Spam via sendmessage.php?

  • xorlof
    New Member
    • Feb 2014
    • 1
    • 3.6.x

    #16
    I have the latest version of Blog for vb3.8 and it still has this bug. Spam can still be sent via the Send To Friend functionality with no way to turn that off!

    Here is a bit more detailed explanation of how to edit blog.php to stop the spam:

    Find:
    if ($_POST['do'] == 'dosendtofriend')
    and add the things shown in red:
    if (FALSE && ($_POST['do'] == 'dosendtofriend'))

    Also find:
    if ($_REQUEST['do'] == 'sendtofriend')
    and add the things shown in red:
    if (FALSE && ($_REQUEST['do'] == 'sendtofriend'))

    Be sure to include the last closing parenthesis in both of those. That disables the send to friend functionality. To get rid of the link showing up in your template, you have to edit the blog_show_entry template. In that template remove this block of code:

    <if condition="$show['emailentry']">
    <a href="blog.php?$session[sessionurl]do=sendtofriend&amp;b=$bloginfo[blogid]"><img src="$stylevar[imgdir_misc]/blog/email_go.gif" border="0" class="inlineimg" alt="$vbphrase[email_blog_entry]" /></a>
    </if>

    Thanks to raywjohnson and Dan Druff for pointing me in the right direction on how to fix, unlike a lot of threads about spam coming from vBulletin. Most tell you to check the usergroup permissions and make sure 'send to friend' and 'email members' is off for unregistered, banned, etc., usergroups. If you tell them it is, and that it is still happening, then the assumption is that you're hacked or some plugin is doing it. Well, it's a plugin alright, but an official one (vBulletin Blog)!
    Last edited by xorlof; Mon 20 Oct '14, 11:23am.


    • Zachery
      Former vBulletin Support
      • Jul 2002
      • 59097

      #17
      Send to friend uses a usergroup permission for the blogs. Are you sure you checked the usergroup permissions properly?


      • raywjohnson
        Member
        • Apr 2007
        • 99
        • 5.3.x

        #18
        I will reply to this because it is the same question where VB support seems to not want to acknowledge the answer. Yes, I changed the permissions. This is not a problem with permissions. It is a spam hole/bug that spammers exploit that BYPASSES the permissions altogether. Permission settings DO NOT affect the ability of spammers to use the "sendtofriend" functionality. They are not members, not guests, not using the web interface at all.

        I did have some logged evidence at one time. I no longer have that. I have been waiting to be hit again to try to log the activity. I think it was via a spambot. (not sure anymore).

        If I do figure out exactly how they are exploiting this bug (if the bug still exists), I will post what I discover.


        • Mark.B
          vBulletin Support
          • Feb 2004
          • 24287
          • 6.0.X

          #19
          It is possible there's a bug in the old 3.8 blog module. You can try the code edits above and see if that helps.
          The 3.x blog module hasn't been sold for many years and it is not going to be developed further as it's obsolete, so there isn't much more we can really suggest.
          MARK.B
          vBulletin Support
          ------------
          My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
          My Unofficial vBulletin Cloud Demo: https://www.adminammo.com


          • Paul M
            Former Lead Developer
            vB.Com & vB.Org
            • Sep 2004
            • 9886

            #20
            vB3 blogs have a usergroup permission to turn off the e-mail to friend facility.
            Baby, I was born this way


            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 74132

              #21
              Delete the file completely from your server if you feel that permissions are not enough to fix the issue.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API


              • raywjohnson
                Member
                • Apr 2007
                • 99
                • 5.3.x

                #22
                Originally posted by Wayne Luke
                Delete the file completely from your server if you feel that permissions are not enough to fix the issue.
                This is an unnecessary and childish post. It is intended to diminish the fact that there is a real issue with the VB code. It also shows disrespect for all members trying to resolve a serious issue. Wayne Luke seems to think he is above helping the "low class" members. Maybe you should always give this "advice" for every posted problem. Just delete the file. Problem solved. Soon, all files deleted and no more problems.


                • raywjohnson
                  Member
                  • Apr 2007
                  • 99
                  • 5.3.x

                  #23
                  Originally posted by Paul M
                  vB3 blogs have a usergroup permission to turn off the e-mail to friend facility.
                  Yes. I will repeat this again.

                  THOSE PERMISSIONS ARE TURNED OFF!
                  THOSE PERMISSIONS ARE TURNED OFF!
                  THOSE PERMISSIONS ARE TURNED OFF!

                  And yet the issue is not resolved.


                  • raywjohnson
                    Member
                    • Apr 2007
                    • 99
                    • 5.3.x

                    #24
                    Originally posted by Mark.B
                    It is possible there's a bug in the old 3.8 blog module. You can try the code edits above and see if that helps.
                    The 3.x blog module hasn't been sold for many years and it is not going to be developed further as it's obsolete, so there isn't much more we can really suggest.
                    I agree. I do not think I have had the issue with VB4. I did have the issue with VB3.8. Seems to be fixed since the upgrade.


                    • Mark.B
                      vBulletin Support
                      • Feb 2004
                      • 24287
                      • 6.0.X

                      #25
                      Originally posted by raywjohnson

                      Yes. I will repeat this again.

                      THOSE PERMISSIONS ARE TURNED OFF!
                      THOSE PERMISSIONS ARE TURNED OFF!
                      THOSE PERMISSIONS ARE TURNED OFF!

                      And yet the issue is not resolved.
                      There are only two ways you're going to sort this.

                      1. Try the code edits kindly posted by a customer (note we can't provide support for this)
                      2. Delete the file from the server if you're not using blogs.

                      As stated, the vB3 blog module has been obsolete for years and hasn't been sold since 2009. It's not going to get any developer time to bugfix it, and the likely result even if it was, would be to remove the code as suggested in point 1.

                      • Dan Druff
                        New Member
                        • Mar 2012
                        • 12
                        • 4.1.x

                        #26
                        It's not just VB3.

                        This exploit also exists in VB4. Honestly, you guys should be providing support for this.

                        I just got an e-mail today from yet another forum owner whose site is being used to spam via this feature, and even removing the blog_show_entry e-mail code hasn't stopped it.

                        It appears that only a code change of blog.php solves the problem.

                        For those wondering, here is what I did:

                        1) Go to blog.php

                        2) Search for: if ($_POST['do'] == 'dosendtofriend')
                        ... and comment everything out between the { and }

                        3) Search for: if ($_REQUEST['do'] == 'sendtofriend')
                        ... and comment everything out between the { and }

                        For those not familiar with what I mean by "comment everything out", add /* in the line right below the {, and then add */ in the line right below the }

                        The suggestion to add a FALSE && in the if statements (see the post by xorlof in this thread, about 10 above this one) will also work.
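
One way to collect the log evidence this thread keeps asking for, as an added example that is not part of any post here or of vBulletin's own code: it reads access-log lines in the common "combined" format and counts, per client address, requests to blog.php that name the sendtofriend or dosendtofriend action, plus POSTs to blog.php whose `do` value may sit in the unlogged request body. The sample log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2014:11:02:01 +0000] "POST /blog.php?do=dosendtofriend HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [20/Oct/2014:11:02:02 +0000] "POST /blog.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [20/Oct/2014:11:02:03 +0000] "GET /blog.php?do=sendtofriend&b=12 HTTP/1.1" 200 4096 "-" "-"
198.51.100.4 - - [20/Oct/2014:11:03:10 +0000] "GET /blog.php?b=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Oct/2014:11:03:40 +0000] "POST /newreply.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3} ')
MAIL_ACTIONS = {"sendtofriend", "dosendtofriend"}  # 'do' values named in the thread

def classify(method, target):
    """Return 'explicit', 'possible' or None for one request line."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/blog.php"):
        return None
    do_values = {v.lower() for v in parse_qs(parts.query).get("do", [])}
    if do_values & MAIL_ACTIONS:
        return "explicit"
    # A POST can carry 'do' in the body, which access logs do not record.
    if method == "POST":
        return "possible"
    return None

def summarize(log_text):
    """Count explicit and possible send-to-friend requests per client address."""
    counts = {"explicit": Counter(), "possible": Counter()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, method, target = m.groups()
        kind = classify(method, target)
        if kind:
            counts[kind][ip] += 1
    return counts["explicit"], counts["possible"]

if __name__ == "__main__":
    explicit, possible = summarize(SAMPLE_LOG)
    for ip in sorted(set(explicit) | set(possible)):
        print(ip, "explicit:", explicit[ip], "body-only POST:", possible[ip])
```

Requests still counted after the blog.php edit show who is probing the endpoint; whether mail actually left the server has to be confirmed in the mail log.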


                        • Paul M
                          Former Lead Developer
                          vB.Com & vB.Org
                          • Sep 2004
                          • 9886

                          #27
                          Did you actually log the issue in Jira?