Stopping Address Book Spam
by Patrick Ruffini :: September 10th, 2007 12:10 am

Over the summer, cool new scripts that let you upload your Gmail/Yahoo/MSN/etc. contact lists to major sites have really taken off. The most common (and useful) application comes when you can upload your list to see who is on any given social networking site. Facebook, LinkedIn, Twitter, and many of the others enable this, and you can search MySpace and other 1.0 sites using Upscoop. Using one of these tools, I’ve discovered that one in four of the people I’ve ever transacted with over email has a Facebook account.
It didn’t take long for the dark side of this to emerge. In the past week, Quechup and Rapleaf (the folks behind Upscoop) have been smacked down hard for spamming the addresses unsuspectingly uploaded by their users. What was supposed to be a convenience for the end user, enabling them to quietly check up on their friends’ social networking profiles, has instead become a conduit for spam, with hundreds receiving bogus “invitation” or “you have been searched for” emails as a result of a single upload.
Jenn Sierra is canceling her Quechup account as a result, and this is shaping up to be a massive P.R. headache for the company. Meanwhile, Rapleaf (whose founder I consider a friend) has apologized. Plaxo was a much earlier incarnation of this problem (remember those annoying “I’m keeping my address book up to date” emails?). It got so bad that network admins would routinely block the site from their corporate networks. Now, Plaxo is seeking to reinvent itself as a much friendlier, Web 2.0-savvy service. Canadian tech reporter Mathew Ingram has a much more thorough review of this issue.
Is this immediate backlash enough to rein in this abuse? I hope so, but I’m not so sure. Given the highly leveraged nature of these communications, with 1 person sending to 1,000 or more, it seems reasonable that Google and Yahoo could easily shut down contact list access, or limit it to the Facebooks of the world.
As someone who’s implemented contact list imports, and who sees the tremendous upside if they are used in an honest, transparent fashion, I wouldn’t want to see this happen. Web startups need to act quickly to contain this, and adopt voluntary guidelines to ensure that users can trust them to handle the sensitive contents of their address book.
I would suggest some guidelines like the ones below, incorporated into privacy policies and perhaps highlighted in a “Why this is safe” link next to the contact importer. These should cover just about every reasonable scenario. Let me know if I’ve missed anything.
- Option A: Non-Retention of Addresses. Explain that the site offers you the ability to upload your contact list, a comma-delimited list of names, for the purposes of finding users or sending a link. Those addresses are used solely to check against the site’s membership database or send your friend the link that one time and are not retained.
- Option B: Addresses Retained, But Sender Controls. On many sites, you might need to retain the contacted email addresses — for instance, invite-only sites that authenticate based on email. However, the original sender controls when and how their addresses are mailed, and the site is only sending messages from the original sender, on his or her behalf. These addresses aren’t visible to other users, and cannot be used by the site to contact these third parties directly.
- In every case… Sender Controls. The names can only be emailed specifically at the direction of the original sender, and cannot be mailed under false pretenses (if all you do is upload your list, that’s not an “invitation”). Scenarios include: one-time (user sends a link out, or some invites, and that’s it), multiple times (their contact list is saved for their personal convenience when they go to send future stories), or on a recurring basis (you need to be extremely explicit and transparent about this — “I authorize [site] to send my contacts my blog posts once a day/week/month/etc.” — and the original sender must be copied on all outgoing emails. And it’s probably a good idea to put a cap on the number of contacts you can send to).
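
Here is one way a site could enforce Option A and the sender-controls rule in code. This is an added example, not code from this post or from any of the sites named above; the function names, the cap of 25 and the sample addresses are all assumptions.

```python
MAX_RECIPIENTS = 25  # assumed cap; the post suggests a cap but names no number

# Constructed sample upload: a comma-delimited contact list with one junk entry.
SAMPLE_UPLOAD = "Alice@Example.com, bob@example.org, carol@example.net, not-an-address"


class PolicyError(Exception):
    """Raised when a requested mailing would break the sender-controls rules."""


def normalize(addr):
    return addr.strip().lower()


def parse_upload(csv_text):
    """Parse a comma-delimited upload into a de-duplicated set of addresses."""
    return {normalize(a) for a in csv_text.split(",") if "@" in a}


def find_members(csv_text, member_emails):
    """Option A: report which uploaded addresses are members; store nothing."""
    members = {normalize(m) for m in member_emails}
    # Only the intersection is returned; non-member addresses are discarded.
    return sorted(parse_upload(csv_text) & members)


def plan_send(sender, csv_text, selected, action):
    """Return (to, cc) envelopes for a send the sender explicitly asked for."""
    if action != "send":
        # Uploading or searching a list is not an invitation: no mail goes out.
        return []
    uploaded = parse_upload(csv_text)
    chosen = {normalize(a) for a in selected}
    if not chosen <= uploaded:
        raise PolicyError("recipient is not in the sender's own upload")
    if len(chosen) > MAX_RECIPIENTS:
        raise PolicyError("recipient cap exceeded")
    # The post asks for the sender to be copied on recurring sends;
    # this sketch applies that to every send.
    return [(to, normalize(sender)) for to in sorted(chosen)]
```

A plain search returns matches and produces no outgoing mail; only an explicit send, limited to addresses the sender picked from their own list, yields envelopes.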