10 Ways to Block Spam Registrations in Drupal

Spam Blocking

If you’re going to use popular software like Drupal, one of the downsides is that you’ll need to deal with spam.

A lot of OSTraining members report that they receive many spam user registrations on their sites.

In this blog post, we’ll look at 10 of the best ways to avoid getting overwhelmed by spam users.

#1. Core approval features

Drupal has a default feature that allows you to either completely block or moderate all user registrations.

Go to Configuration > Account settings. You can set “Who can register accounts” to a couple of useful settings:

  • Administrators only: this will block all registrations.
  • Visitors, but administrator approval is required: This will require you to manually approve all users.

[Screenshot: the “Who can register accounts” options under Account settings]

#2. E-mail verification

Another Drupal core feature allows you to require e-mail verification before a user account becomes active. This adds a significant hurdle for spammers. Go to Configuration > Account settings to enable this feature.

[Screenshot: the e-mail verification option under Account settings]

https://drupal.org/project/user_verify adds some more sophisticated options to the email verification process, including the requirement for the user to enter a special token.

#3. Block certain user details

If you have a lot of spam registrations, there’s a good chance there will be some patterns in the spam user details. For example, you might have a lot of users signing up as “John Smith” or using .ru email addresses.

https://drupal.org/project/user_restrictions allows you to block both emails and usernames based on certain patterns. Here’s an example which blocks .ru domains:

[Screenshot: a User Restrictions rule blocking .ru domains]

#4. Captchas

A Captcha presents a visual challenge that is supposed to be difficult for spammers to solve. https://drupal.org/project/captcha provides easy integration with your Drupal registration forms.

[Screenshot: Captcha module]

However, Captchas have several problems. They can often be hard for even normal users to see. They are also not good for users with visual disabilities.

https://drupal.org/project/riddler is an interesting variation on a Captcha. It allows you to ask a question that will probably stump spambots:

[Screenshot: a Riddler question]

#5. Honeypots / Secret form fields

One spam-defeating technique that we’ve found to be very effective is hidden fields. You add an extra input field to every form and then hide it with CSS. Humans never see the field but spambots do and when they fill in the field the form is discarded.

https://drupal.org/project/spamicide is a module that makes it easy to create hidden fields.

This technique is often called a Honeypot and there’s a module with the same name: https://drupal.org/project/honeypot. Click here to read the module’s author explaining the meaning behind the name “Honeypot”.

There are some funny variations on this idea. For example, https://drupal.org/project/simpleantispam adds a visible checkbox marked “I’m not a spammer” and a hidden checkbox marked “I’m a spammer”:

[Screenshot: the “I’m not a spammer” and “I’m a spammer” checkboxes]
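
The hidden-field check described in this section, combined with the username and e-mail pattern blocking from #3, as an added example in framework-neutral Python (it is not code from this article or from any of the Drupal modules named). The decoy field name `homepage_url`, the glob rule syntax and the sample submissions are assumptions of this example.

```python
import fnmatch
import html

HONEYPOT_FIELD = "homepage_url"   # hypothetical decoy name, chosen for this example
DENY_EMAIL = ["*@*.ru"]           # the article's example pattern, as a glob (assumed syntax)
DENY_NAME = ["john smith"]        # the article's example username
HONEYPOT_CSS = ".hp-wrap { position: absolute; left: -9999px; }"  # hide off-screen


def render_honeypot(name=HONEYPOT_FIELD):
    """HTML for the decoy input: hidden by HONEYPOT_CSS, out of the tab order,
    and autocomplete=off so form-filling tools are less likely to populate it."""
    n = html.escape(name, quote=True)
    return (f'<div class="hp-wrap" aria-hidden="true">'
            f'<label for="{n}">Leave this field blank</label>'
            f'<input type="text" id="{n}" name="{n}" value="" '
            f'tabindex="-1" autocomplete="off"></div>')


def first_match(value, patterns):
    """Return the first deny pattern the value matches (case-insensitive), or None."""
    value = value.strip().lower()
    return next((p for p in patterns if fnmatch.fnmatchcase(value, p)), None)


def screen_registration(form):
    """Return (accepted, reason) for a dict of submitted registration fields."""
    # A browser submits the empty decoy too; if it is absent, the rendered form was bypassed.
    if HONEYPOT_FIELD not in form:
        return False, "honeypot field missing"
    # Humans never see the decoy, so any content marks an automated submission.
    if form[HONEYPOT_FIELD].strip():
        return False, "honeypot field filled"
    hit = first_match(form.get("mail", ""), DENY_EMAIL)
    if hit:
        return False, f"email matches deny rule {hit}"
    hit = first_match(form.get("name", ""), DENY_NAME)
    if hit:
        return False, f"username matches deny rule {hit}"
    return True, "ok"

# Constructed sample submissions (not real registrations).
SAMPLES = [
    {"name": "alice", "mail": "alice@example.org", "homepage_url": ""},
    {"name": "bot1", "mail": "bot1@example.org", "homepage_url": "http://spam.example"},
    {"name": "John Smith", "mail": "js@example.org", "homepage_url": ""},
    {"name": "carol", "mail": "Carol@Mail.RU", "homepage_url": ""},
]
```

Running `screen_registration` over `SAMPLES` accepts only the first entry; values are lower-cased before matching, so a mixed-case address does not slip past the deny rule.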

#6. Block by location

http://drupal.org/project/geoblocker allows you to blacklist or whitelist access to a Drupal site by country.

It’s not the most sophisticated technique because determined spammers will find a way around these restrictions, but it will block a lot of low-level spam attempts.

Certainly it’s worth considering if your site is specifically focused on one location and you have little to no interest in overseas users.

#7. Secret codes

If you have a site without a large audience, you could consider giving out a secret code to potential members.

https://drupal.org/project/mothermayi allows you to set a secret code that people must enter in order to register successfully.

#8. 3rd party spam tools

There is a wide variety of 3rd party systems that try to prevent spam registrations. These are often paid services. Here are some of the most popular:

Here’s an introduction to Mollom. This video is part of our class on using Mollom to beat spammers:

[Video: introduction to Mollom]

#9. Delayed roles

https://drupal.org/project/role_delay is an interesting approach. It allows you to slowly give users more permissions over time.

For example, a brand new user might not be able to post comments or forum posts. Over time they can automatically be moved into Drupal user roles with more permissions.

#10. Warning message

https://drupal.org/project/warning made me smile. Instead of providing a sophisticated technical solution, the Warning module simply tells your users that you won’t tolerate spam. Here’s how the module’s creator describes it:

“I wrote this module because my personal blog was listed in do-follow lists and generated up to 30 spam comments per day that were not filtered by Mollom. After adding a simple (default) warning for comment submission about the fact that I do not tolerate unrelated links and the comments are moderated, this number dropped to 3 spam comments on average.”

Find more spam blocking options

There is a huge list of spam-blocking modules at https://groups.drupal.org/node/77093.

Author

  • Steve Burge

    Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

19 Comments
Juan Pablo Donoso
10 years ago

Thank you Steve, great job, it is good to see that these simple tips stop spam!

steve
10 years ago

You’re welcome, Juan. Glad it’s useful.

kalabro
10 years ago

I hope you are not going to use configuration from the third screenshot in real life.
// Kate from Moscow

steve
10 years ago
Reply to  kalabro

No, I promise we won’t 🙂

James @ Symposium Digital
10 years ago

Honeypot should be #1 and the rest should follow only once Honeypot stops working. Honeypot is unobtrusive to the user and stops 99% of spam for most sites that are plagued with the usual bots.
If your site is getting specifically targeted by a spammer that avoids Honeypot then you’ll need to look at putting something else in. It also has the added benefit of protecting various other forms across the site.

Nancy W.
10 years ago

http://drupal.org/project/email_verify

steve
10 years ago
Reply to  Nancy W.

Thanks Nancy. I was going to put that under option 2, but was hesitant due to “Maintenance status: Unknown”

Nancy W.
10 years ago
Reply to  steve

That just means that the maintainer hasn’t filled that out since it was added to D.O. You have at least one in your list that hasn’t had a commit in 3 years, so I went ahead and mentioned this one.

Wendy Wentzel
9 years ago
Reply to  Nancy W.

that’s a good one – thanks for adding it.

bugfolder
10 years ago

We’ve used honeypot fields, required profile fields, and pattern-recognition of automated registration attempts, which have taken the number of bogus registrations per day down from a maximum of 300 attempts/day down to just a few. (We also block IPs that match spammer signatures, and our blocked_ips table now has over 8000 entries.) But we found that the Windows password manager “1Password” sometimes fills in honeypot fields by mistake, so honeypots are not a sure-fire way of distinguishing between spammers and legit users.

Mary Briggeman
10 years ago

There’s also a nice module for Drupal called SpamBot that checks the new visitor against the StopForumSpam site’s records of reported forum spammers and can automatically block them based on the criteria you set for matching. It also lets you report new spammers to StopForumSpam. I’ve found it very useful.

Wendy Wentzel
9 years ago
Reply to  Mary Briggeman

We use this one on all sites that allow registration (along with honeypot, and often some pattern-matching rules) – it blocks a lot of spammers.

dibya
9 years ago

very good article ..useful to

David Latapie
9 years ago

Excellent list. I went with riddler for http://xmrmonero.com, we’ll see if it suffices (admin approval + email definitely did not suffice, although the first one at least prevented comment spam, if not spam registration).

itefixnet
9 years ago

Thanks a lot for a nice wrap-up … https://www.drupal.org/project/httpbl also does a decent job

Muhammad Khadafi
9 years ago

Thanks man, I’m really annoyed about spammers... there are 10-20 and more users registering on my marketplace

Abhi
8 years ago

Modules like https://www.drupal.org/project/spamfree_email can be used to prevent email harvesting.

mowamed
8 years ago

Great post, it solved my spam problem, thanks Steve

mbremer
7 years ago

Hi,

I use User restrictions to block certain email from registering. Unfortunately I cannot select user roles here. I would like to block some domains for a specific user role. Any suggestions?
Thx,

Marcel
