Goodreads is an Amazon-owned site to track and review books. Recently I got propositioned for sex there.

Screenshot of Goodreads Wikipedia page

This totally caught me by surprise. My use of the site is passive - with my Kindle, books get marked in Goodreads as I start reading and when I finish.

Then this email arrives to suggest a different type of finishing.

Screenshot of Goodreads sex spam email

As an appsec guy, it’s hard — err difficult — not to find this interesting.

We can infer that there’s ineffective or non-existent controls against botting on this Amazon-affiliated site.

We can infer that the input validation for usernames is super liberal.

We can infer there are social features that may be little-known to most Goodreads members — making this an excellent means of popping an email to them.

Honestly this is a great spam vector and not even being used to its potential here.

What does my reading history look like?

Screenshot of my Goodreads history

It’s not that spicy. There’s no erotica. But you might find people that do have that and target your spammy campaigns appropriately.

More to the point, “e-whoring” as popularized by could prove quite successful. Just a guess.

Watch yourselves out there in this sex-crazed world. Not even Goodreads is safe from heathens.

An e-whoring advertisement from

Randy Gingeleski - GitHub - - LinkedIn