Supporting multiple users without being buried in SPAM

Date: Sat Nov 03 2007
For many sorts of sites you want to support multiple users. The reasons include:
  • Identifying those who leave comments
  • Helping avoid spam comments by requiring that commenters register with the site
  • True community with lots of users posting and commenting on each other's postings

The simplest way to allow multiple users takes two steps, which are roughly the opposite of strictly limiting the set of users. First, in User management / User settings, check either "Visitors can create accounts and no administrator approval is required" or "Visitors can create accounts but administrator approval is required", depending on your preference. Second, in Blocks, enable the User Login block.

It's highly recommended to check the Require e-mail verification when a visitor creates an account option. This sends an email to the user, which contains a special URL. They must click on this URL before their account is properly validated. It is meant to verify their email address is correct.
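How a verification link of this kind can be made unforgeable and short-lived, as an added example. This is not Drupal's own code; the function names, the example.org URL layout, the secret and the 24-hour lifetime are all assumptions.

```php
<?php
// Added example, not Drupal's code. Secret, URL layout and lifetime are assumptions.
const VERIFY_TTL = 86400; // assumed link lifetime in seconds

// Build the "special URL": account id, issue time, and an HMAC binding both to the address.
function make_verify_url(string $secret, int $uid, string $email, int $now): string {
    $mac = hash_hmac('sha256', "$uid|$now|" . strtolower($email), $secret);
    return 'https://example.org/user/verify?' .
        http_build_query(['uid' => $uid, 'ts' => $now, 'mac' => $mac]);
}

// Check a clicked URL against the stored account; true only for a fresh, untampered link.
function check_verify_url(string $secret, string $url, array $account, int $now): bool {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    foreach (['uid', 'ts', 'mac'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) {
            return false; // missing or array-valued parameter
        }
    }
    if (!ctype_digit($q['uid']) || !ctype_digit($q['ts'])) {
        return false;
    }
    if ((int) $q['uid'] !== $account['uid']) {
        return false; // link was issued for a different account
    }
    $age = $now - (int) $q['ts'];
    if ($age < 0 || $age > VERIFY_TTL) {
        return false; // future-dated or expired
    }
    $expected = hash_hmac('sha256',
        "{$q['uid']}|{$q['ts']}|" . strtolower($account['email']), $secret);
    return hash_equals($expected, $q['mac']); // constant-time comparison
}

// Constructed sample data.
$secret  = bin2hex(random_bytes(32));
$account = ['uid' => 42, 'email' => 'alice@example.org'];
$t0      = 1194048000;
$url     = make_verify_url($secret, 42, 'alice@example.org', $t0);

// Clicked ten minutes after issue.
var_dump(check_verify_url($secret, $url, $account, $t0 + 600));
// Clicked after the lifetime has passed.
var_dump(check_verify_url($secret, $url, $account, $t0 + 90000));
// uid rewritten in the URL to point at another account.
var_dump(check_verify_url($secret, str_replace('uid=42', 'uid=43', $url),
    ['uid' => 43, 'email' => 'bob@example.org'], $t0 + 600));
```

Because the MAC covers the email address, a link issued for one address stops validating if the address on the account is changed before the link is clicked.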

The SPAM community has scripts which know how to navigate the Drupal user registration process, and a Drupal site will see user registrations which are obviously bogus. There are several ways to avoid this fate:

Email Verification performs checks that are meant to make for a better user signup experience, and it has a nice side effect on some SPAMbots. It checks the provided email address, which helps people who make typos correct them right away. A common problem with user registration is that people mistype their email address, so they never receive the verification email and never get fully signed up.

If a SPAMbot enters a bogus email address, the Email Verification module will prevent it from registering. However, there are several simple ways a bogus email address can still pass Email Verification's checks, such as when the address uses a valid domain which indicates that all email addresses are okay.

User registration notification and User status change notifications both notify the administrator of several events related to user accounts. This helps the administrator(s) know what's going on, and in particular, if they see a questionable user registration, they can take action right away.

Account reminder helps with the situation of incomplete user registrations. Users who haven't taken the verification step get an email reminding them of their account. Inactive User has a similar description.

I've never used Advanced User, but some of the featureitis sounds interesting. For example, having the notification email include a link prepared to search for it ought to help find spammers. Except the bogus-looking addresses I've seen are using random email addresses.

Avatar Approval, Avatar gallery, and Avatar Selection may be useful to help with avatar selection. Avatars are also known as "User Picture", which is enabled in the User Settings area. User pictures (avatars) are shown along with comments and postings made by that user, if this is enabled in the Theme configuration. My experience is that letting users select their own avatars works well enough and there is no need to limit the avatars the users can use. However, sometimes users get a wild hair up their butt and use goofy or offensive avatars. I've never used these three modules, but their featureitis sounds like the ticket to rein in a user populace who are selecting wacko avatars.

CAPTCHA is a technique that, in my experience, stops spammers cold. A Captcha is some kind of extra question posed to a user which can only be answered by a human. The idea is to make the user prove they're human. A typical Captcha is an image containing text; this is something a human can easily read but a SPAMbot cannot. Captchas sometimes cause angst in users.

Invite may help the membership of your site build via word of mouth.

Legal displays terms and conditions and other legalese during the signup process. This can be necessary to ensure your users have agreed to certain ground rules, but you know that in practice everybody is going to click on the "I agree" checkbox without reading it.

Troll is a way to improve the administrator's ability to block users.