I see there are various modules and methods that have been mentioned over the years, but what is regarded in 2009 as the best way to stop spam bots from creating user accounts on drupal sites? Thanks


dnewkerk’s picture

I've had almost complete success with the Captcha module, augmented with the optional sub-module for it, Recaptcha (which is a free 3rd party service). Captcha alone using its obfuscated text or simple questions method would probably be fine, but I prefer Recaptcha (it has built in options for disabled visitors to use). It also helps the service properly digitize books at the same time. Alternately, consider the Mollom module/service. I use it on my blog and it works well. It's free for all but high-volume sites. It's a concept that's something like a anti-spam scanner for your website's incoming content - it scans incoming content from untrusted roles for signs of spam and if it passes, then there is no captcha required... if it decides it might be spam or is not sure, the user is presented with a captcha question, and if they pass it, then the content is submitted as usual. If it misses things you can click to report it to the service so it can improve its detection.

I have occasionally got a non-automated spammer who of course can bypass this and still post spam, however that is much more rare than automated spam bots. In this case Mollom is likely to still catch and stop the spam based on scanning the content.

mediafrenzy’s picture

I'd been thinking that the Captcha module would probably be the best place to start. I'm wanting to keep it as simple as possible, as I'm already using quite a few modules.

fishdude’s picture

I've tried using several of the captcha modules listed in the modules section and I don't know if I'm doing something wrong or they are actually broken as none of them will accept a correct entry. In other words if I use them no one is able to register.

Any help would be appreciated because I've had to block 3 bots in 2 hrs and I can't seem to get the access rules modules to block their email domain (mail.ru)

Please help, thanks

wwwoliondorcom’s picture


what is your best solution for free captcha on large website now ? (>50000 nodes)


Nada Abou Dehn’s picture

you must deny this spammer access to your website. Use your Access Control rules to deny access (administer >> access control >> account rules > add rule)

To deny his email use: %mail.ru%

To deny his host use: mail.ru

and then try to create a new account for example(ccccc@mail.ru) u will notice that this will not work.

adam_b’s picture

Sorry if this seems obvious, but does your registration require e-mail verification? (under /admin/user/settings)

Nada Abou Dehn’s picture

yes sure

Rhino’s picture

I have captcha (not Mollum - it had a long period of false positives for me), email verify, "click this if you're human" and a whole bunch of required bits to fill in, just to create an account.

I get around 100 manually created (5-8 minutes apart) spam accounts a day. Every day. My solution is now to rely on moderation before approving accounts. No idea why my place has become such a spam magnet.

avskip’s picture

I used to get a lot of these and do still get a few. What I did was to create (over time) a lot of rules. I have permanent rules for a LOT of domains that are not allowed to register. On occasion, a real person needs to be put in as an exception though. I also use CAPTCHA and the ReCAPCHA add-on for all registrations.

If I have any doubt, I check their email address against the "Stop Forum Spam" site's search function. They are at http://www.stopforumspam.com/ and a pretty good resource. They have an API for automated verification but there is no Drupal module that I know of, but I wish there was one.

I tried Mollom twice, but it's just not for my site apparently. I do use the now defunct Akismet module to find those that get past all the barriers and it seems to work fairly well (I'm on Drupal 5.x). The email verify module "caught" more real people than it did spammers so I removed it. I also use a module called "Troll" that helps me with IP blocking.

The reason you are getting the spammers is probably due to your search engine ranking.

In the end: look for similarities such as domain, ip address, email server, etc. and set system rules to block them.

Hope this made sense as I'm trying to do two things at once...

I just found a potentially good module that works with Drupal 6.x and the "Stop Forum Spam" API. It's at http://drupal.org/project/spambot

nachenko’s picture


In the end, most method have the side-effect of being annoying for real visitors or require Javascript. But I found an easier way:


It's silent and invisible, a real Ninja method for SPAM control.

I have plans to make this method a module. And if it fails, just tell me, I know some other Shinobi tricks.

DRCrowder’s picture

Hey Mediafrenzy,

The company I work for offers solutions to control unwanted automated processes but in particular we have a free product which will help you get a much more concrete idea as to how bad your problem really is. The product is called BotAlert (http://www.pramana.com/botalert/), it installs a lot like Google Analytics and will get you a daily report detailing your human vs non-human activity for the pages you choose to install the code. It is 100% free so please don't think I am trying to get you to buy anything.

We do have an invisible CAPTCHA product that is very slick and extremely effective but it does cost.

I hope that helps!


mpolito1969’s picture

My site is not so interesting for bots, I guess, as I only have a couple of spam messages a year. Anyway, I have tens of registered users which were clearly bots.

In the "Administer/User Management/User settings" section (Drupal 5.6) I checked "Visitors can create accounts but administrator approval is required" and filled in the "User registration guidelines" message with "if you are a human choose a username starting with XYZ".

When I get an email saying that someone has applied for an account I can immediately check whether it's a bot or not.

This work mainly because my site is not so popular, if I had ten registrations a day I should look for something better.


saihukaru’s picture

let check my solution :)