32 comments

[ 6.4 ms ] story [ 77.5 ms ] thread
I've filled two formal complaints to an EU regulator regarding spam (one is a company, another an individual). The first complaint was made back in early 2014, and a few weeks ago I got a response from the competent authority. They fined the company with just over €30,000. I'm still waiting on the second complaint.

On both occasions I was receiving emails/spam I never signup for, and on both occasion I tried (several times) to contact the sender directly asking to be unsubscribed. Neither responded to my emails (and I've tried various different email addresses).

When the path of least resistance is filling a complaint, senders should expect no less. And if you decide to spam people, make it easy to unsubscribe, because the next fastest option is to file a complaint, and fines don't come cheap.

When CASL was first passed, I was worried about it being toothless. Glad to see I'm wrong.
It is a huge headache at our company but I am glad to see this penalty handed down because it means all the work we are doing on it is worthwhile.
(comment deleted)
This likely means that the spamming will now become a dedicated off-shore service in Canada.

Meaning that the next time Compu-Finder will quietly hire a one-man shop in some other country and it will just spam on their behalf. It will be nearly impossible to (legally) pin this on them, because of the possibility that it was a hostile move on part of their competitors. Spammers gonna spam, just from a non-Canadian IP.

I don't think it works that way. One might be sending emails from abroad, but if you sell a product/service where you are suing, the company can still be liable, regardless of the geographical origin of the email.
GP is suggesting that the spam might be a joe job[0]. Don't like your upcoming competition? Work with some foreign spamming company to send emails looking like legit emails from them in the hopes that their real emails are penalized.

[0] http://en.wikipedia.org/wiki/Joe_job

I'm seeing a lot of spam by companies that purport to be legit startups.

1. I make an account on their service, or buy something. 2. There is no newsletter signup box. 3. They send me lots of newsletter emails. 4. They often keep coming after unsubscribes.

I consent to transactional emails, but I'm not consenting to newsletter and marketing emails. It's spam. I hope laws like this help deter such behavior.

Meanwhile, I've been marking non-consented emails as "spam" in gmail. If enough people do this, the companies will get blacklisted, which is another form of deterrence.

I wonder when, if ever, they'll dock LinkedIn for this. Easily the worst offender in my inbox as far as legitimate companies are concerned.
Everything from Linkedin goes straight to my spam filter. They simply will not shut off emails.
At this point, I'm convinced LinkedIn is literally paying Google to whitelist their spam.

I have yet to find a single person who actually appreciates the emails LinkedIn sends them. That includes business people who got their job through LinkedIn, and the recruiters who use it.

When it gets to the point when TV shows are casually taking jabs at LinkedIn for their abusive email policy, I think that's a sign that they're not wanted. Anywhere.

Edit: To clarify, the recently released Simpsons episode poked fun at LinkedIn, as has John Stewart (multiple times), and John Oliver.

I definitely think there are some backroom deals.

Usually, emails I don't ever click on or explicitly mark as spam end up in my spam box automatically. Gmail is smart enough to do that. Even Quora emails land directly in the spam box.

Not so for LinkedIn. I've never clicked through on an email from LinkedIn. I don't even have a profile on the site - just an account that's sitting empty.

Yet, all emails still land in my inbox.

I wonder why...

One of the benefits of running your own email server: You can block all LinkedIn spam at the gateway.

All LinkedIn email is banned at my gateway. As is any vendor who considers me purchasing from them to be an agreement whereby they can send me unsolicited email. 0 tolerance.

Funny thing about LinkedIn emails: some years ago I got sick of it and tracked down everything I could turn off. I then got no LinkedIn email. Now, I've been looking for jobs and such and wanted to turn on inbox notification emails and maybe some job search results, and they've changed their settings around enough that I can't figure out how to turn these things back on. A+ work!
This kind of spam actually deters me from signing up for much of anything anymore for the purposes of quickly test driving the service. I feel like just putting in my email address and a password is now more often than not considered an invitation to start emailing me useless marketing material once a week until I eventually get frustrated and open one of the emails to proceed with whatever their unsubscribe process is.

I have notification "fatigue" as it is and I don't need my attention drawn once a week to an email "ding" from a company I tried once.

If I were creating a new service I'd explicitly state on the signup prompts that I will not be send you marketing material, or at least have a checkbox.

> I hope laws like this help deter such behavior.

Wishful thinking. The law in Canada, to my understanding, says that if you have conducted business with someone, then it's fair game for them to contact you with offers for some period of time (either 6 months or 12; I can't remember which.) Spam is defined as unsolicited bulk mail. If you bought something or subscribed to a site or whatever, then it's not unsolicited regardless of any opt-in or opt-out mechanism. The "do not call" registry of phone numbers similarly only applies to unsolicited callers; companies you've done business with can spam you with calls if you give them your phone number.

For these throwaway subscribes and transactional e-mails, I use an e-mail of them form <user>.<pin>@<mydomain>. When my mail server receives mail for this pattern, it changes it to <user>@<mydomain>, and bypasses all filters. Thus I'm sure to get important transactional e-mail. From time to time, and when I start seeing spam, I simply change the value of <pin>, which is a global in my mail server's config file.

Some people have date-based approaches, which can work well. E.g. if it is March 2015, your mail server might recognize an e-mail of the form you.201503@yourdomain, and map it to you@yourdomain. When April comes around, it stops working.

