Three new features for the Mollom module

We've just released a new version of the Mollom module for Drupal 6, which contains a number of important new features. We always try to listen to our users, and many of these new features are a direct result of your feedback. Read on for an overview of the most important changes.

Retain spam instead of discarding it

Not all of our users are comfortable with the idea of Mollom discarding spam without the possibility of manual review (no matter how spammy the message appears to be). We've solved this in a simple way: a new basic configuration option that causes the Mollom module to retain spam comments as unpublished posts in your site's moderation queue. Moderators and site administrators can review the moderation queue periodically to review Mollom's decisions. You can see the new option in the screenshot below.

Mollom discard retain

Better protection for user registration forms

Based on the growing number of support tickets, user registration spam has become a significant problem. To help combat this type of spam, the new module release can optionally protect Drupal's user registration form using text analysis instead of the CAPTCHA-only solution previously available. Text analysis is especially useful when the user registration form is extended with additional fields (like "Bio" or "About me").

Identify spam bots using a hidden honeypot

Further, we've added a basic honeypot to all forms protected by Mollom, through the use of a hidden field. Since many spam bots blindly pour data into all available form fields (including the hidden ones), the presence of data in a hidden field inserted by Mollom is a good indicator of spam activity. I have been testing this feature on my personal blog and observed that over 80% of spam attempts trigger the honeypot. The additional form field is hidden by CSS. Since spam bots generally do not parse nor understand CSS, they simply do not realize the field is hidden, and therefore complete it, revealing themselves as bots in the process.


In addition to these three big new features, the new version, as always, includes a number of usability improvements and bug fixes. If you're using Mollom on a Drupal 6 site, we strongly encourage you to upgrade as soon as possible, to run update.php after upgrading, and then finally, to visit your Mollom settings page to adjust the new options now available to you. You can download the latest module from the Mollom project page on

We want to thank you for using Mollom, and ask that you keep the feature suggestions coming, at either the Mollom issue queue on, or by using our contact page to e-mail our support team. We'll continue to listen!


BryanSD (not verified):

Very cool Dries. Some ability to moderate the comments has been on my wish list for some time. Just curious, does Mollom have the ability to "learn" that a comment is not spam by taking it out of moderation and publishing the comment?

Jason Hibbets (not verified):


One thing that I learned about mollom is that it has a reputation engine built into it's algorithm. I believe that at first, each user starts at a certain level and is presented with SPAM prevention, like CAPTCHA's. Then as that user contributes more comments (that aren't flagged as spam or abuse), they build up a reputation to then, avoid being presented with spam controls.

I've got some ideas around building in community points to user profiles that would expose certain fields that spammers find interesting, like a) public-facing profile b) website 3) biography, etc that would "unlock" as the user participates and builds a credible reputation. Still thinking these ideas through though.


Jon (not verified):

I love the honeypot field concept, but am having trouble implementing it. We run a global website and strive to make the first-pass user registration pretty painless; asking only for username, email and first and last names. We don't want to do text analysis on any of those fields (too many false positives in our community) but would love to have the honeypot still enabled. In Drupal, the Mollom module requires at least one of those fields to be analyzed. Is there a way to enable a honeypot without actually analyzing the other fields?

Jason Hibbets (not verified):

These changes have made a pretty big impact to our site. Reducing some of our spam headaches by more than 50%. Glad to identify these issues with Dries, contribute to Mollom, and help test out some of these patches.

Down with spammers! Thanks Dries and team Mollom.

Gerard McGarry (not verified):

Excellent news! I posted about this a few weeks back and some of the new features are what I wanted to see.

A couple of quick questions though:

  1. Does the honeypot do away with the need for a third party method like the Spamicide module?
  2. Now that you're scanning profile fields - is it only at registration, or can those fields be scanned whenever they're edited? We get tons of spam accounts on where people sign up, then stuff their profile full of spammy links.

One thing which would be a massive bonus would be to have an option to empty all profile fields when blocking an account - I hate to leave these populated, and I'm noticing a rise in spammers interlinking between their various account profiles on the web at the moment.


Here are the answers to both of your questions respectively:

  1. I had not heard about the Spamicide module. I just spent 10 minutes looking at it. Based on what I learned, you won't need it anymore if you are using Mollom 6.x-1.15 or later. The only notable difference for the site administrator is that the Spamicide module gives you some control over how the honeypot field is named but I'm not sure that matters at all.
  2. The new release of the Mollom module only filters user registrations, and does not yet filter user profile updates. Filtering user profile updates is also important, but is a bit more work as it requires deeper integration with Drupal's user system. We hope to add that to future releases of the Mollom module.

I hope that helps!

HenryLTV (not verified):

Thank you Mollom & Dries for continuously improving your products!

Questions regarding the new Hidden HoneyPot feature:
Will this check occur before the post is sent to Mollom's servers for analysis?

If so, does this mean any spambot posts that fail the HoneyPot check will NOT be sent to Mollom?

This would greatly reduce the amount of posts we send to Mollom for analysis as we've been seeing some site outages that occur when we are blitzed by spambots.