What are people using to prevent spam signups and spam posts (and comment spam)

Spam filter on all content posted by anon and general registration users.

Captcha on posting anon content. (Sometimes on registration.) However, I've found that the bots often are able to guess through brute-force trial and error the simple math questions. Textimage works great, but accessibility becomes an issue there.

Report spam for trusted users only.

Troll module for banning users, though using the spam filter on troll content can be very effective.

Laura
pingVision, LLC

I've really only ever had issue with comment spam (The sites I've created haven't required anon content, and aren't big enough to attract human spammers).

The way I see it there are three main approaches and you need to decide based on where your resources are.

1. let the machine handle it:

   This includes things like spam.module which uses Bayesian logic to filter content, or Akismet which sends the content to the Akismet mothership for checking via several tests, or Bad Behavior which looks for spammer-like activity and blocks those users.

   Setup for these types of solutions tends to be a bit of work, also they can slow your site down considerably depending on the amount of spam that you get and the power of your server.

2. Let the user handle it:

   This includes turing tests like captcha.module which presents a math problem or "numbers embedded in an image, or KittenAuth - the cute alternative, you're presented 5 images of animals and you pick the kitty. There's also things you can do in comment.module setup like requiring contact information, or requiring previews.

   The problem is that image captchas don't do so well with screen readers or cell phones. This makes it impossible for people with vision problems or other accessibility problems to use your site. And Spam bots still get past the math captcha about 5% of the time. If your users have low technical abilities they may not know to hit the "submit" button after they preview. Or the extra click may "not be worth their time".

3. Let the admins handle it:

   You could disallow commenting without approval in admin/access and/or something like Comment Mail which sends an email with approve/deny links to the admin every time a comment is submitted. Or you could have an army of content mederators to delete spam when they find it.

   This method is of course a lot of work for your people, and depending on your method, there's either a delay in content getting posted, or a delay in spam getting taken down.

My method of choice is currently a combination of:

• math captcha
• optional contact info (But I've removed the "email" and "homepage" fields via form_alter() in a custom module)
• preview required
• maybe commentmail.module

dave hansen-lange

For comment spam, Akismet has worked very well for us.

For non-anon posts, we've (so far) found that having a required, custom profile field seems to be enough to stop the bots.

It would be nice if someone rolled this method into a drupal module:

one or more fake form fields are added to the form. But style sheets are used to make them "invisible". To further confuse the attacker, the fake form fields are given names like "subject" and such suggesting to the bot that these are the form fields they are looking for. However, whenever a form is submitted with content in a "hidden" field, it is discarded. I am not talking about the classic hidden form fields that are not user changeable, but form fields that are marked with "display: none" like:

<input name="subject" style="display: none;" type="text">

Sure, in particular after I write this article, attackers may catch on. But there are many ways to mark a form field as "invisible". You can randomize the names of your form fields to further confuse them. In short: you again increased the workload on the spammer without affecting the regular user.

dave hansen-lange

User registration spam is a tricky one, but in addition to the Akismet module, take a look at mod_security for Apache. http://atomicplayboy.net/blog/2005/01/30/an-introduction-to-mod-security/ looks like a good article on configuring it to fight comment spam.

I wonder if we could come up with a list of "likele spam user" names or components and add them to the Access Rules list. Would that block people from signing up with user names like that?

For example, any user name with "Casino" or "Viagra" in it would be disallowed.

I would be happy to regularly flag user accounts that look like spam users, but there is no easy way to do mass user administration (is that coming in 5.0). For example, search for all users with "Viagra" in the name, and then update them to be "blocked".

http://www.CivicActions.com
http://www.GregoryHeller.com

I takes a lot of clicking to manualy look into profiles and delete those new registered spammers :(

Over on a Wordpress blog I run (yes I know - one day it will be moved to Drupal!) we've been using Akismet for about 6+ months. However recently it has begun marking genuine comments as spam too.

So we're running a trial of Spam Karma 2 which, on paper, appears to have a good selection of ideas which are combined to produce a barrier to the annoying comment spam.

It could be a starting block for something to be ported to a Drupal module?

