one mikro2nd: kakistopoly

Rant ahead. Feel free to leave now. No, really! This is just whining in public about the unbelievably crapulatious service Nedbank dishes out to its customers. A service I recurringly buy, and have repeatedly bought for... oh, probably more than 5 years, now... using the self-same Nedbank credit-card... came up for renewal yesterday. Mysteriously the transaction failed, so the vendor sent me an email to let me know. Very odd! As I say, it has worked fine for years. The card has not expired - the only reason transactions have failed before now. Oh well, off to pay the invoice manually. Using the same card, naturally. (It's the Business card, you see, so simpler for tax and accounting than using a personal card.) Next thing, I find my browser redirected to some foreign website "bankserv.co.za" for "verification". Oh yeah?! There's a crappy, pixelated copy of a Nedbank logo at the top. That sure looks convincing! And they're asking me for all sorts of account details, including my CVV number, ID number, and some arbitrary and mysterious field labeled only "Personal". What sort of phishing operation is this? Actually it turns out to be an alleged "Fraud Prevention" thing called 3-D Secure. I've only heard of it because I know people who have had the pain of implementing payment solutions that use it. <ul><li>Question: Why did Nedbank not bother to communicate to their customers that they would be requiring this much-changed payment process?</li><li>Question: Why do Nedbank not do it on their own website, instead sending me to some website who's identity is a complete unknown to me?</li><li>Question: Is this not the most incredibly stupid thing to do in a web where phishing and identity theft is rife?</li></ul>Later, a call to Nedbank's unbelievably crappy customer "service" centre illuminated a whole lot of these details. The bottom line is that: <ol><li>Nedbank absolutely require us to use this 3-D Secure thingie.</li><li>The shitty 3-D "secure" thingie absolutely requires that I enter my cellphone number to complete their process. Unfortunately, where I live, cellphone reception simply does not exist, so not an option. </li><li>So: I have no way to complete their crappy process, and</li><li>Nedbank has no other process.</li></ol>Fail! The 3-D Secure form did not even have a field labeled "Cellphone number". How is anyone supposed to guess at this? Then, too, there is no way to opt out. They claim that the 3-D Secure process is to "verify my
identity". This despite the fact that they have all my FICA docs on
record. They have my other business account details on record (because
that's how they get paid every month) and they manage to successfully
send me statements every month, and a new card every couple of years. And the process absolutely requires that I be reachable by cellphone. What if I don't have or want one? What if I have one but can't get reception? Has anybody pointed out to the shit-heads at Nedbank that SMS is not a secure nor reliable channel of communication? <ul><li>Question: Why would I jump through all these hoops, put up with really shitty service and all this pain from Nedbank when Standard Bank (my other, other bank) have been trying to give me a business credit-card for years, only to be turned down (because why would I want another credit card?)</li><li>Question: How quickly can I close this Nedbank account?</li><li>Question: Did anybody at Nedbank bother to turn their brains on when thinking about this process, or were they - as usual - operating with their heads stuck so far up their own arse that they could see out their own throat?</li></ul> Oh! I paid the invoice using my personal credit-card (Standard Bank.) Payment went through flawlessly, painlessly and instantly with no hoops to jump through.

Mr Douglas Reed, CEO of Vox Spamacom Telecom, parent company to Datapro, replies:

We run an ISP with over 18,000 corporate customers and 180,000 SME's and
we have customers who utilise various services. These include list
servers where customers use their own databases and we don't have full
control. The DataPro and Vox databases are within our control and
consist of individuals and organisations who have provided their details
to us. The reason we have you on our Company database is because you are
obviously listed as a technical contact for some of our customers. We
cannot offer opt in opt out facilities for our communication to our base
because the news letters communicate important information that the
technical contacts need to be aware of. However if you want to be
excluded please give us the details and provide us with new technical
contact details.

The other choice is do what the rest of us do and add the user to your
junk mail list.

Interestingly enough this mail ended up in my junk mail folder which
basically means that I received unsolicited mail from this in the past
or you cc'd thousands of people.

Is it just me, or does this sound just a tad arrogant? What I am hearing: "We're big; that means we can spam with impunity, since we're too big to get blocked." and "Shut up and eat your spam!"

My response:

Dear Mr Reed, On 18/02/2008, Douglas Reed <douglasr@datapro.co.za> wrote:

> The DataPro and Vox databases are within our control and
> consist of individuals and organisations who have provided their details
> to us. The reason we have you on our Company database is because you are
> obviously listed as a technical contact for some of our customers.

The (many) spam emails that form the basis of my complaint to ISPA are directly from Datapro and Vox Telecom; this is not about spam from your customers. One spam message bears your name as "signatory".

You will note from my earlier correspondence with Maggie Cubitt that I have tried repeatedly, using numerous channels, to "opt out" of these mailing lists, without any success.

Why don't your opt-out procedures work? (As required by the ECT Act.)

