Users can't sign up to your site without activating their account via the email address they supplied. So you can't send a message if you haven't activated your account.
Users can decide whether to accept emails directly from your site. You can't send a message to a user who doesn't want to accept them.
All emails should have a 'From' field based on your domain - NOT the address of the sender (user). You are responsible for formmail.
Keep a log of messages sent - sender_id | recipient_id | timestamp - don't keep a copy of the content, unless you tell everybody that a copy will be kept. In the event of a complaint, you can check the log and ban / delete a user. Keeping copies can get heavy - especially if they contain attachments.
Use captcha YES.
diafol
Keep Smiling
10,611 posts since Oct 2006
Reputation Points: 1,628
Solved Threads: 1,506
Skill Endorsements: 57
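The rules in the post above, put together as an added example that is not part of the original post. The thread names no language or schema, so Python, the table and column names, `SITE_FROM` and both function names are assumptions made for illustration.

```python
import sqlite3
import time
from email.message import EmailMessage

SITE_FROM = "noreply@example.com"  # assumed address on the site's own domain

def open_demo_db():
    """In-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,
                            activated INTEGER, accepts_mail INTEGER);
        CREATE TABLE message_log (sender_id INTEGER, recipient_id INTEGER,
                                  timestamp INTEGER);
        INSERT INTO users VALUES (1, 'alice@example.org', 1, 1),
                                 (2, 'bob@example.org',   0, 1),
                                 (3, 'carol@example.org', 1, 0),
                                 (4, 'dave@example.org',  1, 1);
    """)
    return conn

def build_site_message(conn, sender_id, recipient_id, subject, body, captcha_ok):
    """Return an EmailMessage for the mailer, or raise if a rule is not met."""
    if not captcha_ok:
        raise PermissionError("captcha not passed")
    sender = conn.execute("SELECT activated FROM users WHERE id = ?",
                          (sender_id,)).fetchone()
    if sender is None or not sender[0]:
        raise PermissionError("sender has not activated the account")
    rcpt = conn.execute("SELECT email, accepts_mail FROM users WHERE id = ?",
                        (recipient_id,)).fetchone()
    if rcpt is None or not rcpt[1]:
        raise PermissionError("recipient does not accept messages")
    if any(c in subject for c in "\r\n"):
        # Extra hardening beyond the post: no line breaks in header values.
        raise ValueError("line break in subject")
    msg = EmailMessage()
    msg["From"] = SITE_FROM          # site domain, never the sender's address
    msg["To"] = rcpt[0]
    msg["Subject"] = subject
    msg.set_content(body)
    # Log metadata only: sender_id | recipient_id | timestamp, no content.
    conn.execute("INSERT INTO message_log VALUES (?, ?, ?)",
                 (sender_id, recipient_id, int(time.time())))
    conn.commit()
    return msg
```

The returned message still has to be handed to whatever mailer the site uses; the log row is written only after every check has passed.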
Messages through the site are usually sent by non-registered visitors. What they deal is not my business.
Be very careful, you could be providing malicious users with a facility to anonymously send spam. You'll get fingered for it if they provide a false email.
Depending on your site usage, you could be up to your neck in spam pushers.
diafol