Me, Nectar & Spamcop

Sometimes someone will sign up for some service or other, and they'll be asked for their e-mail address. Sometimes they get their own e-mail address wrong, so if you mail them you get the wrong person. Sometimes that wrong person is me.

I got a copy of some guy's phone bills e-mailed to me every month for a year before someone noticed and it stopped. As a result I know his name, address, phone number, service password, and every single phone call he made for a year. If that's not ripe for identity theft I don't know what is.

Recently I've started receiving promotional emails from Nectar. Apparently I'm called Claire XXXXXXX. I'm guessing that Claire has had a baby recently, because Sainsbury's were inviting her to "Win a trust fund for your child with Sainsbury's and Pampers". I've also got Claire's Nectar card number, and I get told how many "points" she has in her account (810 at the last count).

The first of the Nectar e-mails I ignored. The second one I reported via Spamcop (it's unsolicited, commercial, and bulk so in my book it's spam):

Subject: Spamcop report id:XXXXXXXXXX
Date: Tue, 29 Mar 2005 09:56:41 +0100
From: "Alex Schajer" <a.schajer@loyalty.co.uk>
To: <XXXXXXXXXX@reports.spamcop.net>

Hello SpamCop user,

RE: Golden Bonus Points Offers from Nectar this Easter

This is a programme message sent to you by the Nectar programme.

At some point, probably when you registered, you agreed to receive
emails from us. This means you are eligible to receive information about
special offers and bonus points offers us.

If you wish to change your preferences at any time simply visit
www.nectar.com and update Your Account.

Or if you wish to unsubscribe please send a blank email to
unsubscribe@newsletter.nectar.com . 

Thank You.

So I countered,

Date: Tue, 29 Mar 2005 18:51:17 +0100
From: Dave Evans <XXXXXXXXXXXXXXXXXX@XXXXXXXXXXX>
To: Alex Schajer <a.schajer@loyalty.co.uk>
Subject: Re: Spamcop report id:XXXXXXXXXX

Alex Schajer wrote:
> Hello SpamCop user,
> 
> RE: Golden Bonus Points Offers from Nectar this Easter
> 
> This is a programme message sent to you by the Nectar programme.
> 
> At some point, probably when you registered, you agreed to receive
> emails from us. This means you are eligible to receive information about
> special offers and bonus points offers us.

I am not even a "Nectar" user, thus I could not have possibly consented
to receive Nectar promotional material.  Please stop sending it.

Regards,

- --
Dave

The third Nectar spam I also sent to spamcop:

Subject: Spamcop report id:XXXXXXXXXX
Date: Tue, 5 Apr 2005 15:39:36 +0100
From: "Alex Schajer" <a.schajer@loyalty.co.uk>
To: <XXXXXXXXXX@reports.spamcop.net>

Re: Email from Magnet @ Nectar (Friday 1 April 2005)

This was a programme message sent to you by the Nectar programme.

At some point, probably when you registered, you agreed to receive
emails from us. This means you are eligible to receive information about
special offers and bonus points offers us.

If you wish to change your preferences at any time simply visit
www.nectar.com and update Your Account.

Or if you wish to unsubscribe please send a blank email to
unsubscribe@newsletter.nectar.com .

Thank You.

Sounds kind of familiar. So again I countered, but this time a little more constructively:

Date: Tue, 05 Apr 2005 19:04:36 +0100
From: Dave Evans <XXXXXXXXXXXXXXXXX@XXXXXXXXXXXX>
To: Alex Schajer <a.schajer@loyalty.co.uk>
Subject: Re: Spamcop report id:XXXXXXXXXX

Alex Schajer wrote:
> Re: Email from Magnet @ Nectar (Friday 1 April 2005)
> 
> This was a programme message sent to you by the Nectar programme.
> 
> At some point, probably when you registered, you agreed to receive
> emails from us. This means you are eligible to receive information about
> special offers and bonus points offers us.

As I told you last week, what you claim is simply untrue.  I have not
agreed to receive emails from you.  I am not a Nectar customer.

