Add new comment

Fighting Spam In Drupal: Big Pipe to the rescue

Piece of Cake

On a previous post I explained how we are using BigPipe in Drupal 7 (Cheap Pipe (sort of BigPipe) in Drupal 7). Besides all the known benefits of big pipe, there is a less known side effect that might help you fight spam.

Those out there fighting for conversion optimization know that captcha based form protection is a conversion killer (even with the new NoCaptcha from Google). That's why you should always be looking for ways to protect your web application from bots without real users noticing or their workflows being affected.

Even non-intrusive method such as Honeypot or Hidden Captcha are becoming less effective as bots get more sofisticated.

For us, what has been working very well historically against SPAM is using real e-mail verification when capturing cold leads.This basically consists in trying to deliver a fake message to the e-mail address submited to the form. Addresses used by SPAM bots usually do not exist or have been throttled by the e-mail provider. Of course, e-mail verification is the last stand after being able to go through a set of non intrusive form protection techinques (such as honeypot and/or hidden captcha).

A recent change in one of our customer's applications resulted in an increased number of fake leads being sent to Sendy that were able to pass e-mail verification as they were using valid and not throttled e-mail addresses. If you don't know what Sendy is, it's a self-hosted "simple Mailchimp" that can bring massive savings to e-mail based marketing.


So we decided to  force BigPipe on the block that renders the new lead capturing form, and SPAM submissions stopped inmediately. This makes some sense. Content that is rendered using BigPipe is loaded into the DOM through AJAX. I guess that - for performance reasons - most bots probably don't use a full emulated browser and rely on parsing/scanning the HTML response from the server to perform automatic form submissions. What used to be a plain rendered form, is now this to the eyes of the bot:

As a final word, these are the steps you need to follow to completely stop spam:

  • Try with ordinary/site building methods (honeypot, captcha, etc..)
  • Code some custom integration of those methods with your public forms
  • Implement application specific validations
  • Hire someone that knows what they are doing