SPAM! Why should I have to worry about spam, right? This is a pretty low-traffic site (sigh) and who’s going to spam on me? I had a post a bit ago about passing a spam rite of passage and enabling a bit of security to get around it. Well, the spam dude was not done with me yet! No sir, I kept getting hit, kept having traffic eaten by spam-spewing robo-jerks, and it was getting pretty tiring having to isolate every IP, and then ban them one…at…a…time. So, I overhauled my security and thought I would actually spell out here exactly how I set it up…
First of all there is the wonderful Troll module. Its greatest strength was the ability to download a regularly updated IP blacklist from SPEWS and redirect them to a custom anti-spam/anti-troll page. GREAT! Problem = SPEWS is no more. If anybody can tell me what URL to now use instead, that would be great, but until then, all of the fancy things that Troll does to the blacklisted IPs are lost. Troll module then acts as little more than an IP banning module, which already exists in Core. It can also ban by user, so that’s neat. But it is not enough.
Captcha! Every site needs some sort of Captcha-ing. It’s simple and very effective: just enable the module and users have to answer a simple math problem (as I have enabled on this site), a logic puzzle, type out a word, or any number of nifty Captcha add-ons that can be found on the Captcha module page. After enabling Captcha, and placing Captcha challenges at different places on the site, my spam rate dropped dramatically. I highly recommend this. Problem = It’s intrusive to human users. I don’t like putting a barrier on my site between potential users/commenters/guests and the site itself. I want to remove barriers and enable and encourage participation, not get in the way with bloated security protocol.
So the search continued, and I added Bad Behavior to the stack. I am very impressed with the concept of this module, and decided to play beta tester. This one analyzes the actual requests coming into the site, looks for identifiable behavior patterns and holds them against the behavior/request patterns of known spam-bots. Sweet. It’s written in PHP, seems pretty lightweight, and just sounds all smart and cool and sophisticated. It’s been turned on for a bit now, and no errors popping up, so I assume all is working well 🙂
But for the final sake of complete and absolute security, I have found the wonderful Mollom. Written by the founder and lead Drupal guy, Dries Buytaert, I figure it must be well suited to Drupal! From the Mollom project page: “Mollom intelligently combines text analysis, reputation models and both image and audio CAPTCHAs to block all spammers in the most optimal and least intrusive way.” Sounds good to me, and I have read some great reviews on Mollom, so I put it in.
So, on top of Core permissions (and the Node Access module for fine-tune permission tweaking), and Core IP banning, I have Troll (just sort of sitting there now, waiting for a good list server), Captcha (which I may disable in favor of Mollom’s Captcha ability), Bad Behavior, and finally Mollom. Too much? More than likely. That’s why I plan on turning off modules and playing around with these to find out the easiest way to go, probably just Mollom, but…since enabling all of this stuff, not one spam. We’ll see how it goes. I had to turn off comments in the Gallery installation I serve into Drupal through the Gallery integration module since there was nothing but spam links hiding in those comments. Sigh.
So, that’s the scoop! That’s the security going on here, and I’m pretty happy about it. But I am always looking to tighten things up, heighten efficiency and all that, so…Suggestions?