Security & Spam Issue w/ Butterfly Marketing (TAF) "Tell a friend" Script
This has happened to me twice. You know the old saying…
You got me once, shame on you. You got me twice, shame on me…
Well, that’s how I felt when this happened the second time because I overlooked a known security issue in the butterfly marketing script.
I thought I’d bring this to light and I hope it’s something that eventually gets removed from future iterations of the script.
Anyways – let’s get to the point shall we?
When you install the butterfly marketing script on your domain there’s a built in promotional tool called a “tell a friend” (TAF) script. In theory it’d be great if all of your members were to tell their friends about your site and thus get you some viral exponentially growing waves of traffic. However, in reality, this TAF script is going to bring you much more trouble than it’s worth.
Twice now I’ve been had by unethical members who make a living going around to every butterfly site they can find, signing up, and then abusing the TAF script.
Here’s what these low-life scum bags do:
1. They sign up for your site.
2. They go to your tell a friend script and either pay someone in a third world country to do it, or design their own “robot” type of script to do step 3 automatically…
3. They replace your default promotional message with their own nonsense, including their own affiliate link. It will likely be a promo email that has absolutely nothing to do with your site or anything you’ve ever heard of, and it will break all the rules of email marketing.
4. They use YOUR TAF SCRIPT to email THOUSANDS of people by importing lists of email addresses that they scraped up off the web or purchased somewhere.
The worst part of all is that all the email headers will contain YOUR server information so when it’s time for your host to come down on you it’s ultimately going to be your fault for letting it happen.
My advice: Remove the tell a friend script from your promotional tools page on all of your butterfly sites and ALSO be sure to remove the php file that makes the script work. Otherwise, an advanced hacker/spammer can still send out their spam garbage on your behalf.
This is the file you need to remove from your butterfly script to make sure this doesn’t happen to you. I suggest making this part of your personal checklist when installing and administering new butterfly sites:
do.taf.php
This file is located in the top-level directory.
Hope this helps spare you some of the major headaches it’s caused me… twice.
4 comments
Speaking of spam issues – I’m sure glad I got all those 14,000+ spam comments wiped out with a single swipe… Now I’m ready to start adding new posts again…
Just ran the following SQL command on my wp_comments table:
DELETE FROM wp_comments WHERE comment_approved = 'spam';
Thank you for pointing this out. Removing the file completely is definitely the safest thing to do.
The problem is that the script allows visitors to insert their own message, and the validation of the input is weak. It would be a relatively easy change to the script to flow in the allowed names and email addresses to a message they cannot edit, and just give a preview of it.
It would also be smart to script in a limit to the number of TAF messages that can be sent. 5 a day ought to be plenty.
Those changes would make the script useless to spammers.
I’m putting them on my to do list for my own customers, and I’ll share the resource when it’s ready.
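One way the changes described in the comment above could look in practice, as an added example (not the Butterfly Marketing script's own code and not Ivor's resource): a fixed, non-editable message template, a small recipient cap, and a per-member daily limit of 5. It assumes a PDO connection `$db`, a hypothetical `taf_log(member_id, sent_at)` table, and a placeholder site name.

```php
<?php
// Hardened tell-a-friend handler (added example, not the Butterfly Marketing script).
// Assumptions: a PDO connection $db, a table taf_log(member_id, sent_at) that records
// each send, and a placeholder site name. Nothing from the form ends up in the message
// body except validated recipient addresses.

const TAF_DAILY_LIMIT = 5;                 // per member, per day (the cap suggested above)
const TAF_MAX_RECIPIENTS = 3;              // addresses per submission; no list imports
const TAF_SITE_NAME = 'example-site.invalid'; // placeholder, replace with your domain

function taf_build_message(string $senderName, string $siteName): string {
    // Fixed template: the member can neither edit the body nor add their own link.
    return "Hi,\n\n" . $senderName . " thought you would like " . $siteName
         . ".\n\nVisit https://" . $siteName . "/\n";
}

function taf_sends_today(PDO $db, int $memberId): int {
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM taf_log WHERE member_id = ? AND sent_at >= CURDATE()');
    $stmt->execute([$memberId]);
    return (int) $stmt->fetchColumn();
}

function taf_handle(PDO $db, int $memberId, string $senderName, array $recipients): array {
    // Reject anything that does not look like a short, hand-typed list of friends.
    if (count($recipients) === 0 || count($recipients) > TAF_MAX_RECIPIENTS) {
        return ['ok' => false, 'error' => 'between 1 and ' . TAF_MAX_RECIPIENTS . ' addresses'];
    }
    $clean = [];
    foreach ($recipients as $addr) {
        $addr = trim($addr);
        // FILTER_VALIDATE_EMAIL rejects newlines and commas, so no header injection.
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return ['ok' => false, 'error' => 'invalid address'];
        }
        $clean[] = $addr;
    }
    if (taf_sends_today($db, $memberId) + count($clean) > TAF_DAILY_LIMIT) {
        return ['ok' => false, 'error' => 'daily tell-a-friend limit reached'];
    }
    // Sender name comes from the member record, not the form; strip tags and CR/LF anyway.
    $safeName = preg_replace('/[\r\n]+/', ' ', strip_tags($senderName));
    $body = taf_build_message($safeName, TAF_SITE_NAME);
    $log = $db->prepare('INSERT INTO taf_log (member_id, sent_at) VALUES (?, NOW())');
    foreach ($clean as $to) {
        mail($to, 'A friend recommends ' . TAF_SITE_NAME, $body,
             'From: no-reply@' . TAF_SITE_NAME . "\r\n");
        $log->execute([$memberId]);
    }
    return ['ok' => true, 'sent' => count($clean)];
}
```

Because every send is logged per member, the same table also gives you a simple report of who is hitting the limit, which is the account you would want to look at.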
Thanks for the heads-up on the gaping hole in the Tell a Friend script.
I’ve knocked it out of commission till I can get back to it to tighten it up…
Cheers
Tim
Hi, thanks for this. I had a client who was accused of spam; when I looked at his system he had it turned on. I’ve since removed it and now all is well.
So thank you.
Ivor did you complete the mods you were talking about in your post?
James