will spammers abuse the email-a-friend feature?

sneakyimp

i am considering adding a feature to my project that will allow users to send an email to a friend which contains a link to the current page. i've seen this in many places on the internet such as msnbc.com, etc.

the user will be able to enter a friend's email address and write a short message. most of the email message (a greeting, a link, some text) will be beyond the user's control. but they will be able to type a short message.

do spammers generally attack this kind of feature? in the event it does get attacked, is there any reliable way to detect spamming like screening by IP or something?

i was hoping someone with more experience might give me some perspective.

bretticus

Probably okay. Just make sure that you do not enable html (default) in the email headers so the message always arrives as text. Filter all absolute URLs. Another issue may be CSS or Cross Site Scripting. Take a look at htmlspecialchars() . I suppose, the same goes for an html message as well (if you must.)

sneakyimp

it is likely that we'll want to send HTML mail so that users get really nice looking messages. you only get one change to make a first impression 😉

i'm aware of htmlspecialchars and was expecting fully to screen anything that could be an html tag--css or otherwise--by calling html specialchars on the POSTed text.

i'm guessing spammer interest in such an exploit will be a function of how much they can control the appearance of the email. i expect to reduce that as much as possible.

does anyone have techniques for detecting exploiters? i know these spam folks can be quite clever. i'm guessing you might see a bunch of requests from a single IP address. or perhaps similar content in the messages.

bretticus

There is a free class out there (I cannot remember the name) that can be used within your form to prompt the user with one of those rendered-on-the-fly alphanumeric images to avoid bots submitting mass amounts of email. I'm sure you've seen them before. I just can't remember what they are called at the moment.

Also, there are regular expression patterns you can make or google that will strip all html tags out of a message. Forcing the message, at least, to be plain text (you can at least apply nl2br() function on it, for example.)

sneakyimp

thanks!

rikmoncur

image verification is called 'captcha' and you can download a php script here: http://www.neoprogrammers.com/

cyberlew15

you would need gd'lib I think and still it's not that good. Do what php builder has done put a timer onto the page so that they can only send a message once every 30 seconds or every minute. just so you do not ask use a JavaScript Countdown script linked to the submit form button this way it cannot be submitted because the button is inactive. borland and macromedia etc have used this before to try to force people to read their terms and conditions and most WaReZ sites (look for the fake ones) use Timers in order to con you into voting for them 🙂 (ahem according to common knowledge anyways 😉 )

bretticus

just so you do not ask use a JavaScript Countdown script linked to the submit form button this way it cannot be submitted because the button is inactive

I think that a timer is a great idea. However, you CANNOT rely on JavaScript. When you have a bot sending a raw POST to your form handler, JavaScript will not matter a hill of beans. You could, however, store the submitor's ip address in a database table complete with timestamp. You cannot rely on a session here either because once again, that's a client side cooperative event. IOW, my bot doesn't care about session cookies (especially when their purpose is to keep you from posting.)

Some remote clients use proxy servers. This means, by following my database ip suggestion, you may, in effect, lock out legitimate users for 30 seconds or so (AOL lusers...ah...users 😃 )

If you can make CAPTCHA work, I think it's still the best way to foil bots.

cyberlew15

You can't make javascript stop bots this I know because the bot will ignore active scripting but you can check where the form data is being submitted from as well as the javascript this should stop bots. I too like the sound of this CAPTCHA but I would'nt use it because I can hardly ever read the text in the image all of the zigzagy lines turn G's into 6's. The best feature according to bretticus is the AOL users possible problems we can only pray that all AOL users continue to have a diminished internet service 🙂