take this as seriously as they should have? No."

Lyris first started receiving reports of spam being sent to recipients of its hosted mailing list in early August, Brown said. The company hired Word to the Wise "a couple days ago," he said.

Still, Brown said that it was unclear from the messages sent by the company's clients that there really was a problem, especially considering how few of its customers had reported spam.

"The information we've been given is pretty spotty," he said.

Still, Lyris should have come forward immediately and acknowledged the problem, Sernovitz said.

"Every time a high-tech company tries to hide, they always get busted," he said. "The longer they hide it, the worse it gets. People understand if you get hacked. The question is how do you respond."

Ralph Wilson publishes four e-business newsletters. He suspects the two mailing lists that are hosted by Lyris were compromised. He warned his subscribers to that effect in an e-mail message earlier this month.

Wilson declined to talk about his conversations with Lyris about the compromise. But he said that his subscribers thus far had received few spam messages as a result.

"I'm not saying that I'm not concerned about it," Wilson said. "I'm very concerned about it. But at this point, I don't think people are receiving huge amounts of spam as a result. That makes me feel good so far."