Wednesday, 10 July 2013

War on spam

As a friend of mine just put it "International 'viagra' spam is fairly easy to smash with SpamAssassin but the recent proliferation of Legitimate UK companies spam is much harder to filter."

I have to agree - it seems UK companies are buying lists from database suppliers and sending spam. The argument, I am sure, is that it is not unsolicited as people have "registered" with the database supplier, but really, does anyone ever actually sign up to get random spam? I'd love to know what people think they are signing up for.

So far I have been sending polite emails like this :-

You have transmitted an unsolicited communication for the purpose of
direct marketing by means of electronic mail to an individual
subscriber contrary to section 22 of The Privacy and Electronic
Communications (EC Directive) Regulations 2003.

This is not a Data Protection Act issue, or an issue with your
"unsubscribe" link - the regulations have been breached by sending an
email without having had a sale or negotiations with me and without my
consent to the email being sent.

You now owe me damages as per section 30 of those regulations. If you
promptly pay £10 in damages I will not pursue you for damages as per
the regulations or report your breach to the ICO so that they can
consider fining you.

I look forward to payment of £10 within 14 days or I will issue a
county court claim against you without further notice.

For your information I have issued county court claims for such
damages in the past, and I have collected damages from other spammers.

Send payment to ...

In general I am not getting a reply. However, sending the same as a letter to the registered office has managed one response, from someone offering to send the £20 (oddly, he offered to send to a charity if I wanted?!). So another win.

The problem is that it just means one of my email addresses has been removed. It has not stopped them sending spam generally. What we need is the ICO to set up a few domains with wildcard email addresses, for individuals, and see how much UK spam they get. Then they can threaten the spammers with fines properly.

9 comments:

  1. I recently tracked the source of spam received by an address that I've never used myself (but the previous domain owner did about 10 years ago).
    It's a German domain and receives German spam. But the database in which it's listed is apparently sold by someone living on Majorca...
    I'm pondering contacting the Spanish authorities, but don't have very high hopes.

    I wouldn't be surprised if you'd be able to trace back the spam to some conveniently 'foreign' database. BTW: In that context German data protection and privacy law is quite convenient, as it mandates that a company has to inform you, upon request, of where and how they obtained data relating to your person. Enforcement can be done through local authorities and is free of charge to the claimant.

  2. I'm increasingly getting spam from companies that I have dealt with in the past; so rather than buying in lists of email addresses, they have presumably decided to start making use of their own customer list. Of course, when I buy stuff online, I always look for the "don't send me crap" checkbox and tick it, but there's clearly no way for me to prove that I did that, and no way to know (for my own peace of mind) that I actually managed to find all the appropriate boxes and tick them (especially when I last had dealings with the companies in question either months or years ago).

    I think I will have to start making a list of these companies and consulting it before I buy anything to ensure I'm not buying from one of them in the future.

    My stock email response to them is:

    ----
    This is an unsolicited communication by means of electronic mail transmitted to an individual subscriber for direct marketing purposes. This is contrary to section 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003.
    http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made

    Please do not send any further unsolicited emails. A charge of £25 per email will be made for any further unsolicited emails received and your sending of any such emails will be deemed as acceptance of these terms.

    I am also making a request under Section 7 of the Data Protection Act 1998 for all the data / information you hold on me and from where you obtained it.
    http://www.legislation.gov.uk/ukpga/1998/29/section/7

    I suggest you remove me from your list and review your marketing methods with a qualified lawyer.

    Please confirm the receipt of this email. Failure to respond will result in your organisation being reported to the Office of the Information Commissioner.
    ----

    So far I've had no responses (in theory the DPA request should require a response if nothing else), but I suppose after 30 days I will report them. If enough people started charging the spammers then we wouldn't actually need the ICO to take action, because sending spam would itself become too expensive.

    Replies
    1. This annoys me.. Even if I permit companies to send me emails as a recent or current customer (which is fairly benign, IMO) I definitely don't give permission for 'partners' to do it and also when I've not been a customer for a long time, they need to shut up and go away.

      Play.com are doing that right now.. I haven't been a customer for years, and their unsubscribe does *not* work (I was generous and tried multiple times). They continue to send me crap. SWMBO gets it too and she only ever bought one thing many years ago..

  3. Is there some definition of "individual subscriber"?

    Does my work email account count?

    Replies
    1. I am not an expert at reading laws, but my reading of it is that the "subscriber" part means the person that pays for the service, presumably in this case an email service, so an individual subscriber is where an individual rather than a company pays for the email service. To that end I now personally pay for all email services provided on the work email domain. The emails themselves are used for company use only as you would expect, but I am the "subscriber" as I pay for them. I am hoping that brings all work emails within the scope of the act. One day maybe a judge will agree or disagree on that point.

    2. I hope it does, but so far I have the impression ICO don't understand and/or don't care about spam as an issue, as well as taking a very narrow (hence spammer-friendly) view of "individual subscriber". I'm inclined to think that artificial distinction is a mistake in itself: is sending spam to sales@example.com really any more legitimate than sending it to fred.smith@example.com, or sending to adrian@work.example.com somehow better than sending the same message to adrian@home.example.com?

      For that matter, how can they tell? Is a hypothetical adrian@example.com "corporate" since you work there, while james@example.com is individual and bobtheplumber@hotmail.com a grey area which depends on who and where Bob the Plumber is and if he's incorporated or not?

      Meanwhile, I just answered yet another spam phonecall peddling solar panels. "Out of area" on CLID, which is presumably their current trick for evading TPS enforcement.

  4. If I receive a spam email and it is automatically redirected to a spam box and then automatically deleted 2 weeks later, then someone else isn't getting that spam. The more that happens, the less spam there is annoying people.

    I once wrote a short, outline proposal for cooperative spam fighting, http://clifford.ac/cooperativespamfighting.html.

    Replies
    1. Sounds a bit similar to what Project Honeypot offers: stick a piece of code on your website and it'll generate a coded email address with the visitor's IP address and other details recorded. If that email address is then emailed, the details are recorded as a spammer. You can also assign unused MX entries to them.

      Now if the ICO actually took a "zero approach" to spam and teamed up with Project Honeypot for all IPs allocated to the UK, then it'll be interesting...

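The coded-address idea mentioned in the reply above, sketched as an added example; it is not part of the original comments and is not Project Honeypot's actual scheme. It shows one way a trap address can carry the harvesting visitor's IP address and visit time, with an HMAC tag so mail to a guessed or mistyped address is not counted as a hit. The secret, the trap domain and the function names are assumptions.

```python
import base64, hashlib, hmac, ipaddress, struct

SECRET = b"constructed-demo-key"      # assumption: per-site secret, kept server-side
TRAP_DOMAIN = "trap.example.org"      # assumption: domain whose MX feeds the trap
TAG_LEN = 8                           # bytes of HMAC kept in the address

def mint_address(visitor_ip: str, seen_at: int) -> str:
    """Build a unique trap address that encodes who was shown it, and when."""
    ip = ipaddress.ip_address(visitor_ip)
    payload = struct.pack("!BI", ip.version, seen_at) + ip.packed
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]
    local = base64.b32encode(payload + tag).decode().rstrip("=").lower()
    return f"{local}@{TRAP_DOMAIN}"

def decode_address(address: str):
    """Return (harvester_ip, seen_at) for a genuine trap address, else None."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != TRAP_DOMAIN:
        return None
    try:
        raw = base64.b32decode(local.upper() + "=" * (-len(local) % 8))
    except ValueError:                # bad alphabet or padding: not one of ours
        return None
    if len(raw) < 5 + 4 + TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                   # forged or mistyped address
    version, seen_at = struct.unpack("!BI", payload[:5])
    ip_bytes = payload[5:]
    if len(ip_bytes) != (4 if version == 4 else 16):
        return None
    return str(ipaddress.ip_address(ip_bytes)), seen_at

if __name__ == "__main__":
    # Constructed sample: a page view from 203.0.113.7, spam arriving later.
    addr = mint_address("203.0.113.7", 1373414400)
    print(addr, "->", decode_address(addr))
```

The receiving mail server would call `decode_address` on each envelope recipient; a non-None result ties the sending host to the page view that leaked the address.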
  5. I've just been spammed from VistaPrint (via http://businesssender.org/ who say "Businesssender.org can ONLY market for companies and ONLY with generic addresses, i.e addresses not a physical person" but will allow you to spam a .me.uk address) and I've used this post as a template in my "complaint" from them (see http://blog.rac.me.uk/2013/08/07/vistaprint-spammers/ ) - hope you don't mind.
