Sites with "Recommend this site" or "Recommend this product" type of forms, take notice.

[Michael D.]

Spammers have, recently that we've noticed, begun using forms on web sites such as "Recommend this product to a friend" or the "Recommend this site to a friend" to send spam. Generally these forms have a "Write a message to your friend" that is included in the product or page recommendation and this is exactly what the spammers are using to get their spam out, using your legitimate site and form.

 

At the end of this message I am going to link to a copy of an actual spam message sent using a legitimate form on one of our customer's legitimate sites. I've redacted the customer's information in the email as to protect their identity, site, and store.

 

If you have a site that has one of these forms it's best if you do one of the following things - which may or may not require support from the script developer. Keep in mind that we cannot provide support for third party scripts so if you need help with this, you'll need to get with the support department of the script developer:

1. Disable the personal message/custom message portion of the form. If somebody really thinks their friend will like the product/page - that really should be enough in most cases.
   
2. If you cannot disable the custom message portion of the form, we would suggest the "recommend XYZ to a friend" form be removed completely. While I can understand that you will want to keep it enabled or it may even be very useful for your site - that is where option number 3 comes into play.
   
3. Get with the script developer to in some way have the form itself check for spam and block it - prime examples are blocking multiple messages sent by the same IP address or multiple messages with the same (or very similar) custom messages. Another option - if it's not a built in feature/option - is to have the option to disable the customized message on the recommendation.
   

 

The example spam message can be seen at http://www.mddhosting.com/spam-example.html

 

If your site is exploited to send spam such as this, we will be in touch with you to work on resolving the issue - depending on how fast the spam is being sent we may have to temporarily disable your script or your ability to send mail which can be devastating to your site and/or store so please do take this warning seriously and do what you can to make sure that this type of spam attack cannot be used against you.

 

We'll always do our best to keep your site online however we cannot do so to the detriment of the mail sending abilities of others on the server.

 

If you have any questions, feel free to respond to this thread, or to open a support ticket.

[fshagan]

Another option is to validate the TO: field to only contain one email address, and then use a regular expression to reject any text that contains a URL. I'm not great at regular expressions, but I did come up with this for one of my "Contact Me" forms:

 

else if(!preg_match("/^[a-zA-Z0-9\s.\-]+$/", $_POST['my_contact_message']) ) {
     $my_error_message .= '<p>' . __('Invalid characters in Message.  Please re-enter using letters and numbers only. ', 'Bold') . '</p>';
     $my_contact_error = true;
     $_POST['my_contact_message'] = strip_tags ($_POST['my_contact_message'] );
   }

 

It looks for any characters other than A-Z and 0-9, and then rejects the submission. It strips the characters out, and then reposts their message in the un-submitted form without them, so they can edit it (if they are not a spammer).

 

I had one customer with a "Tell a Friend" form that you identified early on, and he has just left it disabled for now. He's working with the developer, a shopping cart script, to come up with a suitable alternative.

[Michael D.]

Good ideas, but maybe over the head of many with such forms unfortunately. Many of these forms that are being exploited actually are using only a single recipient as the spammer is using a bot or some form submission software to resubmit the form with a new recipient every time.

[Michael D.]

I removed one recommend form from one of my Wordpress powered sites. I do want to implement it on another one though. Any suggestions as to what's a good plugin to use? Or should I just look for something with CAPTCHA implemented?

 

All my vB boards use reCAPTCHA off hand I cannot think of any other sites that send mail other than the built in functions of WP.

The good bots can even defeat reCAPTCHA and other captchas but it'll will stop some of them. Beyond that, it's a battle to be fought, spammers make the world difficult for all of us.

[frankacter]

For bots, having a pool of niche specific question/answer sets that only your target audience will know the answer to can help cut down on automated spam. Depending on which plugin you are using many have "human verification" options which allow you to define which question to ask. While they ask basic math questions by default (what is 1 + 3), you should be sure to change it to something unique to your environment for maximum effectiveness.

[fshagan]

Its always an "arms race" with the spammers. In my Wordpress installations, I'm using Disqus commenting system now to combat comment spam (seems to work fine), and have challenge questions for registrations, etc. On my IPBoard forums, I figured out a way to have newly registered members restricted to posting messages without links (until they post 3 messages that are approved).

 

All of these things work, but to paraphrase TJ, combating them takes "eternal vigilance".

[Scott]

I just dealt with a large rash of this type of "recommend our site/product to a friend" spam. So here is a bump on this topic to remind everything that it is still happening.

[Michael D.]

Unfortunately we still have users that are using forms exactly like this:

http://www.screen-shot.net/refer-a-friend-form.png

 

This form was responsible for sending over 7,500 spam messages and resulted in an account suspension and some spam clean-up fees. Please, if you are going to run any sort of 'recommend this to a friend' type of form - make sure there is no 'message' field. While you can run such a form if you really want - bear in mind that you are responsible for any spam messages that may originate from the form.

[Leah]

Does this mean that plugin's like Sharaholic are also in violation?

[Scott]

Any form with functionality like what is pictured, can easily be abused to send spam and should not be used.