Submitted by chrishu on Sun, 10/13/2013 - 09:25


These days putting up even a simple low-traffic website can attract large quantites of spam submissions (many of them automated) as soon as you expose any forms (registration forms, comment, contact forms etc.) the automated spambots start sniffing around. 

Having to wade through and inspect  long lists of comments in the approval queue just to make sure you don't miss the one or two genuine ones is both time consuming and soul destroying. The ability for spammers to use automated processes to find and submit forms means they don't have to worry too much about their hit rate so long as something sticks occaisionally, mostly they are just trying to get a link into a comment or a user profile page, sometimes they may be more malicious and looking for sites with open registration that allow them to post content.

This site slowly began to be targeted until eventually I was recieving upto 20 spam submissions on a bad day. 

Fight automation with automation

There are contrib. modules and services which allow you to fight spam without wasting your own time, but Drupal 8 doesn't have many contrib. modules yet, I was delighted to find that the Honeypot module had both commited to having a working version for Drupal 8 and also had versions for Drupal 8.  The Honeypot module provides two spam fighting techniques:

  • A concealed field that is not intended to be filled by humans
  • A time check, that blocks forms that are filled in impossibly fast

There are a number of configuration options that allow you to use one or both methods, and target particular forms on your site to add protection to. Currently Honeypot is successfully dealing with virtually all spam submissions on this site.

Currently Honeypot is about the only option if you are running an experimental D8 site.

Mollom is not the only game in town

The default reaction of many Drupal developers to spam is Mollom (the module is here), Mollom is a fairly heavy-weight approach however, you need to set up an account also. Recently I inherited a complicated D6 setup of related multi-sites (sharing users) with custom registration code etc. Previous devs. had installed Mollom, subsequently broken it with custom registration code, hacked Mollom to make it work, broken the processes again when SSL was setup and now there were hundreds of spam submissions a day. 

Rather than fix the mess I removed Mollom, installed Honeypot and virtually all the spam was stopped. The sites in question were pretty high traffic so had atrracted the attention of more serious spammers, there was one bot that tried multiple submissions on every attempt (including not filling fields and faking a long submission time) I wrote a small extra validation function for the registration form that stopped that. 

Mollom is very useful if you a suffering from large volumes of human spam, real people artfully trying to weave their spam and links into your comments etc. but most sites won't attract much of this attention (it is not worth their while), for a lot of the automated variety though it is overblown in my opinion and the complexity of it means that even despite it's pedigree I doubt there will be a Drupal 8 version for some while

If you have a small site (or even a large one in many cases) running on D6 or D7 or D8 with an increasing spam problem then try Honeypot, a few minututes installation and setup and you will probably be grinning later on :). 

Installation (this is still Drupal 8)

There is a release of Honeypot to got with the alpha-3 release of D8 and the dev, version for D8 is tracking D8 dev. pretty well, but you may have one or two installation issues depending on your exact code mix. I had to tweak a couple of things and am raising issues and supplying patches where I can. 

I will also also be attempting to get this site up-to alpha-4 code (currently it is technically about alpha 3.75 ;)) when that is released shortly so I will make an effort to submit any patches I need to apply to the Honeypot module over the next couple of weeks. 

Blogging distribution

Honeypot is the only contrib. module I have installed (aside from blog). I expect there will be a few more. Eventually I hope to roll them all together into a stable, simple blogging distribution for D8.



Anonymous (not verified)
Sun, 10/13/2013 - 12:31

I agree that Mollom gets more praise than it deserves.

I find honeypot gives a very comparable result to captcha and Mollom and none of them will stop all spam.

I don't like the idea of having Mollom automatically block spam because its algorithms don't seem to be accurate enough, so I would have its captcha feature enabled. In my experience users have to enter the captcha pretty much every time.

I also think captcha in general is a horrible user experience, so I prefer honeypot as a solution in general.

There is also the botcha module but it seems a pretty heavy solution. I prefer the simpler honeypot module.

PROMES (not verified)
Sun, 10/13/2013 - 13:01

There is another Honeypot module: As of today there is no D8 version, but I am sure it will come.
It blocked for me on one site allready over 15000 requests. And this is only a very small site (less then 35 nodes).

Franz (not verified)
Sun, 10/13/2013 - 14:51

same here - small sites, webforms, lots of spam, D6 and D7

Honeypot did help.

Jeff Geerling … (not verified)
Mon, 10/14/2013 - 02:17

Thanks for this post, and for validating my work in getting Honeypot working with D8 (it's been quite a chore—but a fun one!—to keep tracking Drupal 8's dev branch since the first alpha!). Also, note that also uses Honeypot (currently the D6 branch), and is a pretty big site :)

One question I'm asked fairly often is whether Honeypot works with other spam prevention modules (like Mollom), and the answer is yes! You just need to be careful in how you configure them.

Mister G (not verified)
Mon, 10/14/2013 - 16:03

Hi Chris,

Thanks for the post, I hope you don't mind but I've posted your artical on my site we've had a nightmare with spam since we launch about a month ago and I would like to draw every ones attention to the problem so if you know of any other articals you've come across please post them on the site. I surprised that you say it will be some time before mollem has a release because I believe Mollom is actively developed and maintained by Dries Buytaert. But you could be right, I'm wondering more when will Drupal 8 be released

Anonymous (not verified)
Fri, 10/25/2013 - 16:25

We added this to our site 9 months ago. We were getting hundreds of bogus user accounts registered every day, and dozens of spam comments. Now spam comments have dropped to nil and we are only getting a few bogus user accounts registered. It's saving me hours in cleaning out the cruft. Glad to see it is available for D8, even though we won't be using that for a while.

Anonymous (not verified)
Sat, 01/18/2014 - 14:44

Just recently in the past 2-weeks, I am finding that the honeypot module for Drupal 7 is not as effective as it once was. My site has been getting comment spammed about 5x-6x a day. It is not much, but someone or something is getting through! I wonder if spammers have found a way around the honeypot module and have automated it. It does not appear to be too difficult, especially if I probe your page's source code and see "honeypot" in the form fields and know your honeypot field name. I could just set my autobot to not fill those honeypot field values in.

Are there are any other new alternatives around?

Fri, 01/24/2014 - 09:43

In reply to by Anonymous (not verified)

You can also set a time threshold (which I am not using on this site), Yes a bot can be programmed to get around anything (unless you make things so difficult that you inconvenience real people as well), but most if not all of the spam is not specifially engineered to hit your particular site.

Currently Honey Pot is blocking about four spam comment submissions per minute on this site, not because I get a lot of traffic but because I come high on a couple of search times and the bots finds anonymous commenting (so it has a go), most of these thing are scatter gun approach and there is no 'brain' working against your site. 

On the sites I work on at work though we are seeing increasing spam directed from Humans (poorly paid, human spammers in second/third world countries). Eventually if you get too much of that you may have to start looking towards services like Mollom or Askimet.

Add new comment

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.