Spam control past mollom

peacekaat's picture

We are currently using Mollom to prevent spammers. This worked fine until about a month ago, when a couple of very invasive spammers somehow managed to get through Mollom -- using complete and obvious garbage -- and post it 20-50 times a day to our site.

Does anyone have a best practices solution, or does anyone have other suggestions on how to beat spam?

We are running D 6.20.

Thanks in advance.

Comments

My library has been using

SarahSBranham's picture

My library has been using Mollom as well, and we've been having the same problem, to a lesser degree. Comments that are clearly spam are slipping through.

I'm sorry that I don't have any suggestions; I just wanted to let you know that it's not just you. Mollom seems to be having a rough month.

I'm going to be following this thread; I'd like to see what everyone comes up with.

Captcha

generalelektrix's picture

You all probably already know the CAPTCHA module, but just to let you know, I've been using it here and very little spam has ever come through.
I also suggest you upgrade to D 6.26, as it includes critical security patches that are not in 6.20.

Captcha module is not necessarily a CAPTCHA

slef's picture

CAPTCHA = Completely Automated Public Test for Telling Computers and Humans Apart.

The default test provided by the CAPTCHA module is an eyetest. Humans with impaired vision will be locked out by it. It cannot tell computers and humans apart. In other words, it is not a CAPTCHA.

Even worse, eyetests are a form of disability discrimination, so may break the law in some countries if used in certain ways. They're unjust, so please don't use it.

Similar comments seem to apply to the reCAPTCHA, CAPTCHA Pack, KeyCAPTCHA, Draggable CAPTCHA and Image CAPTCHA - and to Mollom as well, actually. Avoid all of those. The TextCaptcha, Riddler and Egglue Semantic CAPTCHA may be OK.

Going back to the original question: what's the best practice? The absolute best is designing the site so that there's insufficient return for spammers to be interested (very hard with drupal because drupal-spambots are pretty cheap to make now) and that human moderators can cope with anything that gets past the automated tests (so you need some way to recruit more moderators as your community gets larger - not sure if there's a nice drupal module to suggest new recruits, based on how many approved submissions they've posted).

The best automated tests I've seen which haven't already been mentioned are the Spam module (lets you define rules that should keep out obvious spammers) and BlogSpam.Net - but in general, this arms race is still going on.

It's been my experience over

jnicola's picture

It's been my experience over the past few years as a developer that solutions such as reCAPTCHA and Mollom are a double-edged sword. On one hand, they have the most support and are the strongest against attacks (in theory). On the other hand... they also make for the most lucrative targets. If you can get past reCAPTCHA or Mollom, you've gained access to hundreds of thousands of sites. Even better, they tend to use the same classes and IDs along with DOM structure, making detecting forms that use them REALLY easy!

My personal favorite workaround that some smart spammer figured out was that they would actually just run out and get a human to get through the human test. There's a plethora of fake Torrent and other illicit content websites out there that promise to deliver the content if you can just successfully fill out the reCAPTCHA shown to prove you aren't a robot! Only you aren't actually filling out a reCAPTCHA on their website... you're filling out a reCAPTCHA for a spam robot somewhere waiting to send a library an email about Gucci purses! Apparently highly motivated individuals will fill out the Captcha 8-12 times before they realize it's not going anywhere. Clever, clever!

I recently set up reCAPTCHA for a freelance client I work with, and not only did reCAPTCHA fail to provide spam protection, but it also has gotten too complex for many less computer-savvy (and patient) users. Don't even bother clicking the audio button to hear how that works either. It's been known to cause spastic fits of rage in older marketing individuals (I've witnessed two).

Implementing your own captcha is relatively easy actually as far as the PHP code goes. Leveraging it into Drupal is another story. There are a variety of simple PHP libraries assembled to quickly create your own captcha leveraging the GD imaging library. You can even run with custom images, and open source fonts from FontSquirrel or anywhere else to really help make yours extra unique. Put in 20-some-odd basic patterns, and an equivalent amount of open source fonts that are somewhat tricky, and you've got your own quite unique Captcha setup! In the end, you aren't a lucrative target for spammers, as deciphering your one-off (and wildly varying) Captcha gains them access to very little! It also winds up a lot easier for a human to understand as well.

Another solution that I typically use in addition is the Hidden CAPTCHA technique: http://drupal.org/project/hidden_captcha

It just places a hidden form field on all of your forms. Robots (and Google!) are technically blind, so they don't view a form in the same way we do; they simply grab the DOM, traverse the form elements and fill them full of spam. Most don't check the CSS properties on a particular element (a lot more complex to code and a lot more time-consuming to execute the relationship checking), so they'll just fill out the hidden form that no one else sees and not get through on that note alone.

Best of luck,
Jesse Nicola
A guy who used to work on Drupal Library Websites

Jesse Nicola -- Shredical six different ways to Sunday! -- My Portfolio
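
The hidden-field check described in the comment above, as an added example; it is not part of the thread and is not the Hidden CAPTCHA module's code. `SITE_SECRET`, `decoy_name`, the `extra-field` class and the form markup are all assumptions made for illustration; the decoy's name is derived per site so the form does not share a recognizable field name with other sites.

```python
import hashlib
import hmac
from html import escape

# Assumption: a random per-site value kept out of the page source (constructed here).
SITE_SECRET = b"constructed-example-secret"


def decoy_name(form_id):
    """Derive the decoy field's name from the site secret and the form id."""
    digest = hmac.new(SITE_SECRET, form_id.encode(), hashlib.sha256).hexdigest()
    return "f_" + digest[:10]


def render_comment_form(form_id="comment_form"):
    """Return a comment form with one extra text input moved off-screen by CSS."""
    decoy = escape(decoy_name(form_id))
    return (
        "<style>.extra-field{position:absolute;left:-9999px}</style>\n"
        '<form method="post">\n'
        '  <textarea name="comment"></textarea>\n'
        '  <div class="extra-field" aria-hidden="true">\n'
        # The label covers visitors whose browser ignores the stylesheet.
        f'    <label>Leave this field empty <input name="{decoy}" '
        'tabindex="-1" autocomplete="off"></label>\n'
        "  </div>\n"
        '  <input type="submit" value="Save">\n'
        "</form>"
    )


def check_submission(post, form_id="comment_form"):
    """Server-side verdict for a submitted form (post maps field name to value)."""
    decoy = decoy_name(form_id)
    if decoy not in post:
        # A browser always submits an untouched text input as an empty string,
        # so a missing key means the request was not built from our form.
        return "reject: decoy field missing"
    if post[decoy] != "":
        return "reject: decoy field filled"
    return "accept"
```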

Homemade solutions can work well

jkwilson's picture

Great comment above about notable spam services being double-edged swords. If you use a recognizable service you're going to attract spam as much as defend against it. Last month I finally gave up on captcha. It just wasn't helping much anymore. I considered implementing Mollom so this discussion is interesting to see.

Instead I went with a solution something like what is suggested in this Slashdot thread. Just adding an extra unusual field, easily passed by a human, but not something a spambot would know to seek out, has been very helpful.

Check out the Drupal module I

jnicola's picture

Check out the Drupal module I linked in my above long comment. Does exactly that :)

Jesse Nicola -- Shredical six different ways to Sunday! -- My Portfolio

spambot

mototribe's picture

I have great success with the spambot module, it blocks spammers from signing up on the site.

Thoughts on Spam control

Michael-IDA's picture

Hi Melissa,

We just faced a similar situation where one of our clients, using the base CAPTCHA module, had 10,000 spam comments in ~2 months. Given this, the suggestion above of “more moderators” seems moot.

The best solution we've found has been the combination of:

http:BL - http://drupal.org/project/httpbl and
CAPTCHA - http://drupal.org/project/captcha

The http:BL needs both these mods to be fully effective:

http://drupal.org/node/1855304
http://drupal.org/node/1833648

CAPTCHA needs to be configured to use Image CAPTCHA (part of CAPTCHA), with some distortion and noise.

With the above we cut their 100-200 Spam comments a day down to under 1 per day. (D5 site)

The same configuration can be seen on another of our clients, http://upc-exchange.com/ (D6 site)

Hope this helps,
Sam

Note: We've used and discarded these modules:

Mollom:
By itself, in a heavy spam environment, it will bring a production site to its knees, resulting in frequent error 500s. It also has no method for a human to post to your site once they have been triggered as false positive spam.

Hidden CAPTCHA:
Even after customizing the question, spam gets through 3-10x over our above solution.
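
How an http:BL lookup is formed and read, and how it can feed a CAPTCHA as in the combination described above; this is an added example, not code from the thread or from the httpbl module. The access key is a constructed placeholder, the answers used are constructed, and the `block_threat` and `max_age_days` thresholds are assumptions to tune per site.

```python
import ipaddress

ZONE = "dnsbl.httpbl.org"
# Fourth octet of the answer is a bitset of visitor types; 0 means search engine.
TYPE_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment_spammer"}


def query_name(access_key, visitor_ip):
    """Build the DNS name to resolve: <key>.<reversed IPv4 octets>.<zone>."""
    ip = ipaddress.ip_address(visitor_ip)
    if ip.version != 4:
        raise ValueError("http:BL lookups are defined for IPv4 addresses only")
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{access_key}.{reversed_octets}.{ZONE}"


def decode_answer(answer):
    """Decode the A record text; None stands for NXDOMAIN (address not listed)."""
    if answer is None:
        return {"listed": False}
    first, days, threat, vtype = (int(part) for part in answer.split("."))
    if first != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    if vtype == 0:
        return {"listed": True, "search_engine": True}
    kinds = [name for bit, name in TYPE_FLAGS.items() if vtype & bit]
    return {"listed": True, "search_engine": False,
            "days": days, "threat": threat, "kinds": kinds}


def decide(answer, block_threat=50, max_age_days=30):
    """Map an answer to 'allow', 'captcha' or 'block' (thresholds are assumptions)."""
    info = decode_answer(answer)
    if not info["listed"] or info["search_engine"]:
        return "allow"
    if info["days"] > max_age_days:
        return "captcha"  # stale listing: challenge instead of refusing outright
    if "comment_spammer" in info["kinds"] and info["threat"] >= block_threat:
        return "block"
    return "captcha"
```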
