These Tagged emails are definitely "spam" but will not always be caught as such.
They are generated by a web site named Tagged.com which is a social networking site (sorta like facebook but with a little less good manners).
When someone signs in to use Tagged it as for various info, including email address and password to email address book (supposedly to match you up with friends) and the site uses that info to access the users email address book and then creates these phony tagged emails which it sends to folks in the address book. It makes them look like they come from that user (friend) and is usually an invittation to join or an invitation to view some photos.
Advoid being used by this site by just erasing those tagged emails and not starting the join process.
If you have already joined and others are getting tagged emails that seem to come from you there are several sites that have solutions to get out of this situation including several of the anti-virus sites (even tho this is not technically a virus).
Hope this helps some. You can read about the "tagged emails" at snopes.com and other places by doing a google search on "tagged emails".

Here is the snopes link for the "Tagged" e-mails

snopes.com: Tagged

I definitely did not give them my e-mail password. But I'm guessing they can still get into my address book somehow....

They may well have a way of doing that with just your address and maybe they set a cookie or the likes. I'm not sure of all the particulars, just know that they use your address book to sent others messages that look like they come from you.

eWEEK article on Tagged

Network Security & Hardware

Harvesting Teenagers

Harvesting Teenagers

Share This Article
Article Rating: / 16 By: Larry Seltzer
2007-04-10

There are 7 user comments on this Network Security & Hardware story.




Harvesting Teenagers
( Page 1 of 2 )

Opinion: Web 2.0 means a lot of fuzzy things, and they're opportunities for the bad guys too. One new social networking site is a poster child for the abuse of social networking.Business is business, but some things are dishonest, and dishonest usually gets away scot-free on the Internet. You can learn a lot about what legitimate looking sites are capable of, and what ordinary users are willing to do when asked, from the example of Tagged.
Tagged is one in a flood of new social networking sites targeting teenagers. Theyre all MySpace wannabees, and perhaps some of them are harmless, but Im going to focus on Tagged. It first got my attention several weeks ago when I got about six e-mails in rapid succession from her. They were obviously auto-generated invites to join a site and said "[my friends name] has added you as a friend on Tagged," and "Please respond or [my friends name] may think you said no ". I could tell right off something phony was going on, but I still had better things to do, so I passed, and my friend was apologetic about it. I wasnt the only one who got the e-mails.

Web 2.0 represents multiple transitions in the manner of using the raw material of the ubiquitously connected public network. Click here to see a video about the business of Web 2.0.

Then I read this blog entry from Symantec and it explained how my friend might have gotten hit: "...when a user signs up for Tagged, theyre practically forced to put in their Webmail credentials. Tagged then logs into your Webmail account as you, accesses your address book and prompts you to e-mail your contacts using your Webmail address as the reply-to." At this point, I have to figure the phenomenon is maybe bigger than I thought and decided to do some testing.

First, its worth noting about the invitation e-mail that its sent with a From: and Reply-To: header of the members e-mail address, but its actually sent through the tagged.com mail server. They use an envelope-from address of bounce@tagged.com so that they pass SPF (sender policy framework) tests (a good example of the useful limits of SPF). In most mail clients, the message ends up looking like it came from your friend, so you dont want to block the address.

I set up two Gmail accounts specifically for the testing and a number of e-mail aliases on domains I own to be my "friends." I put these aliases in the address books of the Gmail accounts. Signing up for Tagged (which, I admit, I did under an assumed name), was easy enough, although I did quickly run into what Symantec describes. I was prompted for my Gmail credentials. They already knew my Gmail user name since I had provided it as an e-mail address. There is no option here but to provide a password:


Before too long the addresses in my Gmail address book received invites like the one I received. I later figured out that you can provide an incorrect password here, and it lets you proceed. Incidentally, they have similar functionality for AOL Mail, Hotmail, Yahoo mail and MSN mail.


Before I actually signed up I decided to read their TOS (terms of service), something Im sure none of the teenagers they target have done. Its long and a genuine Nightmare on Elm Street for the abusive and, while were at it, misleading rules for privacy.

