The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

"e-mail this article" abuse?

I'm updating a site for a friend and want to add an "e-mail this article" button to each page that will send a link to the article along with a brief message from the user. Obviously the code to do this is trivial, but I'm concerned about the potential for abuse.  For example, a spammer could write a script to e-mail the article link to thousands of people along with an ad to buy viagra.  I suppose I could throttle requests by IP address, but I seem to recall that some services like AOL use the same IP address for many users.  Also, I'm trying to avoid using a database on the site (to reduce complexity and hosting costs), so I don’t have a great way to log IPs.  This seems like a pretty common problem.  Anyone have a good approach? Thanks!
dan
Monday, June 06, 2005
 
 
AOL and most dialup services don't use the same IP for many users *simultaneously*.  They have a pool of available IPs, and when you dial in, you're given one from the pool.  When you disconnect, it's put back into the pool.

You can still limit by IP address - say, 1 email per minute per IP, with a global limitation of maybe 1 email per 10 seconds (this could vary depending on your expected total traffic, of course).  This way, a single IP can't spam very effectively, and a spammer can't get a bunch of drones on multiple IPs to all hit you at the same time either.
Marco Arment
Monday, June 06, 2005
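
The limits suggested in the reply above (one e-mail per minute per IP, one per 10 seconds overall), as an added example that is not part of the original thread. It keeps state in memory rather than a database, which assumes the site runs as a single long-lived process; `SendLimiter`, `replay` and the sample traffic are hypothetical names and constructed data.

```python
import time

class SendLimiter:
    """In-memory throttle: one e-mail per IP per minute, one per 10 s overall."""

    def __init__(self, per_ip_interval=60.0, global_interval=10.0, clock=time.monotonic):
        self.per_ip_interval = per_ip_interval
        self.global_interval = global_interval
        self.clock = clock
        self.last_by_ip = {}      # ip -> time of last accepted send
        self.last_global = None   # time of last accepted send from anyone

    def check(self, ip):
        """Return "ok" and record the send, or name the limit that blocked it."""
        now = self.clock()
        # Drop entries older than the per-IP window so the dict stays small.
        self.last_by_ip = {a: t for a, t in self.last_by_ip.items()
                           if now - t < self.per_ip_interval}
        if ip in self.last_by_ip:
            return "per-ip"
        if self.last_global is not None and now - self.last_global < self.global_interval:
            return "global"
        self.last_by_ip[ip] = now
        self.last_global = now
        return "ok"

def replay(events):
    """Run (seconds, ip) events through a fresh limiter using a simulated clock."""
    now = [0.0]
    limiter = SendLimiter(clock=lambda: now[0])
    results = []
    for seconds, ip in events:
        now[0] = float(seconds)
        results.append(limiter.check(ip))
    return results

# Constructed sample traffic; addresses are from the documentation ranges.
SAMPLE = [
    (0, "192.0.2.10"), (5, "192.0.2.10"), (6, "198.51.100.7"),
    (12, "198.51.100.7"), (30, "192.0.2.10"), (61, "192.0.2.10"),
    (62, "203.0.113.5"),
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, verdict)
```

Rejected requests are not recorded, so a blocked sender does not extend its own wait or use up the global slot.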
 
 
Any built-in limitation will require queuing... complicating application design and hosting.

My suggestion, offset the problem to someone else. Inform your ISP of your intentions and that you could very well be exposing their SMTP server to this type of traffic. More than likely, they have throttling built-in and can control this for you (and by control I don't mean "disabling your email account").
Anonymous Coward
Monday, June 06, 2005
 
 
Why not just use the "image codes" which are popular among many websites today? Basically, you generate an image dynamically containing alphanumeric characters. Then the user must type the alphanumeric characters into a text field to proceed. This should prevent automated means of 'attack' on your e-mail link.

Here is an example for ASP.net:
http://www.codeproject.com/aspnet/antiauto.asp
Sean Mountcastle
Monday, June 06, 2005
 
 
The code on this page is very easy to break. A medium-experienced programmer would do it in an hour. But I've seen better image codes -- twisted, bent and polluted. Use something like that.

Tuesday, June 07, 2005
 
 
Well, in cases like these it's not about making it impossible, just about raising the bar a bit so they go and pick on one of the many other easier targets on the net instead.
Matt
Tuesday, June 07, 2005
 
 
I wouldn't use image codes. What is the point of having the link in the first place? I would assume it is there to make it EASIER for someone to email a link to the page, not HARDER. If they have to type in image codes and such, then what exactly have you done for them? It is very easy to use the "tools->mail and news->Send a link" option in IE. If you make it much harder than that then you aren't really providing much.
squidward
Tuesday, June 07, 2005
 
 
Why not use a "mailto:" link so that the act of sending the message is pushed back to the user's PC?
Anon
Saturday, June 11, 2005
 
 
Do the readers of the web site actually need a button that emails a link? If they wanted to email it to their friends, don't you think they'd ... just email it to their friends?
Michael Sica
Friday, June 17, 2005
 
 
Agreed with above.  You are addressing a non-problem.  It's not hard to email someone a link.

If it's just an afterthought feature, I'd say leave it.

Wednesday, June 22, 2005
 
 

This topic is archived. No further replies will be accepted.
