Best practice to avoid "add friend" abuse

Question

I have a PHP / CodeIgniter site with basic social functionality which obviously includes an "Add friend" link. When clicking this link an AJAX call is made in the background, which adds the user associated with the link as a friend of the logged in user. Also the link transforms into "Remove friend" which does what it says on the tin, just the way "Add friend" does.

When "Add friend" is clicked the user who's added as a friend is notified via e-mail that he or she has been added as a friend. This is where my question comes in: I want to avoid spamming the user with these notification e-mails if the logged in user keeps clicking add / remove / add / remove / etc.

My idea is to set up sort of an add history table which records the 2 user ids and a timestamp. And I'd only send out an e-mail if the (current time - timestamp) is bigger than a set value. And every time a user would re-add a friend I'd update the timestamp to the current time so it "extends" the valability of the spam control. With this method I could also control if a user wants to add too many friends in a given interval.

This table would be cleared from time to time for records with the timestamp farther away in the past than a given value.

This is my idea, if you have other ones or used different methods please share.

Thanks for reading.

Answer 1

I think it's best that you make the add friend option a two way thing. So the first user invites someone else to be his/her friend (changing the "add friend"-link into something like "invited" which is not a link). The other person then has to accept the first user as a friend. After that both of the users can delete the friendship, but after that, if one of them decides to be friends again he can invite the other one again. You can put some sort of validity-period to this invitation of course, or some limitations (ie. one can only invite someone else three times)...

This way you won't be spamming users with emails (at least because some clicks a link too often), and people have a bit more control over who they are friends with. Of course, this approach does have some downsides (like what to do with ignored invitations, etc..).

The way you describe in your question I think is also a good way of fighting spam, you can also do something like limiting the number of times someone can add another user as a friend (ie once per day, three times a week, I don't know, something like that)..

Answer 2

Sounds to me like the best option. To simplify, I'd probably send out the email if the record exists at all (instead of checking based on a timestamp), and then set up a cron to systematically dispose of the old ones - that way you can have a bit more control over the time limits (your "limiting" logic would go into the cron script, so you could decide whether to remove the records or not based on more complicated parameters than just a timestamp - e.g. don't remove the record if a particular user has a large amount of activity, to stop spammers. You could even be user or account-type specific, but I do have a tendency to go overboard...)

As far as I can tell, Facebook has "Add Friend" -> "Pending request". From there, you can't do anything until the other person responds, so you can't spam requests at all, but I guess that depends if you require confirmation on the other end, and it's subject to your own tastes.