This video will show you how to use Mollom to protect your forms from spam without bothering legitimate users with cumbersome captchas.

If you would like to allow anonymous users to complete your form, but don't want to leave it vulnerable to spam, you'll need to install some form of spam protection. There are a couple of common ways to do this. Probably the most common is to use a captcha module like reCAPTCHA. Another option (and my preferred method) is to use the Mollom module. Mollom is a third party service that has plugins and integration with a variety of software including Drupal, Wordpress, .NET, Ruby and a number of other systems. One of its most useful features is that it references a central repository of known spam, and everyone who uses it can contribute to and benefit from this central repository.

You can find out more about it at http://mollom.com. It was originally created by Dries Buytaert (the same guy that originally created Drupal) and has been acquired by Acquia (a well established Drupal company), so there's plenty of authority and experience behind it.

Create an account on mollom.com and get product keys

There are multiple tiers of mollom protection. Depending on the size of your site and how many forms you choose to protect the free version may be sufficient. We'll sign up for the free tier by going to "http://mollom.com/pricing". (Here you can see the various tiers and choose a different one if you want.) I'll click "Get mollom free" and create a new account. (At the bottom of the form, you'll see the "captcha" option that mollom provides. This is the typical form of captcha you see across the web, but I'm going to show you a much cooler one once we get it installed.)

And now we see a notice that our password and further instructions have been sent to our e-mail address, so let's go check that and finish setting up our account. I'm going to click the link in the email to log in and set my password now to something that I'll remember.

When I click "save", I'm taken to the "Add subscription" page. I'll go ahead and fill out this page:

  • URL: http://loc.webform.com
  • Type: Personal site
  • Site language: English
  • Site software: Drupal
  • √ I have read and accept the terms of service
  • click "Next"

On the next page, all we need to do is click "Complete subscription" and we're ready to install the module on our site. Click "view keys" to see the Public and Private keys. We'll need these to link our site with the Mollom service.

Installing the Mollom module

  • Download and install Mollom
  • Once it's installed, you'll find it in the "Other" section of your module page. Enable it.
  • Visit the mollom configuration page at "admin/config/content/mollom/settings".
  • Enter your public and private keys into the corresponding fields.
  • Scroll down and choose what to do when the Mollom service is down or unreachable. (I'd recommend "Block all form submissions", but it's up to you).
  • Redirect local moderation pages to the hosted Mollom moderation system (I'm not actually going to cover this option in this series because webform submissions don't have the ability to be "unpublished", and that is required for moderation. This would be used if you were protecting forms like comment forms.)
  • Link to Mollom's privacy policy on forms protected by textual analysis: One way that Mollom can protect your forms is through text analysis, we'll get to this in a minute, but basically it's going to "read" what the user enters into the fields, so you're required to notify them about data privacy. If you uncheck this box, make sure that you do notify users about data privacy in a way that corresponds with the terms of service.
  • √ Enable testing mode: This will let you test mollom without having to flag yourself as spam just to see what happens. We can enter the words "ham", "unsure", or "spam" into protected text fields to trigger the appropriate actions. We can also enter either "correct" or "incorrect" into captcha fields (instead of the actual text that is displayed) to trigger the appropriate actions there as well. As it notes, this option should be disabled in production environments, or users will not be able to successfully complete forms.
  • (Save configuration)

Protecting forms

In order to start protecting forms, we need to tell Mollom which ones we want protected.

  • Click on the "Forms" tab.
  • Click "Add form"
  • From the select list I'll choose: "Webform: Awesome on-site webform form"
  • Click "Next"

On the next page we can choose the Protection mode. "CAPTCHA" is the typical "Type what you see in the box" form of protection. Text analysis is a more advanced, user-friendly form of protection. It will analyze the text of a completed form instead of requiring the user to complete a (difficult to read) captcha. Another way Mollom protects forms is by using a "honeypot". Basically, this adds a hidden field (hidden using css) to the form that users don't see (and therefor don't fill out), but spam bots blindly fill out because they're just entering data into every available field. This effectively reveals them as spam bots, and the submission can be flagged as spam without requiring moderator interaction.

  • Protection mode: Text analysis
  • Text analysis checks: You can protect your form from spam, as well as profanity. Depending on your preference, check the appropriate box(es) here.
    • Spam
    • Profanity
  • Text fields to analyze: Choose which text fields to analyze. As noted below, don't include fields that accept numbers, and definitely omit fields that contain sensitive data like credit card numbers. Remember, this data will be sent to the mollom servers for analysis.
  • Text analysis accuracy: I'm really not sure what the Text analysis accuracy is for… I searched on it, but couldn't find anything. I always leave this set to "Normal", and haven't had any issues, so that's what I'd recommend.
  • Allow content to be moderated from the hosted Mollom moderation system: Since webforms can't be "unpublished", we can ignore this option.
  • Save

Test the form

I'll fill out the form as an anonymous user since, as the site administrator, I can skip mollom protection.

  • You'll notice that when I click "Next page", it asks me to complete a captcha. This is because I haven't gotten to the protected field yet. This is a backup safety feature, and will always be the case for multi-page forms.
  • If I enter "incorrect", I will be asked to try again.
  • Once I've successfully completed the captcha, the form will be accepted regardless of what I enter anywhere else. Even if I enter "spam" in the "Additional comments" field, it will go through. So, the completed captcha basically tells mollom, "A real person is filling out the form, don't worry about it anymore."

To show you the text analysis, I'm going to remove the page breaks so that the form is on a single page.

  • Now when I fill out the form, and enter "spam" in the "Additional comments" field, I get the notification, "Your submission has triggered the spam filter and will not be accepted. So it works!
  • This time I'll enter "unsure". This time, because Mollom is unsure whether or not I've entered spam content, it asks me to complete a captcha to verify that I am a human. When I successfully complete the form, the submission is accepted.
  • This time I'll enter "ham". (Which is just Mollom's clever way of indicating content that is not spam). This time the form goes through on the first time because Mollom has determined that the submission is legitimate.