Agree with everything but that...
At our SOC, we see more and more spammers relying on chain-letter lists.
So instead of mailing a database of a million email addresses from a single email (e.g.
[email protected]), to evade larger tracking (e.g. our GIN, or global intelligence network) they will send them from multiple email addresses.
Nothing new until here... but recently, instead of selling databases of "just" email addresses, they now have "referrer" addresses, so spammers will spoof the email to come from a "friend".
This way, they have a higher probability of being read (and going through whitelists).
The way they get the referrer address is by harvesting chain letters - there usually is a large list of valid addresses contained, as well as "trusted" referrers...
So while you comment would be very valid normally, recently we've stopped giving that advice - his email doesn't HAVE to be compromised because your friends have spam from you.
M.