I've recently been looking into the spam that hits drupal.org and yesterday I've finally found out why they do that and that it actually works. Until I block the accounts at least.
A blocked a account will give any visitor a "403 access denied" message. Drupal logs these incidents. It also logs the referer of these requests, so I am able to see which page the visitor was looking at when he clicked on the link to the blocked account. Most of these pages are search resulte of google and other search engines. And of course the visitor was looking for porn of all different flavours.
This is not really something new. What really surprised me was the good google ranking that the drupal.org links had. Even for relatively unspecific two word search phrases we often ranked on the second or third page of search results. For more specific requests we often rank among the top 5 or even right at the top.
This is why spamming drupal.org makes sense for spammers: Our high page rank enables them to target their audience rather efficiently. And since googlebot loves drupal.org (https://association.drupal.org/node/332) their links show up in the search results in no time.
Now that we have looked at the business motivation of the spammers, let's look at the porn seekers.
I've taken a snapshot of our watchdog table. It contains almost 120000 "access denied errors" for user pages where there is a referer and the referer is not from drupal.org itself.
Visual inspection shows me that indeed most of these are from search engines and the search terms are of a sexual nature.
The snapshot covers the time of 13.5 hours yesterday (10:15 to 23:45 UTC). That means we have almost 9000 requests for porn on drupal.org per hour which remain unsatisfied.
The requests come from 87000 different IPs so we can conclude that most people don't fall for the same trick twice.
The geographical distribution of the IPs is as follows:
| # of 403s | Country |
|---|---|
| 30181 | United States |
| 9246 | United Kingdom |
| 7776 | Germany |
| 7520 | India |
| 4569 | Turkey |
| 4416 | Canada |
| 4119 | France |
| 3835 | Italy |
| 2207 | Norway |
| 2082 | Netherlands |
| 1941 | Poland |
| 1853 | Pakistan |
| 1771 | Australia |
| 1767 | Indonesia |
| 1649 | Brazil |
| 1624 | Spain |
| 1467 | Greece |
| 1416 | South Africa |
| 1292 | China |
| 1171 | Egypt |
| 1154 | Saudi Arabia |
| 1042 | Iran |
| 1000 | Romania |
(Showing only countries with 1000 or more entries)
The geographical distribution has been calculated using the data from maxmind after importing it into MySQL using this handy How-To.
The results are probably somewhat skewed due to not taking a full 24
hours into account.
One final notice: A friend who works for a security firm has informed me that the business of the spammers is not only porn. They are more interested in infesting the computers of the porn seekers with malware. So the porn seekers should be glad we blocked these accounts.
