13 March 2017

Abusable tell-a-friend scripts considered harmful

Many websites provide ‘tell-a-friend’ forms allowing visitors to recommend a page to an acquaintance. Unfortunately, fraudsters and other spammers constantly abuse such forms.

Example

Here is a typical advance-fee scam that was spammed through a haplessly operated website:

Received: from allthingsformom.modwest.com (allthingsformom.modwest.com [204.11.245.237]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by virusscan-2.nebula.fi (Postfix) with ESMTP id 99802A4D70B for (email address removed); Thu, 13 Oct 2011 08:21:50 +0300 (EEST)
Received: (qmail 30137 invoked by uid 33); 12 Oct 2011 14:53:56 +0000
Date: 12 Oct 2011 14:53:54 +0000
Message-ID: <20111012145354.30099.qmail@allthingsformom.modwest.com>
To: (647 [sic] email addresses removed)
Subject: Mr. David Robert Miller has sent you a message from All Things For Mom
From: ciaukllp9246@hotmail.com
MIME-Version: 1.0
Content-type: text/html; charset=utf-8

All Things For Mom <http://www.allthingsformom.com/>
Mr. David Robert Miller <mailto:ciaukllp9246@hotmail.com> thought you would like to see the All Things For Mom web site.
Message from Sender:
Capstone Investment Advisors UK LLP A symbol of entrepreneurial relationship and growth, 21, St. Thomas St, London, SE1 9RY. Dear Director, I write to you based on a request by an investor and his need for investment/funding in your country. My name is Mr. David Robert Miller, the chief financial consultant of Capstone Investment Advisors UK LLP. My company most times represents the interests of very wealthy investors. Due to the sensitivity of the position they hold in their society and the unstable investment environment of their country, they evacuate majority of their funds into more stable economies and developed nations where they can get good yield for their funds. A Reserved Client, whom I had personally worked with few years ago with a proposal, recently, approached me that he wants an individual in your country who will assist him to invest $328.2 Million US Dollars on his behalf in a good profitable business in your country for a period of 10 years for a start. We extend hands of investment to you with the intend of making good profit for us all and all we need from you to accomplish this is your total commitment, cooperation and trust. Looking forward to hear from you soon, Best regards, Mr. David Robert Miller Chief Consultant, CIA UK LLP.
Click here to visit our site <http://www.allthingsformom.com/forward//email_ref>

This is a great service for criminals – apparently, the fraudster was able to spam 647 email addresses with a single HTTP request. Consider how many recipients a spammer can victimise by sending e.g. one such request per second for an hour or a week.

How to avoid being part of the problem

Here are a few things you can do to avoid having your tell-a-friend facility abused:

  • Consider whether you need a server-side application at all. Alternatives include sharing services such as AddThis as well as dynamically generated mailto: links allowing the visitor to send mail through his or her email client software.
  • If you do want to enable visitors to send mail through an application hosted your website, only allow them to enter their own email address and that of the recipient. Have your application add the name, description and URI of the page. Free-form text fields, whether you intend them to contain the visitor’s name, a message or something else, can be used to carry a message from a fraudster or other spammer. To avoid backscatter, set the reverse-path (the address to which non-delivery reports are sent) to one of your addresses, not to the address the visitor provides.
  • Also, ensure that the application is coded in a secure fashion. Remember that attackers are not confined to the web form you provide; they can use customised HTTP requests to exploit any feature or bug in your application.