Tuesday, December 13, 2005

Poor designers choose to use the Mailto function

I was designing websites when the Mailto: option started appearing. For people building simple sites, it provided a way to let the user send mail. Unfortunately, spammers started using web crawlers to search for email addresses. Today, web designers who continue to use it are either (1) forced to do so by their client, (2) only able to use simple drag-and-drop tools, or (3) clueless or lazy. Creating a form and processing the request on the server is safer and allows you to send the information to many different addresses. It also has the advantage of hiding the email address from the spammers. There is no excuse for continuing to use a Mailto:. You can easily get a copy of any of a number of form-processing programs that can be easily modified to fit your needs. When I pointed out to one IT manager that using this option increased the amount of spam, he replied that they used an email filtering program. He was not bothered by the fact that he had to use an expensive solution, which requires continuous updates, to solve a simple and easy problem. I believe in using a good design, not wrapping a bad design with more software.
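A sketch of the server-side approach described above, added here as an example and not taken from any particular form-processing program. The routing table, addresses, field names and form markup are all constructed for illustration, and actually sending the message (for example with `smtplib`) is left out.

```python
import re
from email.message import EmailMessage

# Constructed routing table: the form submits only the key; addresses stay on the server.
RECIPIENTS = {
    "sales": ["sales@example.com", "crm@example.com"],
    "support": ["support@example.com"],
}

# Constructed form markup: note that no address appears anywhere in it.
FORM_HTML = """<form method="post" action="/contact">
<select name="dept"><option>sales</option><option>support</option></select>
<input name="reply_to"><input name="subject"><textarea name="body"></textarea>
</form>"""

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def exposed_addresses(html):
    """Audit check: list any e-mail addresses a crawler could read from the markup."""
    return ADDRESS_RE.findall(html)


def build_message(form):
    """Validate a submitted form (dict of str) and return the message to send."""
    dept = form.get("dept", "")
    if dept not in RECIPIENTS:
        raise ValueError("unknown department")
    reply_to = form.get("reply_to", "").strip()
    subject = form.get("subject", "").strip()
    # Reject CR/LF so visitor input cannot add headers or extra recipients.
    if any(c in reply_to + subject for c in "\r\n"):
        raise ValueError("line break in header field")
    if not ADDRESS_RE.fullmatch(reply_to):
        raise ValueError("invalid reply address")
    msg = EmailMessage()
    msg["From"] = "webform@example.com"  # fixed sender, never visitor-supplied
    msg["To"] = ", ".join(RECIPIENTS[dept])  # one submission, several recipients
    msg["Reply-To"] = reply_to
    msg["Subject"] = subject[:120]
    msg.set_content(form.get("body", "")[:5000])
    return msg
```

Running `exposed_addresses` over a page that still carries a `mailto:` link returns the address a crawler would collect, which makes it usable as a quick audit of existing pages.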




Tuesday, December 06, 2005

“Email a Friend” especially a Spammer

After reputable companies became concerned about privacy, they started to add a privacy policy to their websites and to switch to an “opt in” process for marketing email. That meant that the marketing folks could only send you an email if you gave them permission. Some clever marketing folks developed the “Email a Friend” function to get around this annoyance.

The function has several names, but they all work in a similar manner. When you select this feature, you are presented with three input boxes. You are asked to enter your email address, the email address of your friend, and some clever words to send to the friend. The function creates an email from you to your friend, adds some marketing message about how great the product/site/service/etc. on this page is, and adds your comment. Since the email appears to be from you, the marketing folks can weasel around the privacy issue.

Of course, this is ripe for abuse, and with a few lines of code it can be turned into a great non-traceable spambot or even used to flood an email box and perhaps create a denial of service. If the clever spammer puts in the email address of an employee of the company, it adds even more fun. Since the company email server sent it out, it becomes hard to claim that someone else sent it. In addition to flooding an email box, a truly angry spammer can also add some very abusive and profane comments in the little text box.


Should this little tool cause an email server to clog and possibly shut down, the target may call in the lawyers. While you may be able to claim that the person in the “from” line did not send out the email, you are still responsible for the misuse. If you want to appear as a leading-edge technology company or want to sell technology services to other companies, the bad press alone will cost a large chunk of revenue.

In a company I worked at, we had one of these pop up on a website. When confronted with the potential danger, the marketing person’s response was that very few people use it and no one has abused it yet. Somehow leaving a loaded gun on the street and claiming that it was OK since no one was shot yet seemed a bit weak. After a chat with our legal folks, a quick directive landed on the desk of that marketing person’s top management ordering that it get removed immediately.

Somehow adding a function to one company website that is reckless and dangerous, has no measurable benefits, and is rarely used by the customers does not strike me as a good idea.