I'm going to take a wild guess at what has happened here: someone called
Claire XXXXXXX (I know this because you're sending e-mails to
CLAIRE.XXXXXXX@XXXXXXXXXX) *is* a nectar customer, and she told you that
her e-mail address is CLAIRE.XXXXXXX@XXXXXXXXXX.  You took this at face
value, without verifying the fact.  Alas, that e-mail address is
actually mine, not hers.

(In fact, seeing as the emails I have received also include Ms.
XXXXXXX's Nectar card number, it looks like I can go to your web site
and impersonate her.  For reference, her card number is XXXXXXXX
XXXXXXXXXXX, and last time you spammed me, apparently she had 810 points
on her card).

Hence, you're sending the Nectar promotional blurb to me, and I have not
agreed to receive it.  Thus, despite the best of intentions on your part
I'm sure, you are sending me Unsolicited Commercial Email, known to many
people as simply "spam".

To rectify this, might I suggest that:

(a) before sending anyone Nectar e-mail, you first send a one-off email
to the address they gave you, asking them to confirm that the address is
correct and that they agree to receive email from you.

(b) you stop sending me these emails.

~~~~

While we're at it, if you're still reading I have another suggestion for
your suggestion box.  The emails that you're sending out currently
include MIME base64 encoding in the headers:

From: "=?iso-8859-1?B?TWFnbmV0IGF0IE5lY3Rhcg==?="<nectaronline@newsletter.nectar.com>
Subject: =?iso-8859-1?B?MTAwIE5lY3RhciBCb251cyBQb2ludHMgZnJvbSBNYWduZXQ=?=

which, when decoded, simply reads:

From: "Magnet at Nectar"<nectaronline@newsletter.nectar.com>
Subject: 100 Nectar Bonus Points from Magnet

This is OK, but unnecessary; you can simply encode the headers as
US-ASCII.  Moreover, the encoding you're using actually has a negative
effect: some spam filters (e.g. SpamAssassin) are more likely to mark a
message as spam if Base64 encoding is used when it's not necessary.

Oh and you're missing a space character between "Magnet at Nectar" and
<nectaronline@newsletter.nectar.com>.

Hope this helps.

~~~~

And don't forget: please, don't send me any more unsolicited emails.
Thanks!

- --
Dave

Well, it's been a while, but they're back:

Date: Wed, 3 May 2006 17:31:37 +0200 (CEST)
From: "Loyalty_team@sainsburys.co.uk " <email@sainsburys.emv1.net>
To: claire.XXXXXXX@XXXXXXXXXX
Subject: Win a two night break at Fifteen Cornwall
Content-Type: multipart/alternative; boundary=5612752687963013

SAINSBURY'S

Win a two night break at Fifteen Cornwall
----------------------------------------------------------------------

Win an action (and food) packed break at Fifteen Cornwall.

Enter now
http://as1.emv2.com/I?X=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Dear Claire,

As one of our best customers, how would you and a guest like the
opportunity to spend two days basking in the stunning light and green
scenery of Cornwall? Imagine having all five of your senses pampered...
on us!

To celebrate the opening of Fifteen Cornwall, the new Jamie Oliver
inspired restaurant at Watergate Bay, Sainsbury's is teaming up with
Visit Cornwall to offer five lucky winners a free stay at the famous
Hotel and Extreme Academy. This exceptional prize includes two nights'
stay, a free surfing or kite-boarding lesson and dinner at Fifteen
Cornwall. Sounds perfect?

Fifteen Cornwall opens on 19 May 2006 with an innovative menu of the
best seasonal and local produce, a relaxed atmosphere, talented chefs
and an incredible view over a beautiful two mile beach.

Get clicking and get packing.

Enter now
http://as1.emv2.com/I?X=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

----------------------------------------------------------------------

Fifteen Cornwall
http://as1.emv2.com/I?X=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The Watergate Bay Hotel
http://as1.emv2.com/I?X=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Visit Cornwall
http://as1.emv2.com/I?X=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

----------------------------------------------------------------------

Win 10,000 Nectar points

If you're a Nectar card holder, enter our exclusive prize draw.

