We do not live in an ideal world. There are folks out there who write automated software, called spambots, that surf the Internet to cause mischief. It is not unheard of, for example, for an online form to receive 300 submissions in the space of a few minutes from one of these malicious bits of automated software.
The Drupal community provides a selection of contributed modules to help us deal with potential spammers. The Mollom project (http://drupal.org/project/mollom) is perhaps the most comprehensive of these utility modules. The Mollom project is actively maintained by, among others, the creator of Drupal, Dries Buytaert. At a more basic level of protection, we have the options of the CAPTCHA (http://drupal.org/project/captcha) and reCAPTCHA (http://drupal.org/project/recaptcha) projects.
We're going to set up a basic CAPTCHA using the distorted text image as a challenge.
Let's set about protecting our form from potential spammers:
- The first step is to enable both the CAPTCHA and Image CAPTCHA modules.
- Once we have saved the configuration, we are presented with a link to configure CAPTCHA (the configuration for Image CAPTCHA is left for later experimentation).
- Let's navigate to the configuration page and change the Default challenge type to Image (from module image_captcha).
All that remains to be done is to add our Webform to the list of forms that require the CAPTCHA challenge. We must take care to properly identify our form to the CAPTCHA module for the challenge to be presented.
In the table below the default we just need to enter the text webform_client_form_ followed by the node ID of our Webform. For example, if our form is the first node of content on our site then the FORM_ID to enter into the text field will be webform_client_form_1.
In the CHALLENGE TYPE list, we select the [default challenge type] option and then scroll down the page and click on the Save configuration button.
As administrators of our website we are excluded from challenges because we are trusted users.
Let us log out of our site and visit our Webform to see CAPTCHA in action. The challenge will be placed just above the Next Page > button on the first page of our multistep form.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is, in essence, a means to prevent a form being submitted until a specific question, or challenge, has been correctly answered. We may visit the CAPTCHA home on the Web to find out more about this valuable project and how it works (http://www.captcha.net/).
In a nutshell, the plan is to ask, on screen, a question which a human being will be able to answer correctly that a screen-scraping spambot will not be able to answer.
The CAPTCHA module offers us two alternatives in terms of the type of challenge it presents. There is the option of a mathematical question (for example, 4 + 11 = ??) or the more familiar image with distorted text for us to repeat, as we have implemented previously.
Until the correct answer is supplied, the submission is refused. Each incorrect answer results in a new challenge, making it that much harder for automated software to break through.
While this setup is effective, it is by no means the definitive answer to prevent spam. Should we find that this, on its own, does not sufficiently hinder the spambots, we may research some of the other information available on the project home page to arrive at a more robust solution.