Spam Be Gone! 10 Spam Blocking Drupal Modules


Maintaining and marketing the LevelTen website comes with its positives and negatives. Big positive: we get tons of traffic. Big negative: we get tons of spam. As a marketer, it's in my best interest to build LevelTen's community as best I can. On the LevelTen domain, this means encouraging and responding to blog comments. But it's difficult to keep this up when 7 out of every 10 comments are spam. With all the signals I have to pay attention to as an Internet marketer, it becomes easy to tune out blog comments if I know 70% are spam.

We've tried systems such as Captcha & Mollom for blocking spam, but each time, spammers seem to find ways around it. While each was great at blocking robot-generated spam, we found that actual humans were going through and individually leaving spam comments. These users even went through the trouble of creating user accounts on our website, and then posting lengthy passages from unrelated books, filled with anchor text link spam. What an ordeal for the spammer!

In an effort to prevent spam on your Drupal website, I've identified 10 modules built specifically for spam protection. Descriptions taken from each module's Project Page.


A CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human. The purpose of CAPTCHA is to block form submissions by spambots, which are automated scripts that post spam content everywhere they can. The CAPTCHA module provides this feature to virtually any user facing web form on a Drupal site.


ReCaptcha ties into the ReCaptcha service, which is a slight extension of the basic Captcha module.


The Spam module provides numerous tools to auto-detect and deal with spam content that is posted to your site, without having to rely on third-party services. The Spam module provides a trainable Bayesian filter, automatic learning of spammer URLs, flagging of content with an excessive number of links, the ability to create custom filters, and more.


Mollom provides a one stop solution for all spam problems and can protect the following Drupal forms. It offers and intelligently combines:
  • CAPTCHAs -- both image and audio CAPTCHAs
  • text analysis
  • user reputations

and can:
  • block comment form spam
  • block contact form spam
  • protect the user registration form against fake user accounts
  • protect the password request form
  • block spam on any node form, such as forum topics, articles, stories, pages, and more


AntiSpam module is the successor of the Akismet module, and it provides spam protection to your Drupal site using an external antispam service like Akismet. AntiSpam module is fully compatible with Drupal 6.x (Akismet module for Drupal 6.x release had many compatibility issues and was not usable as it was), and it expanded the support of the external antispam service with TypePad AntiSpam and Defensio service as well as Akismet service. Now you can choose one of the antispam services you wish to use.

Blog Spam

BlogSpam provides a central location where comments can be checked for various spam indicators. Checks available: The BlogSpam service makes use of a plugin architecture to provide checking. If you are running your own blogspam server then the plugin list may vary. At present the following plugins are available (and running on the public BlogSpam server at
  • 00blacklist Is the given IP blacklisted?
  • 00whitelist Is the given IP whitelisted?
  • badip Block a comment if the IP address it has been submitted from has been locally blacklisted. The local blacklist is read from /etc/blogspam/badips and each line is assumed to be a Class C address.
  • bogusip Is this an internal IP? That might be fine for local use, but in the real world such IPs are not going to be seen and can be safely marked as spam.
  • dnsrbl Test whether the IP address submitting the comment is listed in the DNS RBL
  • dropme This plugin is a simple test one - if a comment mentions the IP address it is coming from in the subject along with the key then we'll always report it as spam.
  • emailtests Perform some simple tests on the submitted email address.
  • lotsaurls Block if we find more than a given number of links in message. The default is 10 links, but this may be changed by the caller.
  • requiremx If we've got an email address make sure that the domain : a. Has an MX record.
  • sfs Test whether the IP address submitting the comment is listed in the database.
  • size Is the given post too large, or too small?
  • stopwords Block if we find some particular stop-words in the body of the message.
  • surbl Lookup each URL in the body of the comment and test against
  • wordcount Block posts that are only a few words long.
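
A few of the checks in this list, chained the way a plugin architecture would run them, as an added PHP sketch (not the BlogSpam server's own code). The inline blacklist standing in for /etc/blogspam/badips, its one-network-address-per-line format, the option names `max_links` and `min_words`, and the four-word minimum are assumptions; only the 10-link default comes from the description above.

```php
<?php
// Added sketch of a BlogSpam-style check chain; not the BlogSpam server's code.

// Constructed stand-in for /etc/blogspam/badips.
// Assumption: each entry is the network address of a Class C (/24) block.
const BAD_NETS = ['203.0.113.0'];
// Internal ranges tested by the bogusip check (IPv4 only in this sketch).
const INTERNAL = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'];

function in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int) $bits);   // keep only the network bits
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

function any_cidr(string $ip, array $cidrs): bool {
    foreach ($cidrs as $cidr) {
        if (in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// Runs the checks in order and returns the name of the first one that fires.
function check_comment(array $c, array $opts = []): string {
    $maxLinks = $opts['max_links'] ?? 10;  // lotsaurls default, caller may override
    $minWords = $opts['min_words'] ?? 4;   // assumed threshold, not from the page
    if (filter_var($c['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return 'SPAM:invalid-ip';
    }
    $plugins = [
        'badip'     => fn() => any_cidr($c['ip'], array_map(fn($n) => "$n/24", BAD_NETS)),
        'bogusip'   => fn() => any_cidr($c['ip'], INTERNAL),
        'lotsaurls' => fn() => preg_match_all('#https?://#i', $c['body']) > $maxLinks,
        'wordcount' => fn() => str_word_count(strip_tags($c['body'])) < $minWords,
    ];
    foreach ($plugins as $name => $test) {
        if ($test()) return "SPAM:$name";
    }
    return 'OK';
}

// Constructed sample submissions (documentation and private address ranges).
$samples = [
    ['ip' => '198.51.100.7', 'body' => 'Which of these modules works with Drupal 6?'],
    ['ip' => '192.168.1.20', 'body' => 'Posting from behind the office router here.'],
    ['ip' => '203.0.113.45', 'body' => 'A comment sent from a locally blacklisted block.'],
    ['ip' => '198.51.100.9', 'body' => str_repeat('http://example.test/x ', 11)],
    ['ip' => '198.51.100.9', 'body' => 'nice post'],
];
foreach ($samples as $s) {
    printf("%-15s %s\n", $s['ip'], check_comment($s));
}
```

Returning the name of the check that fired gives the site operator something to log and review when a legitimate comment is rejected.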


The purpose of Spamicide is to prevent spam submission to any form on your Drupal web site. Spamicide adds an input field to each form, then hides it with CSS; when spam bots fill in the field, the form is discarded. The field, and matching .css file, are named in such a way as to not let on that it is a spam defeating device, and can be set by admins to almost anything they like (machine readable please). If logging is set, the log will show if and when a particular form has been compromised, and the admin can change the form's field name (and corresponding .css file) to something else. The install routine sets some default forms as a minimum defense, and admins can turn it off for these, but it's not suggested; it's really the reason it was installed.

Spam Span

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. It implements the technique at the SpamSpan website (a German version is also available). The problem with most email address obfuscators is that they rely upon JavaScript being enabled on the client side. This makes the technique inaccessible to people with screen readers. SpamSpan however will produce clickable links if JavaScript is enabled, and will show the email address as example [at] example [dot] com if the browser does not support JavaScript or if JavaScript is disabled. This technique is unlikely to be absolutely foolproof. It is possible in theory for a determined spambot to harvest addresses from your site no matter how you disguise them. But research suggests that by far the great majority of spambots do not bother to attempt to collect addresses which have been hidden using JavaScript. Indeed, most spambots cannot currently read JavaScript at all.

Comment Lockdown

Comment Lockdown is a drug of last resort in battling comment spam. You should not use this if you haven't tried something less likely to cause side effects like Mollom. You should continue use of Mollom with Comment Lockdown. This module has some very specific rules for comments, and unlike Mollom, is incapable of learning, has no settings, does not care what kind of user you are, and rejects anything written in a language other than English. These rules aren't arbitrary; they're based on experience with The New York Observer's massive database of spam comments. This module won't help sites that accept comments in languages other than English.
  • Link (A) tags cannot account for more than 20% of all characters.
  • No more than 20% of all characters can be non-ASCII--this accounts for words like "fiancé" while preventing comments in other languages.
  • At least 10% of all words must be in the list of top 100 English words.
  • Javascript must be enabled.

This isn't foolproof by any means, but a spam robot would have to be customized to defeat it. These rules are currently not flexible. If interest develops in this module, I might consider allowing admins to tweak thresholds, disable the JS checker and add role-level permissions for it.
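
The three content thresholds above, applied to sample comments in an added PHP example (not the module's own code). It assumes the link rule is measured over whole `<a>` elements, uses a short stand-in for the top-100 word list, which the page does not reproduce, and leaves out the JavaScript requirement because that is a client-side check.

```php
<?php
// Added illustration of the three content rules listed above; not the module's code.
// Assumption: a short stand-in for the "top 100 English words" list.
const COMMON_WORDS = ['the', 'be', 'to', 'of', 'and', 'a', 'in', 'that', 'have', 'i',
    'it', 'for', 'not', 'on', 'with', 'as', 'you', 'do', 'at', 'this', 'but', 'is', 'was'];

function char_count(string $s): int {
    return (int) preg_match_all('/./su', $s);  // Unicode characters; 0 on invalid UTF-8
}

// Returns the names of the rules a comment breaks (empty array = accepted).
function lockdown_violations(string $comment): array {
    $total = char_count($comment);
    if ($total === 0) {
        return ['empty-or-invalid'];
    }
    $violations = [];

    // Rule 1: <a> elements may account for at most 20% of all characters.
    // Assumption: measured over the whole element, tag plus link text.
    preg_match_all('#<a\b[^>]*>.*?</a>#isu', $comment, $m);
    $linkChars = array_sum(array_map('char_count', $m[0]));
    if ($linkChars / $total > 0.20) {
        $violations[] = 'links';
    }

    // Rule 2: at most 20% of characters may be non-ASCII.
    if (preg_match_all('/[^\x00-\x7F]/u', $comment) / $total > 0.20) {
        $violations[] = 'non-ascii';
    }

    // Rule 3: at least 10% of words must be common English words.
    preg_match_all("/[\\p{L}']+/u", strip_tags($comment), $w);
    $words = array_map('strtolower', $w[0]);
    $common = count(array_intersect($words, COMMON_WORDS));
    if (count($words) === 0 || $common / count($words) < 0.10) {
        $violations[] = 'common-words';
    }
    return $violations;
}

// Constructed sample comments: plain English, link-stuffed, non-English.
$samples = [
    'Thanks for the list, this is the module I was looking for.',
    'Great <a href="http://example.test/pills">cheap pills online</a> post',
    'Отличная статья, спасибо за обзор модулей',
];
foreach ($samples as $s) {
    echo implode(',', lockdown_violations($s)) ?: 'ok', "\n";
}
```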

Bad Behavior

Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots. It goes far beyond User-Agent and Referer, however. The problem: Spammers run automated scripts which read everything on your web site, harvest email addresses, and if you have a blog, forum or wiki, will post spam directly to your site. They also put false referrers in your server log trying to get their links posted through your stats page. As the operator of a Web site, this can cause you several problems. First, the spammers are wasting your bandwidth, which you may well be paying for. Second, they are posting comments to any form they can find, filling your web site with unwanted (and unpaid!) ads for their products. Last but not least, they harvest any email addresses they can find and sell those to other spammers, who fill your inbox with more unwanted ads. Bad Behavior intends to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts.

Having tried Mollom and both Captcha services at one point or another, the two modules that are most interesting, and that represent the best candidates for solving our spam problems are Comment Lockdown and Blog Spam. While other modules are mostly built for blocking robot spam and contact form spam, both of these modules seem focused around blocking comment form spam. What I like about Blog Spam is its ability to check back with multiple spam filters. I can see this tactic coming in handy as spammers continue trying to find ways around our spam protection. Comment Lockdown provides a set of strict rules for finding comment spam, which I also like, but could find limiting down the road.

What have you found to be the best Drupal modules for preventing spam?
