Block Spammer Sign Ups with Drupal Access Rules

If you are fighting spammers constantly signing-up and creating fake and spammy accounts at your Drupal site, one way to fight them (amongst many) is to use Drupal Access Rules with wildcards to block them from creating accounts. These same rules will also prevent them from signing-in if they have already created an account.

Drupal and spamEvery time I catch a spammer on one of my Drupal sites, I always look at their account information to look for patterns that I can use to block with either built-in Drupal tools or with Mod Security if I have to pull out the big-guns. Over the years, I have found that certain email domains have an inordinately high amount of use by spammers, and equally low percentage of use by real humans with actual souls.

After Identifying these patterns, it’s easy to use Drupal Access Rules to prevent any other signups that match these patterns.

You can find Access Rules at /ADMIN/USER/RULES. To add a rule, click the ADD tab, select the type of rule – in this case, “deny” and “by email”. You can use the wildcard character ‘%’ and the match character “_” to make your rules more powerful.

Example of Drupal Access Rules:

  • To block the spammer with the email address of “”, just enter the email address into the Mask field after selecting “deny” and “email”
  • To block any spammer with the word “resnyworka” in it, enter “%resnyworka%” in the Mask field.
  • To block anyone using the email domain (I’m not suggesting that you do this!), enter

Some of my favorite email address spam blocking rules:

These are a few of the rules that I use based on years of watching spammers try to shit themselves all over my Drupal websites.  Remember that in using these rules you may inadvertently block innocent members from signing up, but I have had literally zero real humans ever sign up or try to sign up that would have been blocked by these rules.   But, use at your own risk and discretion.

  • Block anyone trying to use a email address:
  • Block anyone using a email:
  • Block anyone using
  • Block all .RU (Russia) email addresses (unless you have a lot of legit Russian members):
  • Block Polish (Poland) email addresses:

I also use the following rule to block what I call “throw away” Gmail addresses.  Anyone can make these disposable Gmail addresses by simply adding a “.” (period) after their real email Gmail address.  For example, if my email was (it’s not), then I could create a quick, fake email address that would still come to my inbox named  I could also use two periods and make it  I found that I was getting many spammer signups with double (aka super.spammer) periods in the email address so I created the following rule: to block them.  If you are brave, you could also block anyone with a single period in their gmail address, buy using this rule: but you might block legitimate people just wanting a little privacy, so use that Access Rule with care, if at all.

Remember that after you create any blocking rule to test it as throughly as you can so that you don’t accidentally block any innocent visitors and potential members.

If you use any other access rules in Drupal or have ideas for new ones that might help block spammers, please leave a comment.

One thought on “Block Spammer Sign Ups with Drupal Access Rules

  1. Interesting article ! good job and thanks for your blocking rules : )

    I work on another solution:
    In my case: users who create an account are some of my clients, so my idea is:
    I send an email to my client with the link to register and a keyword to insert in a extra field on the registration page.

    The idea is to check that the extra field is similar to the one given (always the same). I check on the admin: User management -> Access rules page but i can’t add a rule on an “custom” field

    Maybe i’m not on the good section (i’m new to drupal). Any idea how to implement that? Thanks in advance

Leave a Reply

Your email address will not be published.