There was an interesting article at 'The Register' today commenting on the potential dangers of 'Contact Us' forms. I bring it up because there was also a question asked today about the spam implications of the MSNM contacts fetching script, and many of the points raised in the article on 'The Register' also apply to this script.
The question asked by the visitor in the MSN script thread is as follows:
Can this be used to grab the MSN contacts and invite them, for spamming? It looks like it but I don't understand how to use it. I want to put it on my site and then have all visitors with MSN give me their contacts!
Although his tone leaves me doubting that his intentions are entirely honourable, he does raise a good point.
If this script (or the Gmail script, the AIM script or the Yahoo script I've commented on) is poorly implemented, then there is a danger that a malicious visitor could cause a lot of damage to your reputation.
So, for example, I wouldn't feel that the code in the tutorial I wrote about contacting a visitor's address book is ready for deployment. I highlight some of the issues here, but one I didn't comment on is the issue addressed in the article on 'The Register'.
If a malicious user were to flood your send-to-a-friend script with requests, there is a real possibility that the volume of emails generated could overload your server. Personally I don't think this is as big an issue as the potential damage to your reputation, but it is still worth considering.
The article suggests adding a CAPTCHA to these forms as a way to prevent bots from bulk-sending emails, but I don't really think that is sufficient. I'm still thinking about what would be sufficient, but there may well be a more thorough post about securing a send-to-a-friend script in the next few days.
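As an added example of one control that addresses the flooding problem above (it is not code from the original post or from any of the scripts it discusses), here is a sliding-window rate limiter for a send-to-a-friend endpoint written in Python. It is framework-independent: the web handler calls `check()` with the client address, the recipient address and the current time, and only hands the message to the mailer when the answer is `True`. The three limits, the class and function names, and the sample addresses are all assumptions chosen for illustration; `simulate_flood()` replays a constructed burst of requests from one client to show how few mails actually get out.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Illustrative limits (assumed values, not from the original post).
PER_CLIENT_LIMIT, PER_CLIENT_WINDOW = 5, 600          # 5 sends per 10 minutes per client address
PER_RECIPIENT_LIMIT, PER_RECIPIENT_WINDOW = 2, 86400  # 2 mails per day to any one recipient
GLOBAL_LIMIT, GLOBAL_WINDOW = 100, 60                 # 100 sends per minute for the whole site


class SlidingWindowLimiter:
    """Keeps the timestamps seen per key and allows at most `limit` of them in any `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> Deque[float]:
        q = self._events[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop timestamps that have left the window
            q.popleft()
        return q

    def would_allow(self, key: str, now: float) -> bool:
        return len(self._prune(key, now)) < self.limit

    def record(self, key: str, now: float) -> None:
        self._prune(key, now).append(now)


class SendToAFriendGuard:
    """Decides whether a single send-to-a-friend request may generate an e-mail."""

    def __init__(self) -> None:
        self.per_client = SlidingWindowLimiter(PER_CLIENT_LIMIT, PER_CLIENT_WINDOW)
        self.per_recipient = SlidingWindowLimiter(PER_RECIPIENT_LIMIT, PER_RECIPIENT_WINDOW)
        self.site_wide = SlidingWindowLimiter(GLOBAL_LIMIT, GLOBAL_WINDOW)

    def check(self, client_ip: str, recipient: str, now: float) -> Tuple[bool, str]:
        rcpt = recipient.strip().lower()  # normalise so Bob@Example.test counts as bob@example.test
        checks = [
            (self.site_wide, "site", "site-wide send rate exceeded"),
            (self.per_client, client_ip, "too many requests from this client"),
            (self.per_recipient, rcpt, "recipient already contacted recently"),
        ]
        # Evaluate every limiter before consuming any slot, so a rejected request
        # does not eat into the budget of the limiters that would have allowed it.
        for limiter, key, reason in checks:
            if not limiter.would_allow(key, now):
                return False, reason
        for limiter, key, _ in checks:
            limiter.record(key, now)
        return True, "ok"


def simulate_flood(n_requests: int, client_ip: str = "203.0.113.5") -> int:
    """Constructed scenario: one client fires n_requests, each to a fresh address, 100 per second."""
    guard = SendToAFriendGuard()
    accepted = 0
    for i in range(n_requests):
        ok, _ = guard.check(client_ip, f"victim{i}@example.test", now=i * 0.01)
        accepted += ok
    return accepted


if __name__ == "__main__":
    g = SendToAFriendGuard()
    print(g.check("203.0.113.5", "Friend@Example.test", 0.0))  # (True, 'ok')
    print(g.check("203.0.113.5", "friend@example.test", 1.0))  # (True, 'ok')
    print(g.check("203.0.113.5", "friend@example.test", 2.0))  # (False, 'recipient already contacted recently')
    print("flood of 1000 requests, mails sent:", simulate_flood(1000))  # 5
```

The per-recipient limit is the one that protects your reputation: it caps how often any one address can be hit from your domain regardless of who is submitting the form. The per-client and site-wide limits are what keep a flood from turning into a mail server outage. Keying on client IP is weak on its own (many users share an address behind NAT, and an attacker can spread requests across addresses), so in practice it is combined with a session or signed-form token; the counters here also live in process memory, so a deployment with several web workers would keep them in a shared store instead.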