I'm building a web application, call it http://mywebapp.com, where a user should be able to create a newsletter and email it to everyone in his user account's contact list. So he can checkmark all his friends, select an HTML template, fill in the body content, and send.

The only catch to this is that after the user sends the email, the recipient must NOT be allowed to trace the source of the email back to http://mywebapp.com.

The reason for this condition is that the user is a "reseller" of my business who wants to appear as if he's an independent business. If liability issues arise due to the reseller's undue usage, I do not want to be caught up in the legal issues. Hence, I do not want anything about my business or technology to be traceable back to me by newsletter recipients.

What's the best way to achieve this?

A: 

In my opinion, one way to do it is to get the configuration parameters of the user's email and send it via his SMTP server. In this way you actually send it from your user's email. The problem is that your user should know what he's doing when he gives you the parameters.

Another way could be to rewrite the email header sent from your mail server. In this case it is just appearance.

dierre
The email server will still likely reveal the IP of the originating connection (the server you're trying to hide).
Shin
Yeah, that's true, but if the user sends via SMTP, he needs to log in, so he's doing it.
dierre
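
The comment above points out that the mail server still records the originating connection even when the visible headers are rewritten. As an added example (not part of the original thread), this Python sketch parses a constructed message the way a recipient or analyst would and lists the trace headers that do not match the `From:` domain. All domains, IPs and function names are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (documentation domains and IPs only): the From: header
# names the reseller, but each relay still prepended its own Received: line.
SAMPLE = """\
Received: from smtp.reseller.example (smtp.reseller.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id abc123;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from app01.platform.example (app01.platform.example [203.0.113.25])
\tby smtp.reseller.example with ESMTPSA id def456;
\tMon, 01 Jan 2024 10:00:01 +0000
From: Reseller News <news@reseller.example>
Subject: January newsletter
Message-ID: <20240101100000.1234@app01.platform.example>

Hello
"""

HOP_RE = re.compile(
    r"from\s+(?P<host>\S+).*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bby\s+(?P<by>\S+)",
    re.S,
)

def in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def received_chain(msg):
    """Hops oldest first: (sending host, sending IP, receiving host)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):  # newest is on top
        m = HOP_RE.search(raw)
        if m:
            hops.append((m["host"], m["ip"], m["by"]))
    return hops

def origin_report(raw_message):
    """Compare the visible From: domain with the headers relays added."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_chain(msg)
    mid_domain = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2]
    mismatches = []
    if hops and not in_domain(hops[0][0], from_domain):
        mismatches.append("Received")
    if mid_domain and not in_domain(mid_domain, from_domain):
        mismatches.append("Message-ID")
    return {"from_domain": from_domain, "origin": hops[0] if hops else None,
            "mismatches": mismatches}
```

Calling `origin_report(SAMPLE)` reports the oldest hop and flags both `Received` and `Message-ID` as pointing at a different domain than the one shown in `From:`.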
A: 

Well, the email must appear to come from somewhere. If it isn't http://mywebapp.com then it must be another centralized email server. It is impossible to appear to come from the user's personal email account. The reason for this is that even if the user grants you access to their SMTP server, you won't be able to connect to them from your application server and send emails.

This is so because most Internet Providers restrict access to the SMTP server to IPs in their network (to avoid spam, of course). Email providers like Gmail do allow remote connections, but I guess it will be difficult to find a general solution.

My recommendation is to create an email account for every user that uses your application. Name it something like [email protected]. Make all the emails that the user is sending to come from this email account.

kgiannakakis
+4  A: 
  1. Legal department - draft a disclaimer about a) acceptable usage for your client b) your right to monitor, and c) your indemnification from anything he does.

  2. The email you end up sending should contain unsubscribe links that can't be changed by your client. Though, these will link back to /your/ site. However, you need to provide your victims a way to opt out. If you're not ok with that, you should just sell (a copy of) the software outright, and let your purchaser administer the whole shebang.

Shin