A semi-relevant proposal from back in May can be found here: http://drupal.org/node/64861

Sorry if it's a little off-topic, but I just found it today.

captcha module and text image module.

http://xamox.NET

edit: minor updates & corrections

I use the spam and captcha modules. I have my systems set up to notify me (using the advuser and notify module) by email when new users register or post content which I then review (we are still fairly low traffic, so this is workable.) If I see spam, I block the user, update the spam filter(s) if necessary, and add access rules that block the user from ever registering again with the email address (or variations).

I've noticed an interesting referrer log pattern that precedes a spam posting by a new user (almost all have been 'cell phone' spammers trying to post free classified ads for cell phones and other electronics on my sites) - and all have been humans, as far as I can tell due to some of the features of my classified ads module. (We did get a small amount of bot-generated site feedback form spam, but enabling the captcha.module stopped it cold.)

The new user almost always arrives at my site via a particular google (or other engine) search that identifies my site as 'open' to visitor posts, and the keywords have nothing to do with my site topic - all generic keywords having to do with posting free ads. A search for the new user's email address on yahoo or google provides fast verification that the user's email address has been used to post similar content on dozens if not hundreds of sites. This is interesting to me, because I think it is possible to automate the process on new user sign-up, and block the user, or flag the new user's posts (unpublished, moderation, etc.) so that the spam never shows up on the site. (Well, a guy can dream, can't he?)

I think that spambots look for user registration forms having certain field types visible on the registration form beyond the standard email address/password fields.

For example, text fields (textarea), URL fields, etc. I've blogged about my most recent attack
here.

(I'd paste it here, but I don't want to duplicate the content)

Hope this helps,

Mike

The link to the content below might be helpful if and when it receives replies from the g.d.o gurus.

What are g.d.o's policies to remove spam & spam user accounts? How does g.d.o prevent spam?

Walt Esquivel, MBA; MA; President, Wellness Corps; Captain, USMC (Veteran)
$50 Hosting Discount Helps Projects Needing Financing

I notice that most of my spam account signups have come from *@gmail.com, *@yahoo.com, *@hotmail.com, etc. While not really 'spammy', these domains (and especially yahoo, in my case) are favorites with the spam account signups.

So, on some sites, I've created access rules blocking account signups with email addresses matching '%@hotmail%, %@gmail%, %@yahoo%.

Yes, this will block legitimate users. I've not received any complaints as yet, and on the two sites that were still receiving non-bot spam accounts, I've not seen any more spam accounts in the last week. The jury's out whether this is worth the trouble, but I'm quite happy with the results so far.

Michael Curry
Exodus Development | Drupal and other developer info

On smaller (younger) sites, I review every new user account - I check the user's email address, and if a google or yahoo search shows that the new user has dumped spam on other sites, I block/delete the user and/or ban the email address that was used to sign up.

I've recently taken over as maintainer of the advuser module, and I've added a new feature that can be a great help - the module has always had the ability to notify by email when a new user signs up or an existing account is modified.

I've recently enhanced the notification feature that allows insertion of the new user's email address, and also inserts a link to a google and yahoo search for the user's email address into the notification email - this allows me to just click a link in the notification email, and I know very quickly if I'm dealing with a spammer.

Michael Curry
Exodus Development | Drupal and other developer info

Comment Mail
Registration Code
Spam
Troll

I do not allow anonymous comments, and the Registration Code module has worked great so far in blocking automatic registrations. I post the current registration code as an image in a block just below login so human visitors know what to enter to initiate registration. For those who may block images, the title of the image is the current registration code.

I also do as inactivist and block some email domains.

Is groups.drupal.org using the captcha module for authenticated users?

strangely enough, I am constantly getting comment spam from comments posted to this particular thread - and from no other comments from posts on other drupal groups. Irony abounds!

Same here. Does this suggest a technique for luring spam to an innocuous post? ;)

I am having a problem with spam user registrations. So far I have had no spam posts or comments and I am running Akismet, but how do I stop spam registrations?

I've also made a "invisible captcha" challenge for Captcha module. It’s based on the algorithm of Scott Allen (http://www.hybrid6.com/webgeek/plugins/wp-spamfree), a captcha free plugin for Wordpress.

I would appreciate feedback on it: http://blog.ag-prime.com/2009/06/drupal-captcha-invisible-captcha-challe...