After reputable companies became concerned about privacy, they started to add a privacy policy to their websites and to switch to an “opt in” process for marketing email. That meant that the marketing folks could only send you an email if you gave them permission. Some clever marketing folks developed the “Email a Friend” function to get around this annoyance.
The function has several names, but they all work in a similar manner. When you select this feature, you are presented with three input boxes. You are asked to enter your email address, the email address of your friend and some clever words to send to the friend. The function creates an email from you to your friend, adds some marketing message about how great the product/site/service/etc. on this page is, and adds your comment. Since the email appears to be from you, the marketing folks can weasel around the privacy issue.
Of course this is ripe for abuse, and with a few lines of code it can be turned into a great non-traceable spambot or even used to flood an email box and perhaps create a denial of service. If the clever spammer puts in the email address of an employee of the company, it adds even more fun. Since the company email server sent it out, it becomes hard to claim that someone else sent it. In addition to flooding an email box, a truly angry spammer can also add some very abusive and profane comments in the little text box.
Should this little tool cause an email server to clog and possibly to shut down, then the target may call in the lawyers. While you may be able to claim that the person in the “from” line did not send out the email, you are still responsible for the misuse. If you want to appear as a leading edge technology company or want to sell technology services to other companies, the bad press alone will cost a large chunk of revenue.
In a company I worked at, we had one of these pop up on a website. When confronted with the potential danger, the marketing person’s response was that very few people use it and no one has abused it yet. Somehow leaving a loaded gun on the street and claiming that it was OK since no one was shot yet seemed a bit weak. After a chat with our legal folks, a quick directive landed on the desk of that marketing person’s top management ordering that it get removed immediately.
Somehow adding a function to one company website that is reckless and dangerous, has no measurable benefits, and is rarely used by the customers does not strike me as a good idea.
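The two abuses described above (flooding one mailbox, and using the form as a bulk mailer) both show up as request volume, so a site that keeps such a form can bound them with per-recipient and per-client limits. The sketch below is an added example, not code from the site discussed in this post; the class name, thresholds and sample traffic are all constructed assumptions.

```python
import time
from collections import defaultdict, deque

class SendToFriendGate:
    """Sliding-window limits for a share-by-email form (hypothetical helper)."""

    def __init__(self, per_client=3, per_recipient=2, window=3600):
        self.per_client = per_client        # sends allowed per client address
        self.per_recipient = per_recipient  # mails allowed into one mailbox
        self.window = window                # window length in seconds
        self._by_client = defaultdict(deque)
        self._by_recipient = defaultdict(deque)

    def _recent(self, q, now):
        # Drop timestamps that have aged out of the window, then count.
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def check(self, client_ip, recipient, now=None):
        """Return (allowed, reason); the send is recorded only when allowed."""
        now = time.time() if now is None else now
        rcpt = recipient.strip().lower()
        # The form takes exactly one friend's address, nothing list-like.
        if any(c in rcpt for c in "\r\n,; ") or rcpt.count("@") != 1:
            return False, "invalid-recipient"
        cq, rq = self._by_client[client_ip], self._by_recipient[rcpt]
        if self._recent(rq, now) >= self.per_recipient:
            return False, "recipient-flood"   # one mailbox being filled
        if self._recent(cq, now) >= self.per_client:
            return False, "client-bulk"       # one client mailing many boxes
        cq.append(now)
        rq.append(now)
        return True, "ok"

def replay(requests, gate):
    """Run constructed (time, ip, recipient) tuples through the gate."""
    return [gate.check(ip, rcpt, now=t)[1] for t, ip, rcpt in requests]

# Constructed sample traffic using documentation addresses, not real data.
SAMPLE = [
    (0, "203.0.113.5", "friend@example.com"),
    (1, "203.0.113.5", "friend@example.com"),
    (2, "203.0.113.5", "friend@example.com"),    # third mail to the same box
    (3, "198.51.100.7", "Friend@example.com"),   # other client, same box
    (4, "203.0.113.5", "a@example.org"),
    (5, "203.0.113.5", "b@example.org"),         # client budget now spent
    (3700, "203.0.113.5", "friend@example.com"), # window has passed
]
```

The limits do nothing about the unverified "from" address or the free-text comment, so a rejected or allowed send should still be logged with the client address for later review.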