As previously discussed, the Chinese fake-storefront scammers who have been using other people's Hotmail accounts to send spam have also been hijacking Gmail accounts. Talking to people who have had their Gmail accounts hijacked has revealed one interesting fact: everyone we spoke to had used the same password for both Gmail and Facebook.

Long-running spammer Canadian Pharmacy has a new trick, which it has been using obsessively over the last few days. It consists of sending out messages that exactly duplicate notifications from popular services (Amazon, Digg, Wikipedia, etc) but contain URLs that direct recipients to the pharmacy site.

If you're a business with a mailing list that may be of questionable quality, there are three possible options open to you. One is to err on the safe side, dump the whole list and start over using known best practices for list building. This is commendably cautious, but sometimes hard to justify to the marketing department. Another is to ignore your doubts and just keep sending to the whole list anyway: this is the kind of thing that gets you into spam blacklists. The third option is to do what's called a permission pass, which is to send a brief message to all the addresses on your list asking if they want to remain on it. The message should contain no advertising copy (to reduce the risk of it being seen as a kind of surreptitious spam) and the default should be to unsubscribe: in other words, if someone doesn't write back and say 'Yes! Keep me on your list!', you should drop their mail address. A permission pass is a gray area — it's a tacit admission that you've done things the wrong way in the past, but also a declaration that you want to start doing them the right way. Permission pass mails should be a last resort, but they shouldn't be viewed as spam.

Every so often, the Google news alert that feeds me a steady diet of spam-related news throws up an article written by someone who we might charitably call a 'non-expert'. Sometimes it's a junior journalist who has been told by his editor to go away and write something about spam. Sometimes it's a columnist who wants to share their own frustration or some folksy wisdom on the subject.

In the best cases, there's usually little new or actionable information in the piece. The better junior journalists just summarize a few other articles on the topic, while the columnists let their readers know that spam is making them sooooo mad. In the less good cases, the writers obviously haven't quite understood what they read, so the article is full of misinformation. And in the worst cases of all, the writer may try to offer advice, usually based on their own cursory study of the issue. These are the ones that have me screaming "No!".

So how bad is Microsoft's spaces.live.com spam problem?

Recently, I've been seeing heavy use of spaces.live.com URLs as spam gateway pages, promoting everything from pills to fake watches, from Russian brides to — embarrassingly for Microsoft, whose own products are among those offered — pirated software. The use of these domains gives spam messages a kind of limited 'respectability'. Instead of directly listing the Chinese-hosted sites that sell their products, easily identifiable by spam filters, they can trade on the name of the corporate giant to get the message through.