Spam from Scottish Power, their response: we’ll carry on spamming (just not to you).

Spam annoys me.
More specifically, the effect of spam annoys me. It annoys me that from time to time I find emails I really need have been filtered to a spam folder. It annoys me that from time to time customers don’t receive emails from us because our email is filtered to their spam folder. It annoys me that I’ve had to jump through hoops to get email delivered to members of a community group I’m a part of ’cause Microsoft’s email servers overzealous approach to spam filtering (tell my server the email was accepted and delivered, but not deliver it to the member or even the spam folder of the member – took several hours to figure out they were doing that..)

Anyway, in the UK we have laws that ban companies from sending unsolicited email. Sure, it won’t stop the non UK spammers or those peddling dodgy things, but it’s a start at least. The rules are called The Privacy and Electronic Communications (EC Directive) Regulations 2003 – abbreviated to PECR. The sad thing is, there is essentially no enforcement of these[1]. Most of the spam I get is from small companies that have been sold my address and don’t realise that is not allowed by the regulations. Last month I got new spam email from Scottish Power. I’d expect them to know better than buy email addresses, but apparently they think it’s OK.

From the regulations:
a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a)that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b)the direct marketing is in respect of that person’s similar products and services only; and
(c)the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

The text I put in bold, to me at least, makes it clear that if I’ve never communicated with your company I can’t possible have given consent to your company to send me email. The Information Commissioners Office (ICO) appear to agree – “You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.

Scottish Power made it clear in their replies to my emails (all below) that they think it is acceptable to buy email addresses. Even though they will stop sending to me (’cause I asked them to stop, and I believe they will), the people they bought it from will continue to sell my address to other companies. Scottish Power did not provide contact details for those companies (they named two companies) so did not provide a way for me to unsubscribe from future spam. They claim (in the emails below) they only send to corporate email addresses or opt-in addresses but on this occasion could not find proof of opt in. Maybe that’s true, maybe my address is the only one that slipped through a vetting process, however my instincts are that they’ve bought a load of addresses as ‘businesses’ and used them all.

A long time ago, I read a Mailchimp article (mailchimp are a company that provide email services for newsletters, marketing etc) about whether you should use bought in email lists, the answer: http://caniuseapurchasedemaillist.com/

Scottish Power – here’s a public message to you; Please stop sending spam!


For those who like to know the detail without my summary, here are the emails:


From: ScottishPower Business
Date: 28 April 2016 at 08:13
Subject: Let’s make your business energy simpler

If you are unable to view this email, click here to view online.
We know it takes a lot to run a business – being on
top of every detail matters. That's why, when you switch

If you are unable to view this email, click here
to view online.
[image: ScottishPower]



From: Steve Root
Date: 28.04.2016 07:58:31
To: genesys.routing@scottishpower.com
Cc:
Subject: Fwd: ))) scottishpower1 ((( Fwd: Let ’s make your business energy simpler

Where did you get this email address from please?



From: CONTACTUS@SCOTTISHPOWER.COM [mailto:CONTACTUS@SCOTTISHPOWER.COM]
Sent: 28 April 2016 13:37
To: Data Protection (Energy Retail)
Subject: Fwd: Fwd: ))) scottishpower1 ((( Fwd : Let ’s make your business energy simpler

Hi ,
We have recieved an auto reponse and customer is quering where we got the email address from ,I have no way of tracing this as per email below ,Please advise or contact the customer if possible .
Regards
Kim McLaughlin
Scottish Power Business Energy Team Glasgow



29th April

Dear Mr Root

Thank you for your email of 28 April 2016.

Having contacted our business marketing team, I can advise you that your email address was purchased from a Third Party for use in marking activity.

Following on from your email, I have arranged to have your email address removed from any marketing activity so you will no longer receive emails from ScottishPower.

Many Thanks

Andrew Healing
Iberdrola Group|Global Retail Operations
Data Protection Adviser



30th APril

Thank you Andrew, can you provide contact details for this company please.

Regards
Steve



2nd May

Good Morning Mr Root

Thank you for your email.

