A couple of years ago New Zealand passed the Unsolicited Electronic Message Act 2007 which prohibits sending unsolicited commercial messages "with a New Zealand link" (to/from/within New Zealand). The law is enforced by the Department of Internal Affairs, who have a Spam Complaints service online.

Since it passed (and before it passed) I've had relatively few New Zealand specific spam messages, so haven't had many opportunities to try it out. And most of those I chose to report to the ISP and/or the source of the email addresses instead. (Most spam still originates outside of New Zealand, mostly from foreign spammers sent through owned machines. And complaining to anyone about those is nearly pointless.)

However yesterday I received not one but two copies of a spam message advertising a NZ business which was trying to promote a NZ registered website where they sell their wares. One copy to the unique address used on my DNS registrations (so I can tell when that address has been abused) and one copy to the unique address used as a generic contact address on my business website (so I can tell when that address has been abused). So it seemed like a good time to try out the reporting procedure.

At the Spam Complaints site one can report unsolicited email and TXT messages (the latter of which I've fortunately received relatively few -- only one sticks in my mind, and it originated in Australia from what I could tell). They want permission to pass on the email address to the person complained about, permission to pass on to other Government departments, an indication whether you're willing to provide evidence for court, first/last names, email address, as well as headers/footers of the message. Since I got two copies, I assume that I need to report it twice. (They also have a Registration Page and state that they'll give more weight to complaints from people who register, so I tried that since it also apparently saves having to re-enter some information. Registration results in an email with registration details, sent from 131.203.102.90, which has no reverse DNS, causing my mail server to defer it, even though they do correctly send HELO as smtp.complaints.antispam.govt.nz -- sigh. And while it appears they do accept inbound SMTP to smtp.complaints.govt.nz it's not on that IP, it's on a nearby IP, 131.203.102.89 which reverses as complaints.antispam.govt.nz. So I reported this "not exactly Best Practice" DNS to their ISP to investigate -- since I know the ISP well -- and they looked into it very promptly. I also put in a hack to allow that IP anyway so I could carry on with my complaint.)

10 minutes is allowed to complete the web form and file the complaint, after which it times out. I assume this is to protect the CAPTCHA from being brute forced. Fortunately they do replay the form contents to you, so it is only necessary to fill out the new CAPTCHA information. (Particularly fortunate because the separate TEXT form boxes for the email headers and body aren't exactly the easiest format to deal with, given the typical multipart/mixed MIME email these days. Some form of attachment mechanism would be much easier to deal with.)

Filing the report earns you a confirmation email (assuming your mail server accepts their email), and a Complaint Reference Number, which appears to be a random string of digits and upper case characters. I'd guess that they don't bother to follow up much except major spam runs, but possibly the fact that I received two independent copies multiple hours apart, indicates a big enough spam run that they'll at least look.

It'll be interesting to see if anything further happens. After 2 years of the law being in force you'd think that most organisations would know not to send such blatantly unsolicited spam. But some seem to be slower learners than others.

(For good measure I've also saved the mail server logs, and original messages, in a GPG signed tarball, just in case anything meaningful actually happens with this -- to avoid them getting lost in my huge uce folder.)

ETA: The AntiSpam unit at DIA asked for a draft of a written complaint (based on their template) so I've sent them two, one for each unsolicited message. For good measure I also offered them the mail server logs (since I imagine most of the people complaining do not have sufficient access to get at such logs). So far, so good. The email they sent implies that they've had more complaints than mine about this particular antispam campaign, so hopefully they do actually manage to do something about it.

Unfortunately things are less promising on the reverse DNS front, which leads to the wonderful irony of mail from complaints.antispam.govt.nz being blocked by anti-spam rules. My contact at the ISP for the IP address was able to get reverse DNS added fairly quickly. Unfortunately the forward DNS for that name points at a different IP address. Which causes the "valid DNS entry" anti-spam rule to fail: it checks (a) that there is valid reverse DNS to a name, which (b) has valid forward DNS that (c) points at the IP address that was first checked. This combination proves that the name is under the control of the person with the IP address and is very common on well run mail servers, and much less common on non-mail servers and poorly run mail servers. It also allows making stronger statements about what is shown in the mail headers since the name associated with the IP has been double checked.

For the email source from complaints.antispam.govt.nz the mail comes from 131.203.102.90, which now (2009-12-21) gives this DNS chain:

ewen@bethel:~$ host 131.203.102.90
90.102.203.131.in-addr.arpa domain name pointer complaints.antispam.govt.nz.
ewen@bethel:~$ host complaints.antispam.govt.nz
complaints.antispam.govt.nz has address 131.203.102.89
complaints.antispam.govt.nz mail is handled by 10 smtp.complaints.antispam.govt.nz.
ewen@bethel:~$ 

and 131.203.102.90 is not 131.203.102.89 to a computer, so the test fails. (Without the work around I put in on the 16th this means that the normal anti-spam rules on my mail server would block mail from complaints.antispam.govt.nz.)
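
The three-step "valid DNS entry" check described above, applied to this DNS chain, as an added example (not the rule from my mail server's configuration). The function names and verdict strings are made up for illustration, and the lookup tables are constructed from the `host` output above so the example runs without a network.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR names for ip via the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_addrs(name):
    """A/AAAA addresses for name via the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return (verdict, detail) for the three-step check on a client IP."""
    client = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-reverse-dns", None            # step (a) fails
    seen = {}
    for name in names:
        addrs = addr_lookup(name)
        seen[name] = addrs
        # Compare as parsed addresses so textual variants still match.
        if any(ipaddress.ip_address(a) == client for a in addrs):
            return "pass", name                  # (a), (b) and (c) all hold
    if not any(seen.values()):
        return "no-forward-dns", seen            # step (b) fails
    return "forward-mismatch", seen              # step (c) fails


# Constructed resolver tables mirroring the `host` output above (2009-12-21).
PTR = {"131.203.102.90": ["complaints.antispam.govt.nz."],
       "131.203.102.89": ["complaints.antispam.govt.nz."]}
A = {"complaints.antispam.govt.nz": ["131.203.102.89"]}


def demo(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return fcrdns(ip, lambda i: PTR.get(i, []), lambda n: A.get(n, []))
```

Calling `fcrdns(ip)` with only the address uses the system resolver; the verdict distinguishes a missing PTR record from a forward record that points somewhere else, which is the case here.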

I sent a follow up to the DIA contact that my ISP contact had, pointing this out, on the 16th, and I've had no reply and nothing has changed, so I suspect this means that the irony of mail from complaints.antispam.govt.nz being blocked by anti-spam rules will continue for some time.

ETA, 2010-04-28: More unsolicited mail from Image Marketing Group who now appear to be operating out of Florida, USA, and Auckland, using a different bulk mailing address. FWIW, I have reported the two messages I got this time to DIA (complaints LHHMCBGX, and 7QN48M9L). Given that I understand that DIA reached a point where they were unable to proceed due to loss of jurisdiction last time, it'll be interesting to see if they are able to do anything at all this time; I did make a point of reporting the messages within minutes of them arriving to give them the best possible chance of acting if they are going to.