If you allow any kind of user-generated content on your Drupal site, including comments, you will invariably start to see users crop up with user names like "gyigrrgq", "porn", and "buy viagra". At best, these users sit in the users table and do nothing. At worst, they probe and then blast your Drupal instance with more spam than you can shake a stick at. Often the technique is to leave comments on old content, in the hope that site managers won't notice them while they still generate some clickthroughs to whatever site the spammer is promoting.
What I like to do is set up a block of recent comments. Sometimes it is public and sometimes it is private to a single role, depending on the site owner's needs. This is a very simple thing to do and will allow you to see new spam comments at a single glance. If you check your site every few days, you'll catch any spammy ugliness.
- Go to /admin/build/block
- Assign "Recent Comments" to a region
- If you want it private, click on edit and scroll down to "Role specific visibility settings" and choose a role
- From this page you can also choose to show the block on specific pages if you desire
- Scroll to the bottom and "Save Blocks"
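The spam-on-old-content pattern described above can also be flagged from the database side. The following is an added example, not part of the original post: it runs against a constructed in-memory SQLite database whose table and column names (users, node, comments, status, created, timestamp) are assumptions modelled on a Drupal 6-era schema, so check them against your own database before adapting the query.

```python
import sqlite3

DAY = 86400  # seconds

def build_sample_db(now):
    """Constructed sample data; table layout is an assumed, simplified Drupal 6-style schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT, status INTEGER);
        CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, created INTEGER);
        CREATE TABLE comments (cid INTEGER PRIMARY KEY, nid INTEGER, uid INTEGER,
                               subject TEXT, timestamp INTEGER);
    """)
    # users.status: 1 = active, 0 = blocked (assumption)
    db.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        (2, "alice", "alice@example.org", 1),
        (3, "gyigrrgq", "x1@example.net", 1),
        (4, "buy viagra", "x2@example.net", 0),
    ])
    db.executemany("INSERT INTO node VALUES (?,?,?)", [
        (10, "Launch announcement", now - 400 * DAY),   # old content
        (11, "This week's update", now - 2 * DAY),      # fresh content
    ])
    db.executemany("INSERT INTO comments VALUES (?,?,?,?,?)", [
        (100, 11, 2, "Nice update", now - 1 * DAY),
        (101, 10, 3, "great post", now - 1 * DAY),
        (102, 10, 3, "cheap pills", now - 3600),
        (103, 10, 4, "old spam", now - 30 * DAY),
    ])
    return db

def stale_thread_comments(db, now, recent_days=7, old_days=180):
    """Return comments posted in the last `recent_days` on nodes older than `old_days`."""
    rows = db.execute("""
        SELECT c.cid, u.name, u.status, n.title
        FROM comments c
        JOIN node n ON n.nid = c.nid
        JOIN users u ON u.uid = c.uid
        WHERE c.timestamp >= ? AND n.created <= ?
        ORDER BY c.timestamp DESC
    """, (now - recent_days * DAY, now - old_days * DAY)).fetchall()
    return [{"cid": cid, "author": name, "author_active": bool(status), "node": title}
            for cid, name, status, title in rows]

if __name__ == "__main__":
    NOW = 1_250_000_000  # fixed, constructed "current time" (Unix seconds)
    for hit in stale_thread_comments(build_sample_db(NOW), NOW):
        print(hit)
```

Each hit whose author is still active is a candidate for the block-then-delete procedure described later in this post.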
Secondly, I generally don't like anonymous comments. If someone wants to post to my site, I'd like them to register. This way, if a user leaves inappropriate comments, I can block the user, rendering the email address useless for future spamming on the site.
- Go to /admin/user/access
- Scroll down to "Comment Module"
- Allow anonymous users to "Access Comments" but nothing else
- Allow registered users to post comments and post comments without approval (if you don't want to review each comment before allowing it to go live)
- Scroll to the bottom and "Save Permissions"
Next, you can use a module like Captcha to have a user "prove" they are human. If you are allowing anonymous comments, this is nearly essential to avoid an avalanche of spam on your site. You can also use a service like Mollom, which is currently in public beta.
What to do when you receive spam?
1. Don't just delete the comment.
2. Don't delete the user.
3. I right click on the user's user name in the thread and open up a new window
4. Click on the user's edit tab
5. Change the status of the user from "Active" to "Blocked"
6. Scroll down and click "Submit"
7. Close the window
8. Click delete on the comment (if you want to unpublish but keep the comment in question, click on edit and then use the administrative pull down to unpublish the comment)
When you block the user's account, the email address associated with that user can't be used to register on your site any longer. If you simply delete the user, that user could re-use the email address and continue to use it to spam your site.
If one user has spammed your site heavily, go through steps 1-6 and then head over to "Content Management":
1. Go to /admin/content/comment
2. Check the boxes for all the spam comments from the user you just blocked
3. Change the "update options" to "Delete the Selected Comments"
4. Click on "Update"
5. It will bring up a "Warning this can't be undone" message. Click "Delete Comments" if you are sure you want to delete them.
OR
- Go through steps 1 and 2
- Change the "update options" to "Unpublish the Selected Comments"
- Click on "Update"
This is helpful if you have comments that you feel you should hold onto for any number of reasons, but don't wish to have public.
Using a variety of different techniques can keep your site spam free without a huge amount of effort. My suggestions here are just a few ways you can foil the efforts of others to plaster your site with phony comments.