The suppression list problem no one likes to talk about

  • Gosia Petlińska-Kordel

    Małgorzata Petlińska-Kordel

    Marketing Ringmaster

AI Powered

Article partially generated by artificial intelligence.

Suppression lists are databases of email addresses that have opted out of marketing communications, often including hard bounces, spam complaints, or unengaged contacts. These addresses are considered “live” because they represent real, active email accounts, even if the users have chosen not to receive certain communications. 

Suppression lists exist to protect user privacy. They’re essential for compliance with privacy laws like CAN-SPAM, GDPR, and CCPA.

Here is where it gets juicy:
All it takes is one bad actor with access to a suppression list, and boom! Your data is out in the wild.

Let’s say you’re an advertiser working with 40,000 affiliates (not unusual in large AdTech networks). You share a suppression list via an intermediary system (say, Optizmo or similar). Even if it’s hashed (most often with MD5), it’s not truly secure.

Why is this risky?

  1. Suppression lists have value on the black market. Ironically, emails on suppression lists are more valuable than regular email leads – because they’re real, active, and were once part of verified lists. That’s gold to spammers and scammers.
  2. Large-scale affiliate networks amplify risk. When an advertiser collaborates with a large number of affiliates the suppression list must be shared with all affiliates to ensure compliance with regulations like CAN-SPAM and GDPR. These laws require that opt-out requests are honored across all marketing partners. However, distributing the list to such a vast network increases the likelihood of unauthorized access or leakage. All it takes is one rogue affiliate, disgruntled employee, or compromised system to extract the list.
  3. MD5 hashing is insecure. Many suppression list management platforms use MD5 hashing to protect email addresses during distribution. MD5 converts email addresses into a 32-character hexadecimal hash, intended to anonymize the data while allowing affiliates to scrub their lists against it without seeing the actual addresses. However, MD5 is outdated (MD5 was introduced in 1991… Ah, the computers from those days – do you remember them? ^^) and cryptographically broken algorithm:
    • Vulnerability to reverse engineering: MD5 is susceptible to rainbow table attacks, where precomputed tables of hashes can be used to reverse-engineer the original email addresses. Since email addresses often follow predictable patterns (e.g., unsubmeplz@veryrealemail.com), attackers can generate tables for common email formats and quickly crack the hashes.
    • Collision weaknesses: MD5 is prone to collisions, where different inputs produce the same hash, potentially leading to errors in list scrubbing or exploitation by attackers.
    • Industry recognition: As noted in sources, MD5’s insecurities have been known for years, with stronger algorithms like SHA-256 recommended for better cryptographic security. Yet, MD5 remains a common standard in email marketing due to its simplicity and compatibility, despite its risks.
  4. Weak access control and human error. The more entities that have access to a suppression list, the greater the risk of human error or malicious intent. For example an affiliate might inadvertently share the list with unauthorized parties. A poorly secured system at an affiliate’s end could be hacked, exposing the list. An insider with access to the advertiser’s or platform’s database could intentionally leak the list for profit. Platforms offer centralized management and automation, but they rely on affiliates to maintain secure practices, which may not always be enforced.
  5. Compliance and reputation risk.  If a suppression list is misused, it can lead to significant consequences like sending emails to addresses on a suppression list violates CAN-SPAM, GDPR, or other privacy laws, potentially resulting in fines or legal action. Consumers receiving unwanted emails may mark them as spam, harming the advertiser’s sender reputation and deliverability rates. Affiliates and customers may lose confidence in the advertiser or platform if data breaches occur, weakening partnerships and brand integrity.

The reliance on MD5 and the widespread sharing of suppression lists reflect a broader issue in the email marketing industry: a trade-off between compliance and security. 

While platforms aim to streamline compliance with laws like CAN-SPAM, their dependence on outdated technologies and the sheer scale of affiliate networks create significant vulnerabilities. The industry’s slow adoption of stronger cryptographic standards and failure to address the black-market value of live email addresses suggest a prioritization of operational convenience over robust data protection. This leaves advertisers, affiliates, and consumers exposed to risks that could be mitigated with modern security practices.

So, what are mitigation strategies?

Critical perspective:

  1. Ditch MD5. Move to SHA-256 or SHA-3, which offer greater resistance to reverse-engineering and collisions. Adding salt values to hashes can further enhance security. Even then, consider zero-knowledge protocols or token-based suppression systems.
  2. Use access control and logging. Know who accessed what, when, and how. Use platforms with strict access controls, regular security audits, and automated monitoring to detect unauthorized access or suspicious activity.
  3. Segment suppression sharing and limit list distribution. Don’t share one mega list with everyone – use dynamic, affiliate-specific slices. Use tokenized access systems that restrict data exposure.
  4. Encrypt lists in transit and at rest. Always. No excuses.
  5. Invest in real suppression privacy tech. Blockchain-based suppression sharing or decentralized compliance tools offer better transparency and auditability.
  6. Educate affiliates: enforce strict security protocols and training for affiliates to prevent mishandling of sensitive data.

Keep in mind: one leak = massive legal & brand risk.

We at Sandev see the elephant in the server room. We understand the risk, the misuse, and the shady corners of email suppression that no one likes to discuss. That’s why we’re building a smarter, safer way – a privacy-first tool designed to keep your opt-outs truly out of reach from fraudsters.

So while others keep pretending MD5 is “secure enough,” we’re rewriting the playbook – bringing sun and sanity back to suppression.

If you enjoyed this roast, check out our other work in the trenches.

More footprints in the Sand(dev)

  • AdTech
  • Blockchain

Blockchain in AdTech: riding the bull, dodging the bear, and cashing in on the real wins

AdTech has an $84 billion bot problem, and blockchain was supposed to be the bouncer. The pitch was simple: a tamper-proof ledger to end the black-box guessing games. But in the high-stakes world of sub-10ms RTB, can a ‘transparent chain’ actually keep up with a million-dollar fraud machine, or is it just a slow-motion solution to a light-speed heist? We break down the blockchain trend.