Getting spam with my friends email address in the subject line

[SKesselman]

I use gmail.

The sender's name is an obvious sign that they're a spammer.
But, I'm wondering where the spammer picked my friend's email address up.

Does anyone think maybe my gmail address book, or his, has been hacked?
Or worse, our Outlook address books?

I'm hesitant to open it, just to see what it says.
I've heard of worms that have the friend's address in the sender field, but not in the subject.

If this is a known phishing tactic, please forgive me.
I've never read phishing articles, I can spot a phishing email a mile away.

Thanks,
Sarah

[4wd]

They could have got your friend's email address from virtually anywhere.

eg.
1) Your friend used it to register at a site that was hacked, has a less than 'nice' policy regarding sharing of personal info, or was of a 'questionable' nature.
2) Your friend responded to a spam email by clicking a link in it which confirmed a working email address.
3) A friend of a friend of your friend had their PC infected with virus that sent emails to everyone in their email addressbook and so propagated a list of working email addresses.
4) Spammers bulk email millions of random addresses, any that aren't bounced are classed as valid, (one problem I wish GMail would fix instead of just forwarding to the closest sound-alike).
5) ad infinitum.

I'm hesitant to open it, just to see what it says.

-SKesselman (June 17, 2009, 03:57 PM)

Never, ever open a suspected spam email unless you have your email client properly configured.

By properly, IMHO, at the very least only configured to send/display all messages as plain text, (see here¹), and to never send a receipt saying it's been received or read.

1. Yes it's old but still valid - there is no reason to send HTML in an email.   Any sent to me usually end up deleted rather than read and I blame it on a message filter if someone asks  

[tomos]

It happened me once (2001 or so-ish) when I didint have a clue* that my email address was used and people received spam from my address. No idea how, but as I say I had absolutely no clue then about anything (I had first started using pc's a year or two prior to that).

What should one do in this situation? (if it's your address being abused) - abandon the account, tell the provider?


* I'm not a whole lot better now . .

[SKesselman]

Never, ever open a suspected spam email unless you have your email client properly configured.

-4wd (June 17, 2009, 04:17 PM)

I don't really trust that I'll ever have an email client so properly configured that I'd feel safe, so I filter my mail manually before downloading it.
But, maybe I'm being silly. Are the consequences similar, no matter where I open the potentially harmful mail from, be it webmail or Outlook? Hmm...

1. Yes it's old but still valid - there is no reason to send HTML in an email.   Any sent to me usually end up deleted rather than read and I blame it on a message filter if someone asks  

-4wd (June 17, 2009, 04:17 PM)

I tried that for a while, and all it did was piss people off. Seriously.
Someday, when I'm working again, I'll probably (again) have little say in the matter.
But I looked at the links you posted anyway, & bookmarked them - you're right, these are still valid reasons to avoid HTML mail.

Thanks for all the help, and for the quick reply, 4wd...much appreciated.

[Target]

it's old but still valid - there is no reason to send HTML in an email.

-4wd (June 17, 2009, 04:17 PM)

is anyone aware of a reason why HTML mail persists?

wouldn't some sort of rich text format be a far better alternative?

[cranioscopical]

I tried that for a while, and all it did was piss people off.

-SKesselman (June 17, 2009, 09:46 PM)

And you stopped? What better reason could you want?  

[4wd]

Are the consequences similar, no matter where I open the potentially harmful mail from, be it webmail or Outlook? Hmm...

-SKesselman (June 17, 2009, 09:46 PM)

Yes, I would expect so - probably even easier in webmail since you're already looking at it in a browser that's designed to load images from all over the internet.

Unless, of course, the webmail service gives you some measure of control over what you choose to display while you're online.

1. Yes it's old but still valid - there is no reason to send HTML in an email.   Any sent to me usually end up deleted rather than read and I blame it on a message filter if someone asks  

-4wd (June 17, 2009, 04:17 PM)

I tried that for a while, and all it did was piss people off. Seriously.

The obvious answer to those people is, "Well, I don't know how valuable your personal data is but I actually take steps to protect mine."

Alternatively, you could scramble the <html> tags and forward it back to them asking where in the load of rubbish is the pertinent information.

For a while I actually toyed with the idea of creating a filter that auto-responded with that website before deleting the offending message.
Now-a-days people tend to know me better and don't send me things I have no intention of looking at, (like bl**dy PowerPoint attachments for stupid jokes), because they know it'll just get deleted.

it's old but still valid - there is no reason to send HTML in an email.

-4wd (June 17, 2009, 04:17 PM)

is anyone aware of a reason why HTML mail persists?

-Target (June 17, 2009, 10:31 PM)

That's easy, have a look at any PC running Windows - OE, (and probably Outlook), and Thunderbird, (IIRC, it's been awhile since I last installed let alone configured it), both default to HTML email and replying to email in the format it was sent.

I don't know about any other email clients but since you're talking about probably the most used one, (OE), it comes back to being "people don't know any better."

They see the pretty emails they can send but they don't see all the junk that's sent to do it, neither are they aware of the risk involved in receiving the damn things.

[Target]

That's easy, have a look at any PC running Windows - OE, (and probably Outlook), and Thunderbird, (IIRC, it's been awhile since I last installed let alone configured it), both default to HTML email and replying to email in the format it was sent.

I don't know about any other email clients but since you're talking about probably the most used one, (OE), it comes back to being "people don't know any better."

They see the pretty emails they can send but they don't see all the junk that's sent to do it, neither are they aware of the risk involved in receiving the damn things.

-4wd (June 17, 2009, 10:44 PM)

There's some truth in what you say, but it doesn't answer the question - why does the format persist?

Given that HTML mail is such a well known vector for security breaches it's kind of hard to understand why nobody is making an effort promote a better alternative (rich text?).  Outlook (not express) already includes RTF mail, but it's not as 'mainstream' as others, and it's pointless if the people your sending to can't (or don't/won't) use that format   

The reason that people 'don't know any better' is because they're not being offered an alternative.  And if an alternative exists, it's obvious advantages are not beng promoted

Or could it be that it's in the best interests of the (AV) industry to perpetuate this format?