Let's say I have a website that allows users to send articles on that website to a friend.

The way it works is that when the "send to a friend" link is clicked, a form appears that allows users to fill in the details, and an email is sent to their friend.

The user can put in a "from" email address and a "to" email address into this form and a small amount of content.

When the email is received the from email address appears in the FROM and REPLY TO.

This website also sends a great deal of its own email communications to its users.


My question is:

Is there risk to allowing users (bots, attacks etc) to use this application to send emails from my SMTP, and how great is the risk?


My assumption is yes, this is not ideal.

Is it possibly worse than "not ideal"?


+1  A: 

Yes, this is definitely not ideal if this is a public website that any bot can access. But there are easy ways for you to limit spam use.

  1. Have your code limit any email address to sending ~50 emails a day and only ~10 an hour, based on your needs. A bot would probably try to send a million at once, so limit them on an hourly and daily basis.
  2. Store every email communication in a database and come up with a good program to monitor the most active email senders. If you can verify that an email is trusted, then let them send as many emails as they want.

Think about this site itself: it has very defined actions and reputation guidelines that limit you until you have proved you are trusted.

JiminyCricket
+1  A: 

It may depend on whether you do any authentication to determine who's allowed to send emails. If the user has to be logged in to send articles, then you're probably fine. Bots will fail because they'll never be logged in.

The risk will increase the greater traffic you get to your site, and yes it's probably less than ideal. Unprotected, a bot will inevitably find your unprotected form, and start sending emails from your server.

There are some pretty easy solutions though, the most common probably being to implement something like Captcha.

Freddy
+1  A: 

I do not know about bots using your form. Should it be a problem? I don't know.. I do know they program bots to be pretty clever, using your custom forms and all.

I do know that some email servers check if the FROM email address has the same IP address as the IP the mail was sent from. So imagine I put in my hotmail email address, and the mail server sees your server, it might flag the email as spam.

In the past I had an e-card web system. It was a small joint venture with a girl I knew. She created the (cute) cards and I built her an e-card system. The website was pretty simple: select a card, enter an email address, place the sender's email address in the FROM, and send the email saying that you had received an e-card.

Life was good...

Until I found that my entire web server IP was blacklisted at three major spam filtering mechanisms. And that 15% of all email recipients who used to receive e-cards from my site would not receive their e-cards, because all my emails were blacklisted as spam from the get-go. We received many, many emails from angry "customers" demanding that their e-cards did not arrive. (I still find it funny how some people demanded the service, especially since it was a free service, go figure.) My automatic reminder function was telling them the e-cards still were not viewed, and that they had perhaps mistyped the email address, so that might have ticked them off :P

It was pretty annoying for my other customers as well, since they relied on sending out played newsletters and such, and they were calling me to say that over 20% of the customers did not receive the newsletters.

Sending e-mails is hard. You should also check out Jeff's blog about this. So, learn from my mistake, and please put an email address associated with your email server in the FROM. This will spare you a lot of headaches ;)

Arcturus
+1  A: 

Fairly safe. I assume you do check the "From" address, if only by sending it one (standard!) mail first and asking the owner of that email address to confirm they are really human? This prevents most bots from finding and abusing your form. Of course, a directed attack with a human responding to your verification email will still allow spamming. But you've got a much better trail if you have received at least one reply from the alleged "From" address.

However, I don't think this will work reliably. The introduction of techniques like SPF will mean that mails from "example.com" will only be accepted if they originate from an outgoing SMTP server in the *.example.com domain. If you're faking emails with From: addresses @example.com, the receiving SMTP server will see that you are in fact not part of *.example.com and reject the email - and probably blacklist your IP range for good measure.

MSalters
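
An added example, not code from any of the answers: it combines the per-address hourly and daily caps suggested in the first answer with the advice in the last two answers to keep an address on your own mail domain in From, moving the user's address to Reply-To. The address `noreply@site.example`, the 500-character note cap, and all function names are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque
from email.message import EmailMessage
from email.utils import parseaddr

SITE_FROM = "noreply@site.example"  # assumption: address on the domain your SMTP host is authorised for
HOURLY_LIMIT, DAILY_LIMIT = 10, 50  # the ~10/hour and ~50/day figures from the first answer

_sent = defaultdict(deque)          # sender address -> timestamps of accepted sends


def allow_send(sender, now=None):
    """Sliding-window check; records the send and returns True if under both caps."""
    now = time.time() if now is None else now
    log = _sent[sender.lower()]
    while log and now - log[0] >= 86400:      # forget sends older than one day
        log.popleft()
    last_hour = sum(1 for t in log if now - t < 3600)
    if len(log) >= DAILY_LIMIT or last_hour >= HOURLY_LIMIT:
        return False
    log.append(now)
    return True


def clean_address(value):
    """Return a bare address, refusing line breaks that would add extra headers."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in address")
    _, addr = parseaddr(value)
    if addr.count("@") != 1 or " " in addr:
        raise ValueError("not a single email address")
    return addr


def build_message(user_from, friend_to, note, article_url, now=None):
    """Build the 'send to a friend' mail without forging the user's domain."""
    user_from, friend_to = clean_address(user_from), clean_address(friend_to)
    if not allow_send(user_from, now):
        raise PermissionError("rate limit reached for " + user_from)
    msg = EmailMessage()
    msg["From"] = SITE_FROM        # matches the sending server, so SPF checks pass
    msg["Reply-To"] = user_from    # replies still reach the person who shared
    msg["To"] = friend_to
    msg["Subject"] = "An article was shared with you"
    msg.set_content(note[:500] + "\n\n" + article_url)  # keep user content small
    return msg
```

The in-memory dictionary only works for a single process; the database log suggested in the first answer is the natural place to keep these counters in production.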