As of September 1, 2009, MD5 hash suppression file encryption will be required for all ESPC members. Stolen suppression files and lingering cases of suppression list abuse have long plagued marketers, who are required by CAN-SPAM to share suppression lists with affiliates and these sometimes end up in the hands of third parties. In the past, these lists have been shared in plain text formats, which has allowed for future mailing and abuse.

MD5 is a one-way encryption tool that has long been used for password encryption to secure login info and protect against corrupted files. It is particularly useful for suppression list management because encrypted files cannot be transmitted back into original email addressess. However, because each address will have a dedicated line of hash, publishers and affiliates can still use the files for compliance when scrubbing send files against suppression lists.

Although MD5 is a needed improvement in the standard for protecting suppression files, it has become somewhat outdated and is vulnerable to decryption and hacking.  According to the ESPC Best Practice Guideline for ESPs,  newer hashing methods such as SHA-256 provide much greater levels of security and require far more time and resources to hack. A brute force attack is another way to gain information about hashed email addresses. This is where a person gathers a list of email addresses, hashes them, and compares them to the hash of an email list. The hacker would not gain new email addresses, but would be able to find out more info about the email addresses that match their list.

Additional precautions should be taken along with hashing, especially during data transfer in order to secure your lists. For example, storing a list on an FTP site that allows anonymous login could be insufficient security for data transfer (ESPC 2008).


Link to original post