Remember Formmail?
Spam fighters and email administrators of a certain age probably remember the bad old days of “formmail” spam.
Formmail was a popular Perl script that let websites implement simple “contact us” forms. The problem? It was easily abused. The destination address was specified in the form POST, and there were usually no checks on what went in that field. So, script kiddies figured out they could use your formmail script to send spam. Thousands of messages routed through your server, with your IP address getting flagged for being exploitable and having been exploited.
It was right up there with open relaying mail servers as an early and widespread vector for spam and reputation damage. The spammer didn’t get blocked. You were, because the world perceived you to be the source of that unwanted garbage.
Formmail stuck around for years, partly because it was so easy to set up and forget. It took a lot of noise from a lot of people before site owners finally started to rip it out.
Forward to a Friend: The Sequel
I bring this up because formmail spam reminds me a lot of "forward to a friend" (F2F) spam.
F2F was one of the earliest forms of viral content sharing. ESPs and publishers would let you click a link, type in your name, your friend’s email address, usually add in a little message, and they (the publisher, store, ESP, etc.) would send an email to your friend. It came from their server, their IP, their domain. Something like: “Dear friend, check out this cool article I found”, along with the link to that article or other piece of content.
Compare that to today. If I want to share an Amazon product link, Linkedin post, or Facebook reel, I click a “share” button that most often opens an email or iMessage on my device, which I send myself. I’m in control. The message comes from me, not Amazon.
But, back then, the ESP or publisher sent the message for you. That’s where the problems began.
F2F: Abused Again and Again
Like formmail, F2F forms got abused. Spammers figured out they could use the infrastructure of others to attempt to shovel their junk into inboxes. All it took was an open text field and a recipient address.
Better still, it could be automated. Fire up a script to submit 200,000 F2F requests and now you are sending 200,000 spam messages. Just like with formmail, it is you that gets blocklisted, instead of the spammer.
I suspect that this is why old-school F2F is mostly gone today. But traces of it still pop up now and then, like in a recent example where attackers used the Microsoft 365 admin portal to send extortion emails.
To be clear, it doesn’t look like anything was hacked. Nobody broke in. This just looks like plain old F2F spam, the kind ESPs have dealt with before. The lesson here isn’t new. If you let random people on the internet submit messages to be sent to others, someone will eventually abuse it.
I share this not to shame Microsoft, but to remind them and all of us to be vigilant, and that we need to remember the bad old days, and be careful when allowing somebody else to submit text or links to get forwarded on to someone else, using our infrastructure.
Side note: That abuse doesn’t always or only come from outside the building. Back in 2009, a company called Jumpstart was forced to settle with the FTC over misusing a forward-to-a-friend mechanism to send deceptive marketing messages. As I wrote about way back then, the FTC alleged that Jumpstart was the real sender of those messages, even though users had entered their friends’ addresses. It purported to be from the person initiating a forward, but actually, the content and cadence was under Jumpstart’s control, and not disclosed before email address submission.
Some Concrete Advice
Remember the ways that this can go bad and how it can cause deliverability and reputation (and maybe even legal) issues:
- F2F spam can hurt your reputation. The mail is coming from your domain and IP, and it will pass authentication. But recipients won't love it, especially in cases of abuse, and spam complaints will follow.
- People might think you’ve been hacked. Even if nothing was breached, people see spam from your domain and jump to conclusions.
- You might be legally responsible. Under CAN-SPAM, you could be considered the sender of that message.
- The ethics of it are questionable, even if no spammer touches it. You are sending a message to someone who didn’t opt in. They might not know who you are. They probably don’t want your email. You are assuming consent where none was given, and that leads to low engagement and higher than average spam complaints.
We’ve seen this before. We know how it goes. Any time you offer an open box for people to type into, along with a recipient address, you’re inviting trouble.
So be careful. Rate limit it. CAPTCHA it. Or better yet, don’t do it at all.
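To make the advice above concrete, here is an added example (my own illustration, not code from the original post or from any ESP) of the minimum a forward-to-a-friend endpoint should do before handing anything to the mail server: count every submission against a per-client rate limit, refuse recipient addresses that don't parse, keep the personal note short and link-free, and build the outgoing body server-side so the only URL in the message is one you chose. The `F2FGuard` class, the `ARTICLES` table and the `render_forward` helper are assumptions made up for this example.

```python
import re
import time
from collections import defaultdict, deque

# Constructed lookup table: the link that gets forwarded comes from here,
# never from the form submission (the formmail lesson applied to F2F).
ARTICLES = {"spotting-f2f-abuse": "https://example.com/articles/spotting-f2f-abuse"}

URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class F2FGuard:
    """Sliding-window rate limit plus content checks for one F2F endpoint."""

    def __init__(self, per_ip_limit=5, window_seconds=3600, max_note_len=200):
        self.per_ip_limit = per_ip_limit
        self.window = window_seconds
        self.max_note_len = max_note_len
        self._hits = defaultdict(deque)  # client ip -> recent submission times

    def _rate_limited(self, client_ip, now):
        q = self._hits[client_ip]
        while q and now - q[0] >= self.window:  # drop entries outside the window
            q.popleft()
        if len(q) >= self.per_ip_limit:
            return True
        q.append(now)  # every attempt counts, including ones rejected below
        return False

    def check(self, client_ip, recipient, note, now=None):
        """Return (allowed, reason); only (True, 'ok') may be sent onward."""
        now = time.time() if now is None else now
        if self._rate_limited(client_ip, now):
            return False, "rate limited"
        if not ADDR_RE.match(recipient):
            return False, "bad recipient"
        if len(note) > self.max_note_len:
            return False, "note too long"
        if URL_RE.search(note):
            return False, "links not allowed in personal note"
        return True, "ok"


def render_forward(article_id, sender_name, note):
    """Compose the outgoing body from our own catalog, not from user input."""
    url = ARTICLES.get(article_id)
    if url is None:
        raise KeyError("unknown article id")
    return f"{sender_name} thought you'd like this: {url}\n\nTheir note: {note}"
```

A CAPTCHA check would sit in front of `check`, and the per-IP window should be backed by shared storage (not process memory) on anything with more than one web node.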