Hackers usually create doorways in subdirectories of legitimate sites. Sometimes such directories cannot be used for storing custom content (e.g. wp-includes in WordPress) so if we see links to such subdirectories, we suspect that the link is spammy. The are also other signals that may help us detect suspicious links.
Affecting: Any web site (no specific target).