Here is at least a superficially appealing question: why is the end result of giving your website an 'invite-your-friends' feature spam from you, as opposed to spam from your users and thus not your responsibility?

(For the moment, let's set aside WordsForWebmailProviders.)

There is clearly a continuum of email responsibility that runs from 'email you send unprompted' (which is clearly your responsibility), through 'form letters that your users ask you to send' to 'you're an email provider and you're sending a message that one of your users wrote from scratch' (note that even this end of things does not absolve you of all responsibility). To me, form letters are on the side of the line where you spammed.

Right now, my justification for drawing the line there is who created the 'bulk' part of the UBE definition of spam. When you create an 'invite your friends' feature or anything similar to it, you created the bulk, not any individual user (well, generally). However, when an advance fee fraud spammer uses your webmail system to email 10,000 people who have unclaimed lottery wins, it is that spammer who created the bulk, not you.

(I say that you created the bulk because, well, you did: you wrote the code that generates and sends all those boilerplate emails, you wrote some or all of the boilerplate, and the emails come out of your system.)

This does imply that it is impossible to create a web application that sends form letters for people without sending UBE spam (unless you can guarantee that your email is always wanted). Given the existence and arguable usefulness of 'mail your elected representative about issue <X>' systems, I'm not sure that I like this conclusion, but it seems inescapable.