Reunion.com Will Scrape Your Address Book, Then Spam Your Contacts

Reunion.com dupes new members into signing up by sending them an email that pretends to be from an acquaintance who’s been looking for them (on Reunion.com, naturally). After you sign up, the site sucks in your contacts and immediately begins spamming them to join by sending out a similar email. If one of those people then signs up at Reunion.com, their contact list is scooped up and the cycle starts all over again, like a social engineering version of a virus or parasitic infestation. Maybe this is why Reunion.com can claim to register about 1 million new members every month.

The LA Times traces how the process works through one accidental member’s experience:

West L.A. resident Elaine Schmidt experienced Reunion.com’s aggressive marketing for herself when she received an e-mail the other day that appeared to be from a longtime acquaintance.
 
It said: “Hi, I looked for you on Reunion.com, the largest people search service — but you weren’t there.” The e-mail instructed her to click on a link to see who else has been searching for her.
 
Curious to see if her acquaintance had left a message, Schmidt, 44, clicked on the link and found herself at Reunion.com’s site, where she was prompted to register so she could see who’d been searching for her.

You know the rest. Elaine ended up having to email 250 people to apologize for the intrusion. She also discovered that she’d been spammed by Reunion.com because someone she knows had fallen for it earlier that day:

In Schmidt’s case, the e-mail that prompted her to open her address book to the company appeared to come from Vera Eck, a Santa Monica psychotherapist whom Schmidt has known for a while.
 
“I wasn’t searching for her,” Eck told me.
 
Just an hour or so before Schmidt received her e-mail, Eck, 46, said she received a message from what appeared to be the father of one of the kids in her son’s Cub Scout pack. Curious to know why he was searching for her, she registered at Reunion.com to see if her acquaintance had left a message.
 
Eck provided access to her Gmail address book as part of the registration process. And so it goes.

Don’t join Reunion.com if you value the privacy of your address book.
 
“Too much contact at this Reunion” [LA Times] (Thanks to David!)
(Photo: tanakawho)

Comments


  1. mgy says:

    It’d be nice for a follow-up if Consumerist were able to snag an interview with someone over at reunion. I’d LOVE to hear the justification.

  2. jpx72x says:

    She gave them the password to her yahoo account. I have no sympathy for someone that stupid.

  3. DeadlySinz says:

    @jpx72x: *cough* GMAIL *cough*

  4. dragonfire81 says:

    There are many websites that operate like this. The technique is sleazy but not illegal.

  5. huadpe says:

    This is one of those times that using a mailinator.com address is REALLY useful. Like, fantastically so.

  6. huadpe says:

    I just went through the process of registering under a false name, and saw this small font message on one of the pages:

    “We’ll search our Member directory for any matches to your email contacts — and we’ll tell you who’s already a Member. We’ll also let anyone who isn’t a Member know that you looked for them, and invite them to join (it’s free!).”

    They actually do say that they’re going to spam all your contacts. But, “it’s free!” Thanks but no thanks, I get enough ‘free’ spam as it is.

  7. it’s a feature!

  8. unravel says:

    I registered with reunion (and classmates) a while back in a last ditch effort to find a couple of old friends, using my hotmail address (which still exists because it’s an excellent landing zone for spam – and they sent tons of it, oh yes). Not having any real use for hotmail, there are long periods of time during which I fail to log in, and every now and then, Microsoft “kills” the account, and I have to re-activate it. Reunion & Classmates couldn’t spam me for a whole TWO days, and each locked me out of their websites. I thought I’d forgotten my password, so requested it be sent, but got some message about how I needed to contact customer service (so they could try to convince me I really wanted to pay for their services, I’m sure). I don’t think I’ve ever been locked out of any other sites _because they couldn’t spam me_

  9. SOhp101 says:

    Wow, I JUST got an e-mail from this company…

  10. magic8ball says:

    Do new users have the option of registering without forking over their address book?

  11. bigmil87 says:

    @jpx72x: Uh, it doesn’t say that she gave the password to her Gmail account, it says that she gave reunion.com her address book. Read a story and comprehend it before you make yourself look silly.

  12. Reunion.com spammed my wife and she had never been to the website, so I am guessing someone she knows signed up. That’s okay we blocked reunion.com from about 45,000 email users for spamming. Even if they changed IP addresses the email will be deleted if it has “reunion.com” in the message body.

