MCMC Issues Public Consultation Paper on Spam
22 August 2025
On 13 August 2025, the Malaysian Communications and Multimedia Commission ("MCMC") published a public consultation paper ("PCP") on the proposed regulatory framework for unsolicited commercial electronic messages ("spam"), which will be introduced via subsidiary legislation to the Communications and Multimedia Act 1998 ("CMA"). The PCP follows Section 233A of the CMA, which was introduced pursuant to the Communications and Multimedia (Amendment) Act 2025 and has not yet come into force, and which will introduce a prohibition on the sending of spam. The MCMC is currently accepting submissions and feedback on the PCP until 27 August 2025.
We set out below an overview of the salient points discussed in the PCP on spam.
Key Definitions
Some of the key definitions proposed by the PCP include:
- "Unsolicited commercial electronic messages" – "any commercial electronic message sent through any communication mode, where there is no prior relationship between the sender and the recipient, or no prior consent from the recipient".
- "Electronic message" – "any message sent using a network service or applications service to an electronic address, endpoint, or similar communication mode, regardless of whether the address exists or whether the message reaches its intended recipient".
- "Commercial electronic message" – "any electronic message sent by electronic means for the purpose of promoting, offering, marketing, or supplying: (a) products or services; (b) land or any interest in land; (c) business or investment opportunities; or (d) a person or entity that provides such products, services, or opportunities."
This includes messages that contain promotional content, request consent to send future commercial content, and include details to lead the recipient to a commercial engagement. The definition excludes messages sent by public authorities or government-designated entities for purposes related to law enforcement, public safety, emergency services, national security, or official government communications.
- "Address harvesting" – "the automated collection of electronic addresses (such as email addresses or phone numbers) from websites, databases, or online sources without consent, typically for the purpose of compiling bulk messaging or spam list".
- "Dictionary attack" – "a method in which senders or attackers systematically generate and test common address combinations (e.g. user123@example.com) in an attempt to identify valid addresses, often for use in spam distribution or account intrusion".
Jurisdictional Applicability of the CMA
The PCP proposes that a commercial electronic message is deemed to have a Malaysian link such that it falls within the territorial applicability of the CMA when any of the following apply:
- The sender is: (a) physically present in Malaysia at the time the message is sent; (b) an individual who is a Malaysian citizen or permanent resident, regardless of physical location; or (c) an organisation formed, incorporated, or carrying on business in Malaysia, regardless of where the message is sent or the infrastructure used.
- The recipient is: (a) an individual physically present in Malaysia; (b) a Malaysian citizen or permanent resident, regardless of current location; or (c) an organisation formed, incorporated, or operating in Malaysia.
- The message is accessed through a computer, server, device, or telecommunications network infrastructure located in Malaysia. Interestingly, this would suggest that messages originating from outside Malaysia could also be caught by the upcoming regulatory framework, if they are received in Malaysia.
- The message cannot be delivered but there is evidence of intent to target Malaysian users, including where the electronic address used is associated with Malaysia (e.g. using a ".my" domain) or the content of the message suggests it was reasonably intended for access by a person or infrastructure in Malaysia.
Prohibitions Relating to Spam
The PCP proposes prohibiting:
- Tools and practices related to the sending of spam, including: (a) automated tools or software designed to extract electronic addresses from online sources (i.e. address harvesting); (b) software or mechanisms that generate addresses through automated or pattern-based guessing (i.e. dictionary attacks); (c) any database or list of electronic addresses obtained through the aforementioned means; or (d) the rights to access, sell, or use such software/databases.
- The actual sending of spam to electronic addresses obtained via any of the aforementioned means.
Guidance on Consent
The PCP proposes that consent may be relied on to send commercial electronic messages and sets out proposed guidance on express and implied consent:
- Express consent must be: (a) given voluntarily; (b) limited to the specific purpose of receiving messages; (c) given with the recipient having been informed of the sender’s identity, the purposes for the messages and types/categories of messages; and (d) revocable through a free, accessible and functional opt-out mechanism.
- Implied consent may be relied upon where: (a) there is a prior relationship between sender and recipient; (b) the content of the message is directly related to the nature of the prior relationship; (c) it is revocable through a free, accessible and functional opt-out mechanism; and (d) it is valid for a limited period from the last interaction between sender and recipient.
Both methods of consent require the sender to maintain records of consent, in line with applicable data protection obligations under our Personal Data Protection Act 2010.
Requirements for Commercial Electronic Messages
The PCP proposes the following mandatory inclusions in all commercial electronic messages:
- Clear identification of the sender, including by providing contact details to allow recipients to make enquiries, submit complaints, or withdraw consent.
- A clear, functional, and free opt-out mechanism.
- Accurate labelling to prevent misleading/deceptive practices, e.g. clear titles, headers, or advertisement identifiers.
Comments
The deadline for submissions and feedback on the PCP is 27 August 2025. Affected parties, particularly those who utilise electronic messages to send marketing or promotional messages, are advised to take note of this deadline and submit any feedback they have by then.
The PCP can be accessed here.
For further information, please contact Charmayne Ong (Head/Partner), Jillian Chia (Partner), and Natalie Lim (Partner) of the Technology, Media and Telecommunications Practice of S
This article/alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.