I have received confirmation that your information was supplied to us from our Third Party provider Call Credit. They purchased your data from a Company called Blue Sheep.

Many Thanks

Andrew Healing
Iberdrola Group|Global Retail Operations
Data Protection Adviser



3 May
Thanks Andrew,

I'm really curious how your company's decision to buy addresses, like mine, correlates with the requirements of the PECR regulations. Can you help me understand your interpretation please?

Thanks



10th May
Thanks Andrew,

I'm really curious how your company's decision to buy addresses, like mine, correlates with the requirements of the PECR regulations. Can you help me understand your interpretation please?

Thanks



10th May
Good Morning Mr Root

I am awaiting a response to an email that has been sent to our marketing team. This has been chased up today. As soon as I receive a response I will be back in touch.

Thanks

Andrew Healing
Iberdrola Group|Global Retail Operations
Data Protection Adviser



16th May
Hello Andrew,
I'm still curious.
Thanks
Steve



18th May

Good Afternoon Mr Root

I am sorry that I have not been able to come back to you with the information you have requested.

We are keen to understand exactly how and when your details were collected so that we can provide an accurate response.

We are awaiting a full response from our data provider. I have asked for this to be pursued again today and have expressed the urgency. Thank you for your patience, I will be in touch with you as soon as we have the required information.

Kind Regards

Andrew Healing
Iberdrola Group|Global Retail Operations
Data Protection Adviser



26th May
Hello Andrew,

I restate my question:
"I'm really curious how your company's decision to buy addresses, like mine, correlates with the requirements of the PECR regulations. Can you help me understand your interpretation please?"

Maybe it's time to escalate this?

Thanks



Steve Root
31 May
to: Andrew Healing
to: richard.taylor, marion.venman

OK, still no response as to why Scottish Power think it's OK to ignore the PECR regulations.
I'll guess a couple of email addresses and see if that helps find an answer...



31st May

Dear Mr Root

We received your email address from our data provider as “consented data”.
We have noted your wishes that we do not contact this email address any further.
We are reviewing our processes to ensure we adhere to both the PECR and Data Protection requirements.

Kind Regards

Andrew Healing
Iberdrola Group|Global Retail Operations
Data Protection Adviser



1st June

Hello Andrew,
Thank you for replying but you still ignore my question:
"I'm really curious how your company's decision to buy addresses, like mine, correlates with the requirements of the PECR regulations. Can you help me understand your interpretation please?"

The PECR regulations are very clear and having a job title of 'data protection advisor' I'm sure you know this but to spell it out;

http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made

Use of electronic mail for direct marketing purposes
22.—(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a)that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b)the direct marketing is in respect of that person’s similar products and services only; and
(c)the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).

And from the ICO
https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/

In brief…
You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.

The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:
they have specifically consented to electronic mail from you; or
they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent

... and so on.

Is your current answer "We are reviewing our processes to ensure we adhere to both the PECR and Data Protection requirements." an admission that Scottish Power currently do not abide by the PECR regulations?

As I said, on 26th May, perhaps it is time for you to pass this up your chain of management if the company wishes to make statements like that.

Regards



7th June
Fermie, Andrew
to me, Andrew
Dear Mr Root

I am writing further to the issue you have raised about PECR and your correspondence with Andrew Healing about it. Thank you for taking the time to raise this with us.

We have been unable to obtain the assurances we would expect in relation to this case. Specifically, we would expect either that the record can be demonstrated to be a corporate record or the gathering of a valid consent can be shown. I am sorry that this has been the case in this instance. We will be taking appropriate action to safeguard against any recurrence.

As well as doing all we can to make sure our practices are compliant with both PECR and the Data Protection Act, I also understand the real annoyance and inconvenience that can arise from unwanted marketing activity. And if we do get it wrong, I am keen to ensure we have the measures in place so that we don’t get it wrong again. If someone indicates they do not wish to receive any more marketing from us, we ensure we have processes in place to that end.

We have confirmed to you that you will not receive any further unwanted marketing from ScottishPower. I can also give you my personal assurance that we take the marketing rules seriously. I have answered the question you asked and, for the avoidance of doubt, this cannot be equated to an assertion that “ScottishPower do not currently abide by the PECR Regulations”. We have contractual arrangements in place designed to help ensure that we do and I cannot go into any more detail than that.

