I'd like to thank you for your clever work.
I like this module because it prevents spam while also keeping accessibility and usability in mind!
I'm not a PHP developer, so I can't improve any features by myself, but while thanking you, I would suggest making the label description "To prevent automated spam submissions leave this field empty." customizable by the user, so that even a simple user can modify the message (which is supposed to be read by a screen reader or similar) with any message, without any change in the core files.
Thank you!
Comments
Comment #1
MrGeek commented:
I 2nd this request - maybe;
Would not the autobots be able to read this description and learn to skip these fields? If this is possible, then I 2nd the request.
If the bots cannot read this field, then, never mind.
Comment #2
tiikeri commented:
I dunno, I'm using this module on a production site, but it seems that two bots were able to register on the site. I disabled registration because it is unnecessary for this site, but maybe some bot learned to avoid this field.
I'm very interested in using this module on another production site (for non-profit purposes) which requires accessibility. This site is very open to comments but I fear it is not enough against spambots.
Comment #3
richH commented:
Hi,
I'd really like to be able to configure the message "to prevent automated spam submissions leave this field empty" or have it removed. When I look in Google/Bing search terms, my site gets listed on a SERP page because of this term.
So it seems to me logical that hackers look for this fixed term and then know how to avoid it. It seems to be a gaping flaw which undermines the purpose of the module.
cheers
Rich
Comment #4
etron770 commented:
Just change line 66 in spamicide.inc
Comment #5
richH commented:
Hi,
OK - did that straight away of course after my last post. Just as an aside: I'm using spamicide to try to stop annoying spam subscriptions to my newsletter. I didn't want to have the subscriber deal with confirmation mails because I don't want them to think twice!!
But just after my last post, when I'd been seeing the "to prevent..." term appearing in SERP pages, I started to get massive spammy subscriptions (lots from @mailnesia.com addresses).
So I get the feeling that this method isn't really foolproof. I've activated the confirmation emails now on the subscription and that's put a stop to the spam registrations.
Cheers
Rich
Comment #6
mralexho commented:
Hi Rich,
I suggest using a double opt-in email service like MailChimp or Campaign Monitor to handle your clients' subscriptions.
You can integrate MailChimp with this module http://drupal.org/project/mailchimp.
Best,
Alex
Comment #7
mralexho commented:
Hi tiikeri,
Have you thought about using a captcha option? I know most people frown upon them, but they do a decent job against bots.
My preferred captcha is Text Captcha. Hope that helps a bit.
I installed Spamicide and have found it to eliminate 95-99% of spam registrations so far. There will always be a few that leak through.
Best,
Alex
@mralexho
Comment #8
tiikeri commented:
Hello Alex, I have to reconsider some things about the issue request.
I was inexperienced with spamicide when I opened the issue.
After some experience with it, I believe that this module is a good prevention, better than botcha (lots of false negatives, hard to manage) or captcha (I always hated it, also as a simple user).
For others interested in this:
You can simply change your message in the translation interface, and I recommend writing something not containing words like "spam", "prevention", "blank". In this I'm luckier because I can use Italian words... English speakers need to be more creative ;).
This is important because even if the field is hidden by CSS, we must not forget that the module aims at accessibility, so our targets could read the message!
Be sure to configure the module for all exposed forms. In the project I mentioned in post #2 I forgot to add spamicide to some forms.
Comment #9
etron770 commented:
In my experience the spammers are detecting hidden fields or maybe the CSS tags.
I installed the captcha for user registration because I got lots of automated registrations a day, even with spamicide (with the text changed).
Comment #10
lipcpro commented:
I've added the ability to add a message/description to spamicide on a global basis (it will show for all spamicide fields). I may try to rework it so each field can have a different message, but overall I believe it's in a good state for now.
Comment #11
etron770 commented:
Additionally, it's a good thing to create a fail2ban rule (if you have access to it) for Drupal spammers.
After banning those IPs I have a decreasing number of, e.g., registrations and webform bots, decreasing from about 50 a day to 10 now.
For Debian: /etc/fail2ban/jail.local
Fail2Ban configuration file
/etc/fail2ban/filter.d/drupal-spammer.conf
Comment #12
etron770 commented:
As I have been using a hard-coded "Spamicide Description Message" since April 2013, I can confirm that this is working fine. E.g. I had one web space with an average of more than 10 registrations a day. I now have, after changing the code to a Bavarian idiom ;-), an average of one registration a week.
Comment #13
lipcpro commented:
Again, I've added the ability to change the message on a global basis (everywhere not per field) in the dev version. I'm looking for feedback on that. When the community changes the status to reviewed by the community, I will promote it to the stable/production version. Also added is the ability to change the name of the directory so "spamicide" doesn't show up in the markup so the bots that learned that will be fooled at least till they learn the new name, then you can change it again.
Comment #14
etron770 commented:
I can confirm it's working. Blocked about 100 tries by bots a day. Just a question for future development: what about the idea of adding the ability to use any kind of randomly changed strings and directories, predefined by the admin? This would prevent a bot from finding the hidden field by trial and error.
Comment #15
lipcpro commented:
As I discussed in #456770: Why not random? it may not be a good idea to be constantly thrashing the file system with randomly generated files and/or directories, especially on a busy server/site; they have enough concerns with high loads on the database or the Apache server. The intent of this module is to provide a lightweight, fast spam bot prevention routine.
I will not entertain further "feature requests" to do so, they are starting to sound like "demands" and not requests. I will entertain ideas to further enhance Spamicide if the ideas are interesting or worthwhile so long as it doesn't grow the module in size/performance hit substantially.
When anyone notices that a bot has learned the particular directory/filename the interface allows you to change these things quickly and easily. I am going to continue working on making Spamicide better, but not at the cost of speed.
Comment #16
etron770 commented:
Yes, that's true, sorry. First of all, thank you for your work; it's now again a great help to prevent bots.
But what about any other mechanism? (Please do not be annoyed.)
The reason: As we all know, the bots learned the old files/terms. On that day I had a lot of new user accounts and many more answers in the forum after one day. I need a long time to delete all users and search for the answers in Russian and for the well-known medical treatments. I am afraid to come back to the site when I have been out of the office for a couple of days ...
E.g. could spamicide count the wrong tries by day (maybe also by day of week) and change the files/directories if they decrease significantly?
I agree that it is a problem on a busy server, but it's also a problem to reset all files and user accounts when the bots find the way around spamicide on busy and big sites. E.g. I must have a look at all new user accounts and decide whether this could be a bot or a human - e.g. first name and name are the same -> bot
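The check proposed in comment #16 (count rejected submissions per day and react when the count drops sharply) can be sketched outside the module. This is an added example, not Spamicide code and not from any participant in this thread; the function name, thresholds and sample counts are assumptions made for illustration.

```python
from statistics import median

# Constructed sample: honeypot rejections logged per day (not data from the thread).
SAMPLE_BLOCKED_PER_DAY = [
    ("2013-06-01", 96), ("2013-06-02", 104), ("2013-06-03", 99),
    ("2013-06-04", 101), ("2013-06-05", 93), ("2013-06-06", 98),
    ("2013-06-07", 102), ("2013-06-08", 21), ("2013-06-09", 17),
]


def rotation_alerts(daily, window=7, drop_ratio=0.5, min_baseline=20):
    """Return (day, count, baseline) for days with a significant drop.

    daily        -- list of (day, blocked_count) in chronological order
    window       -- number of preceding days used for the baseline
    drop_ratio   -- fraction of the baseline that counts as a significant drop
    min_baseline -- skip quiet sites where a drop cannot be told from noise
    """
    alerts = []
    for i in range(window, len(daily)):
        day, count = daily[i]
        # Median rather than mean, so a single outlier day (including the
        # first day of a drop) does not drag the baseline with it.
        baseline = median(c for _, c in daily[i - window:i])
        if baseline >= min_baseline and count < drop_ratio * baseline:
            alerts.append((day, count, baseline))
    return alerts


if __name__ == "__main__":
    for day, count, baseline in rotation_alerts(SAMPLE_BLOCKED_PER_DAY):
        print(f"{day}: {count} blocked vs. baseline {baseline}; "
              "review new accounts and change the field name/description")
```

A falling count only shows that fewer submissions are hitting the hidden field, so it is worth comparing against the number of new registrations for the same days before changing anything.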
Comment #17
etron770 commented:
The bots are back again, I must enable graphical captcha again :-(
Comment #18
etron770 commented:
I added the fail2ban module and I am blocking the bots with no retry, meaning after one try.
This is blocking about 80%; the rest are blocked by captcha after three retries.
Comment #19
tiikeri commented:
Etron770, just wondering, because I don't know your situation exactly.
If you have so many spammers, I can think of 2 possible scenarios: you have a very large and well-indexed site with lots of forms exposed to visitors, or maybe your server is a target for spambots, and you may consider asking your provider for better protection or looking for a better service.
Blocking the IP addresses which are known as spammers usually limits lots of spambots, even if, by blocking IPs, you block a range of possible users, and sometimes some bots use unaware users as "zombies".
Maybe I'm saying things that you already know, but I think that spamicide is intended to help sites that require exposed forms and need to be accessible for people with some disabilities.
I think that accessibility is always a good choice, and captcha is less usable for some people, but it could be needed in some cases.
In my experience some bots exploit the Drupal registration form (and bypass spamicide), but they are blocked because they use fake emails. There are some methods to prevent injecting code through URLs from the .htaccess file, but I failed at it.
I tried the botcha module (not visible spam prevention), but it causes lots of false positives. I don't know if there is some module with database-based prevention, but there are some modules with less invasive captcha (like asking simple math operations).
Comment #20
lipcpro commented