Send-to-a-Friend Or Spam Relay?

This week I had a question of my own, so I tapped into the Inbox Insiders, a discussion group formed by Bill McCloskey to facilitate networking and allow participants to pose questions like these. Thanks to Bill and the experts who responded.

Dear Inbox Insiders,

My client is concerned about allowing Send-to-a-friend (STAF) functionality on their site, as their IT department says STAF can be used to turn servers into spam relays. They want us to require the user to click on a response e-mail or enter a code that appears as a graphic, à la Ticketmaster. Is this a legitimate concern?

The E-mail Diva

Cullin J. Wible, CTO and Co-Founder of E-mail Data Source: What you are referring to is called a CAPTCHA and is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart." See the following:

http://en.wikipedia.org/wiki/Captcha

http://www.captcha.net/

CAPTCHAs were developed to stop people from using spiders or other automated programs to access certain functionality. While they can be broken, the better ones that use a script style font or overlay other images in the background are generally effective. Either way, they keep the casual programmer out.

With so many complicated scripting languages and frameworks around these days, it's almost too easy to throw together applications that can access sites automatically, which is why they are becoming more common. So any time you want to make sure it's a person, you have to use a CAPTCHA.

Bill Nussey, CEO of Silverpop: The STAF functionality will ultimately be a poor relay because very few applications like that could process any volume. Nonetheless, I have heard of cases where lawyers got involved because the same functionality was used to send hate mail anonymously. In any event, a CAPTCHA would be a good idea.

My follow-up question: Is it really necessary? I hate to put any obstacles in the way of a viral impulse.

Bill Nussey: In my view as an ex-programmer, a STAF would be a lousy way to hack together a proxy server. It would be FAR better to put a limit on the number of STAFs you could send in a period of time (e.g., 20 per minute) or from a single IP, than to add a CAPTCHA. However, as a counterpoint, the folks at [company name withheld] had this problem. I was getting Nigerian money-type things. They were personalized to me. They came through the company's Send-to-an-Author web page. They added a CAPTCHA and it went away.

Nonetheless, my recommendation would be to limit the number of STAFs that can happen from a single IP to 10-20 per hour. That would solve the main problem and be much easier on users.

Cullin J. Wible: I would also ask whether this feature is available to anonymous or authenticated users. If it's the latter, then you could cap STAF per user per day at a high number that most people would never hit. If it's the former, you could limit by the originator's e-mail address, destination e-mail address and content. If you count the number of sends with that combination, you could ensure that a single piece of content would not be sent from the same person to the same friend too many times, eliminating some of the abuse potential.

Sending a confirmation e-mail message to the user that initiated the STAF could just as easily be automated by a possible abuser. This does introduce another level of deterrent, but it's not that hard to work around. If your client is really concerned about this, then a CAPTCHA is really the only way to go.
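The two throttles the respondents describe, a per-IP hourly cap and a cap on the same sender, friend and content combination, can be combined in one check before a STAF message is queued. The sketch below is an added example, not code from the column or any of the companies named; the class name, the in-memory storage, the one-day window and the limit of 2 repeat sends are assumptions.

```python
import hashlib
import time
from collections import defaultdict, deque

IP_LIMIT = 20          # sends per IP per window (the column suggests 10-20 per hour)
IP_WINDOW = 3600       # one hour, in seconds
TRIPLE_LIMIT = 2       # assumed cap: same sender -> same friend -> same content
TRIPLE_WINDOW = 86400  # assumed window for the triple cap: one day


class StafLimiter:
    """Sliding-window limiter kept in process memory (assumption: single web node)."""

    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable so the windows can be tested
        self.by_ip = defaultdict(deque)       # ip -> timestamps of accepted sends
        self.by_triple = defaultdict(deque)   # hashed triple -> timestamps

    @staticmethod
    def _triple_key(sender, recipient, content_id):
        # Normalise addresses so "A@Example.com " and "a@example.com" count together.
        parts = (sender.strip().lower(), recipient.strip().lower(), content_id)
        return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

    @staticmethod
    def _prune(queue, cutoff):
        # Drop timestamps that have aged out of the window.
        while queue and queue[0] <= cutoff:
            queue.popleft()

    def allow(self, ip, sender, recipient, content_id):
        """Return (allowed, reason). Only accepted sends count toward the limits."""
        now = self.clock()
        ip_q = self.by_ip[ip]
        tr_q = self.by_triple[self._triple_key(sender, recipient, content_id)]
        self._prune(ip_q, now - IP_WINDOW)
        self._prune(tr_q, now - TRIPLE_WINDOW)
        if len(ip_q) >= IP_LIMIT:
            return False, "ip_rate"
        if len(tr_q) >= TRIPLE_LIMIT:
            return False, "duplicate_send"
        ip_q.append(now)
        tr_q.append(now)
        return True, "ok"
```

Logging the rejection reason alongside the IP gives the site a record of which control is firing, which helps decide whether a CAPTCHA is needed on top.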

Isn't it great to know smart people? If you have enthusiastic readers who want to send your message to friends safely, I wish you...

Good luck!

The E-mail Diva