By Margot Romary @ReturnPath 7/2/12
Peer-initiated, “send to a friend”, “forward to a friend”, “send to a network”… while these terms can conjure visions of dollar signs for potential revenue bumps — nobody sells your products better than a consumer who’s passionate about them — they can also turn into persistent sores which ultimately tarnish your sending IPs’ reputations, as well as your business image. In 2011, social networks using peer-initiated messages had a whopping average of 20.8 spam traps per IP address, and 73% of our sending clients’ security issues in Q2 of 2012 so far have been caused by deficiencies in peer-initiated messaging protection.
It stands to reason… Virtually all websites nowadays have some form of peer-initiated sharing component. The idea of letting website visitors share content, products, or sales notices with a trusted network is effective, which is why it has become so prolific. What you can’t see, though, is the often complex set of algorithms and rules that sit on the Apache server or the sendmail hosts (or insert your webserver-to-SMTP technology here) and filter this “shared” web traffic before it is sent outwards. So while the idea seems simple, a successfully protected implementation is far more complex.
I don’t have enough fingers to count the instances over the years when — in running one of the largest email systems in the world at my previous employer — I had to shut down a new product launch because the peer initiated email feature of this new product was insecure. Trust me when I say that if you think your legitimate consumers find an email API sans-captcha more convenient than one with a captcha, spammers do too. Spammers do what they do to make money. What’s more, the more time hacker/spammers spend in and on your system, the more they know about how you work, and the less they’re incentivized to attack someone else.
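The kind of pre-send filtering the post refers to, written out as an added example that is not Return Path's code: a small abuse gate a "send to a friend" endpoint runs before handing anything to the MTA. It requires an upstream captcha result, links only to server-known catalogue items (so the sharer never controls the URL), rejects free-text notes that carry links, caps recipients per request and rate-limits sends per client IP. The item ids, thresholds and addresses are constructed placeholders.

```python
"""Abuse gate for a peer-initiated "share" request (added example, not the
original post's code). Catalogue ids and thresholds are constructed values."""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass

URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
SHAREABLE_ITEMS = {"sku-1001", "sku-1002"}   # constructed catalogue ids


@dataclass
class ShareRequest:
    client_ip: str
    item_id: str                  # what is shared; the server builds the link
    recipients: list
    note: str = ""                # optional free text from the sharer
    captcha_passed: bool = False  # result of the captcha check, done upstream


class ShareGate:
    def __init__(self, max_recipients=5, per_ip_limit=10, window_s=3600):
        self.max_recipients = max_recipients
        self.per_ip_limit = per_ip_limit      # accepted recipient sends per window
        self.window_s = window_s
        self._sent = defaultdict(deque)       # ip -> timestamps of accepted sends

    def check(self, req, now=None):
        """Return (allowed, reason); deny reasons are meant for logging/alerting."""
        now = time.time() if now is None else now
        if not req.captcha_passed:
            return False, "captcha_missing"
        if req.item_id not in SHAREABLE_ITEMS:
            return False, "unknown_item"        # only server-known content is linked
        if not 0 < len(req.recipients) <= self.max_recipients:
            return False, "recipient_count"
        if URL_RE.search(req.note):
            return False, "url_in_note"         # free text must not carry links
        q = self._sent[req.client_ip]
        while q and now - q[0] > self.window_s:  # drop sends outside the window
            q.popleft()
        if len(q) + len(req.recipients) > self.per_ip_limit:
            return False, "rate_limited"
        q.extend([now] * len(req.recipients))    # each recipient counts as one send
        return True, "ok"
```

The denial reasons are the values worth graphing: a rising share of `rate_limited` or `url_in_note` from a few IPs is the early signal that the form is being worked by spammers.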
It’s the old story of being at a picnic in the woods and having a grizzly bear stumble on your delicious meal. You don’t have to be the fastest runner to escape, you just have to not be the slowest. Unfortunately for the slowest runners, they often end up getting mauled over and over again, requiring them to invest far more than they would have, had their mail form started with some rudimentary security measures. In other words, if you start off wearing running shoes rather than flip-flops, by default you end up being a less appetizing target.