How to Prevent Spam in Drupal

Today I would like to touch upon a ‘pain subject’ called spam, the subject on which we get the maximum number of queries.

“How to prevent spam on your Drupal-powered website?”

Well, there is no quick escape from this menace. Having said that, I am of the belief that Drupal-powered websites are the least susceptible to spam attacks, thanks to the many wonderful modules combating the menace of spam.

Although basic anti-spam mechanisms like the good old CAPTCHA have managed to prevent robot-generated attacks, it has been witnessed that the spamming occurring today is largely the work of individuals who bypass these CAPTCHA codes and even go to the extent of creating dummy accounts to spam discussion forums and blog posts.

In an effort to educate Drupal users on the many anti-spam mechanisms available for a Drupal website, I’ve profiled the following Drupal modules built specifically for protection against spam.

Description of each has been extracted verbatim from each of the respective module pages on


CAPTCHA

A CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human. The purpose of CAPTCHA is to block form submissions by spambots, which are automated scripts that post spam content everywhere they can.

The CAPTCHA module provides this feature to virtually any user facing web form on a Drupal site.


ReCaptcha

ReCaptcha ties into the ReCaptcha service, which is a slight extension of the basic Captcha module.


Spam

The Spam module provides numerous tools to auto-detect and deal with spam content that is posted to your site, without having to rely on third-party services.

The Spam module provides a trainable Bayesian filter, automatic learning of spammer URLs, flagging of content with an excessive number of links, the ability to create custom filters, and more.


Mollom

Mollom provides a one stop solution for all spam problems and can protect the following Drupal forms. It offers and intelligently combines:

* CAPTCHAs — both image and audio CAPTCHAs
* text analysis
* user reputations

and can:

* block comment form spam
* block contact form spam
* protect the user registration form against fake user accounts
* protect the password request form
* block spam on any node form, such as forum topics, articles, stories, pages, and more


AntiSpam

AntiSpam module is the successor of the Akismet module, and it provides spam protection to your Drupal site using external antispam service like Akismet.

AntiSpam module is fully compatible with Drupal 6.x (Akismet module for Drupal 6.x release had many compatibility issues and was not usable as it was), and it expanded the support of the external antispam service with TypePad AntiSpam and Defensio service as well as Akismet service. Now you can choose one of the antispam services you wish to use.


Spamicide

The purpose of Spamicide is to prevent spam submission to any form on your Drupal web site. Spamicide adds an input field to each form then hides it with CSS; when spam bots fill in the field, the form is discarded. The field, and matching .css file, are named in such a way as to not let on that it is a spam defeating device, and can be set by admins to almost anything they like (machine readable please). If logging is set, the log will show if and when a particular form has been compromised, and the admin can change the form’s field name (and corresponding .css file) to something else.

The install routine sets some default forms as a minimum defense, and admins can turn it off for these, but it’s not suggested, it’s really the reason it was installed.
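
The hidden-field technique described above, sketched in plain PHP as an added example (not Spamicide's own code). The field name `feed_me` and both function names are hypothetical, and rejecting a submission that lacks the field altogether is an extra check assumed here, not something the module description states.

```php
<?php
// Added illustration of the hidden decoy field technique; not Spamicide's code.
// Field name and function names are hypothetical.
const DECOY_FIELD = 'feed_me'; // admin-chosen, innocuous-looking, machine readable

/** Render the decoy input and the CSS rule that hides it from human visitors. */
function decoy_markup(string $field = DECOY_FIELD): string
{
    $name = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
    // Spamicide keeps the rule in a matching .css file; it is inlined here for brevity.
    return "<style>.{$name}-wrap { display: none; }</style>\n"
         . "<div class=\"{$name}-wrap\"><label>Leave this field empty "
         . "<input type=\"text\" name=\"{$name}\" value=\"\" "
         . "autocomplete=\"off\" tabindex=\"-1\"></label></div>";
}

/**
 * Decide whether a submission should be discarded.
 * Returns a reason string for the log, or null when the submission passes.
 */
function decoy_check(array $post, string $field = DECOY_FIELD): ?string
{
    if (!array_key_exists($field, $post)) {
        // Assumed extra check: a browser always sends the empty field, so a
        // POST without it did not come from the rendered form.
        return 'decoy field missing';
    }
    if (!is_string($post[$field]) || trim($post[$field]) !== '') {
        return 'decoy field filled';
    }
    return null;
}

// Constructed sample submissions.
$samples = [
    'human'  => ['comment' => 'Nice post', 'feed_me' => ''],
    'bot'    => ['comment' => 'Buy now', 'feed_me' => 'http://spam.example/'],
    'replay' => ['comment' => 'Buy now'],
];
foreach ($samples as $label => $post) {
    $reason = decoy_check($post);
    printf("%-6s %s\n", $label, $reason === null ? 'accepted' : "discarded ($reason)");
}
```

`autocomplete="off"` and `tabindex="-1"` reduce the chance that browser autofill or keyboard navigation puts a value in the decoy and gets a real visitor's submission discarded.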

SpamSpan

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. It implements the technique at the SpamSpan website (a German version is also available). The problem with most email address obfuscators is that they rely upon JavaScript being enabled on the client side. This makes the technique inaccessible to people with screen readers. SpamSpan however will produce clickable links if JavaScript is enabled, and will show the email address as example [at] example [dot] com if the browser does not support JavaScript or if JavaScript is disabled.

This technique is unlikely to be absolutely foolproof. It is possible in theory for a determined spambot to harvest addresses from your site no matter how you disguise them. But research suggests that by far the great majority of spambots do not bother to attempt to collect addresses which have been hidden using JavaScript. Indeed, most spambots cannot currently read JavaScript at all.

Comment Lockdown

Comment Lockdown is a drug of last resort in battling comment spam. You should not use this if you haven’t tried something less likely to cause side effects like Mollom. You should continue use of Mollom with Comment Lockdown. This module has some very specific rules for comments, and unlike Mollom, is incapable of learning, has no settings, does not care what kind of user you are, and rejects anything written in a language other than English.

These rules aren’t arbitrary; they’re based on experience with The New York Observer’s massive database of spam comments. This module won’t help sites that accept comments in languages other than English.

* Link (A) tags cannot account for more than 20% of all characters.
* No more than 20% of all characters can be non-ASCII–this accounts for words like “fiancé” while preventing comments in other languages.
* At least 10% of all words must be in the list of top 100 English words.
* JavaScript must be enabled. This isn’t foolproof by any means, but a spam robot would have to be customized to defeat it.

These rules are currently not flexible. If interest develops in this module, I might consider allowing admins to tweak thresholds, disable the JS checker and add role-level permissions for it.
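
The three text rules listed above, written out as a plain PHP check. This is an added example, not Comment Lockdown's code: the function name is hypothetical, `COMMON_WORDS` is a short constructed stand-in for the top-100 word list, and counting the whole `<a>…</a>` element toward the link share is an assumed reading of the first rule. The JavaScript requirement is enforced client-side and is not covered.

```php
<?php
// Added illustration of Comment Lockdown's three text rules; not the module's code.
// COMMON_WORDS is a constructed subset standing in for the top-100 English words.
const COMMON_WORDS = ['the', 'be', 'to', 'of', 'and', 'a', 'in', 'that', 'have', 'i',
    'it', 'for', 'not', 'on', 'with', 'as', 'you', 'do', 'at', 'this', 'but', 'is'];

/** Returns the list of rules a comment breaks; an empty array means it passes. */
function lockdown_violations(string $comment): array
{
    if ($comment === '' || !mb_check_encoding($comment, 'UTF-8')) {
        return ['empty or not valid UTF-8'];
    }
    $total = mb_strlen($comment, 'UTF-8');
    $violations = [];

    // Rule 1 (assumed reading): whole <a>...</a> elements, markup and link text.
    preg_match_all('~<a\b[^>]*>.*?</a>~isu', $comment, $links);
    $linkChars = array_sum(array_map(fn($s) => mb_strlen($s, 'UTF-8'), $links[0]));
    if ($linkChars / $total > 0.20) {
        $violations[] = 'links exceed 20% of characters';
    }

    // Rule 2: non-ASCII characters may not exceed 20% of all characters.
    $nonAscii = preg_match_all('/[^\x00-\x7F]/u', $comment);
    if ($nonAscii / $total > 0.20) {
        $violations[] = 'non-ASCII exceeds 20% of characters';
    }

    // Rule 3: at least 10% of word tokens must be common English words.
    $text = strtolower(strip_tags($comment));
    $words = preg_split("/[^a-z']+/", $text, -1, PREG_SPLIT_NO_EMPTY);
    $common = count(array_intersect($words, COMMON_WORDS));
    if (!$words || $common / count($words) < 0.10) {
        $violations[] = 'fewer than 10% common English words';
    }
    return $violations;
}

// Constructed sample comments: ordinary English, link-heavy, non-English.
$samples = [
    'I think this is the best article on the topic that I have read.',
    'Cheap pills <a href="http://spam.example/a">buy</a> <a href="http://spam.example/b">now</a>',
    'Купить дешево прямо сейчас, лучшие цены только сегодня',
];
foreach ($samples as $text) {
    echo json_encode(lockdown_violations($text)), "\n";
}
```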

Bad Behavior

Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots. It goes far beyond User-Agent and Referer, however.

The problem: Spammers run automated scripts which read everything on your web site, harvest email addresses, and if you have a blog, forum or wiki, will post spam directly to your site. They also put false referrers in your server log trying to get their links posted through your stats page.

As the operator of a Web site, this can cause you several problems. First, the spammers are wasting your bandwidth, which you may well be paying for. Second, they are posting comments to any form they can find, filling your web site with unwanted (and unpaid!) ads for their products. Last but not least, they harvest any email addresses they can find and sell those to other spammers, who fill your inbox with more unwanted ads.

Bad Behavior intends to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts.


Very Useful information, this is both good reading for, have quite a few good key points, and I learn some new stuff from it too, thanks for sharing your information.


Thank you so much

This page is really useful if you (like me) are relatively new to Drupal and want to learn a bit about defeating spam on this platform. Very informative text and easy to follow up on.

Thanks a lot!