
Simon Willison’s Weblog

Tell-a-Friend: Leverage Word of Mouth Marketing. I’d love to know how they intend to stop this free widget from becoming the world’s most popular spam proxy. And of course, they abuse the password anti-pattern despite the existence of safe API alternatives to address book scraping.


4 comments

  1. Simon,

    You can send messages from the widget ONLY to buddies in your address book and to no more than 20 addresses at a time. It is rather hard(work) to use the widget for SPAM. They may as well use the email client and send out more messages.

    As regards using a safe API, we do use the published API. Opening new windows and directing to different sites is a distraction, so we provide a simple UI to view the address book.

    Vijay

    Vijay - 20th September 2008 16:12 - #

  2. "You can send messages from the widget ONLY to buddies in your address book and to no more than 20 addresses at a time"

    That's not true. You click "e-mail", then "Type e-mail addresses" and you get a free-form box to enter e-mail addresses and any subject and message you want, all without even having to log in - no address book is involved. This is great news for spammers - they can use the widget to send anything they like to anyone they like and it's the Tell-a-Friend e-mail server that will end up blacklisted, since there's no audit trail back to the spammer (who will probably post to the form through anonymous proxies making them very difficult to block).

    The safe APIs I'm talking about are these ones:

    http://code.google.com/apis/contacts/

    http://developer.yahoo.com/addressbook/

    http://msdn.microsoft.com/en-us/library/bb463979.aspx

    Using these means you don't have to ask users for their webmail username and password.

    Simon Willison - 20th September 2008 16:26 - #

  3. Simon,

    The "Type e-mail addresses" box also has a limit of 10 email addresses. As I mentioned, sending a few emails at a time manually is not viable for spamming.

    Vijay

    Vijay - 22nd September 2008 05:17 - #

  4. Vijay,
    You are wrong.

    For spammers to win, it doesn't have to be *easy*, it only has to be *profitable*.

    Web requests can be automated. Spammers have distributed IRCbot armies.

    1 POST => 10 emails => spammers love you.

    This is *way* easier than many other vectors that spammers use to great effect every day.

    On the password/API question: 3rd party services (this means socialtwist) should not ask for passwords. At all. Ever. You are setting unreasonable expectations of trustworthiness, training users to give away their information to anyone, and gaining access to far more information than the user is likely to grasp.

    I'm generally against laws regarding technology because congress so frequently gets the issues totally wrong, but I do hope that companies engaging in this dangerous practice are held liable for any identity theft damages or fraud. Consider the exposure you're giving your company.

    I can only conclude that the people responsible for this widget are terribly incompetent or feigning incompetence just long enough to collect lots of data for personal profit.

    Jeremy Dunck - 22nd September 2008 15:37 - #
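The thread above turns on what a tell-a-friend endpoint lets an anonymous caller do: free-form recipients, free-form subject and body, no login, no audit trail. The following is an added example written for this page (it is not code from Simon's post, nor from the widget's vendor), sketching the server-side controls a defender would want on such an endpoint: the sender must be authenticated, recipients must come from that user's own address book (assumed to have been fetched through a delegated-access contacts API rather than by collecting the user's webmail password), the message is rendered from a server-side template so no caller-supplied content goes out, sends are rate-limited per user over a sliding window, and every attempt is logged with the client IP. The class name, policy limits, `example.com` addresses, and the `203.0.113.5` IP are all constructed for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Policy constants (assumed values for this example; tune for a real deployment).
MAX_RECIPIENTS_PER_REQUEST = 10   # per-request cap, as the widget's vendor describes
MAX_SENDS_PER_WINDOW = 20         # per authenticated user, per sliding window
RATE_WINDOW_SECONDS = 3600
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample data: address books already obtained through a
# delegated-access contacts API, keyed by the authenticated user id.
ADDRESS_BOOKS = {
    "alice": {"bob@example.com", "carol@example.com"},
}


def render_message(sender_id, product_url):
    """Server-side template: the caller never supplies subject or body,
    so the endpoint cannot be used to relay arbitrary content."""
    return {
        "subject": f"{sender_id} thought you might like this",
        "body": f"{sender_id} recommends {product_url}",
    }


class TellAFriendService:
    """Hypothetical hardened tell-a-friend handler (not the widget's real code)."""

    def __init__(self, address_books, now=time.time):
        self.address_books = address_books
        self.now = now                    # injectable clock so tests can move time
        self.sends = defaultdict(deque)   # user id -> timestamps of recent sends
        self.audit = []                   # every attempt, accepted or rejected
        self.outbox = []                  # messages handed to the mailer

    def _record(self, user_id, client_ip, recipients, ok, reason):
        # Audit trail: who asked, from where, to whom, and what happened.
        entry = {"time": self.now(), "user": user_id, "ip": client_ip,
                 "recipients": list(recipients), "ok": ok, "reason": reason}
        self.audit.append(entry)
        return entry

    def send(self, user_id, recipients, client_ip, product_url):
        recipients = list(recipients)
        # 1. No anonymous sending: the request must carry an authenticated user.
        if user_id is None or user_id not in self.address_books:
            return self._record(user_id, client_ip, recipients, False, "not_authenticated")
        # 2. Bound the fan-out of a single request.
        if not 0 < len(recipients) <= MAX_RECIPIENTS_PER_REQUEST:
            return self._record(user_id, client_ip, recipients, False, "bad_recipient_count")
        # 3. Recipients must be well-formed and already in this user's address book;
        #    there is no free-form "type any address" path.
        book = self.address_books[user_id]
        for addr in recipients:
            if not EMAIL_RE.match(addr) or addr not in book:
                return self._record(user_id, client_ip, recipients, False,
                                    "recipient_not_in_address_book")
        # 4. Sliding-window rate limit per user, counting individual recipients.
        window = self.sends[user_id]
        cutoff = self.now() - RATE_WINDOW_SECONDS
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) + len(recipients) > MAX_SENDS_PER_WINDOW:
            return self._record(user_id, client_ip, recipients, False, "rate_limited")
        # 5. Fixed template; the only caller-controlled value is the product URL.
        msg = render_message(user_id, product_url)
        for addr in recipients:
            window.append(self.now())
            self.outbox.append({"to": addr, **msg})
        return self._record(user_id, client_ip, recipients, True, "sent")


if __name__ == "__main__":
    svc = TellAFriendService(ADDRESS_BOOKS)
    print(svc.send(None, ["bob@example.com"], "203.0.113.5", "https://example.com/p"))
    print(svc.send("alice", ["bob@example.com"], "203.0.113.5", "https://example.com/p"))
```

Each rejection is recorded before it is returned, so a burst of rate-limited or not-authenticated attempts from one client IP shows up in the audit list and can feed whatever alerting the site already has; the outbox holds only template-rendered messages addressed to contacts the sender already had.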
