I've filled two formal complaints to an EU regulator regarding spam (one is a company, another an individual). The first complaint was made back in early 2014, and a few weeks ago I got a response from the competent authority. They fined the company with just over €30,000. I'm still waiting on the second complaint.
On both occasions I was receiving emails/spam I never signup for, and on both occasion I tried (several times) to contact the sender directly asking to be unsubscribed. Neither responded to my emails (and I've tried various different email addresses).
When the path of least resistance is filling a complaint, senders should expect no less. And if you decide to spam people, make it easy to unsubscribe, because the next fastest option is to file a complaint, and fines don't come cheap.
They ask to send them the spam emails (with headers) to them, all communication from and to. I guess it's the same around the EU, just the relevant national agency.
This likely means that the spamming will now become a dedicated off-shore service in Canada.
Meaning that the next time Compu-Finder will quietly hire a one-man shop in some other country and it will just spam on their behalf. It will be nearly impossible to (legally) pin this on them, because of the possibility that it was a hostile move on part of their competitors. Spammers gonna spam, just from a non-Canadian IP.
I don't think it works that way. One might be sending emails from abroad, but if you sell a product/service where you are suing, the company can still be liable, regardless of the geographical origin of the email.
GP is suggesting that the spam might be a joe job[0]. Don't like your upcoming competition? Work with some foreign spamming company to send emails looking like legit emails from them in the hopes that their real emails are penalized.
I'm seeing a lot of spam by companies that purport to be legit startups.
1. I make an account on their service, or buy something.
2. There is no newsletter signup box.
3. They send me lots of newsletter emails.
4. They often keep coming after unsubscribes.
I consent to transactional emails, but I'm not consenting to newsletter and marketing emails. It's spam. I hope laws like this help deter such behavior.
Meanwhile, I've been marking non-consented emails as "spam" in gmail. If enough people do this, the companies will get blacklisted, which is another form of deterrence.
At this point, I'm convinced LinkedIn is literally paying Google to whitelist their spam.
I have yet to find a single person who actually appreciates the emails LinkedIn sends them. That includes business people who got their job through LinkedIn, and the recruiters who use it.
When it gets to the point when TV shows are casually taking jabs at LinkedIn for their abusive email policy, I think that's a sign that they're not wanted. Anywhere.
Edit: To clarify, the recently released Simpsons episode poked fun at LinkedIn, as has John Stewart (multiple times), and John Oliver.
Usually, emails I don't ever click on or explicitly mark as spam end up in my spam box automatically. Gmail is smart enough to do that. Even Quora emails land directly in the spam box.
Not so for LinkedIn. I've never clicked through on an email from LinkedIn. I don't even have a profile on the site - just an account that's sitting empty.
One of the benefits of running your own email server: You can block all LinkedIn spam at the gateway.
All LinkedIn email is banned at my gateway. As is any vendor who considers me purchasing from them to be an agreement whereby they can send me unsolicited email. 0 tolerance.
Funny thing about LinkedIn emails: some years ago I got sick of it and tracked down everything I could turn off. I then got no LinkedIn email. Now, I've been looking for jobs and such and wanted to turn on inbox notification emails and maybe some job search results, and they've changed their settings around enough that I can't figure out how to turn these things back on. A+ work!
This kind of spam actually deters me from signing up for much of anything anymore for the purposes of quickly test driving the service. I feel like just putting in my email address and a password is now more often than not considered an invitation to start emailing me useless marketing material once a week until I eventually get frustrated and open one of the emails to proceed with whatever their unsubscribe process is.
I have notification "fatigue" as it is and I don't need my attention drawn once a week to an email "ding" from a company I tried once.
If I were creating a new service I'd explicitly state on the signup prompts that I will not be send you marketing material, or at least have a checkbox.
Wishful thinking. The law in Canada, to my understanding, says that if you have conducted business with someone, then it's fair game for them to contact you with offers for some period of time (either 6 months or 12; I can't remember which.) Spam is defined as unsolicited bulk mail. If you bought something or subscribed to a site or whatever, then it's not unsolicited regardless of any opt-in or opt-out mechanism. The "do not call" registry of phone numbers similarly only applies to unsolicited callers; companies you've done business with can spam you with calls if you give them your phone number.
