From the no-kidding files: the New York Times discusses a neither new nor uncommon practice employed by less reputable web sites that ask for your email address and password, then spam every person in your contact list.
I thought it was a little strange when I received separate e-mail messages from two people I knew only slightly asking me to click and see their photos on a social networking site called Tagged.
I ignored them at first, but then thought maybe I should check it out. After all, I should keep up on what's hot in the social networking world, right? This could be the new Twitter.
That's when I started doing everything wrong. I obligingly typed in my e-mail address and a password to see those photos. Well, the photos didn't exist, but I had unwittingly given the site "permission" to go through my entire e-mail contact list and send a message to everyone, inviting them to see my "photos."
The two screenshots you see here come from Tagged, the web site the author of the Times piece highlights. As you can see in the first shot, the site claims it's going to find out which of your friends are using Tagged already, but doesn't exactly scream "I'm going to spam your friends!" It's not until later that Tagged hints that it might be sending out unwanted emails to your entire contact list.
The problem is two-fold. First, as surprising as it may seem, some people actually intentionally use this "feature" to get their friends to join them. When that's the case, the problem isn't really with the web site—it's with the user. As a user, intentionally using a tool that emails everyone in your contact list is simply bad netiquette.
Second, and more importantly, web sites that employ this sort of spamming (it's not spamming, strictly speaking, nor is it exactly phishing, as the NYT points out) are more often that not violating your expectations as a user. Users are often unaware that their email information will be used to scrape their contact list and email all of their friends; frequently this disclosure is hidden in a site's terms of service.
Before we blow too hard on our righteous indignation whistle, let's just go straight to the takeaway for you and me, the users: Do not hand out your email credentials just because someone asked for them. It may seem obvious at this point (as I said, this practice isn't new), but whether you're at a phishing site or an actual web site looking to spam your friends, family, and coworkers, think very carefully about whether or not you want to give someone you don't know or trust the keys to one of your most important portals of communication. Occasionally you will find a reputable site or service to which you are willing to hand over those credentials, so it's not set in stone that you can't give them out. But be aware that when you do, you need to consider the possible consequences.
Have you ever been on either end of these pseudo-spam lists? Ever have to issue an apology to your entire contact list? Share your experience in the comments.