...making Linux just a little more fun!

Dinesh has Tagged you! :)

Rick Moen [rick at linuxmafia.com]

Wed, 24 Oct 2007 10:30:22 -0700

Quoting Dinesh Sikhwal (disikh at yahoo.com):

>    Dinesh S, 21
>    Dinesh has added you as a friend on Tagged.
>    Is Dinesh your friend?

Functionally speaking, Dinesh is a spammer.

>    [imgsrv.php?uid=5382936315&imgn=1&imgt=1&iw=320&ih=170&iy=53&is=35&nfr=3]
>    [2]Click here to block all emails from Tagged
>    P.O. Box 193152 San Francisco, CA 94119-3152

No, I really don't think so: I'd rather just globally block all mail at all of my MTAs from the entirety of "taggedmail.com".

I'll also throw in "tagged.com" while I'm at it, as this "social networking" business appears to be more than usually pestilential.

http://labnol.blogspot.com/2007/03/how-to-block-tagged-mail-latest-e-mail.html says:

Tagged.com describe themselves as a "teen social networking destination on the web" but it is currently the largest source of email spam in our inbox.

Every other minute, there's a new email message from Tagged.com with a subject "[Your Friend Name] has tagged you! :)".

There's a link at the bottom of the email message that says "Click to unsubscribe" but even when you unsubscribe, "TaggedMail Invites" will continue to flood your inbox.

Goodbye, Dinesh. Goodbye, Tagged.com.


Rick Moen [rick at linuxmafia.com]

Wed, 24 Oct 2007 10:57:45 -0700

I wrote:

> I'll also throw in "tagged.com" while I'm at it, as this "social networking" 
> business appears to be more than usually pestilential.

Address-harvesting for use in subsequent commercial solicitation appears to feature very heavily in this business (Tagged, Inc.). Quoting the Wikipedia article:

When a user signs up for Tagged, they're practically forced to put in their webmail credentials. It then logs into your webmail account as you, accesses your address book, and prompts you to email your contacts using your webmail address as the reply-to.


There are two supporting references from that article. One is to http://www.symantec.com/enterprise/security_response/weblog/2007/04/spam_meets_web_20.html . Representative quotation:

It's difficult to recall all of the mass-mailing worms we've seen that have used similar strategies for propagation. Melissa and Lovebug would be good examples.

Fortunately, Tagged isn't actually sending the emails as the user whose login credentials they've borrowed, the email is just coming from Tagged's server so it's not difficult to blacklist. But Tagged's signup process is sparse on the details about why they ask for the information they want, and what they're going to do with it. Clearly they've snagged all the email addresses in your address book, which would be useful for sending future advertising-based spam, but they've also taken your webmail login credentials and not really told you what they intend to do with it.

It's interesting in that they've circumvented the need to mock-up your webmail site, but still had the effect of a phishing attack. With the search capabilities of most modern webmail services, and the amount of people doing online banking, it doesn't take a lot of imagination to see where this kind of site could head. Though we've all heard it before, the best way to avoid these situations is to avoid giving your credentials to third-party sites. Just like you wouldn't give your banking info to your mailman, you shouldn't give your banker a copy of your mailbox key.

The other is to http://www.eweek.com/article2/0,1895,2112675,00.asp . Excerpt:

First, it's worth noting about the invitation e-mail that it's sent with a From: and Reply-To: header of the member's e-mail address, but it's actually sent through the tagged.com mail server. They use an envelope-from address of bounce at tagged.com so that they pass SPF (sender policy framework) tests (a good example of the useful limits of SPF). In most mail clients, the message ends up looking like it came from your friend, so you don't want to block the address.

I set up two Gmail accounts specifically for the testing and a number of e-mail aliases on domains I own to be my "friends." I put these aliases in the address books of the Gmail accounts. Signing up for Tagged (which, I admit, I did under an assumed name), was easy enough, although I did quickly run into what Symantec describes. I was prompted for my Gmail credentials. They already knew my Gmail user name since I had provided it as an e-mail address. There is no option here but to provide a password: [Snip screenshot of the "Find your friends on Tagged! Check your Gmail address book" screen.]

Before too long the addresses in my Gmail address book received invites like the one I received. I later figured out that you can provide an incorrect password here, and it lets you proceed. Incidentally, they have similar functionality for AOL Mail, Hotmail, Yahoo mail and MSN mail.

Article goes on to detail the misleading, labyrinthine, and extremely cheeky Terms of Service -- which, author Larry Seltzer points out, signs over to Tagged, Inc. the right to harvest e-mail addresses from the victim^Wcustomer's address book and use it for any purpose.

Seltzer attempted to contact Tagged, Inc. to hear their side of the story. All of the means of contacting them he found were dead links. He concludes: "Why am I not surprised?"

Cheers,                              Tá m'árthach foluaineach lán d'eascainn.
Rick Moen
rick at linuxmafia.com
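
The SPF gap Seltzer describes above, as an added illustration that is not part of the original post, the eWeek article or anything Tagged ships: SPF is evaluated against the envelope MAIL FROM (bounce@tagged.com), so the message passes while the visible From: carries the member's address. The defensive check a mail admin would layer on top is to compare the envelope-from domain with the header From: domain (the alignment rule later formalised by DMARC). All IPs, domains and the message below are constructed, and the in-memory SPF table stands in for a DNS lookup.

```python
import email
from email import policy

# Constructed stand-in for SPF DNS records: domain -> IPs it authorises.
SPF_AUTHORISED = {
    "tagged.com": {"192.0.2.10"},      # constructed: Tagged's outbound server
    "example.org": {"198.51.100.5"},   # constructed: the member's real provider
}

# Constructed invitation modelled on the description: header From: is the
# member, but the envelope sender is bounce@tagged.com and the connecting
# host is Tagged's server.
CONSTRUCTED_ENVELOPE_FROM = "bounce@tagged.com"
CONSTRUCTED_CLIENT_IP = "192.0.2.10"
CONSTRUCTED_MESSAGE = b"""\
From: Your Friend <friend@example.org>
Reply-To: friend@example.org
To: you@example.net
Subject: Your Friend has Tagged you! :)

Your Friend has added you as a friend on Tagged.
"""

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def spf_result(envelope_from: str, client_ip: str) -> str:
    """SPF only ever looks at the envelope MAIL FROM domain."""
    authorised = SPF_AUTHORISED.get(domain_of(envelope_from))
    if authorised is None:
        return "none"
    return "pass" if client_ip in authorised else "fail"

def header_from_domain(raw: bytes) -> str:
    """Domain of the From: header, i.e. what the mail client shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return domain_of(msg["From"].addresses[0].addr_spec)

def assess(raw: bytes, envelope_from: str, client_ip: str):
    """Return (spf_result, aligned). 'pass' with aligned == False is exactly
    the case the excerpt describes: SPF is satisfied by the sender's own
    domain while the visible From: belongs to someone else."""
    spf = spf_result(envelope_from, client_ip)
    aligned = domain_of(envelope_from) == header_from_domain(raw)
    return spf, aligned

if __name__ == "__main__":
    print(assess(CONSTRUCTED_MESSAGE, CONSTRUCTED_ENVELOPE_FROM, CONSTRUCTED_CLIENT_IP))
```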
