How to (almost) eliminate comment spam with Drupal

A few weeks ago I was ready to turn off the comments on my blog. Despite having Mollom running, I was left with a non trivial amount of spam comments to manually deal with each day. It felt like a waste of my time. I love the great comments I get. But there are always people who want to ruin the party, and for the web, it is spammers.

On its own, Mollom is not effective enough.

Mollom does a great job at reducing spam, but it does leave behind enough spam to make you question allowing comments at all.

But here is the thing - you don't have to rely on one single system. As soon as I mentioned on Twitter that I wanted to turn off comments due to spam, I got some great replies with various options.

Outsource comments

One option is to use a 3rd party system like Disqus, Livefyre, Facebook or Google to handle the comments. These are nice solutions and they take a lot of the pain away. However, it does mean outsourcing your comments to a 3rd party, which is something I decided against.

Use Hashcash

According to its website, Hashcash is "a proof-of-work algorithm, which has been used as a denial-of-service counter measure technique in a number of systems."

Sounds funky. Friends of mine have said that it worked for them.

There is a Drupal module

There is also and the Drupal module Proof-of-Work CAPTCHA, which uses the same concept (but a different algorithm).

Add Honeypot

Honeypot tricks spam bots by adding a field that only they fill in. The field is named something like "homepage", so they think it is a real field. In fact, only spam bots see the field and it is hidden from real people. If the field is filled in, the comment gets blocked. Honeypot also uses time detection. So if a comment is created in less than 5 seconds, it is more likely to be a spam bot than a human, so it gets blocked.

Check out the Drupal Honeypot module

Add captcha questions

Image based captcha's are generally annoying for users and not totally effective. Spam bots have found ways to complete them. Mollom actually uses an image based captcha if it detects a possible bot.

But there is an alternative which people have had success with: question based captcha. Rather than showing the user a difficult to read image, present them with a simple question, such was "what is two plus ten" or "what is the capital of france". This seems to be more effective against bots, and also a nicer experience for humans. Sure, you have to apply some thought to come up with the answer. But isn't that easier than trying to figure out the characters in image based captchas?

Check out the Drupal Captcha question module.

Other modules to check out

Here is a list of Drupal modules to take a look at, in addition to the ones mentioned above.

What did I do?

I wanted to try the option that would be least intrusive for users first and see how effective it was. I am already running Mollom, so the obvious next step was to add the Honeypot module. Mollom has honeypot built in, but adding the Honeypot module seems to give it an extra boost.

And I am happy to report that it has eliminated pretty much all spam! There is still some left over, but it is significantly lower in number and therefore totally manageable. Success.


Big thanks to the following people who helped me on Twitter: Michael Prasuhn, Tine Müller, Sean Burlington and Marcin Pajdzik


Last week I came to the same conclusion: Mollom was letting through 5-20 comments entitled "Add new comment | Dcycle" every day. Honeypot eliminated them. Mollom and honeypot is a good solution for now. Still, how hard can it be it for spambots to figure out how to detect a hidden field. It's only a matter of time before we are "forced" to outsource comments to third parties, something with which I too do not feel too comfortable.

I had given up on Mollom, and just disabled comments on my site. Both the CAPTCHA and Text Analysis ended up with so many spam comments, and it was a huge waste of time trying to moderate them.

I've just enabled Honeypot... we shall see how it goes. Thanks for the tip(s)!

Blair Wadman's picture

Good luck! Let us know how it goes.

Try http:bl in combination with mollom. It keeps out all known IP's of spammers and hackers. Mollom or honeypot then can easly take care of the rest of the spam.

Try Simple Anti-Spam module
It saves me from spam comments.

Blair Wadman's picture

Thanks for the tip. I've added it to the list

Any suggestions for spam user registrations?

Blair Wadman's picture

Honeypot, Mollom & the various captcha options will help with user registrations as well.

I recently have success using the User Registrations module to block spam user registrations. It allows you to block users by specific patterns such as domain name. Very handy if you notice a lot of the spam is from the same domain.

try BOTCHA It contains several test if the user is bot.

I was having lots of sign up spam on one of my sites, and after a while, Mollom became less and less effective. After installing the Honeypot module spam sign ups have tricked to almost none, and there has been no noticeable adverse affects on legitimate sign ups.

Great to have a list of different options all together. Mollom's been pretty reliable on its own for me; I just wonder if the continued HTTP requests in the background aren't a performance hit. I seem to get three or four spam comments a minute at certain times of the day; I dare say they're the biggest performance hog on my rather under-visited website.

For a while, I did trial a simple homegrown Field API/CCK-based question/response challenge, the Comprehender:

The premise was a bit like captcha questions, but using a field on each node to source the question & multiple-choice answers. The theoretical advantage was that, because the question/answer was different for each item of content, it would catch misunderstandings as well as spam. That meant if you were writing about something contentious you'd get fewer comments going off at the deep end!

However, it was tricky to reliably stop Mollom from checking the content regardless, even if the Comprehender check failed, so it's fallen into disuse a bit. It might still have its use for *someone*, but if Mollom does start failing for me I think I'll try something on this list instead, like Honeypot,

I have been using both mollom text analysis and botcha for a combination of honeypot and other spamicide measures for quite some time now, and have basically eliminated spam on my sites.

I went the Mollom + Captcha route. I got busy/lazy and didn't realize that my site filled up with over 10,600 spam comments in moderation just running Mollom alone. I was getting 100's of spam attempts per day so I installed the Captcha module which drastically reduced the spam however I was still getting tons and tons of attempts, and the Captcha module uses a good deal of processing power to make the captchas for each attempt which got me in trouble with my hosting provider b/c I wasn't being a good neighbor. I ended up having to switch to Media Temple which has way higher limits on processor usage. So that's something to keep in mind.

Interesting that Honeypot is still working for many people. I switched from Mollom to Honeypot several years ago when Mollom became innefective (or at least unreliable) for me, and it worked great for a long time.

But the last two months Honeypot also started letting through large amounts of spam comments. Changing the field name and setting a higher time limit did not help.

Hey Blair and all,

I wonder if anything has changed with Mollom? I mean for about three years it worked great for me only letting in about one spam comment a week - then a few months ago spam comments started getting through regularly and now I get about ten a day in the approval queue :(

I am going to try honeypot but I am just wondering is there a way with Mollom or something else to distinguish comments with links ie to say "comments without links can be published immediately without approval but comments containing links must be queued for approval?"


Blair Wadman's picture

I noticed the same thing with Mollom - it was great and then suddenly it stopped being effective.

Regarding publishing comments without links - I don't think there is a way to do this with Mollom as it stands and I'm not aware of anything else that does this. But it does sound like a great idea!

But the last two months Honeypot also started letting through large amounts of spam comments. Changing the field name and setting a higher time limit did not help.

New comments for this tutorial have been turned off.