Spammy spam and the spammers who send it

I’m really happy that the portable contacts specification exists, and that products like Gmail enable an OAuth connection for the “find your friends already in the network” situation.

However, this has enabled a particularly bad form of spammy spam that I encountered again this week from It starts with a message like this one:

ShoppyBag Spam

It comes from someone you know, claims that person has “tagged you” in a photo, and asks you to sign up to come see it.

Once you get in the sign up process, you have to provide access to an address book to find existing friends – it’s not optional, but one of the required steps with no skip option. (That should, in retrospect, have been my point to shove off and avoid the site with due haste – but I went ahead, reassured by the messaging that they would never send any email on my behalf without my permission).

Then once the site finds your “friends” (anyone in your address book who is said to already be a user) it offers to connect you to them. Again, there’s no “select none” or “skip this step” – the most minimal option is the “select people already using” (paraphrasing as I didn’t take a screenshot and don’t want to try this again).

The problem is that at that point, ShoppyBag is out “tagging” for you all of your “friends” and sending them the same email you got in the first place.

To all my contacts – sorry I fell for it again this am; I usually recognize the signs and bail earlier in the process than I did.

So instead, public warning: avoid signing up a as they will spam your whole address book without your permission.


  1. I was wondering where you got a photo of me. :) It’s diabolical! And it’s a little shocking that they have this spamming process that completely alienates their potential users… instead of “hey, we have a cool site, you should join” they screw you right at the introduction.

Comments are closed.