I run the website for a large local non-profit and I have people signing up for accounts every week. The problem is most of them are spammers, and some simply don't belong; website accounts are for members only. I have four solutions to this problem:
- Spam protection (using Mollom)
- Notice on the signup page (using blocks)
- Custom account management screen (using Views)
- Automatic account filtering (using Rules)
In this blog post I'll walk through all four. The first three solutions didn't quite take care of the problem but the last one will.
Spam Protection: Mollom
Mollom is a spam filter, but it's more than that. Most spam filters use a technique called CAPTCHA, which is where you have to type the letters you see in a picture on the screen. That's old school. Mollom actually reads the post and decides whether it's legit or a spammer. It's got a central database and performs heuristic analysis. If that doesn't work, it uses CAPTCHA as a fall back. It's industrial level protection, free for low-traffic sites, and it's the only anti-spam solution you'll ever need. Here's how to use it.
1. Install Mollom
Use your favorite method. I like drush:
drush dl mollom drush en mollom
2. Sign up for an account
Go to https://www.mollom.com/ and sign up for an account. Free for personal, non-profit, and low volume users.
3. Assign forms
Go to yoursite/admin/config/content/mollom and add forms, eg. comments, user registration, etc. On the options page you can choose whether you want it to do analysis or just CAPTCHA. CAPTCHA is more foolproof, but it adds an additional hoop for legitimate users to jump through.
That's it! Mollom comes with excellent reporting so you can see how much spam it's protected you from. On one website alone, Mollom saved me from 650 spam posts in the last 242 days, while letting in all the legitimate posts.
Signup Notice: Blocks
This one is pretty simple. Go to yoursite/admin/structure/block/add and create a new block with instructions on how to sign up. Then specify that the block is only to show up on specified pages, and add user/register to the list. Now you've got a signup announcement that only appears on the signup page, and you didn't even have to use panels or templates.
In my case, I added extra fields to the signup page and put up an announcement that accounts will be rejected unless they meet certain criteria. So if you're a human being and you're actually reading the instructions, you'll know what the right answer is. Seems like a pretty easy gate to open, but spammers aren't good at that kind of thing.
Account Management: Views
I get several signups per week, so I created a custom View that lists users with some details to help me figure out who's legit. It's a simple table layout that gives the user name, "about me" field, date they applied, and a couple links to view or edit the user. It automatically filters out users who are already approved, so it's only showing me users who are still waiting for approval. I exposed this filter in the View so I can view all users if I want. I added this to my menu and restricted it to administrators only.
Using this table, I can tell at a glance who's a legitimate user and who's a spammer. Here's what my configuration looks like:
Automatic Filtering: Rules
Rules is one of those "meta" modules that you can ignore until you need it. The idea is that when an event occurs on your website, such as a blog post, there is a rule for what will happen next. This is not to be confused with the core module called Triggers, which kinda does the same thing, but with far less functionality. You don't need Triggers but you do need Rules. Once you install Rules, it refers to actions as "reaction rules," which makes more sense.
In my case, it was fairly simple to create a reaction rule with a simple task. Whenever someone applied for a new account, it would check to see if they had selected a certain option on the signup page. If they chose the wrong option, it delete the account, send an email to the user explaining why it was rejecting the account, and send another email to me letting me know. Here's what my configuration screen looks like:
Here's how you get there:
- Event: "After saving a new user account." In other words, when someone signs up. (This also counts if you create the account as an administrator.)
- Conditions: I chose "data comparison," then I picked the right answer from the field on the registration form. Then I checked the box for "Negate," which means the rule will only trigger if the user does not select the right answer.
- Actions: A few things happen here.
- Send mail: I sent two emails, one to myself explaining that the user was deleted, and another to the user explaining that they were deleted (and why). I also offered recourse in case they were deleted unfairly. For the return address I put "no-reply," because I don't want a spammer getting my email address.
- Delete entity: The system actually deletes the account, saving me the trouble. But it also sends me an email letting me know it's done so, so I can at least supervise.
I know this seems like a lot of steps to keep out spammers. But the result is a system that works well, still allows legitimate people to participate, and keeps your workflow to a minimum.