There's a more common version of this attack, one that many people volunteer for -- the multiple-recipient e-mail.<p>The worst kind of e-mail is one that has more than one visible recipient address. If a system has been compromised, and the attacker can get his hands on multiple-recipient e-mails, he can use them as the basis for a phishing campaign in which he pretends to be one of the other recipients -- i.e. a "friend" of the recipient.<p>The solution is to <i>never send an e-mail with more than one visible recipient</i>. As it turns out, this is easier said than done -- people just don't understand why multiple-recipient e-mails are dangerous. They also don't understand that the remedy is simple -- just put the list of recipients in the BCC (blind carbon copy) field of the e-mail client program, not the CC (carbon copy) field. The former avoids disclosing the addresses of all the recipients in each copy of the message.<p>More details: <a href="http://arachnoid.com/opinion/help_the_crooks.html" rel="nofollow">http://arachnoid.com/opinion/help_the_crooks.html</a>