Amazon SES Blog

Exercise Caution With Refer-a-Friend Links

So you’ve got your website up and running, and have a great set of customers actively engaging with your content.  Everything is running smoothly, but now you want to try some ideas on how to increase adoption or get some new folks to come to your site.  You might have even seen some other sites with a page that lets you submit a friend’s email address and customize the message that gets sent to them to make it more personalized.  It looks easy to set up, and your users are reputable customers. What could go wrong?

Well, in almost every case that websites support this Refer-a-Friend feature, it gets exploited unless it’s done very carefully.  Imagine the following email:

From: refer-a-friend@mycompany.com
To: me@example.com
Subject: Check out the new widget in the store

Hey me,

Check out the widget (http://www.example.com/widget) at the store.

<custom content>
Hey spam recipient, if you are looking for a job, please check out my shady job site, where I’ll install a virus on your system and hijack it for nefarious purposes. http://www.nefarioussite.com/hijack.

</custom content>

See you soon,

Your Friend

If you’ll notice, the custom content from the Refer-a-Friend feature is explicitly wrapped in a visible tag to clearly demonstrate the exploit that is so commonly used by spammers.  It’s never a good idea to allow free form text to show up in email content from unauthenticated users.  And it’s almost never a good idea for authenticated users either.  Unless you do it very carefully, it will get exploited, your customers will complain, and your ability to deliver email will be impacted.

If you are adamant about having a Refer-a-Friend feature on your website, please take steps to make it difficult to exploit, such as the following:

  • Never, ever allow custom content in the body
  • Only allow one email address to be specified at a time
  • Please only allow authenticated users (someone who has already signed in) to use the feature or at least require a captcha to be completed when using it.
  • When you make first contact with the referred friend, include a link the referred friend can click to opt-in to your active users list. Without this, you are vulnerable to having spam traps added to your email lists.  See this spam trap blog post for why that’s problematic.

As always, take a look at our best practices guide for more helpful tips.  Happy Sending.

02/16/16 Note: The “From” address in the example email was updated to show that the source of the email is the website owner.