Fighting Webform Spam - Drupal 9 - AntiBot

Updated: 27 September, 2021 seen 150

Recently I migrated my personal blog (the one you are currently reading) from Drupal 7 - to Drupal 9.

The migration process actually still is in process, as I faced a few issues with the site, like lost coordinates with gmap module, some lost pictures here and there, etc.

For the contact form, I decided to re-create it using the webform module as I don't like the new default contact form (or I'm just too used to the webform). 

How To Add CAPTCHA Protection to Drupal 8 Webform

Soon I started to get a massive amount of webform spam, which I blocked using IP-block, but it started to really annoy, and I decided to fight back with some Drupal modules, so I found the AntiBot module, which seems could prevent some 90% of spam submissions as it works really simple but yet excellent - it asks for the JavaScript to be enabled

Antibot is an extremely lightweight module designed to eliminate robotic form submissions on your website in an innovative-fashion. The module works completely behind the scenes and doesn't require any interaction from the end-users (no annoying CAPTCHAs!). The only requirement to the end-user is that they must have JavaScript enabled. If they do not, the protected forms will be hidden and a message will appear, telling the user that the form requires JavaScript be enabled in order to use it.

How does it work?

  • Admins choose which forms to enable protection for by specifying the form IDs.
  • The protected form's action path is switched to /antibot.
  • When the page is loaded, if the user does not have JavaScript enabled, the form is hidden and a message is presented to them.
  • After the page is loaded, Antibot, using JavaScript, waits for a mouse to move, an enter or tab key to be pressed, or a mobile swipe gesture before the action of the form is switched back to the path that it was originally set to be. This indicates that the person behind the controls is a human and not a robot.
  • Since the action of the form is purposely incorrect until the JavaScript changes it, bot submissions will be redirected and the form submissions completely disregarded.
  • Since there is no dynamic code generated for each form, pages with Antibot can be cached safely.
  • Antibot also generates a unique key value for each form (based on the ID) which is required in order for the form to pass validation. The JavaScript will automatically insert this value in to the form once it is unlocked. This prevents bots from remotely posting forms on your site because that key will be missing.

After downloading and installing this module it took me some 5 minutes to configure it and test by disabling javascript in Google Chrome Browser and finding the right form_id from the contact page

Disabling Javascript to test the AntiBot module
Disabling Javascript to test the AntiBot module

After refreshing the browser I saw the warning message

Disabling Javascript to test the AntiBot module
Disabling Javascript to test the AntiBot module

Now I hope it will prevent the future spam!