Some of you might not know this, but I manage two different Drupal sites. This blog (obviously ;) ) and the website for Freaky Tiki Productions. And for Freaky Tiki, spam comments were quite a problem. The first way I tried to handle this was to require all comments to be approved. Well, I'm pretty sure we knew what happened with that. I wouldn't log in for months at a time, and have handfuls of spam comments to delete, but also if someone put in a legitimate comment, they would have to wait just as long to have it posted. Not the best thing to do if you want people to continue posting comments... damn you instant gratification.
So I decided I would use CAPTCHAs to help me out with this. Grabbed Drupal's CAPTCHA module, installed and configured it. Now to be honest, I HATE CAPTCHAs. But at that moment I did not know of any other alternative that would allow me to protect my site while also not having to approve every comment. So I made a personal compromise to use a text-based CAPTCHA instead of the image-based one because I felt that the text was less annoying. A couple of mouse clicks later, the settings had been applied. And I had a nice warm fuzzy feeling inside. I checked up on the site a couple of days later, and there were five or six spammer comments on the site. I wasn't happy. So I logged into the site and deleted those comments. After doing that I took a quick moment to find out how I could make sure it didn't happen again and that is when Captain Obvious slapped me upside my head. I took a good look at the text-based CAPTCHA (examples below):
What is the fifth word in the phrase "oqun oza edazoc qivu asic"?
What is the second word in the phrase "yuyow ufif qugoto op ivasu oxadewa"?
That slap hurt, but it caused me to realize that the format is very static and thus easy to automate. And just to prove it I whipped up this little kluge in Perl:
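An added illustration of why this challenge type gives no protection (written in Python for this page, not the author's Perl script): the question text carries both the phrase and the position asked for, so the answer can be read straight out of it. The function name and the ordinal table (first through tenth) are assumptions of this example; the two sample questions are the ones quoted above.

```python
import re

# Ordinals the challenge is assumed to use (the post shows "second" and "fifth").
ORDINALS = {
    "first": 0, "second": 1, "third": 2, "fourth": 3, "fifth": 4,
    "sixth": 5, "seventh": 6, "eighth": 7, "ninth": 8, "tenth": 9,
}

# The fixed question template visible in both sample challenges.
# Straight and curly double quotes are both accepted around the phrase.
CHALLENGE_RE = re.compile(
    r'What is the (?P<ordinal>\w+) word in the phrase\s*'
    r'["\u201c](?P<phrase>[^"\u201d]+)["\u201d]\s*\?',
    re.IGNORECASE,
)


def answer_from_question(question):
    """Return the word the challenge asks for, read from the question itself.

    Returns None when the text does not follow the template, the ordinal is
    unknown, or the requested position is past the end of the phrase.
    """
    match = CHALLENGE_RE.search(question)
    if match is None:
        return None
    index = ORDINALS.get(match.group("ordinal").lower())
    words = match.group("phrase").split()
    if index is None or index >= len(words):
        return None
    return words[index]


# The two challenges quoted in the post.
SAMPLES = [
    'What is the fifth word in the phrase "oqun oza edazoc qivu asic"?',
    'What is the second word in the phrase "yuyow ufif qugoto op ivasu oxadewa"?',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", answer_from_question(sample))
```

Any challenge whose answer can be computed from its own visible text fails the same way, however the phrase is randomized.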
Of course, text-based CAPTCHAs weren't going to protect my site. So the first thing I did was change to image-based CAPTCHAs. My dislike of them still exists, but as the better of two evils I accepted them... what else could I do?
Days passed, the site is still comment spam clean (that I'm aware of anyway), and I was talking to my good friend OJ, who happens to write his own blog, about my experience. And through the natural progression of the conversation he shared his secret with me on how he doesn't need CAPTCHAs on his site. For WordPress there are tools to automate comment filtering. I wasn't aware that tools like this existed. (Yeah, I should have thought about that, but I've never done this before, so there is still a learning curve.) So it was only a couple more clicks until I found these same tools for Drupal. And after some research, I decided to use the Mollom module.
I'm not sure how well it'll work out. But for the price (free) it can't hurt to try it.

PS..
.. how did you embed that file from bitbucket? I haven't seen that before!
Well then...
I guess I have my next blog post. Which is good, because I needed an idea anyway.
And that is why captchas tend to suck :)
Nice post buddy. Like you, I really hate captchas. The only ones that seem to work well are just as abrasive to end-users as they are to automated attacks. As soon as you get one that a user can enter without too much pain, you're open to being scripted. The one on this blog is also a target for scripting. I reckon you'll start to feel that pain when you get a little more traffic to the site over time.
As I said to you on IM the other day, the ones that I use on my site are Akismet and Spam Karma 2. The latter appears to be a WordPress-only plugin. The former works, but doesn't catch 100%, which is why I use it in conjunction with SK2. With both of them enabled, I haven't had a single spam comment make it through to the blog.
One thing I failed to mention during our chat was that it's smart enough to email me if it's not sure! So sometimes a comment will be borderline. When it is, it's caught and held for moderation (it doesn't mark it as spam). It waits for you to sign in and indicate whether the comment is valid. When it gets comments like this, it emails me and lets me know. I've had 2 emails in the last year that fit this description. One was spam, one was not. Either way, it does a damned fine job.
I actually like to get notification of any comment on my site so that I can make the effort to respond to it. In the case of a high-volume site with a lot of comments, this might not be an option. But having the option to get mails when the spam catcher isn't sure is a great compromise.
Keep us posted on your experience with Mollom! :)
OJ