honeypot

Post-Mollom, what are the best options for preventing spam for Drupal?

Mollom End of Life Announcement from their homepage

Earlier this month, Mollom was officially discontinued. If you still have the Mollom module installed on some of your Drupal sites, form submissions that were previously protected by Mollom will behave as if Mollom was offline completely, meaning any spam Mollom would've prevented will be passed through.

For many Drupal sites, especially smaller sites that deal mostly with bot spam, there are a number of great modules that will help prevent 90% or more of all spam submissions, for example:

Honeypot is the 'Drupal 8 Module of the Week'

For the past few months, Acquia's Dev Center blog has been running a series of posts about modules that have been fully ported to Drupal 8, and I'm happy to announce that this week's module of the week is Honeypot! See post by Jam: Drupal 8 Module of the Week: Honeypot.

There are a good number of posts already in this series, and more to come, so check out the Drupal Modules topic on the Dev Center blog for more!

Honeypot makes an appearance on the Modules Unraveled podcast

I've been subscribed to the Modules Unraveled podcast since somewhere around episode 40, and it's one of my favorite Drupal-oriented podcasts. I was thrilled to get an email from Brian Lewis last week asking if I'd talk about Honeypot (a popular Drupal module I maintain) on the podcast.

We discussed the module itself, ways to combat spam in general, some reasons why you would or would not want to use Honeypot for your particular site, and also the experience of porting the module to Drupal 8—a three year undertaking.

The full/raw interview is available on YouTube:

Honeypot for Drupal 8, 3 years in the making

Almost three years ago, on Feb 19, 2013, I opened the 8.x-dev branch of the Honeypot module (which helps prevent form spam on thousands of Drupal sites). These were heady times in the lifetime of the then-Drupal 8.x branch; 8.0-alpha1 wasn't released until three months later, on May 19. I made the #D8CX pledge—when Drupal 8 was released, I'd make sure there was a full, stable Honeypot release ready to go.

Little did I know it would be more than 2.5 years—and counting—before I could see that promise through to fruition!

As months turned into years, I've kept to the pledge, and eventually decided to also port a couple other modules that I use on many of my own Drupal sites, like Wysiwyg Linebreaks and Simple Mail.

reCAPTCHAs are easier to read—but they're still a bad idea

From the article reCAPTCHAs are finally readable by normal humans:

Google today announced that reCAPTCHAs served up to humans are finally readable without the need to squint your eyes or bang your keyboard in frustration after typing the wrong sequence of letters five times in a row. Who can even read those things, amirite?

I'm glad Google is making CAPTCHAs easier for humans to read. For the very, very rare times when they're necessary, that's a good thing.

However, I want to make an appeal to the thousands of developers who are thinking of implementing a CAPTCHA to deal with their site's form/registration spam: use CAPTCHAs only as a last resort.

CAPTCHAs - the Nuclear Form Spam Prevention Technique
CAPTCHAs: The nuclear option.

Preventing Form Spam

Spam email folder - Gmail interface

There are many different techniques for preventing form spam on your website, and an important component of the battle against spam is your constant struggle between giving your 'real' users a good experience while preventing spammers and automated bots from spamming you and lowering the quality of the content on your website.

A Constant User-Experience Battle

Usually, the first thing someone will do after having trouble fighting spammers by manual comment/content moderation is place a complex CAPTCHA system on their forms. Something like this:

Spam CAPTCHA text difficult to read

Introducing the Honeypot form spam protection module for Drupal

Now that I've released a Drupal 6 backport of what I originally wrote as a Drupal 7 module, I figured I would write a little bit in the way of introducing one of the simpler, and more user-friendly ways of controlling spam in Drupal (as opposed to other also-helpful methods, like Mollom, CAPTCHA, etc.).

I'd like to thank Flocknote for giving me the development time to work on this module, as we needed something like it for the new 'version 3' launch of www.flocknote.com.