If you are fighting spammers who constantly sign up and create fake, spammy accounts on your Drupal site, one way to fight them (amongst many) is to use Drupal Access Rules with wildcards to block them from creating accounts. These same rules will also prevent them from signing in if they have already created an account.
Every time I catch a spammer on one of my Drupal sites, I go through their account information for patterns that I can block with either built-in Drupal tools or with ModSecurity if I have to pull out the big guns. Over the years, I have found that certain email domains have an inordinately high amount of use by spammers, and an equally low percentage of use by real humans with actual souls.
After identifying these patterns, it’s easy to use Drupal Access Rules to prevent any other signups that match these patterns.
You can find Access Rules at /ADMIN/USER/RULES. To add a rule, click the ADD tab and select the type of rule – in this case, “deny” and “by email”. You can use the wildcard character “%” (matches any number of characters, including none) and the match character “_” (matches exactly one character) to make your rules more powerful.
Example of Drupal Access Rules:
- To block the spammer with the email address of “email@example.com”, just enter that same email address into the Mask field after selecting “deny” and “email”.
- To block any spammer with the word “resnyworka” in it, enter “%resnyworka%” in the Mask field.
- To block anyone using the email domain outlook.com (I’m not suggesting that you do this!), enter %outlook.com
Some of my favorite email address spam blocking rules:
These are a few of the rules that I use based on years of watching spammers try to shit themselves all over my Drupal websites. Remember that in using these rules you may inadvertently block innocent members from signing up, but I have had literally zero real humans ever sign up or try to sign up that would have been blocked by these rules. But, use at your own risk and discretion.
- Block anyone trying to use a @Gawab.com email address: %gawab.com
- Block anyone using a FreeEmailService.info email: %freeemailservice.info
- Block anyone using Mailinator.com: %mailinator.com
- Block all .RU (Russia) email addresses (unless you have a lot of legit Russian members): %.ru
- Block Polish (Poland) email addresses: %.pl
I also use the following rule to block what I call “throw away” Gmail addresses. Anyone can make these disposable Gmail addresses by simply adding a “.” (period) after their real Gmail address. For example, if my email was Rand@gmail.com (it’s not), then I could create a quick, fake email address that would still come to my inbox named Rand.email@example.com. I could also use two periods and make it Rand.firstname.lastname@example.org. I found that I was getting many spammer signups with double periods (aka super.spammer) in the email address, so I created the following rule to block them: %.%.%@gmail.com. If you are brave, you could also block anyone with a single period in their Gmail address by using this rule: %.%@gmail.com. But you might block legitimate people just wanting a little privacy, so use that Access Rule with care, if at all.
Remember to test any blocking rule as thoroughly as you can after you create it, so that you don’t accidentally block any innocent visitors and potential members.
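One way to do that testing offline before a rule goes live, as an added example that is not part of the original post or of Drupal itself: a small Python checker that runs the deny masks listed above over a set of sample addresses and reports which mask blocks each one. It assumes the masks behave like SQL LIKE patterns compared case-insensitively against the whole address; the function names and sample addresses are constructed for illustration.

```python
import re

# Deny masks copied from the article's list.
DENY_MASKS = ["%gawab.com", "%freeemailservice.info", "%mailinator.com",
              "%.ru", "%.pl", "%.%.%@gmail.com"]

def mask_to_regex(mask):
    """Translate a mask to a regex: % = any run of characters, _ = exactly one."""
    parts = []
    for ch in mask:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: masks are compared case-insensitively against the whole address.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matching_masks(email, masks=DENY_MASKS):
    """Return every deny mask that would block this address."""
    return [m for m in masks if mask_to_regex(m).fullmatch(email)]

def audit(emails, masks=DENY_MASKS):
    """Map each address to the masks blocking it (empty list = allowed)."""
    return {e: matching_masks(e, masks) for e in emails}

# Constructed sample addresses: intended targets plus look-alikes
# that reveal collateral blocking.
SAMPLES = [
    "bot@gawab.com",         # intended target
    "jane@megawab.com",      # different domain that merely ends in "gawab.com"
    "a.b.c@gmail.com",       # two periods: blocked
    "a.b@gmail.com",         # one period: allowed by the two-period rule
    "A.B.C@GMAIL.COM",       # upper case is still blocked
    "user@example.ru",       # country-code rule
    "user.ru@example.com",   # ".ru" not at the end: allowed
]

if __name__ == "__main__":
    for email, hits in audit(SAMPLES).items():
        print(f"{'DENY ' if hits else 'allow'} {email:24} {', '.join(hits)}")
```

The second sample shows that a mask without an “@” also catches any other domain ending in the same text; a mask such as %@gawab.com narrows the match to that exact domain.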
If you use any other access rules in Drupal or have ideas for new ones that might help block spammers, please leave a comment.