SPAM! Why should I have to worry about spam, right? This is a pretty low traffic site (sigh) and who’s going to spam on me? I had a post a bit ago about passing a spam rite of passage and enabling a bit of security to get around it. Well, the spam dude was not done with me yet! No sir, I kept getting hit, kept having traffic eaten by spam-spewing robo-jerks, and it was getting pretty tiring having to isolate every IP, and then ban them one…at…a…time. So, I overhauled my security and thought I would actually spell out here exactly how I set it up…
First of all there is the wonderful Troll module. Its greatest strength was the ability to download a regularly updated IP blacklist from SPEWS and redirect them to a custom anti-spam/anti-troll page. GREAT! Problem = SPEWS is no more. If anybody can tell me what URL to now use instead, that would be great, but until then, all of the fancy things that Troll does to the blacklisted IPs are lost. Troll module then acts as little more than an IP banning module, which already exists in Core. It can also ban by user, so that’s neat. But it is not enough.
Captcha! Every site needs some sort of Captcha-ing. It’s simple and very effective, just enable the module and users have to answer a simple math problem (as I have enabled on this site), a logic puzzle, type out a word, or any number of nifty Captcha add-ons that can be found on the Captcha module page. After enabling Captcha, and placing Captcha challenges at different places on the site, my spam rate dropped dramatically. I highly recommend this. Problem = It’s intrusive to human users. I don’t like putting a barrier on my site between potential users/commenters/guests and the site itself. I want to remove barriers and enable and encourage participation, not get in the way with bloated security protocol.
So the search continued, and I added Bad Behavior to the stack. I am very impressed with the concept of this module, and decided to play beta tester. This one analyzes the actual requests coming into the site, looks for identifiable behavior patterns and holds them against the behavior/request patterns of known spam-bots. Sweet. It’s written in PHP, seems pretty lightweight, and just sounds all smart and cool and sophisticated. It’s been turned on for a bit now, and no errors popping up, so I assume all is working well 🙂
But for the final sake of complete and absolute security, I have found the wonderful Mollom. Written by the founder and lead Drupal guy, Dries Buytaert, I figure it must be well suited to Drupal! From the Mollom project page, “Mollom intelligently combines text analysis, reputation models and both image and audio CAPTCHAs to block all spammers in the most optimal and least intrusive way.” Sounds good to me, and I have read some great reviews on Mollom, so I put it in.
So, on top of Core permissions (and the Node Access module for fine tune permission tweaking), and Core IP banning, I have Troll (just sort of sitting there now, waiting for a good list server), Captcha (which I may disable in favor of Mollom’s Captcha ability), Bad Behavior, and finally Mollom. Too much? More than likely. That’s why I plan on turning off modules and playing around with these to find out the easiest way to go, probably just Mollom, but…since enabling all of this stuff, not one spam. We’ll see how it goes. I had to turn off comments in the Gallery installation I serve into Drupal through the Gallery integration module since there was nothing but spam links hiding in those comments. Sigh.
So, that’s the scoop! That’s the security going on here, and I’m pretty happy about it. But I am always looking to tighten things up, heighten efficiency and all that, so…Suggestions?
Update: I am switching EVERYTHING off except the Mollom module. I want to see how effective this tool is. The Troll module is nice, but since I do not seem to have access to a nice block-list, I’m opting out. Also, the Bad Behavior module is a super nifty idea, but it seems to have absolutely no activity in the logs since switching it on. I am wondering if this is just due to overkill 🙂 Finally, Captcha is off since Mollom has that built in. Let the testing begin!
I am currently setting up a Drupal site and I was wondering which security measures to enable. Both Bad Behavior and Mollom are on my list, and I previously used the first one which actually blocked some attempted intrusions.
Would really like to hear about your experience.
Thanks
Since I switched down to just Mollom, I have had maybe 2 posts slip through, but when I look at the logs that Mollom produces, I see that hundreds of spam attempts have been blocked.
I am quite pleased with Mollom, and highly recommend it.
Thanks, Josh!
So, there has been a rash of spam making it through the Mollom filters as of late. This is a bummer, as Mollom has been a totally reliable system up until about 2 weeks ago. I just installed the Block Anonymous Links module to pick up the slack. The problem with this is that it will block all anonymous posts which contain links, which does not account for the fact that some comments will contain valid links. It is, in my opinion, a hatchet where I would prefer a scalpel.
If there is a better way here, for a lightweight solution to this problem, lemme know!
I found a module that provides a block for displaying the current Mollom stats. I put the block on the bottom of my pages, so that you can, if you would like, see how active Mollom is being.
Also, since I installed this at the same time that I installed the block anon links in comments module, if the Mollom stats do not change at all, it will be plain that the block anon links module is sufficient to secure a site from typical spam. While it is by far more lightweight than anything else I have encountered, I expect to find that, since its filtering method is not as sophisticated as Mollom’s, it will allow offensive content that contains no links. There is the Spam module which allows you to set an acceptable number of links in an anon post, but is a much heavier module, as this current solution adds no tables to my DB at all.
Is there any serious problem with not allowing links to be posted by anonymous users? A bit of a hassle, but you can refer to a site without linking to it…right?
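The trade-off discussed in the comments above (rejecting every anonymous post that contains a link versus allowing a set number of links) can be sketched as follows. This is an added example, not code from Block Anonymous Links, the Spam module or Mollom; the function names, the host allowlist (which goes beyond what either module is described as doing here) and the sample comments are constructed for illustration.

```php
<?php
// Added illustration of a link-threshold policy for anonymous comments.
// Names, allowlist and sample data are hypothetical, not a Drupal module API.

/** Return the host of every distinct link in a comment body. */
function comment_link_hosts(string $body): array {
    // Decode entities first so links written as "&#104;ttp://..." are still seen.
    $text = html_entity_decode($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Matches href values and bare URLs alike; quotes and angle brackets end a match.
    preg_match_all('~\b(?:https?://|www\.)[^\s<>"\']+~i', $text, $m);
    $hosts = [];
    // An anchor's href and its visible text often repeat the same URL: count it once.
    foreach (array_unique($m[0]) as $url) {
        $url = rtrim($url, '.,;:!?)');           // trailing sentence punctuation
        if (stripos($url, 'http') !== 0) {
            $url = 'http://' . $url;             // "www.example.org" has no scheme
        }
        $host = parse_url($url, PHP_URL_HOST);
        if (is_string($host) && $host !== '') {
            $hosts[] = preg_replace('/^www\./', '', strtolower($host));
        }
    }
    return $hosts;
}

/** "publish" or "reject" for an anonymous comment; $maxLinks = 0 blocks every link. */
function review_anonymous_comment(string $body, array $allowedHosts, int $maxLinks): string {
    // Links to allowlisted hosts are not counted against the limit.
    $counted = array_diff(comment_link_hosts($body), $allowedHosts);
    return count($counted) <= $maxLinks ? 'publish' : 'reject';
}

// Constructed sample comments.
$samples = [
    'Nice post, thanks!',
    'The project page is at http://drupal.org/project/mollom if anyone wants it.',
    'My write-up is at http://blog.example/spam.',
    'deals <a href="http://pills.example/a">here</a> www.pills.example/b http://casino.example',
];
foreach ($samples as $body) {
    printf("hatchet: %-8s threshold: %-8s %s\n",
        review_anonymous_comment($body, [], 0),             // block any link at all
        review_anonymous_comment($body, ['drupal.org'], 1), // one unknown link allowed
        substr($body, 0, 40));
}
```

A link-count rule of either kind still passes link-free abuse, which is the gap the comment above expects content analysis such as Mollom's to cover.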