Useful modules: Spambot

Mon, 20/05/2013 - 15:16 -- James Oakley

Drupal websites don't always need to allow users to register themselves with an account. This site doesn't, for instance. Anonymous commenting is turned on. The contact form is enabled for anonymous users. And those are the only things that any member of the public would need to do - other than read. So nobody needs to set themselves up with a login.

Other sites, however, allow users to create a login for themselves. Perhaps you need an account before you can comment. Perhaps there is a shopping cart on the site, so a user account would keep track of order history and address details. Perhaps some content is only available to registered users. Perhaps a site has more than one editor.

So a few other Drupal sites I operate do allow users to create accounts. This causes problems - with spammers. Spammers search the web for sites that have a Drupal user-registration page, and then use a "bot" to sign up for an account. You can tell those bots - they almost always attempt to visit the URL for adding content to the site immediately after they sign up. This is a menace - the list of registered users fills up with fake entries. The server hosting the website sends out large numbers of e-mails to these spammers confirming that they have registered successfully - and often those e-mails are bounced by the receiving mail server. That clogs up mail queues, and could even affect the IP-address reputation of the server.

One way people try to solve this is by requiring that an administrator approves a request for a new account. That doesn't solve the problem, however, because the pending new user is still sent an e-mail to let them know that their account is awaiting approval.

There are a number of Drupal modules that help with this, but one I've found very helpful is Spambot. I was recommending this to someone just the other day, so thought I'd write up about it here.

Spambot taps into a website called Stop Forum Spam. This is a database that keeps track of the e-mail addresses, usernames and IP addresses used by known spammers of forum sites. The data is built up in a number of ways, but mainly by forum administrators using automated or manual processes to report spamming activity.

Spambot taps into this by giving you the option to check the credentials of any new sign-up against this database. If the person creating the account is listed there, they get blocked. You can choose whether to check their e-mail address, IP, username, or more than one of these. You can also specify how many times the offending data has to be listed before someone is regarded as a spammer. For example, someone's e-mail address could appear on the list once or twice because of a misunderstanding, but if they are there 50 times it's a pretty big clue. So you could say that you only block someone's e-mail address if they are listed at least 10 times.
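The per-field threshold decision described above can be sketched as follows. This is an added example, not Spambot's own code: the threshold values, the function name `evaluate_signup` and the `fail_closed` option are assumptions, and the sample lookup result is constructed, shaped like the JSON that Stop Forum Spam returns (an `appears` flag and a `frequency` count per field).

```python
import json

# Hypothetical thresholds: how many listings a field needs before it counts
# as evidence of a spammer. 0 switches the check off for that field.
THRESHOLDS = {"email": 10, "ip": 20, "username": 0}

# Constructed sample lookup result for one registration attempt.
SAMPLE_RESPONSE = json.dumps({
    "success": 1,
    "email": {"appears": 1, "frequency": 50},
    "ip": {"appears": 1, "frequency": 2},
    "username": {"appears": 1, "frequency": 300},
})


def evaluate_signup(response_text, thresholds=THRESHOLDS, fail_closed=False):
    """Return (blocked, reasons) for one registration attempt.

    fail_closed decides what happens when the lookup itself is unusable:
    False lets the registration through, True blocks it.
    """
    try:
        data = json.loads(response_text)
    except (TypeError, ValueError):
        return fail_closed, ["lookup failed: unparseable response"]
    if not isinstance(data, dict) or data.get("success") != 1:
        return fail_closed, ["lookup failed: service did not report success"]

    reasons = []
    for field, minimum in thresholds.items():
        if minimum <= 0:
            continue  # this field is not checked
        entry = data.get(field)
        if not isinstance(entry, dict):
            continue  # field missing from the response
        frequency = entry.get("frequency", 0)
        if isinstance(frequency, int) and frequency >= minimum:
            reasons.append(f"{field} listed {frequency} times (threshold {minimum})")
    return bool(reasons), reasons


if __name__ == "__main__":
    print(evaluate_signup(SAMPLE_RESPONSE))
```

In the sample, the username is listed 300 times but does not trigger a block because its check is switched off, and the IP address stays below its threshold, so only the e-mail address is reported as the reason.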

You also have the option to have Spambot check through your existing users and block and/or delete any that are subsequently found to look like spammers. If you do this, you are in full control of how fast the module attempts to check your user list - you can balance the need to keep the impact on load down with the need to check users faster than they register. The benefit of this is that sometimes a spammer comes to your site as one of their first hits, so they are allowed to register. However, if you check their credentials a few hours later, it's very clear that they should have been blocked.

There used to be a feature to report spammers through to the Stop Forum Spam website, but that feature is almost entirely withdrawn. Stop Forum Spam was having to deal with too many false positives, so they began to require a much clearer trail of evidence pointing to someone's malicious activity, making it hard to prove on these automated tests alone.

So if you're having a problem with user-registration spam, try the Spambot module.