I would appreciate it if you could let me know if there is anything else that I can do.

Regards

Andrew
Iberdrola Group|Global Retail Operations
UK Operations - Data Protection Officer



Steve Root
7 Jun

to Andrew, Andrew
Thanks Andrew,
I've no other questions.

Regards
Steve


[1] I did email the ICO, but they make it clear they won’t investigate every instance of spam and will only start taking an interest if lots of people complain about a specific company.

Solicitors who spam? That would be Edwards Duthie Solicitors

Ah, the spam wars. I haven’t posted to this topic for a long time. Not because the spam has stopped but because I’ve had other things to occupy me.

I thought I’d blog this bit of spam though, solicitors firm Edwards Duthie who decided to spam my email with the image below. I emailed them twice to ask where they got my email address from but they didn’t reply. I then thought I’d look for the email address of their data controller but it turns out the information commissioner only publishes a postal address to the public register of data controllers.

On their web site, they describe themselves as “With 13 Partners and some 100 staff operating out of two main offices and three satellite offices, we are one of the largest law firms in the East London/West Essex region.” so perhaps I’m naive to have expected a reply to my emails, or for them to follow the law. Or maybe they know the law has no teeth, so it’s OK to spam because it won’t affect their business negatively as much as they will gain from people that reply.

The email was sent via mailchimp. That means I can unsubscribe knowing mailchimp will block any more, perhaps even drop Edwards Duthie as a customer if they have lots of complaints. It also means it got through my spam filters (mailchimp do a good job of keeping spammers from their network) and there’s every chance wherever Edwards Duthie bought my email address from will continue selling it, I’ll continue getting spam and a couple of times a week I’ll be pulling email I want from my spam folder amongst the thousand or so others from people like Edwards Duthie.

edwardsduthiespamimage

Caught in my spam trap – randrnews.co.uk

I’ve decided to start naming and shaming the people who spam me. I have an email address hidden in the code of one of my web sites. It doesn’t display to visitors but robots will read it. To give the spammers a sporting chance, the email address is nospam@….mydomain… I then email them to ask where they got the address from.

Their response to asking where they got the email address from?

They never responded.

Observations

Whilst this is the first time they’ve been caught in my current spam trap, scraping web sites and sending spam seems to be their method of operation to sell advertising space. They appear to have set up servers just to send spam. I say this because mhglobalmc3.co.uk doesn’t have a public website and displays a default virtual server login. They also run their own name servers. From an IT perspective, they seem pretty switched on – although their web server has been hacked so they’re not that good. I wouldn’t wish that on my worst enemy let alone spammers like this company. I’d email them and tell them, except I guess they wouldn’t read that either.

They are based in Kent, not so far from us, so back in 2009 I took the time to phone them and ask them to stop spamming us. I spoke to ‘Paul’ who promised to look into it. I’m assuming that was Paul Attwood. He was and is the owner of the domain sending spam back then;

Domain name:
    pamediasolutions.co.uk

Registrant:
    Paul Attwood

Registrant type:
    UK Individual

Registrant's address:
    47-48 Hawley Square
    margate
    CT9 1NY
    United Kingdom

Is the owner of the domain currently sending the spam;

Domain name:
    mhglobalmc3.co.uk

Registrant:
    Paul Attwood

Registrant type:
    UK Individual

Registrant's address:
    347a Margate Road
    Ramsgate
    Kent
    CT12 6SG
    United Kingdom

The destination, randrnews.co.uk, is owned by a dissolved company, MH Media Solutions Ltd of which Paul Attwood was a director. I guess they transferred it to a current company and forgot to tell the registry.

Domain name:
    randrnews.co.uk

Registrant:
    MH Media Solutions Ltd

Registrant type:
    UK Individual

Registrant's address:
    Lead Centre
    Dane Valley Road
    Broadstairs
    CT10 3JJ
    United Kingdom

randrnews.co.uk has a link to what I guess would be a parent company; http://mhmediaglobal.com/ except my browser wouldn’t let me visit;

Google Chrome Malware stop page

I’m beginning to think the publishing industry like sending spam, seeing as Archant have started spamming again.