For these throwaway subscribes and transactional e-mails, I use an e-mail of them form <user>.<pin>@<mydomain>. When my mail server receives mail for this pattern, it changes it to <user>@<mydomain>, and bypasses all filters. Thus I'm sure to get important transactional e-mail. From time to time, and when I start seeing spam, I simply change the value of <pin>, which is a global in my mail server's config file.
Some people have date-based approaches, which can work well. E.g. if it is March 2015, your mail server might recognize an e-mail of the form you.201503@yourdomain, and map it to you@yourdomain. When April comes around, it stops working.
And then filtering is often your only option because the unsubscribe link doesn't work right with the plus character in it. Also, Gmail helpfully prevents us from creating filters that pipe the messages in question to /dev/null.
That kind of depends entirely on who/what you are unsubscribing from, and how intelligently they encode e-mail addresses through URL's, surely?
Maybe the problem you're running into is that the + character is special in URL's and must be escaped, otherwise it is treated as the representation of a space character. E.g. the URL parameter in <http://foo.example.com?unsubscribe&bob+whatever@domain> looks, after URL decoding by the server, like "bob whatever@domain". The software which inserted the e-mail into the URL didn't treat the plus properly, but the software which is decoding the URL is treating it like it is supposed to.
If that's the issue, the workaround could be as simple as manually fixing the URL in your browser, replacing the unescaped + character with its percent-encoding equivalent, %2B, as in <http://foo.example.com?unsubscribe&bob%2Bwhatever@domain>. The URL parameter bob%2Bwhatever@domain should now decode into bob+whatever@domain.
Try it next time.
It's easy to see how this could happen because the insertion of e-mail addresses into unsubscribe links in e-mail bodies is done by ad-hoc software probably cobbed together in house, whereas whereas URL parsing is done by generic URL handling code in a web server.
(But anyway, the whole point of this exercise is that we don't trust the unsubscribing. If unsubscribing could be trusted to be honored, we wouldn't need this extraneous e-mail address that we can recognize and junk.)
One problem with this is that this suffers from lack of obscurity, being implemented by a very popular mass mailer. It help against obnoxious, but otherwise honest sites that you have a relationship with, but it won't hamper real spammers, who can easily encode in their spamming software the blanket rule that any e-mail matching the pattern <x>+<y>@gmail.com should always be filtered to <x>@gmail.com.
You could not, for instance, widely publicize your "plus armored" gmail address in ways that make it susceptible to harvesting, and the scheme won't safeguard against situations where that e-mail address, once given legitimately, ends up sold to spammers.
Basically, everyone should have their own mail domain with a different trick. :)
Here is something you can do to bootstrap your own trick: make a "plus armored" gmail address your main one. For instance "bob.smith+rocks@gmail.com", such that "bob.smith@gmail.com" is considered invalid and thrown to the bit bucket. Do not give the "+rocks" version to anyone other than close contacts. Since "rocks" is a personal suffix, a spammer who has the address "bob.smith+junk003@gmail.com" cannot guess that "junk003" must be replaced with "rocks".
Actual spam filtering is as good as I could ask for on gmail. Maybe a few per month get through to my inbox, and I can't complain about that at all. I am also not at all worried about parsing x+y to ditch y. The real spam filter works really well, and despite public knowledge of '+', it's very uncommonly used.
My email address isn't Fort Knox. Email I don't want just doesn't get past the spam filters; even at peak spam a few years back when I was getting 4000+ illicit messages a month. Complex schemes aren't going to benefit me any because despite publicly posting my email as above, I just don't have a problem with unwanted messages.
If I sign-up for something just to get through a paywall or to use the service one-time, I will usually use something like guerrilla mail: https://www.guerrillamail.com
The company I work for just got hit with an Amazon SES probation for having too high of a bounce rate.
Investigating into this, I learned that you can set up SQS queues for SES bounces or complaints. Complaints? Yeah, SES somehow gets information back when you hit the "Spam" button in gmail. An acceptable complaint rate is below 0.1%, and if you go above it you can get banned from SES, from other emailing services like Mandrill, or if you're emailing directly to ISPs they can block you at their level.
So hit those spam buttons! Make email senders pay for bad email!
(My story had a happy ending-- I cleaned up what segment of users my company is sending service emails to and now our bounce rate is below 5% like it should be.)