With gmail you can also simply add some text after a +

e.g.

cole.christensen+hnspam@gmail.com

And when mail from that source becomes troublesome setup a filter based on that To: address.

And then filtering is often your only option because the unsubscribe link doesn't work right with the plus character in it. Also, Gmail helpfully prevents us from creating filters that pipe the messages in question to /dev/null.
In gmail you can setup a filter that automatically deletes messages. Not quite /dev/null but pretty close.
"Delete it" merely moves the messages to the trash. It does not, in fact, delete the message. Not close at all.
And anything in the trash gets automatically deleted in 30 days.
That kind of depends entirely on who/what you are unsubscribing from, and how intelligently they encode e-mail addresses through URL's, surely?

Maybe the problem you're running into is that the + character is special in URL's and must be escaped, otherwise it is treated as the representation of a space character. E.g. the URL parameter in <http://foo.example.com?unsubscribe&bob+whatever@domain> looks, after URL decoding by the server, like "bob whatever@domain". The software which inserted the e-mail into the URL didn't treat the plus properly, but the software which is decoding the URL is treating it like it is supposed to.

If that's the issue, the workaround could be as simple as manually fixing the URL in your browser, replacing the unescaped + character with its percent-encoding equivalent, %2B, as in <http://foo.example.com?unsubscribe&bob%2Bwhatever@domain>. The URL parameter bob%2Bwhatever@domain should now decode into bob+whatever@domain.

Try it next time.

It's easy to see how this could happen because the insertion of e-mail addresses into unsubscribe links in e-mail bodies is done by ad-hoc software probably cobbed together in house, whereas whereas URL parsing is done by generic URL handling code in a web server.

(But anyway, the whole point of this exercise is that we don't trust the unsubscribing. If unsubscribing could be trusted to be honored, we wouldn't need this extraneous e-mail address that we can recognize and junk.)

One problem with this is that this suffers from lack of obscurity, being implemented by a very popular mass mailer. It help against obnoxious, but otherwise honest sites that you have a relationship with, but it won't hamper real spammers, who can easily encode in their spamming software the blanket rule that any e-mail matching the pattern <x>+<y>@gmail.com should always be filtered to <x>@gmail.com.

You could not, for instance, widely publicize your "plus armored" gmail address in ways that make it susceptible to harvesting, and the scheme won't safeguard against situations where that e-mail address, once given legitimately, ends up sold to spammers.

Basically, everyone should have their own mail domain with a different trick. :)

Here is something you can do to bootstrap your own trick: make a "plus armored" gmail address your main one. For instance "bob.smith+rocks@gmail.com", such that "bob.smith@gmail.com" is considered invalid and thrown to the bit bucket. Do not give the "+rocks" version to anyone other than close contacts. Since "rocks" is a personal suffix, a spammer who has the address "bob.smith+junk003@gmail.com" cannot guess that "junk003" must be replaced with "rocks".

Actual spam filtering is as good as I could ask for on gmail. Maybe a few per month get through to my inbox, and I can't complain about that at all. I am also not at all worried about parsing x+y to ditch y. The real spam filter works really well, and despite public knowledge of '+', it's very uncommonly used.

My email address isn't Fort Knox. Email I don't want just doesn't get past the spam filters; even at peak spam a few years back when I was getting 4000+ illicit messages a month. Complex schemes aren't going to benefit me any because despite publicly posting my email as above, I just don't have a problem with unwanted messages.

The company I work for just got hit with an Amazon SES probation for having too high of a bounce rate.

Investigating into this, I learned that you can set up SQS queues for SES bounces or complaints. Complaints? Yeah, SES somehow gets information back when you hit the "Spam" button in gmail. An acceptable complaint rate is below 0.1%, and if you go above it you can get banned from SES, from other emailing services like Mandrill, or if you're emailing directly to ISPs they can block you at their level.

So hit those spam buttons! Make email senders pay for bad email!

(My story had a happy ending-- I cleaned up what segment of users my company is sending service emails to and now our bounce rate is below 5% like it should be.)

> Yeah, SES somehow gets information back when you hit the "Spam" button in gmail.

This is called FBL (feedback loop)[1]. It's a standard[2] adhered to by all of the bulk message senders (SES, Mandrill, marketing providers like Mailchimp, Emma, etc) and the big account providers like Gmail, Yahoo, etc. When you hit the "report spam" button that triggers an FBL message back to the Return-Path address in the message. Complying with FBL reports is super important to staying on the account providers' good sides.

[1]: http://en.wikipedia.org/wiki/Feedback_loop_(email)

[2]: http://tools.ietf.org/html/rfc5965

Does anyone know how to manually send these complaints to Google? Eg if you run your own mailserver and some Gmail account is spamming you?

Thank you for the link to the wikipage, I didn't know about FBL. It's disappointing that the page can't provide more information on how feedback loops are established between mailbox providers though.

This company was in flagrant violation of the law indeed. I was receving 2 e-mails from them every single weekday, at multiple jobs over the years, advertising their training courses. Unsubscribing did nothing. Every mail had a different sender, with one of a large collection of garbage domains (Today it was acfcursus.ca, promotionacf.com and capsulesacf.ca). The justification footer was a joke: "You are receiving this mail because of your function in the company". -- You're supposed to tell that the mail is opt-in, jackasses.

Most office workers know about "ACF Management" in Quebec because of the relentless spam and I'm not surprised they're the first hit by CASL. It's like the law was made for them.