Anti-Spam by CleanTalk
Cloud-based anti-spam protection service that protects Drupal sites from spam bot registrations, spam comments, and spam form submissions without requiring CAPTCHA.
cleantalk
Install
composer require 'drupal/cleantalk:^9.6'
Overview
Anti-Spam by CleanTalk is a comprehensive cloud-based spam protection solution for Drupal websites. Unlike traditional CAPTCHA-based solutions, CleanTalk uses invisible protection methods that don't interfere with user experience while effectively blocking spam bots and manual spam submissions.
The module integrates with the CleanTalk SaaS platform, sending form submissions and registration requests to the cloud for real-time analysis using multiple detection methods including JavaScript validation, mouse movement tracking, keyboard interaction detection, and IP reputation checking. The service then returns an allow/deny decision within milliseconds.
Key protection features include SpamFireWall (SFW) for IP-level blocking before PHP execution, Anti-Crawler protection against malicious bots, Anti-Flood rate limiting to prevent abuse, and support for checking external embedded forms from services like ActiveCampaign, ConvertKit, and Pardot.
The module provides a comprehensive admin interface for configuring protection settings, checking users for spam, and managing the firewall. It supports automoderation for comments, role-based exclusions, URL pattern exclusions, and extensive debugging capabilities.
Features
- Cloud-based spam detection without CAPTCHA - invisible to legitimate users
- Protection for user registrations, comments, contact forms, webforms, forum topics, and node creation
- SpamFireWall (SFW) - IP-level blocking at early HTTP middleware stage before Drupal fully loads
- Anti-Crawler protection that blocks malicious bots based on User-Agent patterns
- Anti-Flood rate limiting to prevent abuse (configurable page views per minute)
- Automoderation mode that automatically unpublishes suspicious comments for manual review
- Batch user spam checking with bulk deletion capabilities
- External form protection for ActiveCampaign, ConvertKit, Pardot, and Convertbox embedded forms
- Search form spam protection with optional noindex meta tag for search result pages
- JavaScript-based bot detection including mouse tracking, scroll detection, and keyboard interaction
- Alternative database-backed session storage for sites where cookies are problematic
- Role-based exclusions to skip spam checking for trusted user roles
- URL pattern exclusions with optional regex support
- Varnish and page caching compatibility
- Comprehensive debug data collection and export functionality
Use Cases
Protecting user registrations from spam bots
Enable 'Check registrations' to automatically validate all new user registrations against CleanTalk's spam database. Spam registrations are blocked before the account is created, preventing the accumulation of spam accounts. For existing spam accounts, use the 'Check spam users' admin page to batch scan all users and bulk delete identified spammers.
Stopping comment spam without CAPTCHA
Enable 'Check comments' to protect all comment forms. Unlike CAPTCHA, CleanTalk uses invisible detection methods that don't frustrate legitimate users. For blogs with high spam volume, enable 'Automoderation' to hold suspicious comments for review rather than blocking them outright, reducing false positives.
Protecting contact and webforms
Enable protection for Contact module forms and Webform submissions. All form data is analyzed for spam patterns including sender email reputation, content analysis, and behavioral signals. Spam submissions are blocked with a customizable error message.
IP-level blocking with SpamFireWall
Enable SpamFireWall for maximum protection. Known spam IPs are blocked at the HTTP middleware level before Drupal fully loads, saving server resources. The firewall database is automatically updated via cron. Enable Anti-Flood to rate limit aggressive bots that might attempt to overwhelm your server.
Cleaning up existing spam accounts
Navigate to Administration > Configuration > Content authoring > Antispam by CleanTalk > Check spam users. Click 'Start check' to scan all registered users against CleanTalk's database of known spammers. Review the results and use 'Delete selected users' or 'Delete all users' to remove spam accounts. Enable 'Exclude users with articles' to protect legitimate contributors.
Protecting sites with strict cookie policies
For sites that need to minimize cookie usage (e.g., GDPR compliance), enable 'Use alternative storage' in Cookie Settings. This stores tracking data in the database using session IDs instead of browser cookies while maintaining full spam protection.
