Article Index

Spam Alert

Have you found a lot of hidden spammy links on your Joomla site and don't understand how they got there? Here is a possible explanation.

Recently a case of spamming involving rogue Joomla extensions came to light. The extensions involved were several popular free modules and plugins listed in the Joomla extensions directory, mostly slideshows, twitter widgets and similar extensions. Some examples were:


Autson Skitter Slideshow (mod_AutsonSlideShow)
Share This for Joomla! (mod_JoomlaShare This)
VirtueMart Advanced Search (mod_virtuemart_advsearch)
AddThis For Joomla (mod_AddThisForJoomla)
Plimun Nivo Slider (mod_PlimunNivoSlider)

You can find out more information about this (and a list of other extensions that may be involved) in the original Joomla forum post that brought this to light:
The scam works by including code similar to the following (usually in a template file):-

     Example 1
     echo $credit;

What this does is to fetch the output of a script on the developer's site, which generates the links, and outputs them on your site. However, unless you view the page source of your site you will not see them due to another piece of code that will look something like this:-

     Example 2
     <script language="JavaScript">
     function dnnViewState()
     var a=0,m,v,t,z,x=new  Array('9091968376','888791814987883421333333338896','778787',
     t='';}}x[l-a]=z;}document.write('<'+x[0]+'  '+x[4]+'>.''{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

Although this code looks rather mysterious, what it actually does is to insert a css style tag into your page which makes the links invisible. It is done this way (presumably) in order to hide its function from Google. To Googlebot these will look like normal links, and will pass pagerank, which is what the spammer wants.

It is likely that the spammer was selling the opportunity to embed these links in unsuspecting sites. If you Google 'buy pagerank 9 links' then you will find a long list of sites offering to sell you links, which is ironic really because this is a practice that Google strongly discourages. It is unlikely that many of these links could be obtained legitimately from high quality sites, much more likely they are obtained through methods such as the one we are discussing.


What can I do about it?

If your site uses one of these extensions then you would be wise to check whether it contains the spam-generating code. Not all versions of the extensions do: the versions submitted to the Joomla extensions directory were clean, and it is likely that these were originally legitimate extensions. There are also other versions in circulation which seem to have had some of the bad code removed.

The first thing you can try is to view the page source of your site: if it contains a lot of spam links then it is likely that you have a bad version of one of these extensions. However if you do not see them it is not a guarantee that you do not have a problem, because the offending script may not always generate the links. will scan your site for free and seem to be able to identify one of these bad extensions by finding the dnnViewState() javascript described above. However this may generate false positives: the javascript itself is not actually dangerous, it is the php code in example 1 that actually generates the links.

If you do have a problem, simply unpublishing or uninstalling the extension will solve the problem for you. If you would prefer not to do this then finding and deleting the bad code will work equally well. Remember that it is the PHP code that you need to remove. Doing a simple text search in the extension files using your favourite html or text editor for 'file_get_contents' should pick this up very quickly. (Note that the PHP file_get_contents function can have legitimate uses, such as fetching an RSS feed, so finding it in an extension does not necessarily mean you have a problem).

Was there a way to prevent this happening?

The answer to this is 'no'. The extensions as originally submitted to the JED were fine, there was no way to pick this up. Even if they had contained the bad code it is unrealistic to expect the JED team (who are a small group of volunteers) to conduct a thorough security scan of every extension in the directory. They can only act on information received, which they did in this case.

As a site owner you would do well to contemplate a saying popular among economists: there is no such thing as a free lunch. If a developer gives something away for no charge then they do have a reason for it. Very occasionally it may be because they are a philanthropic millionaire with infinite time on their hands, but this does not happen very often. The quid pro quo is normally that the developer expects some publicity for it and some SEO advantage. It can be a good way to generate some spontaneous links from other sites that review Joomla extensions. Some developers take this too far and include hidden links. A lot of developers did this in the past. Google got wise to this tactic some time ago and probably do not value such links very much now, if at all. So it is just not worth doing besides being morally dubious.

Site owners need to use a bit of common sense and ask themselves why the extension is being given away, what is being gained in return? Take some time to research the extensions you intend to use. Does the developer have a good reputation? Does the website look trustworthy? Does it belong to the developer, or is this another site giving away someone else's extension? Once you have downloaded an extension don't be afraid to take a look at the code, even if you are not a programmer you should be able to get a rough idea of what it does. If there is anything that worries you then posting in the Joomla forums is a good way to get help.>

Fiona Coulter
LInked in Listin Fiona Coilter