  13. prameta1 says:

    @bigmil87: you’re the one looking silly. are you completely ignorant of the internet? exactly how do you think that she gave them her email address book? email by email?

    i’ve received invitations to other networking services like this. they ask you to register your hotmail or yahoo email address and then prompt you for your email password to those email services. they promise not to store your login information, and promise to only use it the one time to check your contacts against their membership database.

    they very literally ask for your password, and they very literally log into your email account and go through your contacts with their filthy paws.

    so, next time your ill-informed mind doesn’t know what it’s talking about, how about you shut your mouth and refrain from condescending to a well-informed poster.

    are you comprehending? how’s your comprehension? did you comprehend?

  14. Swervo says:

    My favorite part about all of this is how their message couldn’t even possibly be genuine given the circumstances.

    Why would you bother looking for someone on Reunion.com that you *already have* in your address book? I thought the whole point was to try to reunite with people whose addresses you *don’t* have.

    Reunion.com and Classmates.com lost me as a potential user a long time ago, even when I did want to try to reconnect with people.

  15. humorbot says:

    Shit like this is really insidious, in principle no better than phishing. Indulge, just for a moment, this juvenile stab at vengeance:

    1. Set up a dummy email account and populate the contact list with nothing but dummy @reunion.com email addresses. Like, thousands of them. Wouldn’t hurt if you managed to track down the real addresses of Reunion employees as well, but deluging their server’s dead letter postmaster account will still provide modest satisfaction.

    2. Be sure to include some gems like:

    toallthesleazebags@reunion.com
    stopspammingmygrandma@reunion.com
    iseewhatyoudidthere@reunion.com
    getarealbusinessmodel@reunion.com
    takeyourspamandshoveitupyour@reunion.com

    3. Join Reunion.com using the dummy account. Hand over your password and sit back as they scrape all those bogus email addresses and bury their own systems in the stink they themselves have created.

  16. humorbot says:

    Now that I think about it, I wonder if their spam machine filters certain legally sensitive domains, usdoj.gov, say, or bbb.org. Or for that matter, reunion.com.

  17. WhirlyBird says:

    I got “Quechup”-ed last year, so when I recently received my invite from a “long-lost friend” at Reunion, I recognized what was going on, and deleted my account.

    @bigmil87: You’re retarded. Shut up.

  18. KogeLiz says:

    They tell you upfront.
    Obviously if you use your email address book, they will email everyone on it. Isn’t that common sense nowadays?

    And I’ve noticed a lot of sites that do this now.

  19. chemmy says:

    OMG i love the reunion.com idea…. Throw in a couple (hundred) Sprint emails and other people we read about and loathe here on Consumerist and watch it go down.

    Darn it, I am at work right now – otherwise I’d start the address book for you!

    LMFAO

  20. Chris Walters says:

    @KogeLiz: Heck no. Like opt-in vs. opt-out, there’s a right way to do this and a wrong way.

    Right way: scoop your address book, display a list, and then ask for explicit permission to contact specific entries on it.

    Wrong way: scoop your address book and start contacting everyone on it without giving you a chance to either deselect some or all of the names, or preview the outgoing message before approving the blast.

  21. Norcross says:

    Funny enough, I got one of these spam messages from a client of my old boss. I first wondered why SHE wanted to contact ME, then realized that…well…spam.

  22. BalknChain says:

    Classmates is pulling a number on me. I cancelled the service, but they keep charging our card. To try and cancel again I have to log into the site which then effectively has me using the site and getting charged. I also forgot my password since I stopped using it and thought it was cancelled so long ago. I also have received a lot of Reunion emails, but I just delete those.

  23. lunchbox says:

    @prameta1:
    can’t stop giggling at the last line…are you comprehending…it’s the kind that just brings tears to my eyes at my desk. i do not know why it is so funny to me. but thanks for that none the less.
    also, props to WhirlyBird. your comment, too, has me in stitches. (it’s going to be a long day so every little bit helps)

  24. EyeHeartPie says:

    I agree that this is flawed thinking. I mean, why would you want to send emails to people who you ALREADY have email addresses for, to let them know you are searching for them? Anyone who signs up with them and gives them access to their email contact list hasn’t thought the process through. There would be no reason that reunion.com needs access to your email contacts other than wanting to spam them.

