Stop SPAM in your Drupal site by being slow.

In this article on SPAM control, we created a tasty honeytrap for our SPAMbot. This trap actually catches about 98% of the SPAM attempts at my site, but we can do better.

The other article used the fact that SPAMbots fill all form elements, even those that are invisible to people. Now we're using the fact that they do it too fast. A person needs time to write on the form. A bot doesn't, unless deliverately the coder introduces in the SPAMbot the ability to wait.

I call it "the timegate method".

Step one: timestamp our form

In the other article on SPAM control, we created a mini-module for our custom code. Now we're adding some stuff. We take the comment form alter function we created, and add some code to timestamp our form.

function [--foo--]_form_comment_form_alter(&$form, $form_state) {
$form['#validate'][] = 'timegate_check';
  // Timegate method
  $form['timegate'] = array(
    '#type' => 'hidden',
    '#title' => 'Timegate',
    '#weight' => 5,
    '#required' => false,
    '#default_value' => time(),

Notice [--foo--] is your module's name. If you don't know what I'm talking about, check the first article.

Our form is now timestamped. We know when it was build.

Step two: check the timestamp

Now we add the following function to our module:

function timegate_check($form, $form_state) {
  if (time() < ($form_state['values']['timegate'] + 10 ) ) {
    watchdog('spam', 'SPAM attempt at '.$form['form_id']['#value']
      .' form, stopped by TIMEGATE method', NULL, WATCHDOG_NOTICE);
    form_set_error('honeytrap', 'We KNOW you can\'t be THAT fast.');

That's it.If a user needs less than 10 seconds to receive, fulfill and submit a comment, it can't be a person, it must be a bot, and it will be rejected. Doubleplusgood!

Good stuff! I would love to see a Drupal 6 module for this function. Very cool. Thanks for documenting this method.

Thanks for visiting, Mark.

Can't promise a module, but maybe one day...

Another great idea! You could definitely incorporate this into the honeypot module. I think you could use the #type => 'value' to totally hide the input in the exposed form as well.

Thanks Chris for your comments. I take note of your suggestions.

best regards.

I am currently using the module. Maybe i combine the two methods.



does this still work ?

Yes, it works. This very own site uses it.

Thanks much for these valuable functions.

You're welcome!