Email headers

Delivered-To: nospam@....
Received: by 10.76.88.49 with SMTP id bd17csp150210oab;
        Tue, 6 Aug 2013 06:01:27 -0700 (PDT)
X-Received: by 10.180.74.210 with SMTP id w18mr1934845wiv.20.1375794086684;
        Tue, 06 Aug 2013 06:01:26 -0700 (PDT)
Return-Path: <ryan@refurb.mhglobalmc3.co.uk>
Received: from plesk.mhglobalmc3.co.uk ([91.206.183.157])
        by mx.google.com with ESMTPS id f5si722923wjx.46.2013.08.06.06.01.08
        for <nospam@...>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Tue, 06 Aug 2013 06:01:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of ryan@refurb.mhglobalmc3.co.uk designates 91.206.183.157 as permitted sender) client-ip=91.206.183.157;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of ryan@refurb.mhglobalmc3.co.uk designates 91.206.183.157 as permitted sender) smtp.mail=ryan@refurb.mhglobalmc3.co.uk
X-No-Relay: not in my network
X-Antivirus-Status: Clean
Received: from ADVENT1 (host31-51-58-179.range31-51.btcentralplus.com [31.51.58.179])
	by plesk.mhglobalmc3.co.uk (Postfix) with ESMTPA id 244805968D1
	for <nospam@...>; Tue,  6 Aug 2013 14:01:04 +0100 (BST)
From: "Ryan Bunce" <ryan@refurb.mhglobalmc3.co.uk>
To: <nospam@....>
Subject: Editorial Opportunity
Date: Tue, 6 Aug 2013 13:53:45 +0100
Message-ID: <8a9e01ce92a4$e607b640$b21722c0$@refurb.mhglobalmc3.co.uk>
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_8A9F_01CE92AD.47D63060"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac6SkO5QeOa53URdSzqFQjxDYyR4CQ==
Content-Language: en-gb
X-Antivirus: avast! (VPS 130806-0, 06/08/2013), Outbound message
X-Antivirus-Status: Clean

This is a multipart message in MIME format.

------=_NextPart_000_8A9F_01CE92AD.47D63060
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_8AA0_01CE92AD.47D63060"


------=_NextPart_001_8AA0_01CE92AD.47D63060
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Description: Description: Description: Description:
cid:image001.jpg@01CE8A0C.A0729EB0


We are currently putting together the September edition of the Refurb &
Renovation News publication, which will for this issue have an added =
bonus
of an extra 5,000 circulation at the Grand Designs Live exhibition and =
the
100% Design show.

=20

I am tasked with closing off some of the editorial positions within this
issue and as I feel you would be really relevant for this I wanted to =
see if
you have something you would like to promote we could include.

=20

=B7        Exclusive total 63,000 Circulation=20

=B7        15,000 glossy A4 hard copies

=B7        48,000 Digital Versions of the publication

=B7        8 Week Circulation period (bi-monthly publication)

=B7        Media Partner with all the main UK Exhibitions

=B7        Extra 5,000 copies of this edition

=20

Specifiers that we target include;
Building Contractors - Builders Merchants - RIBA Registered Architects =
and
Large Architecture practices =96 Heating & Plumbing Engineers - BIID
Registered Interior Designers - Property Developers - Health Authorities =
-
Education Based Specifiers & Local Authorities.

=20

We run just 6 editorials per page giving you a good sized space with 1 =
full
colour image, 120-140 words of text as well as full company contact =
details.
I am currently able to offer you a 1/6th of a page editorial at =A395.

=20

Please respond by Wednesday 14th August at the latest if you would like =
to
take one of these positions.

=20

Best Regards

=20

Ryan Bunce

Sales Manager

Refurb & Renovation News

=20

Refurb & Renovation News   Suite 1, The Lead Centre, Dane Valley Road, =
St
Peters, Broadstairs, Kent CT10 3JJ  Tel: 01843 601705