I have a website where I send out surveys to people who want to take these surveys. They gave me their email address, so they do want to take the survey.
The problem is, our server had malicious code injected into a contact form and that resulted in a blacklisting problems. The blacklisting seems to be resolved, but now I'm trying to do everything I can to help make my emails look cleaner and not spammy. I'm using PHPMailer to send with SMTP authentication.
One important tip I've come across is to include an unsubscribe link. But these people aren't actually "subscribed." They will only be emailed to do a survey one time. So I was wondering if I put a link that leads them to a page explaining why they received the survey (basically remind them they gave me their email) and just name it unsubscribe.php? Then I will name the link "click here to unsubscribe." Would that be sufficient?
You can't just send people random stuff because you got their email address. You need to have explicit consent to send them things for a specific purpose, and what's more, you need to be able to prove that they gave that consent. Such a record of consent effectively is a subscription, so an address obtained legitimately would never raise this question.
If they did give you their address willingly, but you have no record or evidence, it's legally indistinguishable from you having harvested it from a random web page.
To put it another way - if you don't have this provable consent, you can't legally send them anything.
I have written a script for my clients to generate a newsletter form, embed it on their website, collect email addresses and then email them using a PHP while loop and PHPMailer.
Currently, the script uses a "double opt in" which sends an email from "myclient#myclientsemail.com" to the subscriber to click on a confirm link that then goes to "http://myserver.com" to complete the confirmation process.
My question is,
if the mail address they are receiving the confirm script from and the address they are confirming their email address with are different, will this be a problem?
In other words, does the spam filter add the confirm email "from address" to the friends list or the address of the link in the email?
The desired end result obviously being the "from address" (my clients address) being the one that will not be junked in future.
Thanks,
Anthony
My company does something similar. The double opt-in is something that you're doing on your end to ensure that you have valid results, not an email sent in by the user's enemy who wanted to load up their account with spam. The theory goes that if someone is going to be malicious like that, they wouldn't have actual read access and time/means to respond to the second opt-in, making it about as fail-proof as possible.
The spam filters don't know if you did an opt in at all, they just know what they see and who's doing the sending. So as long as you're sure the user you're getting approval from is the same one, you should be good to go. If you've properly configured headers, ensured list accuracy, aren't mail bombing (i.e. loading a host with thousands of messages in a short amount of time) and include content that's not "spammy" you'll be fine. Just remember, there's virtually no way to 100% guarantee delivery of an email thanks to overzealous IT guys and spam filters and the distributed nature of the web.
Note that being a new system, your host is not yet "trusted" so you'll likely have higher than average bounce stats. I'd recommend doing a "break" script when you send to ensure that emails are "trickling" out at first while you gain hosts' trust. Even with well-established servers, my company's policy is no consecutive emails to a host will be delivered with less than 50 ms break in between, and it's worked well for us (we deliver 100k+ per day). And no matter what, include CAN-SPAM items such as opt-out, physical address, and proper subject line...no exceptions.
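As an added example (not code from either question or answer above), here is how the pieces that answer lists look in a PHPMailer send loop: authenticated SMTP, a List-Unsubscribe header plus a visible opt-out link, the postal address in the body, a reminder of when and where consent was recorded, and the 50 ms pause between messages. The SMTP host, credentials, the consent-table columns and all example.com URLs are assumptions.

```php
<?php
// Added example, not from the original answers. Requires PHPMailer 6 via Composer.
// SMTP settings, consent table layout and URLs below are assumptions.
require 'vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

/**
 * $recipients are rows from a hypothetical consent table. Rows without a
 * recorded consent timestamp are skipped, so "proof of consent" is enforced
 * at send time rather than only at signup.
 */
function sendSurveyBatch(array $recipients, array $smtp): array
{
    $mail = new PHPMailer(true);             // true: throw exceptions on failure
    $mail->isSMTP();
    $mail->Host          = $smtp['host'];
    $mail->Port          = $smtp['port'];    // 587 with STARTTLS is the usual choice
    $mail->SMTPAuth      = true;
    $mail->Username      = $smtp['user'];
    $mail->Password      = $smtp['pass'];
    $mail->SMTPSecure    = PHPMailer::ENCRYPTION_STARTTLS;
    $mail->SMTPKeepAlive = true;             // reuse one connection for the whole batch
    $mail->CharSet       = 'UTF-8';
    $mail->setFrom('surveys@example.com', 'Example Surveys');   // assumed sending domain

    $results = [];
    foreach ($recipients as $r) {
        if (empty($r['consented_at'])) {
            $results[$r['email']] = 'skipped: no consent record';
            continue;
        }
        try {
            $mail->clearAllRecipients();
            $mail->clearCustomHeaders();
            $mail->addAddress($r['email']);

            // Machine-readable opt-out (RFC 2369) with a mailto: fallback.
            $optOut = 'https://example.com/unsubscribe.php?id=' . rawurlencode($r['id']);
            $mail->addCustomHeader('List-Unsubscribe',
                '<' . $optOut . '>, <mailto:unsubscribe@example.com?subject=' . rawurlencode($r['id']) . '>');
            $mail->addCustomHeader('Precedence', 'bulk');

            $mail->Subject = 'Your survey invitation';
            $mail->isHTML(false);
            $mail->Body = "Hello,\n\n"
                . "You asked for this survey on " . $r['consented_at'] . " via " . $r['consent_source'] . ".\n"
                . "Take it here: https://example.com/survey.php?id=" . rawurlencode($r['id']) . "\n\n"
                . "Don't want it? " . $optOut . "\n"
                . "Example Surveys, 1 Example Street, Example City\n";   // postal address (CAN-SPAM)

            $mail->send();
            $results[$r['email']] = 'sent';
        } catch (Exception $e) {
            $results[$r['email']] = 'failed: ' . $mail->ErrorInfo;
        }
        usleep(50000);   // 50 ms break between consecutive messages, as the answer suggests
    }
    $mail->smtpClose();
    return $results;
}

// Constructed sample rows; in practice they come from the consent table.
$rows = [
    ['id' => 'r1', 'email' => 'alice@example.org', 'consented_at' => '2012-03-01 10:15', 'consent_source' => 'signup form'],
    ['id' => 'r2', 'email' => 'bob@example.org',   'consented_at' => null,               'consent_source' => null],
];
print_r(sendSurveyBatch($rows, ['host' => 'smtp.example.com', 'port' => 587, 'user' => 'surveys', 'pass' => 'secret']));
```

The skipped row is the point: the first answer's "record of consent" is only useful if the sending code refuses to mail anyone who lacks one.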
I'm not sure if this is exactly possible, but figured I'd throw it out there.
I have a client that is getting some hate-mail from somebody he knows via a contact form on a website that I developed for him. Currently I do the normal checks for a validly-formatted email address, along with a Captcha, but the client has requested that a user enter his/her own email address in the form.
Now I realize that something like this could be easily spoofed by setting up a fake Yahoo account, etc, but the client's thinking is that this person is not quite that computer-literate.
Is there any possibility for checking if an email address is valid and in-use?
The only other thing I can think of is turning his contact form into a mailto: link.
The only way to confirm an email address is in use is to send an email to it with a unique token, and have them pass the token back to you (usually by clicking a link). This is typically how mailing list signups work.
There are theoretical ways to tell in the SMTP protocol, but many (or maybe even most) servers don't respect those due to problems with spammers abusing them.
Although it may not work, I find Akismet ( http://akismet.com/ ) fairly good at blocking spam and unwanted emails in forms and comments.
If that fails and the problem is only one individual you can blacklist by IP, or even by browser fingerprint ( http://www.h-online.com/security/news/item/EFF-demonstrates-a-browser-s-finger-print-918786.html ). Ultimately it is impossible to stop someone though if they are dedicated.
Why not just not send this email if the message contains some commonly used abuse word or the abuser's IP address?
I have a site where users register for an account. I have an internal communication system that sends them an email when they get a private message. I don't force people to confirm their email, so naturally, many enter a fake address.
When they get a PM, it tries to send them an email, but obviously fails, so it keeps retrying and retrying. After a few weeks, the retry queue gets quite big, and it affects server performance (I also don't wanna get blacklisted for all these attempts).
What can I do to solve this issue (other than force people to confirm their email upon registration)?
If you don't want to force people to confirm their email because if something goes wrong, they can't access their login straight away, why not do something like this:
If they haven't confirmed their E-Mail, don't send PMs, but show them when they are logged in instead. Remind them to confirm their E-Mail.
If they have confirmed their E-mail, send them out.
But anyway, your scenario sounds like a server misconfiguration. Why would a mail server keep re-sending mails that it got a "not deliverable" message for? As far as I know, re-sending mails only occurs when the receiving host was not reachable for technical reasons.
You really should just require confirmation.
Short of that, you can deactivate users whose emails have bounced a certain number of times, and require a new email at next login.
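One way to implement "deactivate after a certain number of bounces", as an added example that is not part of the answer above. It classifies a failure by its enhanced status code, so a permanent 5.x.x rejection stops delivery immediately while a transient 4.x.x only counts toward a retry limit; this is also the distinction the previous answer raises about retrying "not deliverable" messages. The user record layout, thresholds and sample status codes are constructed; obtaining the codes (from a bounce mailbox or the MTA log) is outside the snippet.

```php
<?php
// Added example, not from the original answers. Thresholds and record layout are assumptions.

const MAX_PERMANENT_BOUNCES = 1;   // a 5.x.x failure is final: stop after the first one
const MAX_TRANSIENT_BOUNCES = 5;   // 4.x.x failures: give up after a few attempts

/**
 * Enhanced status codes (RFC 3463) begin with the class digit:
 * 2 = success, 4 = transient (retry later), 5 = permanent (do not retry).
 */
function bounceClass(string $enhancedStatus): string
{
    if (preg_match('/^([245])\.\d{1,3}\.\d{1,3}$/', $enhancedStatus, $m)) {
        return ['2' => 'success', '4' => 'transient', '5' => 'permanent'][$m[1]];
    }
    return 'unknown';
}

/**
 * Apply one bounce to a user's delivery record and return the updated record,
 * including whether email for this user should now be suppressed.
 */
function recordBounce(array $user, string $enhancedStatus): array
{
    $class = bounceClass($enhancedStatus);
    if ($class === 'permanent') {
        $user['permanent_bounces'] = ($user['permanent_bounces'] ?? 0) + 1;
    } elseif ($class === 'transient') {
        $user['transient_bounces'] = ($user['transient_bounces'] ?? 0) + 1;
    }
    $user['email_suppressed'] =
        ($user['permanent_bounces'] ?? 0) >= MAX_PERMANENT_BOUNCES
        || ($user['transient_bounces'] ?? 0) >= MAX_TRANSIENT_BOUNCES;
    return $user;
}

/** Check this before queueing any notification; suppressed users see the PM in-app instead. */
function shouldSendEmail(array $user): bool
{
    return empty($user['email_suppressed']);
}

// Constructed walk-through: one user who registered with a mistyped mailbox.
$user = ['id' => 7, 'email' => 'nobody@example.org'];
$user = recordBounce($user, '4.4.1');   // remote host unreachable: transient, keep retrying
var_dump(shouldSendEmail($user));       // true
$user = recordBounce($user, '5.1.1');   // bad destination mailbox: permanent
var_dump(shouldSendEmail($user));       // false: stop mailing, ask for a new address at next login
```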
It will be hard without verifying, but you can at least verify the domain it's coming from:
Option 1: Use getmxrr to search for MX records on their hostname
Option 2: Use checkdnsrr to check their DNS info
But all these really do is check the validity of the domain, and whether it's running a mailserver. To get real authentication a confirmation is the best way. You could also implement a tool to send out a test email, and see if it bounces back. But this method may not always work as expected, because of variations: on some servers it's instant, on others it can be a day later before an undeliverable notice is returned.
I hope this helps.
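The domain check the answer describes, as an added example (not the answer's own code), using PHP's built-in getmxrr() and checkdnsrr(). Syntax is checked first, MX records are tried next, and the A/AAAA fallback that SMTP senders use when a domain has no MX is covered too. The addresses at the bottom are constructed; what they return depends on live DNS when you run it.

```php
<?php
// Added example, not from the original answer. Checks only that the domain can
// receive mail somewhere; it says nothing about the mailbox itself.

function mailDomainStatus(string $email): array
{
    // Syntax first: no point resolving DNS for "broken@" or "not an address".
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'reason' => 'invalid syntax'];
    }
    $domain = substr(strrchr($email, '@'), 1);

    // Preferred path: MX records, sorted by preference (lowest value first).
    $hosts = [];
    $weights = [];
    if (getmxrr($domain, $hosts, $weights)) {
        array_multisort($weights, SORT_NUMERIC, $hosts);
        // RFC 7505 "null MX": a single record pointing at the root means the
        // domain explicitly refuses mail (it may surface as '' or '.').
        if (count($hosts) === 1 && ($hosts[0] === '' || $hosts[0] === '.')) {
            return ['ok' => false, 'reason' => 'null MX: domain refuses mail', 'domain' => $domain];
        }
        return ['ok' => true, 'reason' => 'MX found', 'domain' => $domain, 'mx' => $hosts];
    }

    // Fallback per RFC 5321 section 5.1: with no MX, senders use the A/AAAA record.
    if (checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA')) {
        return ['ok' => true, 'reason' => 'no MX, falls back to A/AAAA record', 'domain' => $domain];
    }
    return ['ok' => false, 'reason' => 'domain does not resolve', 'domain' => $domain];
}

// Constructed inputs; results depend on live DNS at run time.
foreach (['user@gmail.com', 'user@nonexistent-domain-12345.invalid', 'broken@'] as $addr) {
    print_r(mailDomainStatus($addr));
}
```

A passing result here is a reason to bother sending the confirmation message at all, not a substitute for it.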
Consider having a checkbox so that people can opt out of email notifications. If they do not enter a valid email address, it is surely because they do not want to receive emails in the first place, so let them tell you.
Additionally, you may consider having an opt-in system, where people will not receive email notifications in the first place and have to enable it somewhere in their account settings, providing an email address at this moment. This way, the number of fake email addresses will be reduced to near zero.
Twitter and Facebook invite new users to send an invitation to everyone in their Gmail, Hotmail, or Yahoo Mail accounts.
Is it easy to add this functionality to a website?
Thanks,
John
Last I checked you basically have to pretend to be a web browser then programmatically log in to the site, scrape the contacts, then compose/send the message. It isn't difficult, but it is time consuming as each of these services works differently.
It does, however, look like people have written scripts for some of this: example.
Yes!
What they generally do is send in the email a special URL that contains a code, for example:
www.mysite.com?UserCode=ABC
That code (ABC) is associated with the email of the user so the application understands which user is trying to subscribe. You must keep in a database the pair: email, code.
HTH
All of the above answers are correct, here is a summary and some more explanation:
You first need to get the user's login for each service you want to get contacts from (I personally don't understand why people would do that - I would never give my GMail password to Facebook, let alone some little known web site).
Then you can simulate a login to the said website and grab their contact list as an export (all serious email services allow you to export the contact list as CSV or something). You can implement this yourself or use some external library such as contactgrabber mentioned by Haim.
You then go over their list of contacts and for each contact you generate a key (you want to generate a unique key for each email you send so you'd know who responded to you). Generating the keys is easy - take some info like the current user's email plus the target email address, add the current time and pass everything to a hashing function like SHA1 - should do the trick.
Now store in a database table for each contact you got: the inviting user's ID, the email address being invited and the key you generated.
Lastly send a nice email to each contact with a URL to your website's "invitation activation page" with the correct key applied - like so: http://www.somesite.com/invited?key=123456780abcdefgh
When that page is accessed, get the key from the URL and find it in the table - that would give you the email address that activated the invite and the user that invited them. From here you can take it to wherever you want.
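The token flow described in three places on this page (the "send an email with a unique token" answer to the contact-form question, the UserCode=ABC answer, and the invitation-key steps just above), as one added example that is not code from any of those answers. One thing is changed on purpose: the key comes from random_bytes() rather than SHA1 of the two addresses plus the time, because a hash of guessable inputs can be recomputed by anyone who knows the addresses and roughly when the invite went out. The table layout, the activation URL and the use of an in-memory SQLite database through PDO (so it runs offline) are assumptions.

```php
<?php
// Added example, not from the original answers. Needs the pdo_sqlite extension.
// Table layout and URLs are assumptions.

const TOKEN_TTL = 7 * 24 * 3600;   // invitations and confirmations expire after a week

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE invites (
        token_hash TEXT PRIMARY KEY,   -- only a hash is stored, so a DB leak does not leak live links
        inviter_id INTEGER NOT NULL,
        email      TEXT NOT NULL,
        created_at INTEGER NOT NULL,
        used_at    INTEGER)');
    return $db;
}

/** Create an invite/confirmation record and return the URL to put in the email. */
function createInvite(PDO $db, int $inviterId, string $email): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, not derived from user data
    $db->prepare('INSERT INTO invites (token_hash, inviter_id, email, created_at) VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $token), $inviterId, $email, time()]);
    return 'https://www.example.com/invited?key=' . $token;   // assumed activation page
}

/**
 * Called when the activation page is hit. Returns the inviter and the invited
 * address on success, or null for unknown, expired or already-used tokens.
 */
function redeemInvite(PDO $db, string $token, ?int $now = null): ?array
{
    $now = $now ?? time();
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {   // reject malformed input before touching the DB
        return null;
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT inviter_id, email, created_at, used_at FROM invites WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['used_at'] !== null || $now - (int) $row['created_at'] > TOKEN_TTL) {
        return null;
    }
    // Single use: a forwarded or replayed link cannot confirm twice.
    $db->prepare('UPDATE invites SET used_at = ? WHERE token_hash = ?')->execute([$now, $hash]);
    return ['inviter_id' => (int) $row['inviter_id'], 'email' => $row['email']];
}

// Constructed walk-through.
$db  = openStore();
$url = createInvite($db, 42, 'friend@example.org');
$key = substr($url, strpos($url, 'key=') + 4);

var_dump(redeemInvite($db, $key));                 // inviter 42, friend@example.org
var_dump(redeemInvite($db, $key));                 // NULL: already used
var_dump(redeemInvite($db, str_repeat('0', 32)));  // NULL: unknown token
```

For the plain "is this address in use" case from the contact-form question, the inviter column is simply the account being confirmed; the lookup, expiry and single-use handling are the same.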
I need to build a little webapp but I'm not sure what is the best thing to do.
A person who subscribes to the petition is signing an email sent to X. This will also be saved to a db in order to show online who subscribed.
The idea is to have a standard text message; the user submits his name and that name goes into the message as the signature.
I could make php send the email with the address of the real sender, or let the user copy and paste the text and let him send the email on his own.
I'm not sure of what is the best way to implement it. What will be more "effective"? I mean, in terms of number of subscribers the solution where the app sends the email is easier, but what about the authenticity of the emails? Could they be considered not valid if they are all sent from the same place?
Regardless of the whole thing being a "good" idea or not, you want to keep yourself safe. If you spoof the from field, chances are most of your email (especially for domains with SPF records) will not make it through the first level of spam filtering.
An SPF (Sender Policy Framework) record lists the only IPs that are allowed to send mails for a domain. If a domain has an SPF record and you poll it, you're supposed to treat anything that didn't originate from a listed server as hazardous waste.
Depending on where you're sending these emails, you'll probably end up with your mail server on one or multiple blacklists. That means any email, SPF or not, just won't get accepted.
So in short:
Get people to send their own email. Provide templates.
Consider utilizing the full specs for <a href="mailto:... -- you can put the subject and body in the link, allowing templates to be a one-click affair.
You could use Javascript on your site to personalise the message (and therefore mailto: link) while still on your site.
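To make the SPF point concrete, here is an added example (not the answer's code) of the check a receiving server performs: given a domain's SPF record and the connecting IP, does the record permit that sender? It implements only the literal mechanisms (ip4, ip6, all) and the four qualifiers; include, a, mx, exists and redirect are deliberately left out, so it goes beyond the answer's wording but well short of a full RFC 7208 evaluator. The record at the bottom is constructed; fetchSpf() pulls the real one via dns_get_record() where a network is available.

```php
<?php
// Added example, not from the original answer. Literal-mechanism SPF check only;
// a real receiver uses a complete RFC 7208 implementation.

function cidrMatch(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                             // malformed, or IPv4 vs IPv6 mismatch
    }
    $bits = $bits === null ? strlen($ipBin) * 8 : (int) $bits;   // no prefix: exact host match
    $full = intdiv($bits, 8);
    if ($full > 0 && substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;          // compare the leftover high bits of the next byte
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

/** Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no usable record). */
function spfResult(string $record, string $senderIp): string
{
    $terms = preg_split('/\s+/', trim($record));
    if (array_shift($terms) !== 'v=spf1') {
        return 'none';
    }
    $qualMap = ['+' => 'pass', '-' => 'fail', '~' => 'softfail', '?' => 'neutral'];
    foreach ($terms as $term) {
        if ($term === '') {
            continue;
        }
        $qual = '+';                              // mechanisms without a qualifier mean "pass"
        if (isset($qualMap[$term[0]])) {
            $qual = $term[0];
            $term = substr($term, 1);
        }
        if (strtolower($term) === 'all') {
            return $qualMap[$qual];
        }
        if (preg_match('/^ip([46]):(.+)$/i', $term, $m) && cidrMatch($senderIp, $m[2])) {
            return $qualMap[$qual];
        }
        // include:, a, mx, exists:, redirect= are not evaluated in this demo
    }
    return 'neutral';                             // record exhausted with no match (RFC 7208 default)
}

/** Fetch the live record; returns null when the domain publishes none. */
function fetchSpf(string $domain): ?string
{
    foreach (dns_get_record($domain, DNS_TXT) ?: [] as $rr) {
        if (isset($rr['txt']) && strncmp($rr['txt'], 'v=spf1', 6) === 0) {
            return $rr['txt'];
        }
    }
    return null;
}

// Constructed record for a petition site that only sends from its own hosts.
$record = 'v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all';
var_dump(spfResult($record, '203.0.113.10'));                       // pass
var_dump(spfResult($record, '198.51.100.77'));                      // pass (inside the /24)
var_dump(spfResult($record, '192.0.2.5'));                          // fail: mail "from" this domain sent elsewhere
var_dump(spfResult('v=spf1 ip4:203.0.113.10 ~all', '192.0.2.5'));   // softfail
```

The third result is the answer's point: a petition app that puts the signer's own address in From: while sending from the app's server is exactly the case a -all record tells receivers to reject, which is why the answer recommends mailto: templates instead.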
Let me get this straight - so you want to add to the flood of armchair activism email that is already saturating the world to no good purpose, and you're asking how best to do it? I would read the following before going any further with this:
http://www.breakthechain.org/armchair.html