    Bottom line: you already have their address and can contact them whenever you want; why would you need to use another site to contact them?

  25. annelise13 says:

    Explains those annoying emails in my spam folder. I haven’t been reading them, so now I wonder who I know fell for it.

  26. KogeLiz says:

    @Chris Walters:

    Hmm..
    So, there’s no way to opt out of the whole address book option when registering?

  27. jpx72x says:

    @bigmil87: Lol, self pwned.

  28. fuzzymuffins says:

    @humorbot:

    hell yeah!!!

  29. NightSteel says:

    @BalknChain: Chargebacks or report your card stolen.

  30. Mr. Gunn says:

    So basically, they’re doing what facebook was allowed to get away with? How can you blame them?

  31. Orv says:

    @humorbot: It’s a nice thought, but unless you come up with real addresses it’s not going to work. As someone who has run some Internet mail systems in the past, I can tell you that almost no one routes incorrectly addressed mail to the postmaster account anymore.

  32. Chris Walters says:

    @KogeLiz: You can skip that step, but the crucial thing is Reunion doesn’t tell you it’s going to send emails out to everyone. It simply asks you if you want to give it permission to go through your address book to see if anyone in there is registered with Reunion already. After you give it your password, the next screen announces that it’s “contacted” everyone in your address book. Surprise!

  33. Chris Walters says:

    Okay, I just set up a fake account and tested the service to see what happens. Technically, they do warn you in a roundabout way with the following line of text: “We’ll also let anyone who isn’t a Member know that you looked for them, and invite them to join (it’s free!).”

    I’d argue this still isn’t blatant enough. For something as private as an address book, which can mix personal and professional entries and be quite large, you must explicitly give the user a chance to see exactly what is going to happen to that data, and force the user to authorize the act in a very deliberate way. It’s too easy for a user to assume that the next step after giving their password is they’ll see a “results” screen and then can decide who to invite, when actually that’s taken out of their hands entirely so that Reunion can spam the maximum number of addresses. (“It’s easier to ask forgiveness than permission,” as my marketing boss at an old job always said.)

    Here’s what happens—I just tested it with a fake Gmail account with my real address in the fake account’s address book.

    Screen 1

    [consumerist.com]

    Results Screen

    [consumerist.com]

    Email Sent Immediately Without Approval

    [consumerist.com]

  34. humorbot says:

    @Orv: So the bad addresses just bounce? I figured as much, but then, 3am revenge fantasies usually aren’t that well thought out.

  35. SoCalGNX says:

    Fansite.com does the same thing.

  36. humorbot says:

    I dunno… this whole thing still just smells. Ever since my pal got Quechup’d (reconnect with your Incan friends!) and I got spammed.

    Isn’t it internet-common-sense to never give your password(s) to anyone or anything for any reason? Odds are many folks’ Gmail/Hotmail/etc. passwords are identical to the PWs they use for more sensitive sites, like banking.

  37. Ragman says:

    I had signed up for reunion back when it was HighSchoolAlumni in the 90s. Back when they would actually let you view pics and info if you were a free member. I’ve noticed a difference in some of the emails reunion sends – one will say there’s been searches for your name – today’s spam title is “Ragman, 3 People Searched Your Name!” Occasionally another will say that a classmate has searched for your name, with both wanting you to pay to find out. Makes me wonder if they have a bot that runs searches to generate the first type of email, since I seem to get one almost every day.

  38. SJActress says:

    @Gstein:

    You must play EA Game products. They call all of the bugs “features”.

  39. Amy Alkon000 says:

    Mamasource.com does this, too. I posted about it, and a woman started an entire blog about it:

    [www.advicegoddess.com]

    [mamasource.blogspot.com]

  40. TamarMoth says:

    Well it happened to me. Wish I had read Consumerist first.
    I signed up for a free reunion.com account, my Gmail
    account was open in another tab. I did not see the
    ‘skip this step’ in the top right corner. I did not click the
    gmail icon, I did not give my password. I did click continue
    thinking *that* would skip the step (repeat I did not click the
    gmail icon or enter my password or do anything else on that
    page, just hit continue). They spammed EVERYONE in my
    gmail address book. They really are trying to trick people into
    allowing them to send spam in their name. I’m totally pissed
    off and closed my ‘free’ account immediately. I called their
    customer support, they insisted I had opted in and didn’t
    really seem to care.

