THIS is the man responsible for spamming your inbox

April 15, 2014

Ever wondered why you’re receiving emails from a business you’ve never heard of, whose services you couldn’t care less about? If you’re like me, you’ve probably spent an hour or two going through these emails and clicking ‘report spam’ – in hopes for a less chaotic inbox the following day.

Even the most well-intentioned business can get sucked into a ‘quick fix’ by someone offering a ‘shortcut to success’ via email lists. It’s not that they want to cheat, but growth is slower than they anticipated.

While purchasing email lists isn’t necessarily illegal in Australia, it is ethically suspect if, for instance, they were originally stolen from the databases of established businesses. There are three main implications here: 1) our email addresses are being sold without our permission or knowledge; 2) culpable businesses are quietly benefiting from another’s hard labour; and 3) consumers are being spammed by strangers.

Australia’s grey market data kingpin

A seller based in Malaysia, under the moniker John Lee, has been selling lists of 500,000+ emails for a minimum price of USD$1,500. He has admitted in an email that Australians are one of his top buyers – along with businesses based in China, Hong Kong, Indonesia, Malaysia, Singapore and Thailand.

After reading an exposé on Lee via techinasia.com, and receiving an anonymous tip that revealed his email, Shoe String decided to play undercover cop and get in touch with the man himself.

As per the screenshots below, Lee revealed that his offering included a six-month guarantee that all email addresses are valid and active. He also said that businesses should expect a minimum 1.2 percent conversion rate over the six months following the purchase. It’s easy to roll your eyes at this rate, but it’s not so small once you do the math. For instance, if you purchased Lee’s minimum offer of 500,000 email addresses, then 6,000 would become paying customers – that is, if you’ve got your email marketing down pat.

[Screenshot 1 of the email exchange with Lee, 2014-04-14 10.05.24 am]

Whether or not his numbers are accurate is beside the point. What’s interesting is how he acquired those email addresses. Given he skirted around the question several times, we can assume that the email addresses were acquired surreptitiously. It could be through disloyal internal staff or computer hacking.

He told techinasia.com that some of the data belonged to Deal.com.sg, Groupon, Zalora, Reebonz, CloutShoppe, and Lazada. If that is the case, it’s unlikely that these companies gave up their databases voluntarily, or even for monetary benefit. None of the companies had responded at the time of publication to confirm or deny their knowledge of the situation.

Lee was also unwilling to reveal which Australian businesses were purchasing email lists from him, and even went on to explain his hesitancy, saying that after techinasia.com exposed him, his customers demanded that he keep things ‘hush hush’ or they would stop buying from him. This is understandable – data broking is Lee’s business and he doesn’t want to commit self-sabotage (although one may argue that he already has). Hopefully, you see the irony.

He did admit, however vaguely, that the Australian companies included online travel agents and ecommerce stores selling luxury bags, clothing and more.

[Screenshot 2 of the email exchange with Lee, 2014-04-14 10.07.05 am]

[Screenshot 3 of the email exchange with Lee, 2014-04-14 10.09.45 am]

In techinasia.com’s report, it was revealed that the parent company of some of the stores involved in purchasing email lists is Rocket Internet – a venture capital firm and startup incubator focused on ecommerce stores. In Australia, Rocket Internet owns The Iconic.

We contacted Rocket Internet, which responded but was unable to answer on behalf of the companies accused. The Iconic didn’t respond to our inquiry, so there is no evidence at this point indicating whether they have been purchasing email lists from any grey market data brokers, including Lee.

While there are still many gaps in this investigation, it’s not too far-fetched to assume that some Australian businesses may have actively sought out – or been lured into purchasing – quick fixes.

But there are a number of legal and ethical dilemmas associated with the practice that are worth discussing. According to ACMA, purchasing email lists is legal in Australia as long as “consent has been obtained from each recipient on the list”, and it is the buyer’s responsibility to find out whether permission has been provided.

The problem in the ‘John Lee’ scenario is that the data is likely to have been obtained illegally. Assuming the companies hadn’t handed their customer databases to Lee, his customers would have purchased stolen property.

If someone stole an iPhone and offered it to someone else at a drastically reduced price, would it be okay for him or her to take it? Many would argue that no legal or ethical dilemma exists until you are aware that the property you’re purchasing is stolen. For the purposes of this article, we will align ourselves with this line of thinking.

From private conversations with ecommerce startups in Australia, we got the impression that ‘John Lee’ is a name many are familiar with, and one founder we spoke to considers him a ‘random shady character’. This is likely because Lee doesn’t hold back his pitches – trying to convert as many online businesses as he can get in touch with into paying customers, even targeting the media (namely, techinasia.com).

Interactions with Lee would at least invite doubt as to whether the lists have been obtained legally. ACMA suggests one way for businesses to confirm legality is to seek written assurance from the list provider that consent has been obtained. Therefore, there are two possibilities – businesses purchased the lists knowing they were stolen, or were lied to by Lee after asking the question. Though he seems far from a smart criminal, it’s unlikely that Lee would incriminate himself and admit to theft.

If we go back and revisit one of Lee’s responses, it seems that after techinasia.com exposed the practice, businesses got paranoid – threatening to cease their relationship with Lee if he didn’t keep his customers’ names private and confidential. This suggests that, to some degree or another, they knew what they were engaging in could incur not only a hefty fine for violating the Spam Act 2003 but also reputational damage.

There is no further information we can provide at this stage, but there is a small indication that illegal data broking has become prominent over the past two years. This coincides with the software bug nicknamed Heartbleed, which has reportedly existed for the same period of time.

Heartbleed is considered ‘the biggest security threat of our time’, and reports suggest that more than 500 million websites could be affected – leaving important data, such as customer email addresses and credit card information, exposed to hackers.

Sarah-Jane Peterschlingmann, Director of Brisbane-based technology company ATechnology, told us that, “The OpenSSL standard that was affected was in such widespread use around the internet that the likelihood of a business being exposed is very high, so any interaction with encrypted data on a web server could be vulnerable.”

She adds that if customer email addresses were stored on a server that is running the vulnerable version of OpenSSL, a hacker could access the server and incrementally extract information contained within it.

“Already it’s been reported that at least twenty of Australia’s ASX top 200 organisations have been exposed to the dangerous Heartbleed vulnerability in OpenSSL. High profile companies are aware of the vulnerability but the real people in trouble are the ones who self-manage SSL enabled sites and who aren’t yet aware of the OpenSSL vulnerability,” said Peterschlingmann.

“Alarmingly, attacks on affected servers cannot be detected due to the bug leaving no trace that a server has been hacked!”

As such, businesses that have had data extracted from their servers and sold off by data brokers like Lee would have no idea. Even spokespeople from ecommerce brands such as Zalora and Lazada have denied the possibility that their databases have been compromised, according to techinasia.com.

If Heartbleed is in any way related to this, and isn’t just another over-hyped hacker story as many have assured, then businesses need to assume that their data has been compromised and take the necessary steps immediately.

The semi-good news is that email recipients still have the option to unsubscribe or report spam.

If you have further information, feel free to send us an anonymous tip by clicking the ear icon at the top of shoestring.com.au.

Image: Cartoon created exclusively for shoestring.com.au