Fighting Spam in Drupal with Mollom and Hashcash


I hate spam. Of course, I imagine the overworked, underpaid dupes in Pakistan dishing it out at 5¢ per hundred comments don't particularly like it much either. It's just their job.

So anyway, about a year ago, the spam on this site was getting a bit out of control. Fortunately, Mollom had just whipped out their new, free spam-blocking service about the same time, so I gladly installed it. As you can see in the graph below (the orange being 'Spam attempts blocked'), this has been a fantastic boon for the site, with over 700,000 spam attempts blocked in the past year.

Mollom blocks spam (2008-2009)

Looking at that graph, you can see the spam attempts really dropped off sometime in April or May. I really don't know why; if anything, the traffic to this site has steadily increased over the year. I suspect that whatever methods spammers were using were not paying off as well, perhaps in part due to the diligence of the great folks over at Mollom?

How it's been faring lately...

The purpose of this post is not to speculate about such things. The purpose is to zoom in a bit to the past two weeks. Let's do that now:

Mollom blocks spam (July 2009)

Here you can see recent activity in more detail. Notice the little green lumps at the bottom, which represent "Ham (not spam) operations accepted".

Well, not quite. Each of those little green lumps actually represents about 20 minutes a night filtering through all my comments and deleting a bunch of new spam that's managed to bypass their filters. Not really how I want to spend my free time.

I don't know what Mollom thinks about it all, or what new things they have planned (which I suspect they do). But I did decide to review my options and add a new line of defense to things.

First, how does Mollom work? For the end user, what seems to happen, at first, is nothing unusual. They simply submit a comment as normal. But before publication, the comment is sent to Mollom's servers, which compare it against a number of signals: what kind of text it contains, whether it has suspicious links, whether it comes from a known spamming IP. If it fails any of these tests, back it comes to the user with a Captcha challenge, similar to the following:

(Screenshot: Mollom Captcha challenge)

Then the user (or intelligent program) tries to figure out what those letters and numbers say and enters them: a little Turing test to weed out the humans from the robots.

Since (for now) Mollom's letting a few more slip through (it used to be about 4-5 a week, and now it's about 25-50 a night, then up to about 100 over the past two nights), I decided to add a new line of defense.

Hashcash to the Rescue (I hope)!

I remembered a demo of WebHashcash written by David Schneider-Joseph, a former student of mine at a Sudbury School (though I can take no credit for his mad computer skills, and he can also play a mean game of Go). This, in turn, was based on the Hashcash algorithm by Adam Back, which was developed originally to fight e-mail spam.

Used on the Web, Hashcash is a proof of work. A JavaScript routine in the browser searches for a counter value such that the SHA-1 hash of a "stamp" (the version, the difficulty in bits, a date, the resource being protected, a random salt and the counter; in the end it looks something like '1:20:090723010931:example_hash::5OSqavyzeco:2z2O') begins with the required number of zero bits, and writes that stamp into a hidden text field. When the form is submitted, the server recomputes the hash and rejects the submission if the work is missing or insufficient. The cost is that the search can take a few seconds on most computers. The end user won't even notice it. Sadly, neither will some poor chap in Pakistan.

However, the automated spam servers will notice it. They'll be sending out a million pieces of spam, and suddenly, *blip*, the computer slows down for a bit. And that's assuming it even processes JavaScript. (The routine intentionally does not degrade gracefully: without JavaScript there is no stamp, and the form is rejected.) If enough sites use it, the CPU cycles end up costing more than the spam returns, and the spammers are forced to remove those sites from their lists.

I thought tonight that I would write a Drupal module for the routine. Luckily for me, I learned that Simon Rycroft (sdrycroft) had long ago beaten me to the punch.

So now I've added the Hashcash module to this site as a second line of defense against spam. I'll let you know how it goes!

Please note that this post is not meant as a criticism of Mollom! They provide an invaluable service, which I also intend to continue using. Even though 25+ spam comments a day is annoying, they're still blocking sometimes a thousand more a day. Thank you, Mollom!

