We discovered that someone was using the Tell A Friend script on our RC2a-based web site to send spam. Turning off guest access to Tell A Friend did not block this, nor did the Verify Email with DNS option. This contribution adds measures to prevent it from happening.
1) If a customer id is set, it is validated. If it is not valid, the file immediately redirects to Log Off; otherwise the from name and email address stored in the database are used.
2) The process checks the address from which the form is posted. If the form was posted from anywhere other than the current web site's Tell A Friend file, it is treated as an attempt to send spam: the web site owner is emailed a notice of the attempt, including what was to be sent and the IP address of the sender, and the file terminates.
3) The message is checked for links. Any link to another web site found in the message triggers an error message, and no email is sent.
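The three checks above, written out as stand-alone PHP functions with constructed sample data. This is an added illustration, not code from the contribution itself; function names are hypothetical, the form field names follow the stock RC2a form, and the customer table, site host and posted values are made up for the demonstration. The origin check in item 2 relies on the Referer header, which the client supplies, so a missing or foreign Referer is rejected but a sender that forges the header will pass it; the database and link checks do not depend on it.

```php
<?php
// Added example (not part of the Tell A Friend contribution): the three
// anti-spam checks as plain functions, driven by constructed sample data.

// Lower-case a host name and drop a leading "www." so that the shop's own
// host matches whether or not the link or Referer includes the prefix.
function normalize_host(string $host): string
{
    $host = strtolower($host);
    return strncmp($host, 'www.', 4) === 0 ? substr($host, 4) : $host;
}

// Check 1: a customer id, when set, must match a real customer row.
// $customers is a constructed stand-in for the customers table.
// Returns the row (name and email to use as the sender) or null if invalid,
// in which case the caller redirects to Log Off.
function lookup_customer(?int $customer_id, array $customers): ?array
{
    if ($customer_id === null) {
        return null;            // no id set: caller treats the poster as a guest
    }
    return $customers[$customer_id] ?? null;
}

// Check 2: the form must have been posted from this site's Tell A Friend page.
// The Referer header is client-supplied, so this is a heuristic against bots
// that post the form directly, not a proof of origin.
function posted_from_own_site(?string $referer, string $site_host): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    $host_ok = normalize_host($parts['host']) === normalize_host($site_host);
    $file_ok = basename($parts['path'] ?? '') === 'tell_a_friend.php';
    return $host_ok && $file_ok;
}

// Check 3: collect every link in the message that points somewhere other
// than the shop's own host. A non-empty result means "show error, send nothing".
function find_external_links(string $message, string $site_host): array
{
    $found = [];
    // Matches http(s):// URLs and bare "www." hosts.
    if (preg_match_all('~\b(?:https?://|www\.)[^\s<>"\']+~i', $message, $m)) {
        foreach ($m[0] as $url) {
            $candidate = preg_match('~^https?://~i', $url) ? $url : 'http://' . $url;
            $host = parse_url($candidate, PHP_URL_HOST);
            if (!is_string($host) || normalize_host($host) !== normalize_host($site_host)) {
                $found[] = $url;
            }
        }
    }
    return $found;
}

// Builds the owner notice described in item 2: the posted fields and the
// sender's IP. Returning text keeps it testable; in the shop it would be
// handed to the mail function.
function build_spam_notice(array $post, string $ip): string
{
    $lines = ["Blocked Tell A Friend post from IP $ip"];
    foreach (['from_name', 'from_email_address', 'to_name', 'to_email_address', 'message'] as $k) {
        $lines[] = $k . ': ' . ($post[$k] ?? '');
    }
    return implode("\n", $lines);
}

// --- constructed demonstration data ---
$customers = [42 => ['name' => 'Jane Doe', 'email' => 'jane@example.com']];
$site_host = 'www.example.com';
$post = [
    'to_name'          => 'Bob',
    'to_email_address' => 'bob@example.org',
    'message'          => 'See http://example.com/product and www.spam.example.net/buy',
];
$ip = '203.0.113.7';

$customer = lookup_customer(42, $customers);
$from_own = posted_from_own_site('http://evil.example.net/post.php', $site_host);
$links    = find_external_links($post['message'], $site_host);

echo 'customer: ', $customer ? $customer['email'] : 'invalid -> redirect to Log Off', "\n";
echo 'posted from own site: ', $from_own ? 'yes' : 'no -> notify owner and stop', "\n";
if (!$from_own) {
    echo build_spam_notice($post, $ip), "\n";
}
echo 'external links: ', $links ? implode(', ', $links) : 'none', "\n";
```

In the sample run the customer lookup succeeds, the foreign Referer fails the origin check and produces the owner notice, and only the `www.spam.example.net/buy` link is flagged because `http://example.com/product` resolves to the shop's own host after the `www.` normalisation.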
Installation is as simple as replacing the two Tell A Friend files. WARNING: This version is for osCommerce RC2a and earlier ONLY. Do NOT use it for osCommerce 2.3.x.