Blair Wadman 4 minute read

How to (almost) eliminate comment spam with Drupal

A few weeks ago I was ready to turn off the comments on my blog. Despite having Mollom running, I was left with a non trivial amount of spam comments to manually deal with each day. It felt like a waste of my time. I love the great comments I get. But there are always people who want to ruin the party, and for the web, it is spammers.

On its own, Mollom is not effective enough.

Mollom does a great job at reducing spam, but it does leave behind enough spam to make you question allowing comments at all.

But here is the thing - you don't have to rely on one single system. As soon as I mentioned on Twitter that I wanted to turn off comments due to spam, I got some great replies with various options.

Outsource comments

One option is to use a 3rd party system like Disqus, Livefyre, Facebook or Google to handle the comments. These are nice solutions and they take a lot of the pain away. However, it does mean outsourcing your comments to a 3rd party, which is something I decided against.

Use Hashcash

According to its website, Hashcash is "a proof-of-work algorithm, which has been used as a denial-of-service counter measure technique in a number of systems."

Sounds funky. Friends of mine have said that it worked for them.

There is a Drupal module

There is also HashCash.io and the Drupal module Proof-of-Work CAPTCHA, which uses the same concept (but a different algorithm).

Add Honeypot

Honeypot tricks spam bots by adding a field that only they fill in. The field is named something like "homepage", so they think it is a real field. In fact, only spam bots see the field and it is hidden from real people. If the field is filled in, the comment gets blocked. Honeypot also uses time detection. So if a comment is created in less than 5 seconds, it is more likely to be a spam bot than a human, so it gets blocked.

Check out the Drupal Honeypot module

Add captcha questions

Image based captcha's are generally annoying for users and not totally effective. Spam bots have found ways to complete them. Mollom actually uses an image based captcha if it detects a possible bot.

But there is an alternative which people have had success with: question based captcha. Rather than showing the user a difficult to read image, present them with a simple question, such was "what is two plus ten" or "what is the capital of france". This seems to be more effective against bots, and also a nicer experience for humans. Sure, you have to apply some thought to come up with the answer. But isn't that easier than trying to figure out the characters in image based captchas?

Check out the Drupal Captcha question module.

Other modules to check out

Here is a list of Drupal modules to take a look at, in addition to the ones mentioned above.

What did I do?

I wanted to try the option that would be least intrusive for users first and see how effective it was. I am already running Mollom, so the obvious next step was to add the Honeypot module. Mollom has honeypot built in, but adding the Honeypot module seems to give it an extra boost.

And I am happy to report that it has eliminated pretty much all spam! There is still some left over, but it is significantly lower in number and therefore totally manageable. Success.

Credits

Big thanks to the following people who helped me on Twitter: Michael Prasuhn, Tine Müller, Sean Burlington and Marcin Pajdzik