Although some of your technical staff are certainly in possession of my email address as "technical contact" for some of our mutual customers, this does NOT extend a license to your companies to send me unsolicited bulk email on ANY subject.

Further, I will note that I have never -- not even once -- receive a bulk message on any technical subject. The emails forming the basis of my complaint have ALL been of a nature that can only be characterised as "marketing crap". I did not, ever, at any stage, give any person or system representing your companies, permission to send me marketing crap. The fact the your companies have done so is known in the email management industry as "address repurposing" and is considered a sure sign of "spam spoor".

> The other choice is do what the rest of us do and add the user to your
> junk mail list. I will repeat what I wrote to Ms Cubbit:

<quote>
having my own email address removed from your mailing lists is of only limited interest to me in this matter. The larger issue, which it is my main purpose to tackle, is that of Datapro and Vox Telecom blithely spamming, over an extended period of time, continuing in the face of numerous good-faith attempts to unsubscribe, and in direct violation of

1) their own Terms of Service,

2) the email provisions of the ECT Act, and

3) the ISPA's Code of Conduct.
</quote>

The point this: "adding Datapro/Vox Telecom" to my "junk mail list," as you suggest, fails to eliminate or mitigate the primary complaint against spam: the receiver has to pay for it. Putting Datapro/Vox Telecom into my "junk mail list" does not mean that Datapro/Vox Telecom cease being spammers.

To (attempt to) be completely clear on this: since you seem to have overlooked the point:

* This is not about Datapro and Vox Telecom spamming ME.

* This IS about Datapro/Vox Telecom spamming AT ALL.

> Interestingly enough this mail ended up in my junk mail folder which
> basically means that I received unsolicited mail from this in the past
> or you cc'd thousands of people.

Nonsense.

No such conclusion can be inferred.

Having personally administered email and spam-filtering systems, I can tell you that you cannot draw any such conclusion; thogh it /may/ call into question the competence of the people managing your spam-filtering systems.

> We run an ISP with over 18,000 corporate customers and 180,000 SME's and
> we have customers who utilise various services. These include list
> servers where customers use their own databases and we don't have full
> control.

What I read into this is that you believe that your organisations are "too large for the rules to apply". I have some bad news... There are other organisations far, FAR larger that manage to adequately, and to the full satisfaction of the anti-spam community, police their customers' mailing lists and email activities. I am pretty sure that both Outblaze and AOL are larger than your operations; both manage to maintain an impeccable reputation for managing the spam problem and speedily terminating spammy customers.

Of course, neither one spams their customers directly, as your organisations have done.

Part of your (companies') responsibility to the Internet community is to police your customers and their mailing lists. Ways to do this include monitoring their behaviour, and maintaining and ENFORCING uncompromising Terms of Service. Your response suggest an unwillingness to do so. This is a slippery slope. Next your sales-staff will be writing "pink contracts". (Google for it!) Should you require access to better expertise than your organisations evidently possess, I shall be glad to forward my consulting rates.

All of this remains (largely) irrelevant. The numerous spam messages I have received are from your organisations; not from your customers. Your unwillingness to eliminate spam from /within/ is, perhaps, indicative of your willingness to tolerate/profit-from spammy customers from without.

Here is the response I expect: As I see it (prove me wrong?), you have two choices:

1. Throw away all mailing lists under your control, and start from scratch to build new mailing lists. Of course you WILL follow established Internet procedures for building permission-base email lists. (Somehow, I doubt this one...)

OR

2. Send a ONE TIME email to all addresses on your mailing lists, explaining (in full) the situation, expressing your companies' regret that such an unacceptable and untenable situation has come about through the action of a few misguided individuals, and asking the recipients to confirm that they WISH to be subscribed to the relevant mailing list. Should recipients so confirm their desire to participate, your staff should proceed in the full confidence that those persons have positively opted-IN. Any email address that fails to reply, or that expresses a desire to opt-OUT must be removed from your databases.

This (second) option should be followed-up with a comprehensive on-going (so that new-hi[r]es get the message, too) educational message from the organisation: "We don't tolerate spam in any shape, manner or form." (together with a detailed explanation of just what that means.) Your marketing and sales staff may require particularly persistent education.

Forgive my lack of optimism.

Since you (read: your organisations) do not know the email address(es) being spammed, you may be sure that I am in a position to monitor your organisations' actions on this, and will report accordingly.

PS: You, Mr Reed, might wish to consider that a small one-man consultancy such as myself, may frequently be in a position to make recommendations to customers concerning their choice of service providers in the Internet Services industry. Either to recommend providers, or, alternatively, to discourage use of any particular provider. Your call...

If anybody out there thinks I am being irresponsible or unreasonable (obviously with the exception of any Datapro or Vox Telecom employees or agents!) please, please say so by leaving a comment on this blog. I promise not to delete any relevant comments...

Let's just note for the record that he failed, completely, to address any single point of substance or question in my response...

one mikro2nd

21 June 2010

Nedbank Service Fail

22 February 2008

Taking on the Spammers: Datapro/Vox Telecom - Part 4