Security & Spam Issue w/ Butterfly Marketing (TAF) "Tell a friend" Script

Posted on 10/01/09 1 Comment

This has happened to me twice. You know the old saying…

You got me once, shame on you. You got me twice, shame on me…

Well, that’s how I felt when this happened the second time because I overlooked a known security issue in the butterfly marketing script.

I thought I’d bring this to light and I hope it’s something that eventually gets removed from future iterations of the script.

Anyways – let’s get to the point, shall we?

When you install the butterfly marketing script on your domain there’s a built in promotional tool called a “tell a friend” (TAF) script. In theory it’d be great if all of your members were to tell their friends about your site and thus get you some viral exponentially growing waves of traffic. However, in reality, this TAF script is going to bring you much more trouble than it’s worth.

Twice now I’ve been had by unethical members who make a living off going around to every butterfly site they can find, signing up, and then abusing the TAF script.

Here’s what these low-life scum bags do:

1. They sign up for your site.

2. They go to your tell a friend script and either pay someone in a third world country to do it, or design their own “robot” type of script to do step 3 automatically…

3. They replace your default promotional message with their own nonsense including their own affiliate link. It will likely be a promo email that has absolutely nothing to do with your site or anything you’ve ever heard of and it will break all the rules of email marketing.

4. They use YOUR TAF SCRIPT to email THOUSANDS of people by importing lists of email addresses that they scraped up off the web or purchased somewhere.

The worst part of all is that all the email headers will contain YOUR server information so when it’s time for your host to come down on you it’s ultimately going to be your fault for letting it happen.

My advice: Remove the tell a friend script from your promotional tools page on all of your butterfly sites and ALSO be sure to remove the PHP file that makes the script work. Otherwise, an advanced hacker/spammer can still send out their spam garbage on your behalf.

This is the file you need to remove from your butterfly script to make sure this doesn’t happen to you. I suggest making this part of your personal checklist when installing and administering new butterfly sites:

do.taf.php

This file is located in the top-level directory.
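One way to turn the two-part advice above into a repeatable checklist item, as an added example that is not part of the original post and not code from the Butterfly Marketing script: a small POSIX shell script that checks an install directory for do.taf.php (the only file name taken from the post), moves it to a quarantine directory outside the web root so the web server can no longer execute it, and then lists any page in the install that still links to the handler. The install root and quarantine path are assumed to be passed as arguments; the function names are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original post or the Butterfly Marketing
# script. Audits a Butterfly install for the tell-a-friend handler named in
# the post (do.taf.php), quarantines it outside the web root, and reports any
# page that still references it (the "promotional tools" page the post says
# to edit). $1 = install root, $2 = quarantine dir outside the web root
# (assumed layout; only the file name comes from the post).

TAF_FILE="do.taf.php"

# taf_check DIR -> returns 0 if the handler is absent, 1 if it is still there
taf_check() {
    if [ -f "$1/$TAF_FILE" ]; then
        echo "PRESENT: $1/$TAF_FILE"
        return 1
    fi
    echo "absent: $1/$TAF_FILE"
    return 0
}

# taf_quarantine DIR QUARANTINE -> moves the handler out of the web root,
# keeping a timestamped copy so the change can be reverted; returns 0 on success
taf_quarantine() {
    src="$1/$TAF_FILE"
    [ -f "$src" ] || return 0            # nothing to do
    mkdir -p "$2" || return 1
    dest="$2/$TAF_FILE.$(date +%Y%m%d%H%M%S)"
    mv "$src" "$dest" || return 1
    echo "moved $src -> $dest"
    [ ! -e "$src" ]                      # the web server must not see it anymore
}

# taf_links DIR -> lists .php/.html files under DIR that still mention the
# handler (i.e. links left on the promotional tools page); returns 0 if none
taf_links() {
    hits=$(find "$1" \( -name '*.php' -o -name '*.html' \) -type f \
        -exec grep -l "$TAF_FILE" {} + 2>/dev/null)
    if [ -n "$hits" ]; then
        echo "still referenced in:"
        echo "$hits"
        return 1
    fi
    return 0
}
```

Run `taf_check /path/to/site` on every new install and again after each update, since a reinstall or upgrade of the script can put the file back; `taf_links` catches the case where the file is gone but the promotional tools page still advertises a link that now 404s.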

Hope this helps spare you some of the major headaches it’s caused me… twice.

One Comment

  1. Chris Vendilli says:
    Wednesday, June 2, 2010 at 4:20pm

    Speaking of spam issues – I’m sure glad I got all those 14,000+ spam comments wiped out with a single swipe… Now I’m ready to start adding new posts again…

    Just ran the following SQL command on my wp_comments table:

    -- removes every comment WordPress has already flagged as spam
    DELETE FROM wp_comments WHERE comment_approved = 'spam';

