Spam! How you can stop it clogging your Drupal site

Spam is everywhere, in our emails, in websites, in social media, but how can you stop it appearing on your site? There are a few ways, some easy, some hard and it depends on your situation which method is best for you (I strongly believe a one method fixes all doesn't exist). Below are three methods, with modules, you can use to help fight the mass of spam that exists.


This is my least favourite method. The module itself is very well built and customisable with a range of options, allowing you to define a math or image challenge to submissions, add additional forms (such as webforms) and allow certain roles to skip the need to complete a captcha. It's also easy to install and configure, allowing you to get up and going very quickly.

The downside isn't the module but the method instead. Forcing users to complete an extra step when entering information into a form is a pet peeve of mine and a user experience nightmare. In all cases you want a form to be as easy as possible for the user to ensure you get the needed data, if a user gets a captcha wrong a couple of times they're much more likely to leave completely then persist with it. You can grab the module here. You can also opt to use the recaptcha service available via a module here.

The settings page - click for a larger image


This method attempts to block spam by catching behaviour bots will follow but humans will not. The classic example is a field, hidden by css so that humans can't see it but bots will fill in. Validation kicks in and blocks the submission if the hidden field contains data - simples. There's a handy module (helpfully called) honeypot that is easy to set up, configure and provides two ways to detect bots.

The first method is by adding a hidden field to forms you select (including node/add and webforms) which if filled is rejected with your standard form error. The second method allows you to set a time limit in seconds, if the form is submitted within that time it's rejected again (for example if a form is filled in within 3 seconds you can reject it as a bot submission).

You want to know the best thing about this? You can add it to custom forms as well! The module provides a great API, allowing you to add hidden fields or time protection to your own form, providing protection across the site. The only downside to this method is that it's not as foolproof as the first method, but considering there's no annoyance to your users a fantastic method all the same. You can get the honeypot module pictured below here, but there are other similar modules available.

The settings page - click for a larger image

Web Services

There are spam filtering services provided by third parties that automatically analyse form submissions and filter spam - it's kinda like magic, but real. The one I'm going to mention here is Mollom. Created by Drupals very own,Dries Buytaert, once set up form submissions can be sent to mollom to be analysed. If the submission is identified as spam it is blocked, if it identifies it as 'ham' it is let through. If the system is unsure it defaults to manual moderation or a captcha.

This is the hardest method to set up and configure and takes the longest time to do so as well. For each node or comment form you can decide if you'll use text analysis or a captcha, check for spam or profanity, set how strict the check should be, define how it should handle 'unsure' posts and what to do if it identifies spam. For webforms you cannot define how to handle unsure or spam submissions.

For all options you can opt to allow content to be moderated from the mollom moderation platform rather than Drupals core system. The system also allows you to add blacklists for any value or to emails, users and IPs for spam, profanity or 'unwanted' text. Alongside this it supplies statistics so you can view how much spam the system has blocked.

There's a great deal of detail in a system like this, far more than I can go into now. It's really robust and great for large scale sites providing you're willing to pay the small subscription fee. The only downside is the time it takes to set up, particularly if you're creating new webforms frequently.

Comment form settings page - click to enlarge,

There are other services available, three of which link into the antispam module (Akismet, TypePad AntiSpam, and,Defensio) each with different pricing options and settings.


The end bit

As (almost) always, there are a range of modules that can help you in any situation and dealing with spam is no exception. Above are just a few I've found to be useful, it's up to you to analyse your situation and choose the best one for you to get the job done. Until next time happy spam killing!