Every other week or so, someone asks me the following question: "How are Mollom CAPTCHAs better than those created by the CAPTCHA module?" This is an important question, and understanding the answer is central to understanding our philosophy with Mollom.

First, when using Mollom in "text analysis" mode, a CAPTCHA is only displayed when Mollom is uncertain about whether a message could be spam. Mollom analyzes the text of comments and combines that analysis with what it knows about the internal reputation of the posters, to determine whether a message is "spammy". Non-spam submissions are accepted without a CAPTCHA, and posts that are certainly spam are rejected automatically. By only presenting a CAPTCHA when necessary, we avoid penalizing normal (non-spamming) users with CAPTCHA challenges. The CAPTCHA module is different in that it does not perform text analysis and therefore must always display a CAPTCHA challenge.

Second, the Mollom module for Drupal has a "CAPTCHA only" mode, which is useful when clients would prefer not to use text analysis, or for when the forms have almost no text to analyze (like Drupal's user registration form). In "CAPTCHA only" mode, the user experience of the Mollom module is very similar to that of the CAPTCHA module -- the user is always prompted to complete a CAPTCHA in order to perform a certain operation. The similarity ends here, however. While the user experience is the same, the actual CAPTCHA generation is not. Mollom CAPTCHAs are "intelligent", in the sense that Mollom tracks the behavior and reputation of IP addresses from all sites using Mollom. A known spammer, operating from a known IP with a poor reputation, won't be able to complete a Mollom CAPTCHA no matter how hard he tries. And, as more users install Mollom, its performance increases as it learns from the additional data. A stand-alone module like CAPTCHA doesn't learn from user behavior, as it simply generates CAPTCHAs without regard to their context and delivery.

This second difference between Mollom and other CAPTCHA modules is, in fact, huge. When we analyze our server logs, we see that 20% of all correctly completed CAPTCHAs are submitted by known spammers. Spammers don't seem to solve CAPTCHAs algorithmically; instead, they persuade humans to solve CAPTCHAs for them by using botnet-infected machines. Two blog posts that detail this process are "How to defeat Koobface" and "Breaking Koobface's CAPTCHA solving process". As spammers evolve and their arsenal of tools becomes increasingly powerful, CAPTCHA solutions must keep up to remain effective. We believe Mollom's "intelligent CAPTCHA" processing represents a significant benefit over traditional CAPTCHA generation and is one way we'll continue to stay a step ahead in our goal to eliminate posting spam.
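A minimal model of the two behaviours described above, added here as an example; it is not Mollom's code. The score thresholds, the reputation scale and all function names are assumptions, since the engine's internals are not described on this page.

```python
from dataclasses import dataclass

# Assumed thresholds and scales; the real engine is proprietary.
HAM_MAX, SPAM_MIN = 0.2, 0.8   # spam score in [0, 1]
BAD_REPUTATION = 0.3           # reputation in [0, 1], lower is worse

@dataclass
class Submission:
    ip: str
    spam_score: float       # constructed text-analysis output
    captcha_correct: bool   # result if a challenge is shown

def captcha_only_mode(sub, reputation):
    """Reputation-aware CAPTCHA: a correct answer is necessary, not sufficient."""
    if not sub.captcha_correct:
        return "reject"
    # Unknown IPs get a neutral 0.5 (assumption).
    if reputation.get(sub.ip, 0.5) < BAD_REPUTATION:
        return "reject"     # solved, but the sender is a known spammer
    return "accept"

def text_analysis_mode(sub, reputation):
    """Challenge only when the classifier is unsure."""
    if sub.spam_score <= HAM_MAX:
        return "accept"     # clear ham: no CAPTCHA shown
    if sub.spam_score >= SPAM_MIN:
        return "reject"     # clear spam: no CAPTCHA shown
    return captcha_only_mode(sub, reputation)

def standalone_captcha(sub):
    """Context-free CAPTCHA: the answer is the only signal."""
    return "accept" if sub.captcha_correct else "reject"

def spammer_share_of_solves(subs, reputation):
    """Fraction of correct solves that come from poor-reputation IPs."""
    solved = [s for s in subs if s.captcha_correct]
    bad = [s for s in solved if reputation.get(s.ip, 0.5) < BAD_REPUTATION]
    return len(bad) / len(solved) if solved else 0.0

# Constructed sample data (documentation IP ranges).
REPUTATION = {"198.51.100.7": 0.05, "203.0.113.20": 0.9}
SUBMISSIONS = [
    Submission("203.0.113.20", 0.05, False),  # clear ham, fails a challenge
    Submission("203.0.113.20", 0.50, True),   # unsure, human solves
    Submission("198.51.100.7", 0.50, True),   # unsure, outsourced solve
    Submission("198.51.100.7", 0.95, True),   # clear spam, solved anyway
    Submission("192.0.2.44", 0.50, True),     # unknown IP, solves
]
```

On this sample, the stand-alone check turns away the legitimate user who fumbles the challenge and accepts both spammer solves, while text analysis mode does the opposite.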

Figure: Different protection modes in the Drupal module for Mollom.

Comments

xibun (not verified):

Hi Dries,

I would like to filter spam coming in through the feedback module (https://www.drupal.org/project/feedback) - but in order not to change the design of the form on our website I would like to have a "Text analysis only" option.

I understand that a lot of spam will still go through, but it would anyhow reduce spam, if I understand things correctly. Right now I prefer to let all the spam through as I don't want a captcha in this form.

Looking forward to getting your insight
Marco

Dries:

Have a look at mollom.api.php that ships with the latest version of the Mollom module. It provides API documentation for how to add support for Mollom to your module.

Thomas (not verified):

Mollom is a fantastic tool in the fight against SPAM, I have been using it for around a year now and it is just so much better than the old CAPTCHA module - the text analysis feature works wonders!

Keep up the good work!

Thomas

kostajh (not verified):

Hello,

I've found that Mollom works remarkably well for blocking anonymous comments. However, my Drupal sites running Mollom have filled up with account registrations from hundreds of spam users in the last two months. These users are rarely able to post spam (because Mollom's textual analysis catches the posts), but their accounts exist, cluttering up the database and making it difficult to distinguish between 'real' user accounts I want to keep, and spam users that need to get removed from the site. This can make it difficult to maintain a community site with multiple user roles and thousands of users, when only a fraction of them are ones you want to keep on the site.

Kosta

Garrett Albright (not verified):

Kosta, do you have Mollom set up to protect your user registration form? Aside from the difficulty of breaking the captcha, this will also help block registrations from known bad user IPs.

matt2000 (not verified):

Ah! Mollom is Skynet! ;-)

Seriously though, what 'intelligence engine' does Mollom use for its text analysis? Is it entirely proprietary to Mollom, or is it based on third-party tools or databases?

Dries:

The 'intelligence engine' was developed in-house and is proprietary to Mollom.

andrey (not verified):

Is there a chance to see user profile analysis built into the Mollom module?

I know you can now attach Mollom to any field with a bit of playing around with code. But it might be hard for the average user.

User profile spam is really an issue nowadays.

Ben_ (not verified):

Öhm … sure you do many things better than other Spam-Protection Tools … buuut … me and some friends of mine use Drupal as a blogging Software (just like you) and the most annoying thing about it is Mollom … it practically always comes up with a Captcha. And … correct me if I'm wrong … there still is no way to find false positives, is there?

Anyway: You do great work! Rock on!

P.S.: Ah. I see. Mollom behaves the same in your blog.

Taco (not verified):

We still use the normal Captcha on our sites. It works well, fast, free and it is customizable. For example on websites with a lot of elderly people we can create a more clear captcha. Mollom is not always clear to people.

I am thinking about setting up an A/B test to get some answers on the usability and bounce rates of both modules.

PS: I always need to fill in a captcha on this website no matter what. So why not present it the first time?

Anonymous (not verified):

You can make CAPTCHAs as brilliant as you want, there will either be a way to crack them, or they are so complicated, that people simply do not recognize the letters or symbols at all (I had one yesterday that took me 12 attempts...geez).

For instance, there is a spamming software out there called "xrumer". In its product description it advertises that it can crack all common CAPTCHAs for certain forum software. And if CAPTCHAs are really getting too hard to crack there will always be people paying a few cents to hire some guys from India (sorry, but that is how it is) to crack them manually (I actually know a guy who does "outsourcing" like this).

In my opinion, the CAPTCHA killer application is yet to come. Someone's gonna find something that is so simple to read but also so hard to crack. Maybe it's not about letters, numbers and symbols. I just think it is the wrong direction, to make the images more and more complicated. The only thing you are doing is scaring away readers and blog followers.

My best,
Andrew Dickens