« Congratulations to Tim! | Main | Complete your changes »

Beware of Quechup

| 7 Comments

A bunch of people are getting email from a new social networking site called Quechup. Unfortunately, as with some other social networking sites, if you sign up for Quechup and tell it to search your email address book, it automatically (without telling you) sends email to everyone in your email address book, asking them to sign up.

So beware of Quechup. I recommend not signing up for the service at all, but if you do, I very strongly recommend not giving it permission to look through your address book, because as soon as you do that, it'll spam everyone in your address book.

Note that some other sites have been known to do the same thing. When you're considering signing up for a new social networking site, always do a web search to see what other people are saying about the site before you sign up.

I initially wrote a little rant about how people should never send email to everyone in their address books 'cause chances are you've got business associates (like, say, editors you've submitted to) in your address book. But now that I see that it was unintentional, I'll just say to be careful around social networking sites.

And be particularly careful around Quechup.

7 Comments

That's not a 'social networking site'. That's a worm.


I got one of those. The person who "sent" it was horrified, and suggested that I not connect with them at all.


I was initially under the impression that Quechup spammed people if you even opened an email from them, but that turns out not to be the case, as far as I can tell. My current understanding is that you have to go to their site, sign up for an account, tell them your Gmail username and password, and then click a confirm button. The trick is that it's not obvious that when you click the confirm button, your whole contacts list gets spammed. Apparently they can also do something similar with your address book from a desktop-based mail application like Outlook, but I'm not sure what the process is for that.

So ... technically, I don't think it's really a worm; or if it is, it's a worm that requires user action to spread it. It's scummy and misleading, but I'm guessing it's not technically illegal.

The other site that I was thinking of did basically the same thing back in April. It's called tagged.com (link is to a blog entry about it, not to the site itself). Another blog entry about Tagged recommends complaining to the VCs who funded the site; that sounds like it might be a good idea, though I don't know whether it would actually help. And I don't know whether Quechup has received any VC funding yet. Quechup appears to be part of a company called iDate, which is publicly traded over-the-counter (i.e., not listed in any major stock exchange); see company info at pinksheets.com, which gives a contact papermail address and phone number in Las Vegas. But I'm guessing that the iDate people are well aware of Quechup's practices and won't care if you complain. Oh, and here's an iDate contact form if you want to complain online.

I guess my other general advice about all this would be to not give out your email username and password to anyone, especially not to a social networking site that you know nothing about. But I'm told that both LinkedIn and Facebook ask you to do this and don't abuse it. So it's a decision you'll have to make on your own, but the idea gives me the creeps. Remember that if you give them your username and password, you're giving them full access to your account--they can do anything there. If they do want to send an actual virus to all your contacts, they can. They can delete all your mail. They can send messages to your coworkers saying that you enjoyed sleeping with the boss. They can send messages to the FBI saying that you're a terrorist. They can read all the email that you've received (and possibly that you've sent) that's still in your account. Your email account is in some ways your online identity, and in other ways your public face; don't just hand over the keys to that to anyone who asks.

(It's tempting to think that because the original email asking you to sign up came from a friend, the site must be trustworthy. But remember that email return addresses can be faked. Which does somewhat undercut my argument in that last paragraph--they don't actually need your email address to send spam that appears to be from you. Still, giving them full access to your account seems like a bad idea to me.)


I got scammed by this one due to the fact that I wasn't paying attention and that I received invites from people I trust.

My apologies Jed, I'm sure the Strange Horizons account received one of those emails from me.

I spent all Saturday doing damage control and am happy to say most people have been understanding. I can't explain how grateful I am of this, since it was clearly a dumb mistake and it should have never happened in the first place.

There are rumours that Quechup has stolen passwords for other uses, not just spamming, so I recommend anyone who has fallen for this change their passwords immediately.


artemisin: No problem as far as we're concerned. The first one we got, I almost sent an annoyed response to, but then I saw several more and realized what must be happening.


Thanks!


I feel raped! Defiled! Robbed!!

I received the invitation to join Quechup from a good friend of mine. Without thinking, I joined. When the 'joining' seemed to be taking too much time, I got nervous and shut the window down. This was 4 days ago, and I had not returned. Yesterday, every person in my inbox got spammed with an invite to join Quechup.

How they still managed to do this, even after I disconnected, is completely beyond me. Why it happened 3 days later is mystifying. What they did may indeed be legal. I am sure that they have covered their assets in the very fine print.

However, their morals and ethics must be non-existent to behave in this manner. They hijacked my address book, stole my identity, spammed my friends in my name and call this business?


Post a comment