Drupal Basics -- Dealing with Spam

If you allow any kind of user generated content on your Drupal site including comments, you will invariably start to see users crop up with user names like: "gyigrrgq", "porn", and "buy viagra". At best, the users sit in the user's table and do nothing. At worst, the users probe and then blast your Drupal instance with more spam than you can shake a stick at. Often the technique will be to leave comments on old content in the hopes that site managers won't notice it but it will generate some clickthroughs to whatever site the spammer is targeting.

What I like to do is set up a block of recent comments. Sometimes it is public and sometimes it is private to a single role depending the on the site-owner's needs. This is a very simple thing to do and will allow you to see new spam comments at a single glance. If you check your site every few days, you'll catch any spammy ugliness.

1. Go to /admin/build/block
2. Assign "Recent Comments" to a region
3. If you want it private, click on edit and scroll down to "Role specific visibility settings" and choose a role
4. From this page you can also choose to show the block on specific pages if you desire
5. Scroll to the bottom and "Save Blocks"

Secondly, I generally don't like anonymous comments. If someone wants to post to my site, I'd like them to register. This way, if a user leaves inappropriate comments, I can block the user rendering the email address useless for future spamming on the site.

1. Go to /admin/user/access
2. Scroll down to "Comment Module"
3. Allow anonymous users to "Access Comments" but nothing else
4. Allow registered users to post comments and post comments without approval (if you don't want to review each comment before allowing it to go live)
5. Scroll to the bottom and "Save Permissions"

Next, you can use a module like Captcha to have a user "prove" they are human. If you are allowing anonymous comments, this is nearly essential to avoid an avalanche of spam on your site. You can also use a service like Mollum, which is currently in public beta.

What to do when you receive spam?

1. Don't just delete the comment.
2. Don't delete the user
3. I right click on the user's user name in the thread and open up a new window
4. Click on the user's edit tab
5. Change the status of the user from "Active" to "Blocked"
6. Scroll down and click "Submit"
7. Close the window
8. Click delete on the comment (if you want to unpublish but keep the comment in question, click on edit and then use the administrative pull down to unpublish the comment)

By blocking the user's account, the email address associated with that user can't be used to register on your site any longer. If you simply delete the user, that user could re-use the email address and continue to use it to spam your site.

If one user has spammed your site heavily--go through steps 1-6 and then head over to "Content Management"

1. Go to /admin/content/comment
2. Check the boxes for all the spam comments from the user you just blocked
3. Change the "update options" to "Delete the Selected Comments"
4. Click on "Update"
5. It will bring up a "Warning this can't be undone" message. Click "Delete Comments" if you are sure you want to delete them.

OR

1. go through steps 1 and 2
2. Change the "update options" to "Unpublish the Selected Comments"
3. Click on Update

This is helpful if you have comments that you feel you should hold onto for any number of reasons, but don't wish to have public.

Using a variety of different techniques can keep your site spam free with not a huge amount of effort. My suggestions here are just a few ways you can foil the efforts of others to plaster your site with phony comments.

Spam is such a persistent problem whether you're a email or website administrator, blogger, or just a web user, period. I appreciated the extensive Drupal tips for how to deal with spam. I'd like to open up the conversation to ask how people deal with spam on their platform of choice (be it Drupal, WordPress, Joomla, etc.) Do you use captcha at all? Allow anonymous postings? Moderate all posts? Please let us know how you handle spam.

Best,

Megan

Joomla has a CAPTCHA module as well as an audio Captcha.

Additionally, Joomla uses a javascript library that can be enabled to encode all emails making them invisible to spambots. EG. When you type an email into a content item, Joomla recognizes it and encrypts it automatically.

The manual way that Matt describes above can be a bit cumbersome for the Admin. At least it was for me. I've been there... with LOTS of SPAM on a community site and you still have to manage the comments.

If you're getting a lot of SPAM comments, it's a losing battle for the admin to weed through and attempt to moderate.

Captcha + comment approval = no spam.
(Joomla has a component that allows for "comment approval" by clicking the link in the email notification - so you don't have to log in every time to approve comments.)

There was a collective sigh of relief in the Joomla community when that component came out. :-)

.

Drupal has Captcha as well and both Joomla and Drupal can make use of Mollum. In some instances that is the best solution and in others it isn't.

I personally have no desire to moderate comments and I think it is counter to Web 2.0 sensibilities. I would far rather allow folks to post comments as they will, and then deal with the few folks that get through what-ever regimen (Captcha etc) after the fact by blocking the account. I think it makes for a more immediate community.

indeed....Mollum. I agree...assuming you have the traffic.

Weeding out the SPAM is a pain regardless. I've also used the "Flag a comment" function for volunteer site mods to quickly "Unpost" comments that were clearly SPAM. Never had an issue with this being abused.

In case any of you are like me and not familiar with Mollum:

The Mollom service helps evaluate content quality, stop spam and lets you concentrate on building and improving your site.

Best,

Megan