For a while I've been keeping an eye on an apparently Chinese scammer, who sends out messages with subject lines like '________ thought you might like to see this item'. When opened, the message proves to contain a little bit of eBay-related boilerplate, some graphics lifted from eBay, some not-quite-English text and a link to one of a family of sites that appear to be hosted in China. The sites in question advertise expensive consumer goods at below market prices. The deceptive use of the eBay name and graphics, the fact that the domain names used change constantly and, of course, the use of spam for advertising make it all but certain that this is a scam.
Things took an interesting new twist tonight, when I received two emails with the name and address of a good friend of mine in the 'From:' line, with the subject 'Dear Friend:'. The messages read as follows:
Hi.Nice to meet u and my friend operates a company .i have got something from him and i must say that the quality is so good .SO i tell u the truth and hope u can connect him and welocme to his website www.ouregoods.com.If u have any questions u can add ouregoods@hotmail.com we are pleasure to help ,good luck to u!
Assuming for the moment that my friend — a highly educated and articulate native English speaker — hasn't suffered a brain haemorrhage, it's probably safe to say that he didn't write that message. Interestingly, however, the 'To:' field in each message contains the names and addresses of about forty of his friends, family members and colleagues. So it's also safe to say that whatever sent it had full access to his address book.
My friend is a Hotmail user; the message was sent through bay0-omc3-s6.bay0.hotmail.com. If the X-Originating-IP field is to be trusted, however, the message was actually posted by something in CNCGROUP Beijing province network. It starts to look as if we're dealing with something that has acquired my friend's Hotmail password and is using his account to send mail.
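The header comparison described above, sketched as an added example that is not part of the original post: it separates the host that relayed a message from the address that posted it and counts the recipients. The list of networks the account holder normally uses, the recipient threshold and every address in the sample are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: only the relay host name comes from the post; the IPs
# (documentation ranges) and all addresses are made up.
SAMPLE = """\
Received: from bay0-omc3-s6.bay0.hotmail.com ([192.0.2.10])
\tby mx.example.net with ESMTP
X-Originating-IP: [203.0.113.45]
From: Friend <friend@hotmail.com>
To: a@example.org, b@example.org, c@example.org, d@example.org
Subject: Dear Friend:

Hi.Nice to meet u
"""


def triage(raw, usual_networks, max_recipients=10):
    """Summarise the headers that separate 'relayed by' from 'posted from'."""
    msg = message_from_string(raw)

    # The topmost Received header was added by our own mail server, so the
    # host it names is the relay that actually handed the message over.
    received = msg.get_all("Received", [])
    m = re.search(r"from\s+(\S+)", received[0]) if received else None
    relay = m.group(1) if m else None

    # X-Originating-IP is stamped by the webmail service and is only as
    # trustworthy as that service; treat a missing or malformed value as unknown.
    raw_ip = (msg.get("X-Originating-IP") or "").strip().strip("[]")
    try:
        origin = ipaddress.ip_address(raw_ip) if raw_ip else None
    except ValueError:
        origin = None

    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))

    flags = []
    if origin is None:
        flags.append("no-origin-ip")
    elif not any(origin in ipaddress.ip_network(n) for n in usual_networks):
        flags.append("unusual-origin")
    if len(recipients) > max_recipients:
        flags.append("mass-recipients")
    return {"relay": relay, "origin": str(origin) if origin else None,
            "recipients": len(recipients), "flags": flags}
```

A legitimate relay combined with an unusual origin and a long recipient list is the pattern that points at a hijacked account rather than a forged 'From:' line.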
This is a new one to me. As a social engineering attack, it fails spectacularly because the scammers didn't take the trouble to get their pitch written by someone who can actually speak English. Nevertheless, it demonstrates the potential for this kind of attack. If you received a more convincingly-crafted message apparently sent by someone you knew, wouldn't you be more tempted to give it a look than if it came from Chauncey K. Acevedo or Angel Z. Hawkins or another of the crowd of similarly-named strangers who seem to feel that my penis could be larger? Today, you can spot the scam at a glance; tomorrow, it might not be so easy.