It’s a constant refrain round these parts, I know, but here’s another example of a web site that has a couple of nasty errors that could have been avoided with a little thought.
The site in question is Knight Frank the estate agents. I was drawn to their site as they are selling a house on my road. The house is a little bigger than ours and I wanted to know what it was selling for. Yes, I’m using the web to feed my middle-class obsession with house prices.
Anyway, the search functionality on the site was easy enough to use and I quickly found the property that I was looking for. So I clicked the link in the search results to see the details.
That’s when I noticed the first problem. When you have details of objects (in this case houses) on your web site, then it makes a lot of sense to give each object a unique web address so that it’s easy for people to pass details of a given object to their friends. As we’ll see later, Knight Frank’s site does have unique addresses for each property, but they do their best to keep them hidden.
When I was looking at the list of search results, the location bar in my browser said:
And when I clicked through to the property details, it said:
Nothing changed. There was no address that I could have used to pass on to a friend. To my mind, that’s a fundamental misunderstanding of how the web works.
However, looking at the details of the property, I saw a “send to a friend” link. I realised that if you can send a link to the property to a friend then the email that is sent must contain the unique link that the web site hides from you. I decided to send the details to myself.
And here’s the next problem. The “send to a friend” page asks for your email address, your friend’s email address and a message to include in the email. The web site then sends an email containing the message and the link from you to your friend.
Can you see the problem?
The problem is that this mail claims to come from you. But it doesn’t really. It really comes from the Knight Frank web server. A common spam technique is to send mail that doesn’t originate from the site that it claims to come from. For this reason, a number of people have implemented a system called SPF. In SPF a domain publishes a list of mail servers that are allowed to send mail for that domain. At the other end of a transaction, when a mail server receives a mail, it can check against these published lists to ensure that the mail comes from a mail server that is allowed to send mail for the domain that it claims to come from. Any mail that doesn’t match these requirements can be discarded as spam. I publish a set of SPF records for dave.org.uk and I also check SPF records for any incoming mail and discard any that don’t match.
So we have the situation where the Knight Frank site is trying to send mail that claims to come from dave.org.uk, but that server isn’t on the list of servers that send genuine dave.org.uk mail. And that means that my mail to myself is rejected by my incoming mail server as spam. Luckily I got a bounce message that contained the original message, so I finally managed to work out what the address of the property details is. If the Knight Frank web site had been honest and sent the mail from itself, then the mail would have got through without any problems.
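The SPF check described above, as an added example that is not part of the original post: a small evaluator for the ip4, mx and all mechanisms, run against constructed records (the IP addresses and the knightfrank.example domain are placeholders, not the real records of either site), plus the header layout that would have let the site’s mail pass.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (hypothetical values).
SPF_RECORDS = {
    "dave.org.uk": "v=spf1 ip4:203.0.113.10 mx -all",
    "knightfrank.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
# Constructed MX host addresses for the "mx" mechanism.
MX_HOSTS = {"dave.org.uk": ["203.0.113.11"]}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, mail_from_domain):
    """Result for a message claiming to be from mail_from_domain that arrived
    from sender_ip: 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    Covers only the ip4, mx and all mechanisms of RFC 7208."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"          # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"        # mechanisms default to "pass" when they match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "mx":
            hosts = MX_HOSTS.get(mail_from_domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif term == "all":
            matched = True
        else:
            matched = False    # unsupported mechanism, treated as no match
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"           # no mechanism matched (RFC 7208 default)


def send_to_friend_headers(visitor, friend, site_sender="noreply@knightfrank.example"):
    """Headers a 'send to a friend' form should use: From stays on the site's
    own domain (which its SPF record authorises) and the visitor is Reply-To."""
    return {"From": site_sender, "Reply-To": visitor, "To": friend}
```

Run against these records, a message from the site’s server that claims to be from dave.org.uk fails, while the same server sending as its own domain passes.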
This system probably works for them currently because SPF isn’t really widely implemented. But as spam gets worse then it will become far more common. And less and less Knight Frank web site mail will get through to the intended recipient.
The Knight Frank web site designers probably thought they were being really clever. They probably think that hiding the details of the web site address makes things look simpler. They almost certainly think that people are more likely to read mail that comes from a friend. But I think that in both of these cases they are failing to understand how the internet should work.
If you’re interested, the property details are here. It’s on sale for £795,000 and over the weekend the “for sale” sign changed to an “under offer” sign.