Business Web Hosting since 2005

“Tell a friend” script exploits

Spammers are getting very good at exploiting “Tell a Friend” (TAF) scripts. Any site that uses TAF without adequate security can easily be misued by spammers as a free spam sending service, using up your bandwidth and getting the server blacklisted.

Tell a Friend

“Tell a Friend” (TAF) scripts allow a user to send an email to another person via your website, usually intended for sharing product/page links. However, as these scripts are nothing more than simple mail send commands, spammers can easily exploit them by running an automated script against it which sends out spam messages, using affected websites as free spam relay.

Spam exploits are often only noticed when email send volumes on the site go up unexpectedly, and volume of bounced emails drastically increases. Although in some cases, spammers keep the volume of emails very low, and we have seen exploits which went undetected for months.

In this article we discuss strategies how “tell a friend” (TAF) scripts can be secured and alternative methods of allowing customers to share links on your site.

osCommerce / Zen Cart

Both osCommerce and Zen Cart have a tell_a_friend.php script which allows visitors to send an email with a product URL and message via your site. Misuse can be stopped by setting the configuration setting “Allow guest to tell a friend” in the shop admin to “false”. Once set to false, customers will be required to log in or register before sending the email.

If “Allow guest to tell a friend” is set to “true”, this script is easily exploited. Spammers often search the web for tell_a_friend.php script names and once they have found your site it provides an open door for using your site and bandwidth as their own free mail service. As spammers look for file names, just removing the link from your site won’t stop the exploit. Only securing (or deleting) the script itself will.

In Zen Cart, go to “Configuration -> Email Options”.
Tell a Friend Zen Cart

In osCommerce, go to “Configuration -> My Shop”.
Tell a Friend osCommerce


Magento’s “Email a friend” script can be configured in admin under “System -> Configuration -> Catalogue: Email to a friend”. The important setting is “Allow for Guests” set to “No”. It also gives the option to limit the number of recipients, limit the number of emails sent per hour and how to monitor either by “cookie(unsafe)” or “IP Address”.

Magento "Tell a Friend"


WordPress has no built-in TAF script, but there are many plugins available . One we use is This plugin combines popular social networking tools (facebook, twitter) and an email link which uses the visitor’s own mail program.

Sociable for WordPress

Any plugin should be checked to see how email is sent. If email is sent via your own site/server, it will present a security issue and is best avoided. Plugins which send mail via their own server or use the visitor’s mail program are safe.

Using Sharing Buttons as secure alternatives to TAF scripts

A good alternative to using your own TAF script is to use sharing tools such as and These give visitors a wide range of options how to share content on your site including email, facebook, twitter and many others; and can easily be implemented.

Add This Button Styles

Social network sharing tools are secure, customisable for your site, often can be integrated eg with Google Analytics and tap into the current trend for social network features. Additionaly, the “email” links are sent via the button provider’s website who are responsible for security. Even if the email link is exploited, it would not impact on your own site (and server).

Share This Button

For site owners looking for an easy to implement, user-friendly and secure alternative to writing their own TAF scripts, these tools offer an attractive option.

Using an email link

An easy alternative to TAF scripts are email links which use the visitor’s own email program (Outlook, Thunderbird etc) to send an email. Links are in the format:


Where XX is your preferred subject line and body content message. Dynamic content such as the product URL are easy to add by developers. Please note that the mailto command is empty on purpose, to allow visitors to enter their own recipient email addresses.

When a visitor clicks on the link, an email is opened from the mail program and visitors can then send via their own email service. This method is simple, but can lead to problems where visitors don’t have email programs installed on their device or eg at work are not allowed to use these for private communications. On the other hand, email is sent by the person itself, simplifying privacy implications and removing any spam concerns.

Securing your TAF Script

If you cannot secure your TAF script via existing configurations in your site, and the social networking tools are not suitable, then you can look into securing your script. This work should only be carried out by a developer with a good understanding of PHP security.

Common tactics to stop spam exploits include

  • use a captcha (nb: hackers have become quite good at breaking these)
  • forcing users to register with a website (customer registration) before sending email
  • limiting the volume of emails each IP address can send per hour
  • log all emails sent via your site (monitoring, alert of suspicious patterns)

It should be noted that any mail script that allows users to send their own mail via your site is inherently a risk. Even if security measures are taken, the activity on the script should be closely monitored and site owners should be aware of the exploit potential.

