Why porn spam has been appearing in Moodle sites

From MoodleDocs

Porn spammers

Porn spammers are people who desire to drive internet traffic (in this case users looking for porn on internet search engines) towards their own sites, either to sell porn or to trick the users into downloading viruses onto their computer. (More information)

The best way for spammers to achieve this result is to improve the rankings for their pages in search engines (so their links come up on top) through "search engine optimisation", and the best way to do this is to get lots of named links on many different pages around the web all pointing to their sites (the search engines automatically use this information to determine what is "important"). As a result, spammers are constantly looking for places where they can place links, and you'll find such spam everywhere on blogs, social networking sites, email, and so on. (More information)

Spammers are often fairly sophisticated in their use of technology and often use programs ("spambots") to search the web looking for such places and placing spam content there automatically. (More information)

Moodle as a target

Moodle is our free open source software that many people download and use to build their interactive education sites. There are around 50,000 active sites that we know about, and many more that we don't know about (registration is voluntary).

In cases that have been publicised recently, spammers discovered that some Moodle sites were configured so that anyone could place search-engine-visible content on a page within that site, and they took advantage of that. The spammers don't care (and may not even know) that these were school web sites. Remember that their target is not the people on the site; it is people searching for porn in search engines. (More info on spamdexing)

Because the spammers are inserting their content into the "user profile" pages of Moodle sites, this particular attack is known as profile spam.

Moodle configuration

Not all Moodle sites are vulnerable this way.

The difference lies in the configuration of the software, which is ultimately the responsibility of the person who administers that particular installation of Moodle. Moodle has many different configuration settings which allow it to be customised for different institutional needs.

There are two Moodle settings that, when combined, allow the common form of profile spam:

  1. email authentication, which allows anyone to create a user profile on the site (including a text field to describe themselves), and
  2. forceloginforprofiles turned off, which opens access to these profiles to the outside world (i.e. search engines).

This allows spammers to create an account on the site and put their content in the user description field, then get search engines to index the resulting page.

Unfortunately these were the default settings in very old versions of Moodle (before the spam problem was known) and many administrators did not know enough about the issue to change these settings, so there are still quite a few vulnerable sites out there.

How we have been addressing it

We changed the default for forceloginforprofiles in all versions after Moodle 1.7.2 (30 March 2007, MDL-8385), and the default for email authentication in Moodle 1.8.6 and later and Moodle 1.9.2 and later (11 July 2008, MDL-15544). Since then we have also added many more warnings into Moodle for various settings to educate administrators better about the risks.

For over a year we have been quietly sending alerts and warnings to the administrators of old sites that we know about, asking them either to change the settings or to upgrade to a more recent version (so they get the warnings that way), but of course we can't force them. Unfortunately there are still many old sites around where those settings have not been fixed or upgraded in several years, and these are the ones that spammers are attacking.

We have recently stepped up our efforts with more public front-page announcements (see Moodle news) and a forum for Security and Privacy. Articles in the press also help if they recommend that Moodle administrators visit http://moodle.org/security for full information.

We have also stepped up our campaign to search for the administrators of many affected sites and contact them directly, even though this sometimes takes a lot of research.

How you can help

If you would like to help alert administrators of old and insecure Moodle sites, you can try searching Google for typical sex keywords with "moodle" added to them. Once you find a site, try removing parts of the URL until you reach the home page, and look for some way to contact the administrator. If that fails, try using http://www.whois.net/ to research the owner of the domain and notify them.

Don't panic

Finally, remember that the porn content is generally not visible to other users of the affected Moodle sites.

The spammers don't (and usually can't) enrol in courses and their "user profiles" are not exposed to students, teachers or even admins on those sites. You generally will only find those pages if you are actually searching for porn on the web. This is why so many site administrators have not been aware their sites are affected.
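An administrator who wants to check their own site for both problems described above (the combination of settings in the "Moodle configuration" section, and the spam profiles that nobody on the site normally sees) can do it offline against exported rows. The following is an added example, not code from MoodleDocs or from Moodle itself. It assumes the config key names `registerauth` (value `email` for email-based self-registration) and `forceloginforprofiles` (`0` when profiles are public) as used in Moodle's `mdl_config` table, and the sample config and user rows are constructed here rather than taken from any real site:

```python
"""Added example (not from the MoodleDocs page): an offline audit helper for the
two conditions the page describes. Input rows are constructed here; in practice
they would come from Moodle's mdl_config and mdl_user tables. The config key
names 'registerauth' and 'forceloginforprofiles' are assumed from Moodle core."""
import re

# Constructed sample of mdl_config rows: name -> value (Moodle stores values as strings).
SAMPLE_CONFIG = {
    "registerauth": "email",        # email-based self-registration enabled
    "forceloginforprofiles": "0",   # profiles viewable without logging in
}

# Constructed sample of mdl_user rows (id, username, description HTML).
SAMPLE_USERS = [
    (2, "admin", "Site administrator."),
    (15, "jsmith", "Maths teacher, room 12. <a href='http://school.example/staff'>staff page</a>"),
    (1042, "qwe98231", "cheap pills <a href='http://spam1.example/x'>click</a> "
                       "<a href='http://spam2.example/y'>here</a> <a href='http://spam3.example/z'>now</a>"),
]

LINK_RE = re.compile(r"""<a\s[^>]*href\s*=\s*['"]?(https?://[^'">\s]+)""", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def open_profile_spam_config(config):
    """True when self-registration is on AND profiles are public: the combination
    the page describes. A missing key is treated as the hardened value."""
    self_reg = config.get("registerauth", "") == "email"
    public_profiles = config.get("forceloginforprofiles", "1") == "0"
    return self_reg and public_profiles


def link_hosts(description):
    """Hostnames of outbound links found in a profile description."""
    return [re.sub(r"^https?://", "", u).split("/")[0].lower()
            for u in LINK_RE.findall(description)]


def score_description(description, site_hosts=()):
    """Heuristic features: links to hosts outside the site, distinct hosts, and the
    amount of visible text. Profile spam is link-dense with little real text."""
    hosts = [h for h in link_hosts(description) if h not in site_hosts]
    text = TAG_RE.sub("", description).strip()
    return {"external_links": len(hosts), "distinct_hosts": len(set(hosts)),
            "text_chars": len(text)}


def flag_suspect_users(users, site_hosts=(), min_links=2):
    """Return ids of users whose description links to at least `min_links`
    external hosts. Meant as a review queue for the admin, not an automatic delete."""
    flagged = []
    for uid, _username, description in users:
        if score_description(description, site_hosts)["external_links"] >= min_links:
            flagged.append(uid)
    return flagged


if __name__ == "__main__":
    print("vulnerable config:", open_profile_spam_config(SAMPLE_CONFIG))
    print("suspect user ids:", flag_suspect_users(SAMPLE_USERS, site_hosts={"school.example"}))
```

The link-count threshold is deliberately a review queue rather than an automatic action: a teacher who links to a couple of external resources should be looked at by a person, while a description with several links to unrelated hosts and almost no text is the pattern the page describes. Passing the site's own hostnames in `site_hosts` keeps internal links from counting.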

The fixes are easy: see Reducing spam in Moodle for full information.