Harvesting Teenagers: "Then I read this blog entry from Symantec and it explained how my friend might have gotten hit: '...when a user signs up for Tagged, they're practically forced to put in their Webmail credentials. Tagged then logs into your Webmail account as you, accesses your address book and prompts you to e-mail your contacts using your Webmail address as the reply-to.' At this point, I had to figure the phenomenon was maybe bigger than I thought, and decided to do some testing.
First, it's worth noting that the invitation e-mail is sent with From: and Reply-To: headers of the member's e-mail address, but it's actually sent through the tagged.com mail server. They use an envelope-from address of bounce@tagged.com so that they pass SPF (Sender Policy Framework) tests (a good example of the useful limits of SPF). In most mail clients, the message ends up looking like it came from your friend, so you don't want to block the address.
I set up two Gmail accounts specifically for the testing and a number of e-mail aliases on domains I own to be my 'friends.' I put these aliases in the address books of the Gmail accounts. Signing up for Tagged (which, I admit, I did under an assumed name) was easy enough, although I did quickly run into what Symantec describes. I was prompted for my Gmail credentials. They already knew my Gmail user name since I had provided it as an e-mail address. There is no option here but to provide a password:
Before too long the addresses in my Gmail address book received invites like the one I received. I later figured out that you can provide an incorrect password here, and it lets you proceed. Incidentally, they have similar functionality for AOL Mail, Hotmail, Yahoo mail and MSN mail.
Before I actually signed up I decided to read their TOS (terms of service), something I'm sure none of the teenagers they target have done. It's long and a genuine Nightmare on Elm Street of abusive and, while we're at it, misleading rules for privacy.
[...]
Nothing in the TOS says that they will be harvesting addresses from your address book, nor what they are entitled to do with those addresses. Perhaps they consider these addresses as being provided for invitations to Tagged, but that's clearly not true."
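The envelope/header split the quoted post describes is why the invitations pass SPF: SPF is evaluated against the SMTP envelope sender (MAIL FROM, preserved as Return-Path:), not against the From: header the recipient sees. The following is an added illustration, not code from the quoted post or from Tagged: it uses a constructed copy of such an invitation, a hypothetical in-memory table standing in for SPF DNS records (the IPs are RFC 5737 documentation addresses, not Tagged's), and a domain-alignment check of the kind DMARC later standardised, which is what actually catches the mismatch.

```python
"""Why an invitation with a Gmail From: header can still pass SPF.

SPF is checked against the envelope sender (MAIL FROM / Return-Path:),
not the From: header that mail clients display.  An alignment check
compares the two domains and flags the mismatch.
"""
import ipaddress
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed stand-in for SPF records (hypothetical, not real DNS data):
# domain -> networks its SPF record would authorise to send for it.
# Addresses are taken from the RFC 5737 documentation ranges.
SPF_RECORDS = {
    "tagged.com": ["192.0.2.0/24"],
    "gmail.com": ["198.51.100.0/24"],
}

# Constructed sample of the invitation described in the post: the envelope
# sender is bounce@tagged.com, while From: and Reply-To: carry the member's
# own Gmail address.
RAW_INVITE = b"""\
Return-Path: <bounce@tagged.com>
Received: from mail.tagged.com (mail.tagged.com [192.0.2.10])
From: "Your Friend" <friend@gmail.com>
Reply-To: friend@gmail.com
To: alias@example.net
Subject: Your friend invited you to Tagged

Come see my photos!
"""


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    if header_value is None:
        return ""
    _, address = parseaddr(str(header_value))
    return address.rpartition("@")[2].lower()


def spf_check(envelope_from, sending_ip):
    """Simplified SPF evaluation for the envelope sender.

    Returns 'pass', 'fail' or 'none' (no record published), mirroring the
    result names used in Received-SPF headers.
    """
    networks = SPF_RECORDS.get(domain_of(envelope_from))
    if networks is None:
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in networks) else "fail"


def aligned(msg):
    """True when the envelope-sender domain matches the From: header domain."""
    return domain_of(msg["Return-Path"]) == domain_of(msg["From"])


def evaluate(raw, sending_ip):
    """Run SPF on the envelope and an alignment check on the headers."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "envelope_from": domain_of(msg["Return-Path"]),
        "header_from": domain_of(msg["From"]),
        "spf": spf_check(msg["Return-Path"], sending_ip),
        "aligned": aligned(msg),
    }


if __name__ == "__main__":
    # The invite passes SPF for tagged.com yet is not aligned with gmail.com.
    print(evaluate(RAW_INVITE, "192.0.2.10"))
```

Run as a script, it reports SPF "pass" for the tagged.com envelope together with `aligned: False`, because the displayed From: domain is gmail.com. That is the limit the post points at: SPF alone only vouches for bounce@tagged.com, so a receiver that wants to treat the From: header as meaningful has to check alignment as well, not just the SPF result.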