The Secret to Stop Form SPAM in Drupal
Posted on October 17, 2014 by Bob Kruse
Not long after you launch a Drupal site, the spam bots will sniff you out and immediately start sending junk through your forms and creating fake users through your registration form.
99% of the time spammers use automated programs that comb your website, looking for email addresses to grab and forms (contact forms, comment forms, forum forms, etc.) to post into. I’ve even seen Drupal-specific bots register for accounts, log in, access the /node/add page and then try to continuously add new nodes. Crazy.
As the website owner, it’s your duty to defend against such attacks. Why?
- Wastes your bandwidth
- Causes your site to slow down
- Clogs your email queues
- Fills your site with spam pages (which could get indexed in Google and drop your ranking)
I Hate Captcha
I know hate is a strong word, but I really, really don’t like Captcha. It deters legitimate users from filling out your forms. It’s often very hard for even humans to read. The audio captchas are difficult to understand. If you get them wrong, they sometimes wipe out your entire form. Overall, they’re not user-friendly and cause more problems than they were intended to prevent. Moving on…
I used to be a firm believer in Mollom (https://www.drupal.org/project/mollom) to protect my sites. It smartly interprets the submitted form and determines if it looks like spam or not. Then it presents a captcha if it suspects spam. It’s logically a great method to protect from spambots.
Every time I would launch a site, I would generate a Mollom API key and get my protection for the first 100 emails per day – after that you have to sign on to their paid service or just deal with the extra junk mail. I actually hit the limit of sites I was able to add to my Mollom account – 30 sites.
Then I went through a period last year after our server crashed where none of my sites could connect to Mollom, causing long page load times. Mollom apparently was “calling home” on every page load, looking to validate my api keys. Since it couldn’t connect, the 10 second timeout period had to expire before a single page would load. Ouch.
In the end, we finally discovered the issue was a server problem on our end, a bad DNS configuration, but regardless, I don’t like the fact that Mollom even had the potential to make my sites crawl.
So I thought… there has to be a better way.
Bad Behavior & Spambot
My next tag team of spam fighting modules then became Bad Behavior (https://www.drupal.org/project/badbehavior) and Spambot (https://www.drupal.org/project/spambot).
Bad Behavior prevents spambots from even entering your site by analyzing the type of browser they are using and comparing it to the profiles of known spambots. It actually works really well, and you get a report showing you what it has defended against.
Bad Behavior does require an API key, and it also has to call home from time to time to validate the key, so you can experience a minor speed hit while using this module. It also blocked me from accessing my site using Opera Mobile and sometimes with Firefox, plus it blocked my uptime detection service (uptimerobot.com), so I eventually had to stop using it.
Spambot specifically protects your user registration form by verifying the potential user against a database of known usernames, email addresses, and IP addresses. I was surprised how many it found on a few of my sites. There are some nice settings that allow you to fine-tune how sensitive it is and what happens to the account if it finds a known spammer, such as blocking the user or deleting the user.
Like Bad Behavior, it also requires an API key, and to be honest it can be difficult to get a key because the process is a bit confusing and sometimes they don’t even allow new API keys to be generated.
The good news about Spambot is that it only calls home during the user registration process, so if it’s ever down, the whole website won’t suffer. The bad news is that it won’t catch everyone. It’s only as good as its database of known spammers, so it’s very possible for unknown ones to get right through. So it’s not 100% protection, but it is decent.
Antibot & Honeypot
My current favorites are Antibot (https://www.drupal.org/project/antibot) and Honeypot (https://www.drupal.org/project/honeypot) primarily because they rhyme. Kidding. They are both super lightweight, no API keys, and super effective.
So adding Honeypot into the mix may seem a bit redundant, but I use it just in case something were to get past Antibot. Honeypot places a hidden field within your form that humans never see but bots do. If a bot fills out the hidden form field, then we know it’s a bot, and the submission is thrown away. Simple reverse logic.
Just be careful with the time limit setting. If you submit a form too fast, it will assume you’re a bot. I usually disable mine because it can prevent legitimate users from doing things like submitting Add to Cart forms.
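To show what the two Honeypot checks described above actually do on the server side, here is an added, framework-agnostic example (not the Honeypot module’s code and not Drupal form API code). It assumes a hidden field named url, a timestamp field named honeypot_time, a site secret, and a 5-second minimum delay; all of those are illustrative choices. The timestamp is signed with an HMAC so a submitter cannot simply backdate it, and passing min_seconds=0 disables the time limit, which is the "disable it" case mentioned above.

```python
"""Honeypot-field and time-limit validation for a web form.

Added example modelled on the two defences the Honeypot module applies to
a Drupal form; it is not the module's own code.  Field names, the secret and
the minimum delay are assumptions chosen for illustration.
"""
import hashlib
import hmac
import time

# Server-side secret used to sign the rendered timestamp (constructed for this
# example; a real site would use its private key / hash salt).
SECRET = b"example-site-private-key"
HONEYPOT_FIELD = "url"           # present in the HTML, hidden from humans by CSS
TIMESTAMP_FIELD = "honeypot_time"
MIN_SECONDS = 5                  # the "time limit" setting discussed above


def make_timestamp_token(now=None):
    """Value to embed in the form when it is rendered: "<unix time>|<hmac>"."""
    ts = int(now if now is not None else time.time())
    sig = hmac.new(SECRET, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}|{sig}"


def check_submission(fields, now=None, min_seconds=MIN_SECONDS):
    """Return (accepted, reason) for a submitted name->value mapping."""
    now = now if now is not None else time.time()

    # 1. Honeypot: a human never sees the field, so it must come back empty.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"

    # 2. Time limit: the form must have been rendered at least min_seconds ago,
    #    and the timestamp must carry a valid signature so it cannot be forged.
    token = fields.get(TIMESTAMP_FIELD, "")
    try:
        ts_str, sig = token.split("|", 1)
        ts = int(ts_str)
    except ValueError:
        return False, "missing or malformed timestamp"
    expected = hmac.new(SECRET, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "timestamp signature invalid"
    if ts > now:
        return False, "timestamp in the future"
    if min_seconds and now - ts < min_seconds:
        return False, f"submitted after {now - ts:.1f}s, under the {min_seconds}s limit"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a form rendered at t=1000 and posted 10 seconds later.
    token = make_timestamp_token(now=1000)
    print(check_submission({"name": "Bob", "url": "", "honeypot_time": token}, now=1010))
    print(check_submission({"name": "Bob", "url": "http://example.invalid", "honeypot_time": token}, now=1010))
    print(check_submission({"name": "Bob", "url": "", "honeypot_time": token}, now=1002))
```

The honeypot check runs first because it is free and unambiguous; the time check is the one that can produce false positives on quick, legitimate submissions such as an Add to Cart button, which is why it is the setting worth tuning or switching off per form.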
With these 2 modules in place, I rarely see form spam anymore, and on top of that, these modules don’t require any API calls that could slow my sites down, so it’s a big win for me and my clients.
At the end of the day you won’t be able to beat a real, live, non-bot spammer. But the good news is most spammers are lazy and under-paid. They are looking for the low-hanging fruit, so it’s extremely rare to see a live human spammer.