( Page 2 of 2 )


Here are a few highlights from the TOS which, so it says, was updated as of October 18, 2006:

Tagged reserves the right to modify or amend this Agreement at any time, for any reason, or for no reason at all, at Taggeds sole discretion. —And theyll post the changes but wont otherwise notify you, and its your job to check the TOS page. Perhaps this is standard practice, even if it makes it impossible to follow the rules.
During registration, users also complete survey questions that provide information that is helpful for us to understand the demographics and consumer behavior of our users, such as identifying the users eye color, style, personality type, favorite color, sport, food, activity or TV show, post-graduation plans or graduation year. —Eye color? This gets even creepier when you hear the rest of the rules.
From time to time, Tagged may share the e-mail address and/or other personally identifiable information of any registered user with third parties for marketing purposes. You may opt-out from receiving marketing messages from our partners at any time by using the following link: Untitled Document. In addition, Tagged may share a registered users e-mail address with third parties to target advertising and to improve user experience on Taggeds pages in general. —So they can share your eye color, your school, etc., with anyone they want, for marketing purposes. This is the heart of what Tagged is about of course, building a database with all this PII (personally indentifiable information). As far as I can tell, under this agreement they can sell your Gmail login credentials too. And who are the third parties to whom your PII may be sold? Spammers? Pornographers? That would be cool under this TOS.
Users have the option, within their Internet browsers, to disable cookies and continue to access the Tagged website. —Not true. I tried. If you disable cookies it wont let you log in and says that you have to enable cookies.
Pixel tags are tiny graphic files that are included in HTML-encoded e-mail messages. We use pixel tags to gather information about the e-mails we send to our registered users. When such a message is opened in an HTML-capable e-mail program, the recipients computer accesses our server to retrieve the pixel tag file and allows us to record and store the date and time, the recipients e-mail address and other standard logging information. The pixel tag also may read cookies. Tagged Web pages may also contain similar pixel tags that allow us to count users who have visited those pages to compile aggregated statistics about site usage and to deliver co-branded services as they become available. Tagged pixel tags collect only a limited set of information including a cookie number, time and date of a page view and a description of the page on which the pixel tag resides. Tagged Web pages may also contain pixel tags placed there by third-party ad servers, to monitor the effectiveness of their advertising. —Pretty good description of what I always called "Web bugs." But they dont just send them, as the TOS says, to their registered users. The invitation e-mail I received from my friend had this tag in it:
<img src="http://www.taggedmail.com/imgsrv.php?uid=12345678" />
Obviously a "pixel tag." The whole point of this, and the basic point of the cookies is to track you, and then to sell the information they collect.
Nothing in the TOS says that they will be harvesting addresses from your address book, nor what they are entitled to do with those addresses. Perhaps they consider these addresses as being provided for invitations to Tagged, but thats clearly not true.

Recently identity thieves used a Quicktime vulnerability to attack users on Myspace.
I also tested canceling my Tagged account and the process seemed to work, but you need time to really judge such things. For instance, even though I cancelled are they still selling my PII?

To answer this question and to give Tagged a chance to respond I decided to contact them but ran into problems. They have no contact link on their page, and the closest link they have to one, with company information, is to Tagged Inc., a dead link. Why am I not surprised?

I have seen the future of teenage exploitation, and its on social networking sites. Even the "legit" ones like MySpace creep me out some, and Im sure Tagged isnt the only one thats scams and abuses its users. When users are willing to provide their e-mail login to a Web site, you know we have a long way to go to make the Internet safe.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Listen, if anybody gets one from me, will you let me know, please? Thanks!

(And I'm really sorry, in advance.)

Tagged!


I was first tagged by Connie/Grest early this morning aka (Constance S)
Never heard of the website before but since the name was someone I knew
I registered to see her online photos (Photos of a tiger and a tan puppy)
After providing some basic information - For some unknown reason....
The site then sent out emails to everyone in my AOL address book too!
I discovered this minutes later after an out of office email was returned.
The (spam) emails from Tagged were not sent out with my permission...

Sorry To All Here on TS4MS
If "Lucky" sent you a photo.

Well, sort of, actually, they were.

I just looked - I got one from someone unrelated to the 4Ms, but my email program filed it as "junk."

I feel left out, I did not get one.

You are the lucky one

Me neither Frank, we're just not one of the "popular kids"

Yeah

It would be superfluous to say that I did not receive one either.

I just got a &quot;MyLife&quot; invite

from a TUGer I corresponded with - so these things are still making a mess of peoples emails.


What a pain!