Recently I started getting invitations to join Flixster from both friends and complete strangers. Obviously, this was spam, but why were these complete strangers sending it to me? (For that matter, why were these friends inviting me to join Flixster, which is a social networking site geared towards movie reviews?)
Here’s what the typical spam invitation for Flixster looked like:
Subject: John D has sent you a private message
This note was sent via Flixster by John D (firstname.lastname@example.org) to email@example.com. If you prefer not to receive emails like this, tell us here: http://www.flixster.com/DoNotSend.firstname.lastname@example.org.
Then I noticed two curious things: 1. All the spam was coming from AOL and Hotmail accounts – real AOL and Hotmail accounts of real people, and 2. It was coming not just to me, but to role accounts at our organization – for example email@example.com. These people had really contacted us for support at one time or another, but a generic role account would hardly be a friend to whom you would send an invitation.
Then I got email from someone, a professional contact with an address at AOL, asking me (and everyone else in his address book) to please ignore the invitation to join Flixster which appeared to come from him but which, he said, had actually been sent by Flixster.
So, what is actually going on?
We decided to investigate, and here is what we found:
Once you join Flixster, Flixster commandeers your address book – your list of all of your personal contacts in your AOL (or Hotmail, Yahoo or Gmail) address book – and sends out an invitation to join Flixster “from” you. Oh sure, you enable them to do it – but clearly enough people are unaware of what they are doing that it’s causing a problem.
Flixster is getting their AOL (and Hotmail, and Yahoo, and Gmail) passwords!
Using AOL as an example, when you first sign up for Flixster using an AOL email address, after you select a username and password, the very next screen prompts you for your AOL password!
Here’s that screen – look how compelling it looks that you should give them your AOL password!:
If you use a Gmail address, you can get the same screen, only with the Gmail logo. Same for Hotmail and Yahoo.
Once you give them your password, they grab everyone’s email addresses from your AOL, Hotmail, Yahoo or Gmail address book and spam them with the invitation, in your name and from your email address.
And they access your AOL account before you ever get to the next step. Even though they make you feel as if you have complete control over the process by telling you “On the next page you will be able to select whom to invite”, they already have your contacts by that point. How do we know they access your account first? The password is checked against AOL the moment you submit it, not when you later choose whom to invite. Watch what happens if you give them the wrong password:
How compelling does that look?
Now, who do we blame for all this? Flixster for asking for the password? The user for giving it to them? After all, the user had to take an affirmative action to send you the invitation spam. But, do they feel compelled to send it? Do they even understand what they are doing?
Do they feel that their ISP has approved this or even partnered with Flixster because Flixster has placed their ISP’s logo right next to the password prompt?
Is this phishing in plain sight?
For their part, Flixster is not only unrepentant about these tactics, but brags about them. An article in American Venture Magazine, following Flixster’s $2 million in VC funding last month, included the following:
“But the site has also grown due to its aggressive viral marketing practices that have raised the hackles of some potential users. Such practices might include the automated selection of your email account’s entire address book in order to send a Flixster invitation to all of your contacts. (Emphasis ours.)
“But such practices are becoming increasingly more common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget.
“‘I attribute our success to a combination of both of those,’ Greenstein said. ‘We make it easy to invite your friends. Other sites don’t provide good ways for people to spread the word. And, we tried to build a really compelling site.’”
If you actually go on to read their Terms of Service, however, you’ll find that they mention nothing at all about this. Nothing. One way or the other. But they do, ironically, state that it is a violation of their Terms of Service to “Create a false or misleading identity of, including, but not limited to, a Flixster employee, or falsely state or otherwise misrepresent your affiliation with a person or entity, for the purpose of misleading others as to the identity of the sender or the origin of a message or to harvest or otherwise collect information about others.”
Oh, and it’s also a violation to “Disseminate any unsolicited or unauthorized advertising, promotional materials, ‘junk mail’, ‘spam’, ‘chain letters’, ‘pyramid schemes’, or any other form of such solicitation,” or to “Harvest or collect email addresses or other contact information of Members, including usernames, from the Flixster.com website by electronic or other means.”
“Our Just-Say-No-to-SPAM Policy
We do not send SPAM of any kind. The only email you will get from us is a weekly update of the latest movies and quiz questions and, of course, any personal messages sent directly to you by your friends.”
Me? I’ve now got a Just-Say-No-to-Flixster Policy.