  41. SmitaKhayln says:

    Hi. That happened to me as well! I had gmail open already, and didn’t
    select any email lists to import and definitely didn’t enter a
    password either.
    I don’t even think I hit continue, I accidentally hit enter and *boom*
    all my contacts in gmail were in the contact list.

    How the heck are they allowed to DO that?!

    I started deleting the addresses immediately. ONE AT A TIME. At that
    point I wasn’t aware my contacts had been spammed until I got an email
    from a couple of friends asking me if this was spam.

    I’ve contacted the better business bureau and am trying to get my
    account deleted but no one is picking up the phone. It nicely tells
    you to wait. and wait. and wait.
    So I’ve modified my profile a bit to warn off anyone else from joining
    and put it out on twitter. I’ll do it again later when everyone is
    awake.

    This is really bad – I have a lot of random people in my list and this
    points people to a page I’m supposed to populate with personal
    information?!? I don’t think so!
    Dana

  42. SudiptiCachai says:

    use facebook. It’s free and more people use it!

  43. Anonymous says:

    Just call me old fool. I’m on a fixed income but the 5.00 fee Reunion.com asked for seemed fine but they got me for 60.00. I only wish I knew how to get it back as I really need it. Anyone out there know how?

  44. Anonymous says:

    Reunion not only picked up my e-mail address from someone else—at the exact same time I began receiving crappy spam that I had virtually never had a problem with on that account—due to my refusal to answer any come-on messages. I finally had to get a new account and address. AVOID Reunion.com and hope no one with your address falls for the come-on.

  45. Anonymous says:

    Hm, is it me or have they stopped with these practices?

    There is NO REQUIREMENT to enter password to your msn or any sort…

    And after I opt-out I no longer receive messages from them.

    I guess they aren’t behaving like bad boys anymore.

  46. Anonymous says:

    My 80-year-old mother recently fell for this when she did a Google search for an old long-lost friend and was directed to reunion.com. Next thing I knew, I was getting these “invitations” from reunion.com, CLAIMING to be FROM HER, of course, at multiple email addresses (work, home, etc.). After talking to her about it, I logged in to reunion.com under her “account” (which she didn’t realize she was creating) and saw ALL of her email contacts listed as her friends, INCLUDING — to my great amusement — spoof [at] paypal.com, spoof [at] ebay.com, abuse [at] practically every domain name on earth, etc.!

    So I decided to investigate this further. I set up a fake account at reunion.com. During the process, I was asked to select my email provider (Yahoo, Gmail, AOL, MSN, etc.) and provide both the USERNAME AND PASSWORD for that account. As a computer professional, I am deeply saddened, and not just a little embarrassed, that my own mother fell for this and actually provided her account information, including the password! (Needless to say, all her accounts and passwords are being changed, and a mass-mailing will be going out to all her legitimate contacts explaining what happened, warning them of what to expect, AND warning them to change their passwords and apologize to THEIR friends!)

    – “No Prob Rob”

  47. Anonymous says:

    Doesn’t anyone read “privacy policies” any more? I checked this one out – didn’t like what I saw about “third parties”, so didn’t register. Pretty simple.

  48. James Gross Jr says:

    Looks like I’m going to need some luck here. I just canceled my account this morning. Here’s hoping nothing crazy happens later. Question: should I just cancel my card and simply get a new number? Honestly, I feel really stupid going for the paid subscription. OTOH, the charge is that “tweener” number where it’s high enough you see it, but not worth it to challenge it. Of course, I call that a 2008 mistake. The trouble comes if it lasts until 2010.

  49. Anonymous says:

    PLZ HELP! can someone please advise how to get your name out of their listings? i did a yahoo search on my own name and this spam reunions has my name, age and city of residence listed. to request the HELP feature, they want you to register. I never used this site or registered. i want no part of this.

    does anyone know how to get your name out of their database?

  50. Tammy Cooley Lau says:

    I had reunion spam my address book. I wasn’t happy. Of course, I didn’t realize this until it was too late and I paid 60.00 for a subscription. Ugh! I wished I had checked out facebook sooner! It’s much better than reunion!