Protecting external marketing forms
Enable 'Check external forms' to protect embedded forms from marketing platforms like ActiveCampaign, ConvertKit, and Pardot. Enable 'Capture buffer' if the forms are dynamically loaded. CleanTalk intercepts form submissions, validates them, and only submits to the external service if approved.
Tips
- Test your configuration using the test email 'stop_email@example.com' for registrations and 'stop_word' in comment body
- Enable SpamFireWall for the best protection - it blocks spam at the HTTP layer before Drupal fully loads
- Use automoderation for comments if you prefer to review suspicious content rather than blocking outright
- Regularly check the 'Check spam users' page to identify and remove spam accounts that may have registered before installing the module
- For high-traffic sites, ensure cron runs frequently to keep the SpamFireWall database updated
- Enable Bot Detector for JavaScript-based bot detection that tracks mouse movements and keyboard interactions
- Use 'Fields Exclusions' if specific form fields are causing false positives
- Export debug data from settings when contacting CleanTalk support for troubleshooting
Technical Details
Admin Pages 4
/admin/config/cleantalk
Main administration section for CleanTalk anti-spam module. Provides access to settings configuration and spam user management.
/admin/config/cleantalk/cleantalk_settings_form
Main configuration form for CleanTalk anti-spam settings. Configure API key, protection options, firewall settings, and exclusions.
/admin/config/cleantalk/cleantalk_check_users_form
Batch check all registered users against CleanTalk's spam database. Identify and delete spam user accounts that may have slipped through or were created before installing the module.
/admin/config/cleantalk/cleantalk_check_comments_form
Interface for batch checking comments for spam (feature marked as coming soon).
Permissions 1
Hooks 5
hook_page_attachments_alter
Attaches CleanTalk JavaScript libraries and settings to pages. Sets up bot detector, cookie handling, and buffer capture JavaScript variables. Adds noindex meta tag for search pages if configured.
hook_form_alter
Adds spam validation handlers to various form types including user registration, comments, contact forms, forum topics, webforms, and node forms. Also adds optional 'Protected by CleanTalk' branding link.
hook_comment_presave
Handles comment automoderation by unpublishing comments flagged as spam when automoderation mode is enabled.
hook_uc_order
Integrates with UberCart module to check orders for spam.
hook_theme
Defines the cleantalk_check_users theme for rendering the spam user checking interface.
Troubleshooting 6
Verify your API key is valid and account is active in the settings page. Enable SpamFireWall for IP-level blocking. Enable Bot Detector for advanced JavaScript-based detection. Check that the specific content type protection is enabled (comments, registrations, etc.). Verify the form isn't excluded by URL or field exclusions.
Add trusted user roles to 'Roles Exclusions' in settings. For specific URLs that shouldn't be checked, add them to 'URL exclusions'. If a specific form field is triggering false positives, add it to 'Fields Exclusions'. Contact CleanTalk support to review and whitelist legitimate patterns.
Ensure Drupal cron is running regularly (recommended: every 5-15 minutes). Check that you have a valid API key. SpamFireWall requires periodic database updates from CleanTalk servers. On the settings page, use the 'Run cron task' buttons if available to manually trigger updates.
Enable both 'Check external forms' and 'Capture buffer' settings. Ensure CleanTalk JavaScript is loading on the page (check browser console). The external form must be from a supported service (ActiveCampaign, ConvertKit, Pardot, Convertbox). Check that the form isn't loading after CleanTalk JavaScript has initialized.
Enable 'Use alternative storage' to store tracking data in the database instead of cookies. This is especially useful with Varnish or other aggressive page caching. The module uses alternative session IDs stored in the database when this option is enabled.
The module automatically sets an admin cookie when administrators log in. If you're still being blocked, clear your cookies and log in again. Ensure the AccountSetSubscriber is running (check that the account.set service is properly configured).
Security Notes 6
- The module requires a valid CleanTalk API key - all spam checking is performed via the CleanTalk cloud service
- SpamFireWall data is updated from CleanTalk servers via cron - ensure cron is running securely
- The module sets cookies for tracking purposes - inform users in your privacy policy
- Alternative session storage uses database tables - ensure proper database security
- Admin authentication cookies use MD5 hashing of the API key - keep your API key secure
- The module includes debug data export functionality - restrict access to the settings page using the 'change cleantalk settings' permission