Protecting customer data

There have been a number of reports recently about customer lists leaking out through ESPs. In one case, the ESP attributed the leak to an outside hack. In other cases, the ESPs and companies involved have kept the information very quiet and not told anyone that data was leaked. People do notice, though, when they use single-use addresses or tagged addresses and know to whom each address was submitted. Data security is not something that can be glossed over and ignored.
Most of the cases I am aware of have actually been inside jobs. Data has been stolen either by employees or by subcontractors that had access to it and then sold to spammers. There are steps that companies can take to prevent leaks and identify the source when or if they do happen.

  1. Limit employee and subcontractor access to data. Keep data machines separate from other machines and limit employee access to those who must have access.
  2. Subcontractors who must have access to data should be under contract and under NDA. Make it very clear that data leaks will be treated seriously and may result in legal action.
  3. If employee or business issues mean that employees will be terminated, remove access to data sources before the employee is notified of termination. Some employees who would not consider stealing data from a company they work for will take data after they are terminated.
  4. Institute secure audit trails for access to data. Track every time an employee accesses data from a console, web interface or client.
  5. Prevent, as much as possible, the ability for anyone to download data. If there are reasons someone needs to download email addresses, remove @ signs and replace with another symbol to make it less likely that trojans on employee laptops will steal the addresses.
  6. Prohibit employees from storing customer data on laptops or downloading over wireless.
  7. When providing data to subcontractors, seed addresses in the lists. This way, if the list is leaked or sold, you will know when that happens. Provide unique seeds to each subcontractor in order to identify which subcontractor is responsible for the leak.
  8. Occasionally search all machines on your network for the seeded addresses to identify places where data may unexpectedly end up internally.
  9. Occasionally punch seed addresses into search engines (Google or Bing) to see where address lists may have leaked.
  10. Run current, up-to-date anti-virus software on all machines. Use a hardware firewall and VPN software to limit external access.
  11. Block outbound port 25 across the network. Ban any peer-to-peer software on any machine that has access to address lists, including employee laptops.
  12. Securely store and/or encrypt any backup tapes to prevent employees from walking off with them.
  13. Don’t put email lists or log files within a webserver directory; htaccess protection is not sufficient to prevent access.
  14. If you are shipping files around with email addresses, use good encryption to prevent unauthorized users from having access.

None of these things will guarantee data will not be stolen or leaked. But limiting access to the data, and having a clear audit trail and consequences will make anyone think twice before stealing it.
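The seeding in steps 7 to 9 can be automated. The sketch below is an added example, not code from the original post: it derives unique seed addresses for each subcontractor and attributes a leaked copy to its source. The seed domain, the key and the subcontractor names are assumptions made for illustration.

```python
import hashlib
import hmac

SEED_DOMAIN = "seeds.example.com"      # assumption: a domain you control, used only for seeds
SECRET_KEY = b"constructed-demo-key"   # assumption: stored away from the data machines

def seed_tags(recipient, count=3):
    """Derive unguessable per-recipient tags; the same inputs always give the same tags."""
    return [hmac.new(SECRET_KEY, f"{recipient}:{i}".encode(), hashlib.sha256).hexdigest()[:12]
            for i in range(count)]

def seed_addresses(recipient, count=3):
    """Turn the tags into deliverable addresses at the seed domain."""
    return [f"jo.{tag}@{SEED_DOMAIN}" for tag in seed_tags(recipient, count)]

def export_list(customers, recipient):
    """Step 7: the copy handed to one subcontractor, with its own seeds mixed in."""
    merged = list(customers) + seed_addresses(recipient)
    # Order by digest so the seeds are not clustered at the end of the file.
    return sorted(merged, key=lambda a: hashlib.sha256(a.encode()).hexdigest())

def find_leak_source(text, recipients):
    """Steps 8 and 9: map each recipient to the seed tags of theirs that appear in text.

    Matching on the tag alone still finds copies where '@' was replaced (step 5).
    """
    haystack = text.lower()
    hits = {}
    for recipient in recipients:
        found = [tag for tag in seed_tags(recipient) if tag in haystack]
        if found:
            hits[recipient] = found
    return hits

def demo():
    customers = ["alice@example.org", "bob@example.net"]   # constructed sample data
    recipients = ["vendor-a", "vendor-b"]                  # hypothetical subcontractors
    # Simulate a leaked copy of vendor-b's export with '@' swapped for '#'.
    leaked = "\n".join(export_list(customers, "vendor-b")).replace("@", "#")
    return find_leak_source(leaked, recipients)

if __name__ == "__main__":
    print(demo())
```

Because the tags are derived from a key rather than stored, the same function regenerates them for later sweeps of internal machines or search results without keeping a seed list on the data machines.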
