Spammers are always evolving and that means spam management is, too. Here are some of the best current spam management tools and tactics for Drupal.
Honeypot modules are designed to trick spammers into filling out hidden fields that a human would not see. If the hidden fields are filled out, we know it’s a spam submission and ignore it, put it in a spam bin, etc.
Pros: No extra user input required.
Cons: Spammers are evolving to catch on to these modules. Some modules now offer the ability to change up the hidden field or hidden question so that the spammers can’t catch on as quickly.
https://www.drupal.org/project/hidden_captcha (D7, D8 Core)
This is your classic challenge, with a variety of options for asking the user to verify that they’re a human.
Pros: Pretty much spam-proof.
Cons: can’t cache a page with captcha on it, annoying to users.
https://www.drupal.org/project/captcha (D7, D8 beta)
There are many add-on modules with other options:
CleanTalk is a newer SaaS spam protection solution with a Drupal module. It protects everything for you by using a variety of methods on their backend. It’s not a free service, but seems like a worthwhile one if spam is an issue for you and you don’t want to bother your users with a captcha field. It can handle forms, comments, and registration.
Pros: handles a lot for you with no work, no extra entry for users.
Cons: requires paid service.
Hashcash is a proof-of-work system that requires your users’ devices to provide a hash value that’s difficult to calculate, yet trivial to validate. The idea is to make the act of submitting the form carry with it a small computing cost which reduces the cost-effectiveness of spamming your site. Spammers, whose operation depends on their ability to make many submissions as quickly and cheaply as possible, have little incentive to target a site that increases their costs and slows down their operation.
Pros: Free, administrators select which roles & forms must pass a check. Can work with caching.
Cons: Seems to require some more advanced understanding to enable and set up.
https://www.drupal.org/project/hashcash (D7, D8 dev)
AntiSpam provides protection using the Akismet service. This is the successor to the Akismet module.
Pros: Leverages the much-beloved and very effective Akismet service.
Cons: Requires paid service
Why didn’t we mention Mollom? If you missed it, the end-of-life announcement for Mollom was made in the beginning of April 2018. It’s no longer supported.due to a security issue the maintainer didn’t fix. See Mollom - Critical - Unsupported - SA-CONTRIB-2018-038 for details.
Other things you can do:
Don’t allow user signup unless you truly need to (only allow admins to register accounts)
Don’t allow comments unless you really want them - are you getting quality comments?
Be on top of your security best practices - you don’t want to allow any nefarious entities to compromise your site and send spam from your website.