Chapter 21. Using the Recommend Us Module

Unfortunately, this is another module that I'm going to put in the same category as the Feedback and Members List modules, which I'm recommending you disable.

The Recommend Us module's purpose is innocuous enough. As shown in Figure 21.1, your users simply enter their name and e-mail address (which is already filled in by PHP-Nuke for registered users), and then enter the name and e-mail address of a friend. A canned message about your site is then sent to said friend, inviting them to check out your site.

Figure 21.1. The Recommend Us module.

The problem is that users can type anything they want for these names and addresses, meaning that they can have your site sending e-mail to anyone and have that e-mail appear to be coming from anyone. Because the module uses plain HTML forms to collect this data, it can also be fooled into accepting "recommend us" submissions from automated software programs, which can send literally hundreds of e-mails an hour from your site. Every one of those e-mails will include your site address, too, making it easy for irritated recipients to track you down and scream at your service provideran action that can get your site pulled offline pretty fast, in some cases.

If you insist on using this module, restrict it to registered users only, who may be less likely to get you into this kind of hot water. I recommend, however, that you take the safe route and disable this module completely.