Let’s say you learn of a Drupal security flaw. Let’s say it permits an unauthorized SQL injection. Let’s say you figure out how to insert a backlink into the Drupal link list using that exploit.
Drupal is a popular Open Source content management system, in use on hundreds of thousands of websites. It is very good, and very flexible. It is free, but installation and configuration (customization) may cost a few thousand dollars in consulting fees. Basically, it is free of licensing fees but a real, commercially used product.
So you go to Google, and search “password and instructions will be sent to this e-mail address, so make”, and you find a list of 167,000 URLs of Drupal sites. Then you hit each of the first 1,000 of those with your exploit URL, one at a time, from a free or cheap web hosting account. And then you hit a different Google datacenter for another 1,000 sites.
Or, you could have narrowed your search for on-theme websites (more valuable back links?) by adding a keyword to that Google search such as “seo”. That way you only get the best sites for your back link spam.
How long do you have to act on one of these newly-discovered security vulnerabilities? Many months, as many of the webmasters do not patch or update their Drupal installations once they are deployed. I can’t blame them too much, because once you have customized the installation there is often plenty of work required following any update process.
Often a patch can easily be applied directly to only that part of the Drupal system that was flawed. However, application developers who deploy Drupal for their clients don’t often see direct patching as economically beneficial to them, so they may try to bundle the patch in with some other unfinished (and billable) work for the client. No sale, no patch. In fact, many clients don’t even know they are running Drupal. They paid a consultant for a CMS, and got one that worked.
Spam is not rocket science. Consequently, spamming can be stopped by some simple (albeit tedious) attention to detail. Usually, we are too lazy. Do we therefore deserve to be spammed?