If you have a tell-a-friend feature on your website, disable it right now

Email notification on a laptop

Sitthiphong/Getty Images

Comment below if this resonates with you:

You wake up. You have that first life-giving cup of coffee. Then you take a glance at your email, just to see if anything’s on fire. Suddenly, you get this horrible feeling in the pit of your stomach. You’re not exactly sure what’s happening, but one glance at your email and you know something’s terribly wrong.

Also: Scammers target older people online: 3 warning signs to watch for

For each of us, the “something” can be different. It could be a complaint from a customer. It could be a mean missive from a manager. Or it could be hundreds upon hundreds of bounced emails sitting in that email box.

No matter what it is, you suddenly know your day has been knocked off its axis. Deep sigh. Today is no longer what you expected. Instead, today is now a damage control day.

For my friend, it was all those emails. What they mean and the important lesson I recommend you learn from her experience is the rest of this story.

Wayback Machine

Before I tell you her story, I’ll need to tell you mine. For that, we need to jump into the Wayback Machine and look at an article I wrote for CNN on May 20, 2009. In that article (written before I was here at ZDNET), I explained how one of my websites had been attacked by tens of thousands of computers per second.

Technically, it was a distributed denial of service attack — except the attackers weren’t trying to deny my server from providing its data. Instead, they were trying to hijack my “send email to a friend” page and use it to send their own spam messages out.

Also: How to block someone on Gmail quickly and easily

Effectively, they were trying to use my server as an email relay for their spam. It was automated, it was intense, and it pretty much killed the site for about a week.

I learned my lesson that day almost 14 years ago. I turned off the tell-a-friend page on that site and all my sites, and I never looked back.

Back to the future

The tell-a-friend feature isn’t all that popular now — probably because it’s been used for spamming. But back in the day (especially before social media), it was a much-desired feature of commercial sites. While new sites rarely deploy it as a feature, some older sites still have one buried in the outer reaches of their older pages. That’s what happened with my friend.

Also: I asked ChatGPT to write a WordPress plugin I needed. It did it in less than 5 minutes

So now, let’s talk about my friend. About 18 months ago or so, she acquired a small, hobby-oriented, e-commerce site. I helped her move the WordPress installation from the original owner’s hosting provider to a more reliable player. I went through and updated all her plugins, and generally made sure her site was safe to operate.

But I missed something. And that brings us to her terrible, horrible, no good, very bad morning.

Like I said, she was getting hundreds upon hundreds of bounced emails in her Gmail. Worse, she discovered she couldn’t send outgoing emails any longer. Gmail had blocked her ability to send emails.

Within a few hours, what had been a very bad morning for my friend became an unpleasant and stressful afternoon for me. I did some digging.

Also: Millions of Facebook users are entitled to a settlement payout. How to file a claim

As it turns out, she had a tell-a-friend form on her site. As far as we could tell, no pages linked to that form. But if you knew the URL, you could use it to send email messages out. Some crook somewhere somehow found that URL and sent out a few hundred thousand spam messages by the time we caught on.

I located the plugin that was supplying the form and turned off the form. That way, the spammer could no longer send out emails. The spam attack was over.

The rest of the story

There were consequences. With her acquisition of the site came a transfer of the small single-user Google Workspace account the site used for customer service. That was the Gmail account the tell-a-friend used to relay the outgoing messages. And that was the account that Gmail disabled.

Fortunately, all Google did was temporarily suspend sending emails from that account. It reset after about 24 hours, so she had her email back again. But that kind of spam flood could well have resulted in Google completely shutting down her account, which could have been catastrophic. While that did not happen, she spent a very troubled night wondering if it would.

Also: Email is our greatest productivity tool. That’s why phishing is so dangerous

Her forms database was also filled with more than 200,000 tell-a-friend forms that were filled in. That’s a lot, even for MySQL (the database underlying WordPress). So she went through every page, selected the “choose all messages” option, and hit “batch delete”. Unfortunately, the forms engine could only handle about 15,000 at a time before timing out. So she had to repeat this process over and over again, which took hours.

But what about that tell-a-friend page? How did the spammers find it? The answer is: We don’t know. We scoured the site, looking for links to the hidden URL for that form. We didn’t find anything. It seemed that someone out there had been cataloging tell-a-friend URLs for years and recorded the URL back when the tell-a-friend page was active on the site.

Also: Were you caught up in the latest data breach? How to tell

My guess is that when the spammer wants to send out spam, they just pull up the next available tell-a-friend page URL from their database, test if it works, and then send their spam until it’s shut down by a site operator.

It’s possible this spam problem had impacted the site before my friend took it over. Otherwise, why would all of the tell-a-friend links have been removed, yet the form still be there? It’s also possible the URL to the form was buried in a Google index somewhere and the spammer found it. Whatever the case, the spammer did find it.

The cautionary tale

Now that we’ve reached the tail end of this story, I’m going to recommend you use this as a cautionary tale. First, if you know you have a tell-a-friend page on your site, turn it off right now.

If you acquire an existing site, as part of your due diligence, please check out every form and mailing feature the site has. I scanned her site back when she got it, but I didn’t dig into each form through the plugin’s back-end interface. I should have.

Also: The best VPN services right now   

Don’t assume that if you don’t see a feature on the visitor-facing end of the site, it doesn’t exist. Sometimes, somewhere in the weeds of your site are vulnerabilities the bad guys are just waiting to exploit.


You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

READ MORE HERE