It would be nice to have something like this http://www.local599.org/cgi-bin/tell/3/tell.cgi to inform users of your site!
2. Send this Post to a Friend (http://www.amdragon.com/cgi-bin/wwwthreads/showthreaded.pl?Cat=&Board=hack&Number=1191&page=2&view=collapsed&sb=5)
Let me point out that (without looking at the specific code for any of these hacks) the abuse potential on them is QUITE high, and I wouldn't (personally) recommend it to anyone.
Hi Dredd. We were thinking about implementing some sort of "tell a friend" thing but we were concerned about abuse too. We decided that once we got W3T up we would integrate it with that to have the message sent to the "friend" include the (already verified by W3T) email address of the person doing the sending (and they would be told that this would happen). The idea was that people wouldn't spam if they couldn't do it anonymously. We were also planning to notify the "friend" that they could have their email address put on a list to block such emails from our site in the future. I don't know if Eileen's hacks have such things already built in (I haven't looked). Do you think there would still be a significant risk of abuse? Any interesting stories you would like to share? Thanks.
Bill Dimm, MagPortal.com (http://MagPortal.com/) - find magazine articles
Hotmail, Excite, Yahoo all offer what a spammer considers "throwaway" e-mail addresses.
e.g., they get a freemail account, register with your board, and then spam the hell out of someone.
It needs to have some rate-limiting involved. (e.g., maybe you can only invite X users per month, where X is some value calculated based on the number of posts you yourself have made. Likewise, address foo@domain.com can only RECEIVE Y invitations, to prevent someone from using you to mailbomb someone.)
It gets very cluttered and confusing, and (from my practical experience) isn't worth the effort, as the recipient almost always considers it spam and deletes it without reading.
Yes, it does. (Sadly). I haven't seen it exploited in the wild, but that doesn't mean I think we should add a bunch of new "features" with the same vulnerability, either.
My hacks all include the poster's email address and they can only send to *one* recipient. I think it would take too much of their energy to keep sending over and over for them to bother. There are much easier ways to spam if that's what they're into...
Hmmm, LWP is your friend. Shouldn't be too hard to do:
    foreach $victim (@bigarray) {
        my $req = new HTTP::request(GET "blahblah&address=$victim");
        my $response = $ua->request($req);
    }
(syntax here is intentionally boned, too lazy to look it up). Point is, it can't be that hard at ALL to use it as a nice convenient spam tool, using the web site's mail path as the source.
Anybody who is prepared to go to those lengths is going to find a way whatever we do. I see no reason to cripple our sites in a futile attempt to thwart them.
Just FWIW, we've had a "refer a friend" feature on our site for four years. We average 100K pages served per day and have our share of psychos and we've NEVER EVER had the "refer a friend" feature abused. Not one single complaint in four years.
So while I'm not saying it can't happen, there are
1. easier ways for stupid people to screw with you
and
2. easier ways for smart people to screw with you.
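The per-sender and per-recipient limits suggested earlier in the thread, combined with the opt-out list, as an added example that is not code from any poster or from WWWThreads. The class name, the quota formula and the numeric limits are assumptions chosen for illustration.

```python
from collections import defaultdict

WINDOW = 30 * 24 * 3600  # "per month" taken as 30 days, in seconds (assumption)

class InviteLimiter:
    """Caps for a tell-a-friend form: X per sender, Y per recipient, plus opt-out."""

    def __init__(self, base=2, posts_per_extra=10, ceiling=20, recipient_cap=3):
        self.base, self.posts_per_extra = base, posts_per_extra
        self.ceiling, self.recipient_cap = ceiling, recipient_cap
        self.sent = defaultdict(list)      # sender id -> send timestamps
        self.received = defaultdict(list)  # recipient address -> timestamps
        self.blocked = set()               # addresses that opted out

    def sender_quota(self, post_count):
        # X grows with the sender's own posts, so a fresh throwaway
        # account only gets the small base allowance.
        return min(self.ceiling, self.base + post_count // self.posts_per_extra)

    @staticmethod
    def _norm(addr):
        # Fold case and whitespace so trivial variants share one counter.
        return addr.strip().lower()

    def _recent(self, log, key, now):
        # Drop entries older than the window, return how many remain.
        log[key] = [t for t in log[key] if now - t < WINDOW]
        return len(log[key])

    def block(self, recipient):
        self.blocked.add(self._norm(recipient))

    def try_send(self, sender, post_count, recipient, now):
        """Return (allowed, reason); record the send only when allowed."""
        rcpt = self._norm(recipient)
        if rcpt in self.blocked:
            return False, "recipient opted out"
        if self._recent(self.sent, sender, now) >= self.sender_quota(post_count):
            return False, "sender quota exhausted"
        if self._recent(self.received, rcpt, now) >= self.recipient_cap:
            return False, "recipient cap reached"
        self.sent[sender].append(now)
        self.received[rcpt].append(now)
        return True, "ok"

if __name__ == "__main__":
    lim = InviteLimiter()
    # Constructed sample: four accounts target one address; the fourth is refused.
    for who in ("u1", "u2", "u3", "u4"):
        print(who, lim.try_send(who, 0, "Foo@Example.com", now=1000))
```

The counters here live in memory; a real board would keep them in the same database that holds the user's post count, so the limits survive restarts.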