If you have forms on your website that the public can submit then you will, without a doubt, have to deal with form spam. Fortunately there are some easy steps you can take to greatly minimize spam submissions on your website.
Protects: Registration Forms, Password Reset Forms, Webforms, Node Forms with an additional option to protect all forms on your site.
Project Page: Honeypot
Also Protects: EntityForms with the additional Honeypot Entityform module.
The Honeypot module should be your first line of defense. It’s quite simple to use and works invisibly, behind the scenes without adding any complexity to the form for your users. Just enable it and then select which forms you want it to protect.
The Honeypot module will now look to see if a hidden field (called URL by default) has been filled out or if the form was submitted too quickly. In most cases only a bot would fill in the hidden form or fill out the form too quickly. If either of these conditions is met then the submission will be stopped.
The Honeypot module is typically all we’ll use on a website and in most cases almost completely removes spam. However, there are additional options for further protection.
WEBFORM VALIDATION MODULE
Project Page: Webform Validation
The Webform Validation module is a very flexible add-on module that extends Webforms with additional validation options that include verifying that a field is numeric, meets minimum or maximum lengths, has a number of words, equals a specific value, doesn't contain black list words and more. And if this wasn't enough you can even enter Regular Expressions which can create very complex filters like meeting a area-code and phone number formate.
Protects: Comments, Contact Forms, Registration Forms, Password Reset Forms, Node Forms and Webforms.
Project Page: Mollom
The Mollom module uses heuristics and data matching through a 3rd party service to analyze form submissions. You will need a Mollom account to use this module. Mollom gives you up to 50 legitimate posts free per day. If the form(s) you’re protecting have more than 50 legitimate posts per day you’ll want to look into their pricing.
Mollom is a sophisticated module with multiple configuration options including blacklist words. Each Webform will need to be added manually to Mollom’s list of protected forms and can be configured to always show a captcha or, as recommended, only show a captcha if the form submission looks suspicious. Mollom can be a great addition to your spam prevention methods and between this and Honeypot; almost all spam submissions should be caught.
Protects: User Login, Contact Forms, Registration Forms, Password Reset Forms, Node Forms, Webforms and Custom Forms.
Project Page: Captcha
Another choice is the Captcha module which allows you to present the user with a captcha challenge to prove they are not a bot. There are various types of captchas that can be selected from and more can be installed from other modules that extend the options. In our experience, captchas can be somewhat helpful in minimizing spam but can also aggravate your users who have a hard time figuring out the challenge. We prefer to use other methods that work silently behind the scenes without giving your users more work to do before they can submit the form.
Protects: All forms
Although the details are beyond the scope of this article, another option for minimizing form spam is to create your own form validation function. If you are creating your own forms using Drupal’s Form API then you can simply add your own validation function. If you’re using a built-in form of any other type then you can use HOOK_form_alter() to add your own validation callback to an existing form.
Form spam is going to happen but with a little effort and a multi-layered defense you can minimize it greatly.