Spam—we all hate it and it’s not just for email anymore, hello Drupal comment spam.
To determine what is effective at preventing Drupal spam, I ran a little case study when I redesigned this site. These are the conclusions I drew from trying a number of different combinations:
- A Drupal 5 site that allows anonymous user comments will be consumed by spam. I was receiving over 500 spam comments a day on this site.
- Changing the comment settings to force a comment preview for anonymous users reduced spam by 80%, but I was still seeing around 100+ a day.
- Adding in the captcha module reduced spam even further by about 90%, to only a dozen or so.
- To catch the remaining spam, I added in the Akismet module which was then able to filter out the remaining 98-99% of spam, with only possibly 1 or 2 every few days slipping by.
Of course, if I forced my users to sign up and verify their accounts I probably wouldn’t have much of a spam problem to begin with, but why should I put that extra burden on my users? :-)
Leave your comments, but eat your own spam :-)
Nice little article, thanks for taking the time to test things and let us know what happened.
I’m in the midst of redesigning and Drupalizing my own site, so I’ve been pondering whether to allow anonymous comments and the best way to do it.
Bookmarked!
I recently suffered from Drupal Comment Spam too – however I already had the Spam module and the Captcha module installed – but the spammer(s) were persistent.
I ended up using a “phonebook to kill a wasp” approach by simply blocking that ISP’s subnet. I wrote it up on my blog; From Russia Without Love.
Thanks for sharing your experiences with us but I’ve got a few noob questions:
1. How did activating Akismet affect the server / bandwidth / etc.?
2. In general, how did activating captcha and forcing preview affect genuine comments, i.e. do you think your articles are receiving fewer comments now?
3. Do you think captcha/forcing preview is really necessary when Akismet is activated, i.e. have you tried it the other way around, first Akismet then the others? Or is there another reason for this, maybe linked to my first question?
Thanks, Dan
Registration does not help in itself: automated registration bots are also visiting Drupal sites and, once registered, post comments. So some kind of registration blocker (e.g. a captcha) is still needed.
I’ve had good success with the captcha math test as you have enabled here.
I had enabled trackbacks briefly, without the captcha protection, and got pelted immediately with trackback spam. I disabled that module.
One problem on relying on captcha module is the module is something of a mess. Just look at the issues/bugs queue for it. I’m using an older version.
Shouldn’t something like captcha that’s so important be in Drupal core, as it is for, say, phpBB? Just a thought. But unprotected, Drupal 5 is going to be a spam magnet and quickly rendered unusable if one wants comments.
FYI, I just entered the correct answer to your math question and was told it was incorrect. 4+2 is 6, right?
Yes, that’s an annoying bug of the captcha module. Most of the time (almost certainly when previewing a comment) I had to enter the question twice to get it to pass…
Something new to consider is the reCaptcha module. It uses reCaptcha which is something being put out by Carnegie Mellon University.
Haven’t tried it yet but I have been a user when commenting on other sites.
Akismet is a great tool (www.akismet.com). My WordPress blogs have the Akismet plugin, which blocks all the spam.
I haven’t tried the spam or captcha modules, but I think Akismet is the better option for blogs now.
Thanks for your suggestions :)
For my sites, captcha math test, and comment mail do the trick.
No need for akismet.
Don’t forget about access rules. Mass blocking of large amounts of domains (e.g. *.biz, *.ru) is quite effective.
I force user signup and I still get spam. Also, there is “user profile spam” even if you don’t allow comments — people sign up with profile names or fields that have spam URLs in them.
Access rules aren’t perfect, but you can block emails with “nasty” domain names. It should probably be extended to be the blocking mechanism for anonymous comments, too.
@Dan, great questions!
1. I’m on a shared host with Site5.com so the performance for my little blog was negligible.
2. I don’t think forcing a preview and answering a quick math question prevents a whole lot of valid comments. Forcing users to register certainly would prevent a significant amount of comments :-)
3. I added the Captcha/force comment preview to reduce the load sent to Akismet, as well as reduce the number of spam comments to sift through, in case I was trying to find valid comments.
@mfer, that is a great idea! I had not seen the reCaptcha module but will have to play with that soon and post results.
When you say captcha you mean the math question, right, not the image captcha (aka Textimage)?
I found that the math question was solved by many spammers lately and it is not working for me. The main issue here is mono-culture. If many sites use the same simple question then it is worth the spammer’s time to solve it.
Have a look at a new module called Captcha Riddler, I think it is going the right direction: http://drupal.org/project/riddler
Also, the Captcha module went through some cleanup recently, I think it is improving.
Akismet does not work for me at all. Yes, it does stop most spam, but it still notifies me and I still have to clear the queue (being careful not to delete any good comments). Lots of boring work.
And finally, the trackback module. It seems broken to me. Even though it is configured to moderate all trackbacks, it still publishes them right away. Did anyone else experience the same?
Not sure if there is a solution to trackback spam in general, since there is no human intervention when a trackback is submitted.
Marius
I too use the captcha math/Akismet combination and have found it to be the most effective method for controlling comment spam.
While Drupal spam has gotten worse over the past few months, it still doesn’t compare to the amount of spam I’ve seen through a WordPress site of mine. A WordPress site of mine has received over 16,000 spam comments in the past year. It wouldn’t be bad except it’s a blog that doesn’t receive much traffic!
Bryan
I’m using Akismet and comment mail, currently. I’d love to add a math captcha back into the mix, but that module has been pretty broken for a while now (note: I’m simply stating the reason I don’t use it, not complaining about its current state. My own contrib modules haven’t been getting as much love as they should get lately either, I know what it’s like).
Akismet has been fantastic.
I love it..
My spam panic has now ended!
Thanks
I’ve not had any comment spam posted to my Drupal 5.1 site yet, though I’ve had numerous attempts at automatic registration and direct comment access. Since I have a business site, I require registration for some features, such as comments. I’m using these modules:
- Comment Mail
- Registration Code
- Spam
- Troll
I created a block to be used with Registration Code that contains an image with the current registration code and instructions on where to enter the code. I decided to do this as an image to prevent the code from being spidered.
So far it’s been working great. I had a couple of dozen automatic registration attempts in the past two days and all have failed.
Thanks for this small and easy tutorial.
I suffer from spam every day, and thanks to this article, I hope that the number of spam will decrease.
Ann