> Yeah, SES somehow gets information back when you hit the "Spam" button in gmail.
This is called FBL (feedback loop)[1]. It's a standard[2] adhered to by all of the bulk message senders (SES, Mandrill, marketing providers like Mailchimp, Emma, etc) and the big account providers like Gmail, Yahoo, etc. When you hit the "report spam" button that triggers an FBL message back to the Return-Path address in the message. Complying with FBL reports is super important to staying on the account providers' good sides.
Does anyone know how to manually send these complaints to Google? Eg if you run your own mailserver and some Gmail account is spamming you?
Thank you for the link to the wikipage, I didn't know about FBL. It's disappointing that the page can't provide more information on how feedback loops are established between mailbox providers though.
Based on the links zrail mentioned, it looks like it is just a standard for sending abuse reports. The RFC looks pretty comprehensive, but there is also more information at https://en.wikipedia.org/wiki/Abuse_Reporting_Format.
This company was in flagrant violation of the law indeed. I was receving 2 e-mails from them every single weekday, at multiple jobs over the years, advertising their training courses. Unsubscribing did nothing. Every mail had a different sender, with one of a large collection of garbage domains (Today it was acfcursus.ca, promotionacf.com and capsulesacf.ca). The justification footer was a joke: "You are receiving this mail because of your function in the company". -- You're supposed to tell that the mail is opt-in, jackasses.
Most office workers know about "ACF Management" in Quebec because of the relentless spam and I'm not surprised they're the first hit by CASL. It's like the law was made for them.
32 comments
[ 6.4 ms ] story [ 77.5 ms ] threadOn both occasions I was receiving emails/spam I never signup for, and on both occasion I tried (several times) to contact the sender directly asking to be unsubscribed. Neither responded to my emails (and I've tried various different email addresses).
When the path of least resistance is filling a complaint, senders should expect no less. And if you decide to spam people, make it easy to unsubscribe, because the next fastest option is to file a complaint, and fines don't come cheap.
They ask to send them the spam emails (with headers) to them, all communication from and to. I guess it's the same around the EU, just the relevant national agency.
Meaning that the next time Compu-Finder will quietly hire a one-man shop in some other country and it will just spam on their behalf. It will be nearly impossible to (legally) pin this on them, because of the possibility that it was a hostile move on part of their competitors. Spammers gonna spam, just from a non-Canadian IP.
[0] http://en.wikipedia.org/wiki/Joe_job
1. I make an account on their service, or buy something. 2. There is no newsletter signup box. 3. They send me lots of newsletter emails. 4. They often keep coming after unsubscribes.
I consent to transactional emails, but I'm not consenting to newsletter and marketing emails. It's spam. I hope laws like this help deter such behavior.
Meanwhile, I've been marking non-consented emails as "spam" in gmail. If enough people do this, the companies will get blacklisted, which is another form of deterrence.
I have yet to find a single person who actually appreciates the emails LinkedIn sends them. That includes business people who got their job through LinkedIn, and the recruiters who use it.
When it gets to the point when TV shows are casually taking jabs at LinkedIn for their abusive email policy, I think that's a sign that they're not wanted. Anywhere.
Edit: To clarify, the recently released Simpsons episode poked fun at LinkedIn, as has John Stewart (multiple times), and John Oliver.
Usually, emails I don't ever click on or explicitly mark as spam end up in my spam box automatically. Gmail is smart enough to do that. Even Quora emails land directly in the spam box.
Not so for LinkedIn. I've never clicked through on an email from LinkedIn. I don't even have a profile on the site - just an account that's sitting empty.
Yet, all emails still land in my inbox.
I wonder why...
All LinkedIn email is banned at my gateway. As is any vendor who considers me purchasing from them to be an agreement whereby they can send me unsolicited email. 0 tolerance.
I have notification "fatigue" as it is and I don't need my attention drawn once a week to an email "ding" from a company I tried once.
If I were creating a new service I'd explicitly state on the signup prompts that I will not be send you marketing material, or at least have a checkbox.
Wishful thinking. The law in Canada, to my understanding, says that if you have conducted business with someone, then it's fair game for them to contact you with offers for some period of time (either 6 months or 12; I can't remember which.) Spam is defined as unsolicited bulk mail. If you bought something or subscribed to a site or whatever, then it's not unsolicited regardless of any opt-in or opt-out mechanism. The "do not call" registry of phone numbers similarly only applies to unsolicited callers; companies you've done business with can spam you with calls if you give them your phone number.