Enter
http://as1.emv2.com/I?X=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

----------------------------------------------------------------------

Terms and Conditions

1. To participate in this prize draw, enter the required information
into the Visit Cornwall 2006 brochure request form at
http://as1.emv2.com/I?X=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
supplying your complete name, address, postcode, daytime phone number
(including area code) and any email address details.

2. Only one prize draw entry per person irrespective of the number of
brochures requested.

3. The competition begins on 27 April 2006 and ends at 12 noon GMT on
29 May 2006.

4. Participation is open to those aged 18 and over as of 24 April 2006.
Employees and directors of Visit Cornwall, Sainsbury's and its members,
advertising and public relations agencies and their immediate families
are not eligible to enter.

5. The winners will be notified by email or by mail within 28 days of
the closing date.

6. To obtain name of prizewinner, send a self-addressed, stamped
envelope by 1 September 2006 to 15 Competition, RH Advertising,
7 Barnfield Crescent, Exeter EX1 1QT

7. A full list of competition terms and conditions is at
http://as1.emv2.com/I?X=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

If you would prefer not to receive this type of information
click here:
http://as1.emv2.com/I?X=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Your details will then be removed from our mailing list.

Update... I just happened to notice that they're still sending spam to this address:

Date	Sender
2007-06-08 12:57:31	nectaradmin@on-siteresearch.co.uk
2007-11-02 13:15:36	email@sainsburys.emv1.com
2007-12-14 09:48:44	email@sainsburys.emv1.net
2008-02-21 11:48:15	sainsburysbank@sb.sainsburysbank.com
2008-04-11 14:47:06	nectaronline@email.nectar.com
2008-04-16 16:44:42	sainsburysbank@sb.sainsburysbank.com
2008-04-16 17:12:49	nectaronline@email.nectar.com
2008-04-30 10:32:02	nectaronline@email.nectar.com
2008-05-12 11:39:33	nectaronline@email.nectar.com
2008-06-11 18:20:00	nectaronline@email.nectar.com
2008-06-16 22:09:30	nectaronline@email.nectar.com
2008-07-09 01:53:26	nectaronline@email.nectar.com
2008-07-11 20:04:06	nectaronline@email.nectar.com
2008-07-16 18:15:14	nectaronline@email.nectar.com

I've been rejecting this mail at RCPT level for ages now - since at least June 2007 - and still they keep on trying to spam me. I think I'll open up the filters a little to see what else I can learn about Claire XXXXXXX and her Nectar account. Watch this space for updates...

Mail Archive

Update... Here's a list of all the Nectar spam emails that I've actually got the body for. Note that (1) this doesn't include delivery attempts where the transaction was rejected at RCPT time (see above for a partial list of those), and (2) just because I've got these emails does not mean that I accept them - they are still spam, and I still reject them, both in the moral and the SMTP sense.

Privacy

Remember, if you use a Nectar card, or so-called "loyalty" cards in general, you're trading your personal data for a few pence off your shopping. You're entrusting your personal details, including all of your shopping history, to these people. And, as we can see from the above, they don't seem to be too careful with your personal data.

So far I have Claire's first name (of course), last name, Nectar card number, running points tally, claimed (but incorrect) email address (but this probably gives me a clue as to what her real email address is), and some clues as to her lifestyle. I can also tell that she hasn't registered to use her card online - that, at least, Nectar seem to have not made quite such a hash of.

Update: 2008-10-20

I just got another automated email from nectar, notifying me (at the CLAIRE.XXXXXXX@XXXXXXXXXX address) that email address on the account has been changed (specifically, it's been blanked). So, it looks like after just a little over 3 years and 6 months, that they've finally got the message!

Of course if I continue to receive more spam from them, there'll be another update to make to this page. But for now, it looks like this saga may be at and end.