How to deal with comment spam in Drupal

When you create a blog or website, without the user participation and comments its not really going to fly. Comments give more perpective to articles, questions asked by users expand the scope of the article. So user comments are absolutely needed to make a website successful. Question is how do you avoid spam bots and thousands of spammers waiting to bombard your site with useless comments and automatic posts.  EDIT - 24th Mar 2014

Stick to basics

  1. Install CAPTCHA module  and use Image Challenge. Also check CAPTCHA Pack — and add-on for the CAPTCHA module that adds different methods.
  2. Spambot - Checks member details against the Stop Forum Spam system. An effective method but will not work for  anonymous posts. So to use this you will have to stop anonymous posting and also be prepared
  3. Not So Fast module — This is a variation on CAPTCHA , it requires actual action from the user to prove that they are human. In this case, if the anonymous user enters an email address that has not yet been approved for posting, that user gets an email with a link he or she has to click on before the comment gets approved. The admin can see in the comment queue which comments are from people with verified emails and which are not. This works because Bots will never leave a valid email address, and should stop most of them.
  4. Honeypot uses both the honeypot and timestamp methods of deterring spam bots from completing forms on your Drupal site (read more here). These methods are effective against many spam bots, and are not as intrusive as CAPTCHAs or other methods which punish the user [YouTube].

    The module currently supports enabling for all forms on the site, or particular forms like user registration or password reset forms, webforms, contact forms, node forms, and comment forms

  5. Use one of the modules like SpamicideBOTCHAHidden CAPTCHA. They all work on same principle. Hidden text field which spam bots can see and will fill blocking them and they cannot proceed

  6. Implementation of http:BL for Drupal. http:BL can prevent email address harvesters and comment spammers from visiting your site by using a centralized DNS blacklist. It requires a free Project Honey Pot membership. This module provides efficient blacklist lookups and blocks malicious visitors effectively. http:BL has been adopted for use to enhance protection on

  7. This blogspam service offers a simple interface which allows you to test whether a submitted blog or forum comment is spam or not. BlogSpam provides a central location where comments can be checked for various spam indicators.

  8. GoAway is a dirt-simple, light-weight "Ban By IP" module. It works by redirecting offending anonymous users to a local page or remote URL specified by the admin. The module possesses the following features:

    • Separate permissions for (1) settings, (2) banning, and (3) unbanning
    • Either a local page or a remote URL may be used as the redirect destination
    • Adds display of IP address to anonymous comments for easy tracking (only displayed to users with 'ban' permission)

    For high-traffic sites which can't (or don't want to) bear the combined load of the Statistics and Tracker modules. The entire purpose of GoAway is to make IP banning as easy as flagging a comment.

Professional Services

  1. Akismet (created by Matt Mullenweg and Automattic, who are the original developer of WordPress)  and Mollom (created by Dries Buytaert) are the most popular services available. They have their differences, but they work on the same basic methodology. Comments submitted to your site are sent to Akismet or Mollon servers, there they are analyzed and flagged as spam if they fail the analysis. For more details see How Mollom Works and How Akismet Works articles. Mollom however has some issues so better research the services before you buy.
  2. CloudFlare-powered websites are protected from many forms of malicious activity including: comment spam, email harvesting, SQL injection, cross-site scripting, and DDoS (denial of service) attacks. Using cloudflare module is optional to integrate with cloud flare services.

External Comments - Not using Drupal comments

You can disable Drupal Comments system if you are not able to control the spam andonly use third party comment services like Disqus, Facebook, LiveFyre, Google+. For a complete integrted experience you can use Quicktabs module and build a block with multiple comments services like Disqus, Google+, Drupal comments. Multiple comments system should be used only for High Traffic sites, else you will lose visitor interests.

The advantage of usind Disqus or similar services, is that user authentication and comment moderation can be done remotely on Disqus. Its very easy to install and use Disqus.

Related Posts

You will have to refer to other posts on this website ,, and then make an informed decision on what service you want to use. Free modules can always be used, but there is a risk of preventing legitimate users from posting. Keep trying different methods and read more about the methods I have highighted above. Over the period of time you will find the right match and would have prevented comment spam on your drupal website.