Secure your site now!

Even if you are not a developer yourself, you can easily check if your site uses a “Tell a Friend” script. Have a look on your site, check what software you are using (Zen Cart, Magento, etc), check via a file manager for any “tell_a_friend.php” or similar files.

If your site does use a script of this kind, use our advice to secure your site now & don’t be a free mail service for spammers!

, , , ,

11 Responses to “Tell a friend” script exploits

  1. John March 14, 2011 at 8:21 pm #

    Interesting and helpful post. I’m using Zen Cart on my site but I’m not using Tell a Friend. Would it be safe to delete the Tell a Friend php file?

  2. Edith @ TerraNetwork March 14, 2011 at 10:02 pm #

    Deleting tell_a_friend.php is safe. If it’s called in anywhere by mistake (eg a sitemap), it will simply result in a “404 page not found” error. Deleting the file if not in use is a good way to remove any potential for abuse – what’s not there, can’t be misused.

  3. Vanesa March 16, 2011 at 4:31 am #

    Very useful info, thx!!

  4. Matthew March 17, 2011 at 7:08 pm #

    Hi Edith,

    Thanks for the post. Just though I’d throw something out there.

    Most users who might forward to a friend are most probably not log in, meaning they would not be abel to use the service.

    Thus switching this feature off for those users not logged in, means it may not be worth using it at all.

    What’s your thoughts?

    Best Regards

    Matthew @ Sight Direct

  5. Edith @ TerraNetwork March 17, 2011 at 11:02 pm #

    Hi Matthew – the social network buttons include mail links, plus the popular facebook “like” and twitter, so for me, that’s the best option at the moment. I’ve used “addthis” on sites before, integrates very well, and uses the addthis server for sending mail.

  6. Leonard February 1, 2012 at 6:50 pm #

    Thanks. Saved 30+ minutes looking for the problem and the solution for OSCommerce. The receipt of a large number of bounce messages caused me to go look for things.

  7. shamik November 13, 2012 at 12:52 pm #

    Very helpful. Thanks. I have secured my site. I came to know from who is online page that some one always using tell a friend. even for few days.
    can they write automated login script? if yes how to secure the registration page or login page.

  8. Edith November 13, 2012 at 1:09 pm #

    Hi Shamik – the exploits are normally done by bots (automated scripts). Hackers can also write automated login scripts, but I haven’t seen any Tell a Friend exploits where a login was involved. Hackers usually go by “maximum impact with minimum work”. If you do want to make your registration more secure, a CAPTCHA script will do this. CAPTCHA requires the user to type in letters and numbers from an image to prove they are human. But it can annoy customers who may find it tricky to type in the correct code, so in my view, this should only be done on sites which have a known login abuse problem.

  9. Carol Willkins June 25, 2013 at 4:11 pm #

    Hi! Thanks for helpfull information! Just want to say that I saw an interesting solution recently – a private sale script from Plumrocket. A number of magento extensions and magento private sales theme. And there is possible to find more information about magento extensions and its configuration (in particular there is Magento Invitation Extension, that allows your site customers to invite friends)

  10. Chris October 14, 2013 at 4:32 am #

    Hi, many thanks for the info.

    Our cart is osCommerce selling in the UK.
    I noticed we had a few ‘guests’ lurking with similar IP addresses so we did a IP look up at to try and identify where they were coming from. Turns out most are from ISP: Philippine Long Distance Telephone?

    I then looked at our logs in Action Recorder (Tell a friend) and noticed many spam entries “Get paid now…” and it was then that I realized our cart was being used for email relaying spam by ‘Guest’!

    Thank you for the solution, it was the first result I came across on Google.
    My only problem now is waiting to see if the fix works as the buggers are still online according to the who’s online feature 😉


  11. Chris October 16, 2013 at 5:04 am #


    The solution provided above only prevents guests/none registered from sending emails.Spammers are still able to send emails by registering false accounts, plus there are spam bots (scripts) that they can use to automate the process.

    Apparently the safest solution is to delete or comment out tell_a_friend.php
    instructions for oSC 2.2 version:

    I’m 2.3.1 so I’ll keep looking

Leave a Reply



Google Plus

Follow Me on Pinterest