Our website has several areas with “invite a friend” type links, and for the most part they just pop up a modal asking for your name, email address, friend’s email address, friend’s name, and the ability to modify the message of the body.
The huge upside to this is that anyone can easily send a message to their friends without having to worry about their computer handling mailto: links the way they want them to.
The huge downside to this is the level of spam we get.
Typically if the same IP tries sending email out on our system more than once in a short period of time it will enforce a capcha, but a few clever bots have gotten around this recently.
What do you use for the public to share via email?
Unfortunately, that sort of thing is amazingly prone to being used for SPAM and links not making it through at all.
Most of the time I try and push people to social sharing since that’s usually a bit less problematic. Otherwise, you’re fighting the constant battle of either requiring capcha for everyone or trying to content/reputation filter clients. Something like Cloudflare can help a lot with that if it’s the route you want to go.
Our main website just uses a captcha, however, I actually wrote a seperate form for our helpdesk that has a nifty way of handling this. This form allows a user to really quickly open a ticket without logging in and trying to figure out how to use the real form on in our real helpdesk. So its an open form on the internet with no login. And since we wanted it to be fast we really didnt want to have to put in a captcha. One of the things I did to proactively prevent spam was to add another input field and then hide it with CSS. If you visit the form in a browser you have no idea its there. The idea here is that your average use will never put data in that field since they will never see it. A bot generally doesnt obey CSS or javascript rules though and will see this input field and when they come across it they’ll likely put random data in. So if that input box is filled in with anything, I deny the email. If its empty, the email goes through.
Obviously not perfect but it will thwart a few! You can also do the inverse of this with javascript. Having javascript add a mandatory field. I didnt like this methos specifically because its more susceptible to having issues with plugins.
On a similar type of form we found this to be highly effective: Save a timestamp when the form is displayed. Compare the timestamp to current time when the form is submitted. If it is less than some reasonable minimim number of seconds, display an error message, otherwise let the email go out. Very simple, has worked very well.