For these throwaway subscribes and transactional e-mails, I use an e-mail of them form <user>.<pin>@<mydomain>. When my mail server receives mail for this pattern, it changes it to <user>@<mydomain>, and bypasses all filters. Thus I'm sure to get important transactional e-mail. From time to time, and when I start seeing spam, I simply change the value of <pin>, which is a global in my mail server's config file.
Some people have date-based approaches, which can work well. E.g. if it is March 2015, your mail server might recognize an e-mail of the form you.201503@yourdomain, and map it to you@yourdomain. When April comes around, it stops working.
e.g.
cole.christensen+hnspam@gmail.com
And when mail from that source becomes troublesome setup a filter based on that To: address.
Maybe the problem you're running into is that the + character is special in URL's and must be escaped, otherwise it is treated as the representation of a space character. E.g. the URL parameter in <http://foo.example.com?unsubscribe&bob+whatever@domain> looks, after URL decoding by the server, like "bob whatever@domain". The software which inserted the e-mail into the URL didn't treat the plus properly, but the software which is decoding the URL is treating it like it is supposed to.
If that's the issue, the workaround could be as simple as manually fixing the URL in your browser, replacing the unescaped + character with its percent-encoding equivalent, %2B, as in <http://foo.example.com?unsubscribe&bob%2Bwhatever@domain>. The URL parameter bob%2Bwhatever@domain should now decode into bob+whatever@domain.
Try it next time.
It's easy to see how this could happen because the insertion of e-mail addresses into unsubscribe links in e-mail bodies is done by ad-hoc software probably cobbed together in house, whereas whereas URL parsing is done by generic URL handling code in a web server.
(But anyway, the whole point of this exercise is that we don't trust the unsubscribing. If unsubscribing could be trusted to be honored, we wouldn't need this extraneous e-mail address that we can recognize and junk.)
You could not, for instance, widely publicize your "plus armored" gmail address in ways that make it susceptible to harvesting, and the scheme won't safeguard against situations where that e-mail address, once given legitimately, ends up sold to spammers.
Basically, everyone should have their own mail domain with a different trick. :)
Here is something you can do to bootstrap your own trick: make a "plus armored" gmail address your main one. For instance "bob.smith+rocks@gmail.com", such that "bob.smith@gmail.com" is considered invalid and thrown to the bit bucket. Do not give the "+rocks" version to anyone other than close contacts. Since "rocks" is a personal suffix, a spammer who has the address "bob.smith+junk003@gmail.com" cannot guess that "junk003" must be replaced with "rocks".
My email address isn't Fort Knox. Email I don't want just doesn't get past the spam filters; even at peak spam a few years back when I was getting 4000+ illicit messages a month. Complex schemes aren't going to benefit me any because despite publicly posting my email as above, I just don't have a problem with unwanted messages.
Investigating into this, I learned that you can set up SQS queues for SES bounces or complaints. Complaints? Yeah, SES somehow gets information back when you hit the "Spam" button in gmail. An acceptable complaint rate is below 0.1%, and if you go above it you can get banned from SES, from other emailing services like Mandrill, or if you're emailing directly to ISPs they can block you at their level.
So hit those spam buttons! Make email senders pay for bad email!
(My story had a happy ending-- I cleaned up what segment of users my company is sending service emails to and now our bounce rate is below 5% like it should be.)
This is called FBL (feedback loop)[1]. It's a standard[2] adhered to by all of the bulk message senders (SES, Mandrill, marketing providers like Mailchimp, Emma, etc) and the big account providers like Gmail, Yahoo, etc. When you hit the "report spam" button that triggers an FBL message back to the Return-Path address in the message. Complying with FBL reports is super important to staying on the account providers' good sides.
[1]: http://en.wikipedia.org/wiki/Feedback_loop_(email)
[2]: http://tools.ietf.org/html/rfc5965
Thank you for the link to the wikipage, I didn't know about FBL. It's disappointing that the page can't provide more information on how feedback loops are established between mailbox providers though.
Most office workers know about "ACF Management" in Quebec because of the relentless spam and I'm not surprised they're the first hit by CASL. It's like the law was made for them.