Lately, "form spam" has been the bane of my existence. Anyone who runs more than one or two Web sites has probably had the experience of dealing with what can amount to hundreds of junk messages a day coming through different types of Web-based contact forms. "Report a bug," "Contact the Web team," "Write a letter to the Editor," etc. -- they're all targets for malicious spam bots and their ilk.

Recently I decided to double my previous efforts to find some solutions to Web-based form abuse.

Many of the organizations that I'm working with rely on a number of different systems to deliver content to the Web, which makes it more challenging to find a one-size-fits-all solution. That said, they all use a LAMP stack and several of them are using the Drupal content-management system in some capacity, e.g., to provide some front-end interactivity, user management, etc. So, the real opportunity was to find something that either played nice with Drupal, or was built in PHP/Perl/Python so that it could be integrated with Drupal where necessary.

The biggest challenge was that I'd been using a Web-form processing script that I was pretty happy with until now; it made it possible to set up a number of rather complicated forms with relative ease and lots of processing flexibility (automated e-mail responses, etc.). The shortcomings were no form protection and the data wasn't stored in a database. So, the first options that I looked at were ways to simply improve the existing forms with a "captcha" or something similar. The short-list of options were:

• Safer Contact Forms Without CAPTCHA’s
• Captchas.net - Free CAPTCHA-Service
• Jcap (Captcha Validation Javascript)
• Simple Javascript CAPTCHA
• HTML_QuickForm

And, last but not least, the rather socially-responsible reCaptcha -- a service that helps the folks at Archive.org to digitize books.

Looking at reCaptcha got me thinking about Drupal again. Since the release of Drupal 5, I hadn't done a good review of what "Web form" capabilities and options were available -- so I thought it might be a good idea to have a quick look there too. A scan of the Projects page revealed a number of potential options including:

• Advanced Contact
• Contact List & Forms

Both of these only deal with Drupal's basic site-wide contact form ... so they weren't quite right for my needs. Next stop was the Feeback module (which is maintained by Khalid Baheyeldin of DrupalCampToronto fame), which was quite close to what I was after, but didn't have enough form customization flexibility and appeared to have an issue with captcha integration.

Last stop was Web form (my new favourite module!). It offers complete form flexibility, validation and post-processing rules, and a great form data management interface. I guess this module's been around for a while, but this was the first time I'd taken the time to install it and play around.

After a quick tip from Adam Ma'anit that lead me to the Form store module, I was able to create some test contact forms and attach math-based "captcha points" to them.

And, finally, to make it possible for these Drupal-powered contact forms to play nice with non-Drupal pages, Webform allowed me to drop in a hidden field with a "%server[HTTP_REFERER]" variable, which pretty much reproduced the behaviour of the old forms by grabbing the URL of the referring (non-Drupal) page.

Score one for the good guys. Next up: making Forward module's "Send this page to a friend" functionality play nice with non-Drupal pages.

Good article quoting the usual suspects over at Charity Village:

Unless you work in IT, you probably don't give much thought to whether the software you use is licensed or open source, freeware or shareware; you just want it to work properly. But with the flexibility and affordability that open source and shareware programs can offer, some nonprofits are taking a closer look. Find out about the available software alternatives and whether they might be right for your organization in this week's cover story at: http://www.charityvillage.com/cv/news/cover.asp

(Not sure how long that link will work, so let me know if it's not working.)

Also fun to see that all those lessons on dealing with spam have finally paid off for Mark Greenspan. Mark was over for dinner on the weekend and couldn't stop talking about the Net Neutrality panel (lots of familiar names there) that he is helping to program at Next Media 2007.

Recently, I asked a colleague why I couldn't comment on their fancy, new, corporate blog and this was their response:

Yeah, it's pretty unfortunate at the moment, I've had to turn off commenting for unregistered users on the site, because we were getting spammed so heavily and even though I had the Spam filter on at full strength many were still getting through. I'd like to find a better solution, though, because right now you have to create an account to be able to post comments (which nobody will do, I'm sure). If you have any wisdom or suggestions from your Drupal experience on how to deal with such massive spamming issues, I'd love to glean some knowledge

At the risk of attracting a line-up of comment spammers determined to make me look bad, I offer the following recipe for fighting comment spam with Drupal (as I do on my Drupal-powered blog): * First, I use the Captcha module without the image captcha (instead, it uses a simple math question to confirm that the comment is from a human) * Then I add the Comment Mail module (to get notifications of new comments) * Next, I stir in the Comment Info (which allows people to check a "remember me" button) * Finally, add a quick dash of Spam Module v2 (just in case the occasional brute force attack on the math question slips through*)

This way, I don't require that people log-in, or create an account, to leave comments.

The results:

• People actually comment (on occasion) because there are fewer hurdles to jump over
• Increased security, because there are no "privileged" accounts on my system
• No spam: ever. (Though, I'm hanging my ass out a bit with this posting!)
• No need to pre-screen comments, as the only ones that get through are legit

There you go: a Drupal comment-spam fighting recipe fresh from your friends at Community Bandwidth. Go Drupal!

* Update: Laura Scott of Ping Vision reported on the last Drupal shops call that she was getting the occasional spam still using a similar recipe -- so, if you have an experience to share -- or, better yet, another recipe -- please post it here!