Jul 22 2015
 

Today, I received a notification that there was a “Post by non-member to a members-only list” on one of the mailing lists I run. This occasionally happens if a subscriber posts to the mailing list from the wrong address. It can also happen if the list address has been harvested by spammers – and the message in question is therefore spam.

In today’s case, it was spam.

The spammer in question is a company called Web Windows Marketing Limited, based in Peterborough – who I have encountered before; I’ve been receiving spam from them at other addresses (possibly one, possibly more) for a while. Usually, their spam is caught by my spam filters, and all I see are the sender and subject lines in my daily spam report – but on 1st May, I received an email from them that somehow slipped through the net and reached my inbox.

I decided to call them on it, labelling them as spammers on Twitter. The subsequent conversation between me and their MD, Andrew Mogridge, is summarised below, with links to the individual tweets. (Mogridge’s tweets are marked ‘AM’ – those marked ‘Me’ are obviously me!)

  • Me: And we have another persistent spammer joining my new “We love spam so much, we want all of Vince’s spam” mailing list – @WebWindowsMkg
  • AM: @VinceMH @WebWindowsMkg We definitely don’t want to be sending unwelcome emails. Happy to subscribe you now if you wish.
  • Me: . @AndrewMogridge I assume you’re to do with @WebWindowsMkg judging by your reply? If so not sending UCE in the first place is the solution.
  • AM: @VinceMH @WebWindowsMkg Panic over. Just found you on our database and subscribed you. Apologies once again.
  • Me: . @AndrewMogridge @WebWindowsMkg Neat trick since I haven’t given you the email addy you’ve used. And why was I on the DB to start with?

If you look at the actual times of the tweets, you’ll see a slight discrepancy: where one of Mogridge’s comments is listed after mine, but timed a minute earlier. This is just a ‘crossed in the post situation’ – I didn’t see his comment until after I’d typed mine, so that’s the order I’ve presented them above. The odd timing aside, though, the clear point there is that he said he’d unsubscribed me from their mailing list, even though I didn’t tell him the address at which the spam was received (and he forgot the ‘un’ at the start of ‘unsubscribe’!)

How did he do that?

The WebWindows spam at that time came to an address that began vinceh@{one of my domains} – so one possibility is that they managed to put two and two together, and associated the Twitter name @VinceMH with an email address beginning vinceh@ – and all in the few minutes between his first comment, which was made at 4:04PM, and the one in which he said it was done, which was at 4:07PM.

Nah.

A more likely possibility is the mailing list I mentioned in the first Tweet – the “We love spam so much, we want all of Vince’s spam” mailing list.

The idea behind the list (which I didn’t actually set up – but it would be trivial to do) is that if I receive a UCE from a verifiable source, I would treat that UCE as a subscription request, and in response, I would send out a confirmation email to any addresses I could find for the spammer. The confirmation would offer the opportunity to proceed with the subscription request – all the spammer would need to do is continue spamming; the next spam I received from them would be treated as a confirmation. To avoid subscribing, therefore, all that would be necessary would be to stop sending spam.

Once subscribed (i.e. if and when I received another spam from them), all spam I received would be forwarded on to list subscribers – they would receive copies of all the spam I received. Because, being spammers, they love spam.
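The mechanism just described is a double opt-in flow in which continued spamming stands in for clicking a confirmation link. The following is an added illustration, not code from the post: a small state machine that tracks each sender as pending or subscribed, queues (but never sends) a confirmation on the first message, and only forwards to senders who have confirmed by writing again. The sender addresses are constructed for the example.

```python
"""Toy model of the 'we love spam' list idea: the first unsolicited message
from a sender is treated as a subscription request and a confirmation is
queued; a further message from the same sender completes the subscription.
Nothing is actually sent - 'outbox' is just a list of what would go out."""
from dataclasses import dataclass, field
from email.utils import parseaddr

PENDING = "pending"
SUBSCRIBED = "subscribed"


@dataclass
class OptInList:
    # sender address (lower-cased) -> PENDING or SUBSCRIBED
    states: dict = field(default_factory=dict)
    # (recipient, message) pairs a real implementation would send
    outbox: list = field(default_factory=list)

    def handle_unsolicited(self, from_header: str) -> str:
        """Process one unsolicited message and return the sender's new state.

        Returns 'ignored' when the From header does not contain a usable
        address; a simplified stand-in for the 'verifiable source' condition.
        """
        _, addr = parseaddr(from_header)
        addr = addr.lower()
        if "@" not in addr:
            return "ignored"
        state = self.states.get(addr)
        if state is None:
            # First message: treat as a subscription request and ask to confirm.
            # Doing nothing (i.e. not spamming again) leaves them unsubscribed.
            self.states[addr] = PENDING
            self.outbox.append((addr, "confirm"))
            return PENDING
        if state == PENDING:
            # Second message: the sender 'confirmed' by continuing to send.
            self.states[addr] = SUBSCRIBED
            return SUBSCRIBED
        return SUBSCRIBED

    def subscribers(self) -> list:
        """Addresses that have completed the two-step confirmation."""
        return sorted(a for a, s in self.states.items() if s == SUBSCRIBED)

    def forward(self, spam_subject: str) -> list:
        """Queue a copy of an incoming spam for every confirmed subscriber."""
        targets = self.subscribers()
        for t in targets:
            self.outbox.append((t, "fwd: " + spam_subject))
        return targets


if __name__ == "__main__":
    lst = OptInList()
    print(lst.handle_unsolicited("Sales <sender@example.invalid>"))  # pending
    print(lst.handle_unsolicited("sender@example.invalid"))          # subscribed
    print(lst.forward("Great offer"), lst.outbox)
```

The point of the model is the one the post makes: the transition to "subscribed" only happens on the sender's next action, so silence (stopping the spam) costs the sender nothing.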

I sent that confirmation from the spammed address to a number of addresses @webwindows.co.uk – most notably including the address from which the spam was sent – pippa.brown@webwindows.co.uk. Since they were sending UCE to an address that has been harvested, I’m sure they’ll have no problem with their address being published and given a mailto: link here. (It’s worth pointing out, as well, that it was the same sender today.)

It’s more likely that confirmation email was the basis of my address being unsubscribed.

As an aside: Normally, you should not reply to spammers (if they’re using an address that is theirs to use), and especially don’t click on any links in their email (including ‘unsubscribe’ links) – preferably don’t even open the email to start with – because doing any of these can confirm your email address is live and read by someone; in the case of clicking links or even opening the email, that’s achieved using tracking links that are unique to the email sent to you. By sending that confirmation email, I did something that I would normally advise against.
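The tracking the aside refers to is usually visible in the message itself: a tiny remote image whose URL is unique to your copy (open tracking) and links whose query string or path carries a long opaque token (click tracking, including the ‘unsubscribe’ link). As an added example, not from the post, here is a small detector that pulls links and images out of an HTML e-mail and flags the ones that carry such a token. The sample message, its domains and the token are constructed for the example.

```python
"""Flag per-recipient tracking in an HTML e-mail body.

Open tracking  -> a remote 1x1 image, usually with a unique id in its URL.
Click tracking -> links whose query value or last path segment is a long
                  opaque token that identifies the recipient.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message; the hosts and the 32-character token are made up.
SAMPLE_HTML = """<html><body>
<p>Hello, see our <a href="https://mail.example-tracker.test/c?u=3&t=9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c">offer</a></p>
<p>Or visit <a href="https://example.test/about">our site</a></p>
<img src="https://mail.example-tracker.test/o/9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c.gif" width="1" height="1">
<a href="https://mail.example-tracker.test/u?id=9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c">unsubscribe</a>
</body></html>"""

# A value of 20+ URL-safe characters with no structure is treated as an opaque id.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")


class _Collector(HTMLParser):
    """Collect hrefs of <a> tags and src/width/height of <img> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))


def has_opaque_token(url: str) -> bool:
    """True if any query value or the last path segment looks like a tracking id."""
    p = urlparse(url)
    values = [v for vs in parse_qs(p.query).values() for v in vs]
    last_segment = p.path.rsplit("/", 1)[-1].split(".")[0]  # strip e.g. '.gif'
    return any(TOKEN_RE.match(v) for v in values + [last_segment])


def find_tracking(html: str) -> dict:
    """Split links into tracking/plain and list probable tracking pixels."""
    c = _Collector()
    c.feed(html)
    tracking_links = [u for u in c.links if has_opaque_token(u)]
    pixels = [
        src for src, w, h in c.images
        if (w, h) == ("1", "1") or has_opaque_token(src)
    ]
    return {
        "tracking_links": tracking_links,
        "plain_links": [u for u in c.links if u not in tracking_links],
        "tracking_pixels": pixels,
    }


if __name__ == "__main__":
    for kind, urls in find_tracking(SAMPLE_HTML).items():
        print(kind)
        for u in urls:
            print("   ", u)
```

Run on the sample, the detector flags both the ‘offer’ and the ‘unsubscribe’ links and the 1x1 image, and leaves the ordinary ‘about’ link alone; fetching any of the flagged URLs is exactly what tells the sender that the address is live. The heuristic is deliberately simple (long opaque values only), so a mail client that blocks remote images by default remains the more reliable protection.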

Since the above incident, I don’t appear to have received any further spam from Web Windows – until today’s infraction.

Today’s was to a different email address from the one discussed above, though at the same domain name – this time one of the mailing list addresses. The lists are set up such that any attempts to post messages from an address that isn’t subscribed are deferred to me, so that I can glance at the messages and deal with them as appropriate, such as send an email to the subscriber (if it’s clear to me that it’s one posting from the wrong address) to point out their error.

As before, I decided to comment on Twitter – and this was the conversation that ensued (this time from the @WebWindowsMkg account – WW below).

  • Me: I see @WebWindowsMkg are spamming again. This time, attempting to punt their crap to one of my mailing lists.
  • WW: @VinceMH What are your email domains and I’ll do a blanket unsubscribe.
  • Me: @WebWindowsMkg None of my domains should be subscribed in the first place. “Blanket unsubscribe” all addresses not obtained legitimately.
  • WW: Unless we know the email addresses it’s difficult to comment. If a data supplier is providing us with poor lists we’d like to know.
  • Me: @WebWindowsMkg Okay. Here’s the deal: 1) If I tell you the email address in question, in return, I want to know the source of that address.
  • Me: @WebWindowsMkg 2) If you are unwilling/unable to furnish me with a verifiable source, I want a payment of £50+VAT every time I get your spam
  • Me: @WebWindowsMkg (at that address or any other).
  • Me: @WebWindowsMkg In fact, if I give you the address, you can stop using that source – so #2 should apply regardless.
  • Me: @WebWindowsMkg Another question: Since we’ve been here before (look around May), why did you not establish/stop using the dodgy source then?
  • WW: @VinceMH We purchase data from around a dozen different sources.
  • Me: @WebWindowsMkg Yes, but I highlighted this problem in May (different address). You claimed to unsubscribe me – but why only that? …
  • Me: @WebWindowsMkg … after all, you must have been able to see where you sourced the address then and concluded it was supplying bad data.

There are a few things to look at here.

I’ve suggested that I will provide them with the specific email address they have spammed this time in order that they unsubscribe it, on the condition that they identify to me the source of that email address – where they got it from, and on the understanding that if I get any future spam from them (at any address) I expect a payment of £50 plus VAT.

My logic is that if I provide them with the spammed address, not only can they unsubscribe it, but they should be able to identify which of their dozens of sources provided them with that address. Once they know that, they provide that information to me, which would allow me to start looking into that source.

I should add that under the Data Protection Act, I can submit a Subject Access Request – Web Windows would be legally obliged to provide me with any data pertaining to me, and that ought to include information regarding any email address I own that they have, including its source. If not, they are not maintaining a proper audit trail tying data to sources – but even without that trail, it’s a text string and a search of data files from different sources; it’s not rocket science!

Additionally, by identifying the source – even for themselves – they would know which of their dozens of different sources is providing them with “poor lists” and they would be able to stop using this questionable supplier, and wipe records supplied by that supplier from their database. They would benefit from that! Sure, they’d have fewer email addresses to send their rubbish to, but the ones they do have would be ‘clean.’

The £50 plus VAT for future infractions therefore shouldn’t be a problem – they’d no longer be obtaining and using email addresses from a questionable source, so there would be no danger of them having to pay out.

Would there?

To date, I’ve seen no messages from them accepting my offer.

And of course, there’s the question I raised. I’m not sure why I called it “another question” since it appears to be the first – but the question is: In May, they (allegedly) worked out what my address was and unsubscribed it. Why did they not use that address to identify which of their dozens of suppliers is the one giving them lists that include email addresses that shouldn’t be used?

If Web Windows is an above board, responsible marketing company, they would want to ensure they are using good, safe data, because they would want to be 100% sure they are complying with the law.

Wouldn’t they?

So the real question is, are they an above board, responsible marketing company?

Let’s look at their website. In particular, let’s look at their email marketing policy. The first ‘FAQ’ on this page is “I have received an email from Web Windows and want to know where you got my details from?” and the answer states:

Your details could have been obtained from a variety of different sources: A member of staff may have genuinely come across your business on the internet and identified you as a potential business for our web marketing services. Alternatively, your details may have been acquired from a number of data suppliers that we work with, each of whom are members of the Direct Marketing Association. A third source of information generation is the variety of double opt-in forms that have been on our website for the last 8 years.

What is the first source, again? “A member of staff may have genuinely come across your business on the internet and identified you as a potential business for our web marketing services.”

Here, they are admitting that – as well as bought in databases – they actively send their marketing emails to email addresses they find on websites.

Further down, another ‘FAQ’ is “What are the regulations surrounding email marketing?” and their answer states:

Under EU Laws, B2B emailing within the UK is a perfectly permissible form of marketing providing it follows certain guidelines:

  • The email states who it is from
  • The subject is clear and unambiguous
  • An unsubscribe link is included within the message
  • Full contact and company details are included

That isn’t quite true, however. They talk of B2B – business to business – emailing, but what they aren’t taking into account is that businesses take a number of forms, and can include sole traders, who should be treated as individuals. The relevant legislation – The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PDF) – defines an “individual” as “a living individual and includes an unincorporated body of such individuals.”

The specific regulation in question is number 22 (on page 10) and, in very summarised form, it states that UCE must not be sent to individuals unless they have consented; given permission for their email addresses to be used for marketing purposes.

It does include a clause that a method of unsubscribing must be included with each communication, but that is in addition to that permission being given in the first place.

Going back to Web Windows’ own FAQ, the one mentioning the regulations finishes with this:

If you believe that Web Windows does not adhere to any of the above please let us know. We are very diligent in working within the guidelines and recognise their importance.

However, those words are meaningless if they don’t back that up with action:

  1. They need to identify the source of their dodgy email data, and stop obtaining data from that source (and stop using data already obtained from it).
  2. When scraping email addresses from websites, they must make absolutely sure the business whose site it is isn’t covered by the regulations to which I’ve linked above.

I’m not convinced that, at the moment, they are doing either of those.

 

VinceH