Spammers are getting very good at exploiting “Tell a Friend” (TAF) scripts. Any site that uses TAF without adequate security can easily be misused by spammers as a free spam-sending service, using up your bandwidth and getting the server blacklisted.
“Tell a Friend” (TAF) scripts allow a user to send an email to another person via your website, usually intended for sharing product or page links. However, as these scripts are nothing more than simple mail-send commands, spammers can easily exploit them by running an automated script against them that sends out spam messages, using the affected website as a free spam relay.
Spam exploits are often only noticed when email send volumes on the site go up unexpectedly and the volume of bounced emails drastically increases. In some cases, however, spammers keep the volume of emails very low, and we have seen exploits that went undetected for months.
In this article we discuss strategies for securing “tell a friend” (TAF) scripts and alternative methods of allowing customers to share links on your site.
- osCommerce / Zen Cart
- Social sharing buttons
- Using email link
- Other methods to secure your script
- Secure your site now!
osCommerce / Zen Cart
Both osCommerce and Zen Cart have a tell_a_friend.php script which allows visitors to send an email with a product URL and message via your site. Misuse can be stopped by setting the configuration setting “Allow guest to tell a friend” in the shop admin to “false”. Once set to false, customers will be required to log in or register before sending the email.
If “Allow guest to tell a friend” is set to “true”, this script is easily exploited. Spammers often search the web for tell_a_friend.php script names and once they have found your site it provides an open door for using your site and bandwidth as their own free mail service. As spammers look for file names, just removing the link from your site won’t stop the exploit. Only securing (or deleting) the script itself will.
In Zen Cart, go to “Configuration -> Email Options”.
In osCommerce, go to “Configuration -> My Shop”.
Magento’s “Email a friend” script can be configured in admin under “System -> Configuration -> Catalogue: Email to a friend”. The important setting is “Allow for Guests”, which should be set to “No”. It also gives the option to limit the number of recipients and the number of emails sent per hour, and to choose whether sends are tracked by “cookie (unsafe)” or “IP Address”.
WordPress has no built-in TAF script, but there are many plugins available (www.google.co.uk/search?q=social+bookmarking+wordpress). One we use is wordpress.org/extend/plugins/sociable/. This plugin combines popular social networking tools (facebook, twitter) with an email link that uses the visitor’s own mail program.
Any plugin should be checked to see how email is sent. If email is sent via your own site/server, it presents a security issue and is best avoided. Plugins which send mail via their own server or use the visitor’s mail program are safe.
Using Sharing Buttons as secure alternatives to TAF scripts
A good alternative to using your own TAF script is to use sharing tools such as www.addthis.com and www.sharethis.com/. These give visitors a wide range of options for sharing content on your site, including email, facebook, twitter and many others, and can easily be implemented.
Social network sharing tools are secure, customisable for your site, can often be integrated with e.g. Google Analytics, and tap into the current trend for social network features. Additionally, the “email” links are sent via the button provider’s website, which is responsible for their security. Even if the email link is exploited, it would not impact your own site (and server).
For site owners looking for an easy to implement, user-friendly and secure alternative to writing their own TAF scripts, these tools offer an attractive option.
Using an email link
An easy alternative to TAF scripts is an email link which uses the visitor’s own email program (Outlook, Thunderbird etc.) to send the email. Links are in the format:
mailto:?subject=XX&body=XX
where XX is your preferred subject line and body content message. Dynamic content such as the product URL is easy for developers to add. Please note that the address part of the mailto link is empty on purpose, to allow visitors to enter their own recipient email addresses.
When a visitor clicks on the link, an email is opened in their mail program and the visitor can then send it via their own email service. This method is simple, but can lead to problems where visitors don’t have an email program installed on their device or, e.g. at work, are not allowed to use it for private communications. On the other hand, the email is sent by the visitor themselves, which simplifies the privacy implications and removes any spam concerns.
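As an added example (not code from the original article), this is how a developer can build the empty-recipient mailto link with the product URL inserted dynamically; the product name, URL and message text are constructed sample values, and the only security-relevant detail is that every parameter is percent-encoded so a product URL containing “&” or “?” cannot break the link.

```javascript
// Added example, not code from the original article: build a "share by
// email" link that opens the visitor's own mail program. The product name
// and URL below are constructed sample values.

function buildShareMailto(subject, bodyLines, productUrl) {
  // mailto URLs carry subject and body as query parameters, so every value
  // is percent-encoded; otherwise "&", "?" or "#" inside the product URL
  // would be read as the start of a new parameter or cut the body short.
  const body = bodyLines.concat(['', productUrl]).join('\r\n');
  const query = [
    'subject=' + encodeURIComponent(subject),
    'body=' + encodeURIComponent(body),
  ].join('&');
  // Nothing between "mailto:" and "?": the visitor types the recipient.
  return 'mailto:?' + query;
}

// Set the href on an existing anchor element at page load, so the link can
// carry the current product's URL without any server-side mail handling.
function attachShareLink(anchor, productName, productUrl) {
  anchor.href = buildShareMailto(
    'Have a look at ' + productName,
    ['Hi,', 'I thought you might like this:'],
    productUrl
  );
  return anchor.href;
}

// Constructed sample: a shop URL whose own query string must survive intact.
const sampleHref = buildShareMailto(
  'Have a look at Widget Pro',
  ['Hi,', 'I thought you might like this:'],
  'https://shop.example/product.php?products_id=42&ref=share'
);
```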
Securing your TAF Script
If you cannot secure your TAF script via existing configurations in your site, and the social networking tools are not suitable, then you can look into securing your script. This work should only be carried out by a developer with a good understanding of PHP security.
Common tactics to stop spam exploits include:
- using a captcha (NB: hackers have become quite good at breaking these)
- forcing users to register with the website (customer registration) before sending email
- limiting the volume of emails each IP address can send per hour
- logging all emails sent via your site (monitoring, alerting on suspicious patterns)
It should be noted that any mail script that allows users to send their own mail via your site is inherently a risk. Even if security measures are taken, the activity on the script should be closely monitored and site owners should be aware of the exploit potential.
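As an added example of the per-IP hourly limit and the log monitoring from the list above (not code from the original article or from any of the shop packages it mentions), the following JavaScript shows a send gate and a log review that flags IPs exceeding the limit; the log format and the limit of 5 recipients per hour are assumptions chosen for illustration.

```javascript
// Added example, not code from the original article: an hourly per-IP send
// limit plus a log review that flags IPs exceeding it. The log format and the
// limit of 5 sends per hour are assumptions chosen for illustration.

const HOURLY_LIMIT = 5;
const HOUR_MS = 60 * 60 * 1000;

// One line per send: ISO timestamp, client IP, number of recipients.
// Constructed sample data; 10.0.0.7 behaves like an automated script.
const SAMPLE_LOG = `
2024-03-01T10:00:01Z 203.0.113.5 1
2024-03-01T10:02:10Z 10.0.0.7 1
2024-03-01T10:02:12Z 10.0.0.7 3
2024-03-01T10:02:15Z 10.0.0.7 2
2024-03-01T10:03:00Z 10.0.0.7 1
2024-03-01T10:03:02Z 10.0.0.7 1
2024-03-01T11:30:00Z 203.0.113.5 1
`;

function parseLog(text) {
  return text.trim().split('\n').map((line) => {
    const [ts, ip, recipients] = line.trim().split(/\s+/);
    return { time: Date.parse(ts), ip, recipients: Number(recipients) };
  });
}

// Gate for the send handler: refuse once this IP has used its budget in the
// trailing hour. Each recipient counts, so one request to 3 addresses costs 3.
function canSend(entries, ip, now, wanted = 1, limit = HOURLY_LIMIT) {
  const used = entries
    .filter((e) => e.ip === ip && e.time > now - HOUR_MS && e.time <= now)
    .reduce((sum, e) => sum + e.recipients, 0);
  return used + wanted <= limit;
}

// Offline review of the log: replay each send against the entries before it
// and report every IP that would have been refused. This is the "alert on
// suspicious patterns" part of the monitoring advice.
function findAbusiveIps(entries, limit = HOURLY_LIMIT) {
  const flagged = new Set();
  for (const e of entries) {
    const earlier = entries.filter((x) => x.time < e.time);
    if (!canSend(earlier, e.ip, e.time, e.recipients, limit)) flagged.add(e.ip);
  }
  return [...flagged].sort();
}
```

The same review run over a real send log would also show the low-and-slow pattern mentioned earlier, since an IP that stays just under the limit every hour still stands out when its total is compared with ordinary visitors.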
Secure your site now!
Even if you are not a developer yourself, you can easily check whether your site uses a “Tell a Friend” script. Have a look at your site, check what software you are using (Zen Cart, Magento, etc.), and check via a file manager for any “tell_a_friend.php” or similar files.
If your site does use a script of this kind, use our advice to secure your site now, and don’t be a free mail service for spammers!