Quechup is rotten: don't accept invites

As blogged here yesterday:

While you were Burning / vacationing / spacing out offline this Labor Day weekend, many folks online were hit with invitations from a social networking service called Quechup that violates your address book, and abuses user trust by spamming all your contacts.

Now that people are coming back from the Labor Day holiday, expect a bunch of invites -- I've received a dozen just this morning. Delete 'em if you know what's good for you. Link to one of many first person accounts, Link to another. And another, and another (punch line: the spam blast created by Quechup caused Google to suspend that victim's Gmail account).

Update: via Howard Rheingold on Twitter, here's the corporate rep info for Quechup:

Quechup attorney, I am told: Loeb & Loeb LLP 345 Park Avenue New York, NY 10154-0037 Tel: (212) 407-4000 USA

Quechup parent corp, I'm told: iDate Corporation 6767 West Tropicana Ave. Suite 207, Las Vegas, NV 89103


  1. “Yaari.com,” a social-networking site for Indians and their friends around the world behaves similarly. Stay away from Yaari.com as well!

  2. Thanks for the tip. Who’s behind this gang of bandits? I’m afraid even to go to their site to see if they identify themselves.

  3. Can someone tell what is the subject of these messages, so I can create a filter on Gmail to automatically delete it?

  4. @Eduardo: it’s “Invite from [name] [email address]” and it’s generated from the user email, not [something@quechup.com], which gets past many people’s trust filters.

  5. Yeah, I believe Tagged does the same thing – I’m in Mexico City and periodically I get emails from way too many people that say “So-and-so has tagged you… ” But I figured out awhile ago, it doesn’t give you the option to choose who you invite, it just invites everyone…

  6. It’s unclear from the story: is this just another Windows exploit? An update with details of what systems are affected would be appreciated.

  7. Oh, of course it’s my first name there, so now I’m paranoid even though I’ve never heard of or used quechup. :P

  8. Hey, wait — does the mail go out from your own account or through their server? That’s something filterable. I’d like to put it into Despammed if it’s that easy.

  9. Here’s an example with header info, actual victim’s details deleted:


    From: VICTIM@gmail.com
    Subject: Invite from VICTIM (VICTIM@gmail.com)
    Date: September 3, 2007 9:36:36 PM PDT
    Reply-To: (VICTIM@gmail.com)
    Delivered-To: XENI’S ADDRESS
    X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on XENI’S EMAIL SERVER
    X-Spam-Status: No, score=-2.6 required=7.0 tests=BAYES_00,HTML_MESSAGE autolearn=ham version=3.1.9
    Received: (qmail 14572 invoked from network); 3 Sep 2007 21:39:48 -0700
    Received: from mail2.quechup.com (HELO www1.quechup.com) ( by XENI’S EMAIL SERVER with SMTP; 3 Sep 2007 21:39:47 -0700
    Received: by www1.quechup.com (Postfix, from userid 48) id E56A52B3517; Tue, 4 Sep 2007 05:36:36 +0100 (BST)
    Sender: “Quechup”
    X-Mailer: PHP v5.2.3
    Mime-Version: 1.0
    Content-Type: multipart/alternative; boundary = “1c0ee4632942be820932c592055b2695”
    Message-Id: <20070904043636.E56A52B3517@www1.quechup.com>

  10. The oldest reference to the problem I can find online is here:


    I’m not sure if the problem has really been around for 18 months and has just taken this long to explode, or if it’s been on and off. In any case, the bulk of blog complaints seem to be within the last month.

  11. Has anyone gotten an invite for Rapleaf.com? Seems like a pretty legit site, though the invite I got from someone I had never talked to before said they vouched that I am a “good person”. I signed up anyway, it seems pretty cool, though I doubt it’s a perfect way to tell anyone’s true online reputation.

  12. Hi5.com is another social networking site that spams your contact list without clearly telling you what it’s doing.

    Is there someplace we can see a list of these skeevy sites?

  13. Man, if they’re getting this kind of negative attention this early on, they’re pretty much DOA. So much for sweeping the nation. As a product manager, I can almost guarantee you there’s a PM at Quechup who wants to kill his boss for making them do this. Nobody who gets social networking would knowingly implement this kind of crap.

  14. Hoo boy do I wish I’d read this a few days ago. I got an invite and responded, and was burned. Luckily, I used an address book with only a dozen or so addresses, but still… annoying!

  15. Another address book violator;


    As soon as you sign in to check it out it starts sending SPAM invites to your entire list!
    The horror…

  16. I must have a particularly adept (technically; or, perhaps, merely suspicious?) set of friends, because I haven’t yet seen one of these invites. Good to know, anyway.

  17. This is why Xeni is my favorite blogger here. It doesn’t just rape your address book; it *anally* rapes it.

    I don’t think Cory would have posted that one!

  18. I’m just wondering, why there are so many people willing to reveal their e-mail address/password in a website they’ve just discovered? To be honest, I only login to my GMail account in Google’s services and once on Pidgin, to check their GTalk support (MSN is often blocked these days in offices).

    Then again, I’m very suspicious of “social networking” websites. Last.fm is the only one that I’ve found to be interesting, all the rest look too much like the pick-up spots at your local bar.

  19. Hey Teresa, I got an invite from David Cramer on Rapleaf – I just realized it was because he has the most popular profile on the site. He must have trolled, and got my real name, because he runs a website called Curse.com, and I play World of Warcraft. Anyway, it seems like an interesting site so far, though maybe not very useful.

  20. I am so not impressed with Rapleaf.com. I went and had a look at the site an hour or two ago. Now–surprise!–I have mail from them:

    Rapleaf Reputation
    3:00 pm (17 minutes ago)

    Dear Teresa,

    Someone researched your reputation on Rapleaf by searching “tnh@panix.com”.

    To view (or update) your profile, check out:

    Even though your profile is incomplete, the person who searched you found some basic reputational information on you. At Rapleaf, you can find such information as age, location, history, social network links, and more on over 60 million people.

    Your friends at Rapleaf.com

    Yeah, sure. People who have information on Teresa Hayden either don’t know me, or are talking about someone else.

    I’ve gotten messages like this before from other sites. They tell you someone’s been checking on your reputation, so naturally you go there to see what they’ve got on you. Generally, it’s a name and address. If you fall for it, you update your profile, which gives them valuable social networking information about you.

    Joey? Say something about yourself that’s got nothing to do with Rapleaf.

  21. Ooh, Teresa, them’s fightin’ words! (Pass the popcorn!)

    I would like to announce that Despammed.com now officially blocks all mail from quechup.com. I’m partying like it’s 1999! (Literally.)

  22. Teresa,

    Whoa. I didn’t realize that type of site was so shady…

    I am definitely not affiliated with them. I’m just a BoingBoing reader and a student. Seriously.

  23. the lawyers are called “Loeb and Loeb”? “Andrew Loeb” is the name of the fictional lawyer in Neal Stephenson’s Cryptonomicon, the insane one that ended up coming after them with a bow and arrow. I’d avoid those lawyers…

  24. Granted, if you give them access to your address book, which I was dumb enough to do, you’ve pretty much opened the door for them to spam all your contacts.

    On the other hand, no matter what the TOS it seems pretty damn shady that they didn’t start sending invites out to my contacts until *after* I’d closed my account. There is some good info and are some informative links here http://microformats.org/wiki/social-network-anti-patterns

  25. Sad that these guys are doing such things. Any blogger interested in decampaigning them so that they should be brought down?

  26. Quechup sucks! I warned about them on my blog and deleted my account.

    But the following day, they still spammed everyone on my email list, despite me no longer being a subscriber.

    As well as deleting my account, I should have changed the password on my email and I advise others in my shoes to do the same.

  27. I canceled my quechup and changed my email password within five minutes of stupidly letting them rape my address book – three days later they spammed my thousand plus email contacts. ::head/desk::

  28. I’m really betting this was me. I got hit by a ton of people asking (civilly) “what the hell is this shit?” It posted to mailing lists I haven’t used in years, etc.

    So, sorry, Xeni (I didn’t think you were in my address book, but you were.)

    Anyway, I am Andrew @ gmail.com which really sucks.

    For what it’s worth, there’s no warning that they will be spamming your email – there’s a pretty normal “enter your password and we’ll see if any of your friends are here” screen. Apparently that was enough for them to post umpteen emails to everybody.

    I wasn’t as drastic as the person above, though. I just let it go. I apologize for being stupid but I haven’t been “hacked.” Yet.

  29. I received an “invitation” from Quechup this morning. I had never heard of them and didn’t even recognize the sender. I assumed it was more Storm worm spam and tagged it as junk. However, after reading this, I went back and investigated the sender. It turns out to be someone I had responded to a couple of years ago in a craigslist job posting. If this idiot kept everyone that had responded to his job posting(s) in his address book … thousands spammed … oh the humanity!

  30. Another reason to avoid MS ‘LookOut’? I assume that this probably can’t get into the address book of other apps like Thunderbird…

  31. Another site, spymac.com did this last year. It’s so embarrassing when your boss gets an invite to this dodgy site, and thinks you’re behind it.

    I never recommend stuff, so everyone assumed that it must be really great if I went to that much trouble!

    Despicable behaviour.

  32. #41 :
    As a mac user, I’m not sure if it’s an Outlook hole or not – a buddy of mine who’s almost purely OSX hit me twice with it. I suppose it might have grabbed one of his webmail things, but I don’t know…

  33. If anybody has accidentally signed up for this…

    1. change your email account password

    2. log into Quechup and change your email address (e.g. to a free mailinator address) and change/remove any personally identifiable details (name, address, etc.)*

    3. in the Account menu find the ‘cancel membership’ link and use it

    * why do this? because we know Quechup behave unethically and therefore I don’t trust them to genuinely delete all information when you cancel

  34. “Choose the address book with the most contacts and we’ll search for matches so that you can […] invite non Quechup members to join you.”

    I’m no legal expert that does sound like it gives consent to automatically send email from your account.

  35. @anonymous (40) – doesn’t Gmail save every address you’ve ever emailed? Do Quechup and other spaminazis go to your saved contacts list or do they just take from the bigger list? If they do the latter, the recruiter may not have saved your email address on purpose. Then again, maybe your resume holds a special place in his heart.

  36. Even WORSE – I unsubscribed within minutes but Quechup STILL spammed my address book 3 days later and is still keeping my “profile” up as a filler. I know this because I’m continuing to get emails that random people are adding me, and the only way to change my preferences is to subscribe back up.

  37. If you harvested a locally hosted addressbook (outlook) with an activex control installed from the quechup site, you can remove it by going into “Tools – Manage Add-ons – Enable or Disable Add-ons” choose the ‘downloaded activex controls’, there should be one in there called ‘importer.imp’ from ‘improsys(unverified)’ you can remove this activex control from your system to prevent any further harvesting. I don’t believe that this control will jeopardize your email account and password, it appears that it simply copied the contents of your addressbook to their server.

  38. I had a bunch of invite e-mails this autumn from people whom I could never suspect to invite me to such a network.
    So, now the mystery is solved.
    I wonder, did they think about consequences and community reaction to this dirty trick?

Comments are closed.
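
The header sample in comment 9 and the filtering question in comment 8, as an added example (not written by the post's author or any commenter): the From line carries the victim's own address while Message-Id and the Received hops name the service's servers, so a filter has to key on the relay rather than the sender. The sample messages are constructed with placeholder addresses; `classify`, `origin_domains` and the two-label domain rule are assumptions of this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BLOCKED = {"quechup.com"}                         # relay domain named on this page
SUBJECT_RE = re.compile(r"^Invite from .+@", re.I)  # subject shape from comments 4 and 9

def org_domain(host):
    """Naive registrable domain: last two labels (assumption, no public-suffix list)."""
    return ".".join(host.strip("<>[]();").lower().split(".")[-2:])

def origin_domains(msg):
    """Sending-infrastructure domains from Message-Id and Received 'from'/HELO hosts.
    These values are sender-supplied, so treat them as evidence, not proof."""
    hosts = re.findall(r"@([\w.-]+)", msg.get("Message-Id", ""))
    for hop in msg.get_all("Received", []):
        # Require a dotted name so 'from network' / 'from userid' are skipped.
        hosts += re.findall(r"\b(?:from|HELO)\s+([\w-]+(?:\.[\w-]+)+)", hop)
    return {org_domain(h) for h in hosts}

def classify(raw):
    """Return 'block', 'suspect' or 'pass' for one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    origins = origin_domains(msg)
    if origins & BLOCKED:
        return "block"
    # A From/relay mismatch alone is normal (lists, mail services), so it only
    # counts together with the invite-style subject.
    if from_dom not in origins and SUBJECT_RE.search(msg.get("Subject", "")):
        return "suspect"
    return "pass"

def sample(from_addr, relay, subject):
    """Constructed message shaped like the headers quoted in comment 9."""
    return (f"From: {from_addr}\nSubject: {subject}\nReply-To: {from_addr}\n"
            "Received: (qmail 14572 invoked from network); 3 Sep 2007 21:39:48 -0700\n"
            f"Received: from mail2.{relay} (HELO www1.{relay}) by mx.recipient.example with SMTP\n"
            f"Received: by www1.{relay} (Postfix, from userid 48) id E56A52B3517\n"
            f"Message-Id: <20070904043636.E56A52B3517@www1.{relay}>\n\nbody\n")

if __name__ == "__main__":
    subj = "Invite from Victim (victim@gmail.com)"
    for relay in ("quechup.com", "invites.example", "gmail.com"):
        print(relay, "->", classify(sample("victim@gmail.com", relay, subj)))
```
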