Recent Blog Posts

Checking existing users with SFS

By Ronald van Belzen | May 27, 2018

At the moment that you start using Stop Forum Spam some of your subscribers may be known spammers at They may have been dormant for some to time and start spamming when you least expect it. Also some subscribers to your site may have become known as spammers after they registered.

For this reason it may be wise to check your subscribers against the database. This is what the function checkUsers() of the SfsRequest class.

/* /src/SfsRequest */ 

   * Check registered user accounts of being spammers at
  public function checkUsers() {
    if (!$this->config->get('sfs_cron_job')) {
      return FALSE;
    $lastUid = $this->config->get('sfs_cron_last_uid');
    $limit = $this->config->get('sfs_cron_account_limit');
    if ($limit > 0) {
      $query = $this->connection->select('users', 'e');
      $query->fields('e', ['uid']);
      $query->condition('uid', $lastUid, '>');
      $query->range(0, $limit);
      $query->orderBy('uid', 'ASC');
      $uids = $query->execute()->fetchCol();
      foreach ($uids as $uid) {
        $lastUid = $uid;
        $user = User::load($uid);
        $include = ($user->isActive() || $this->config->get('sfs_cron_blocked_accounts'));
        if ($include && !$user->hasPermission('exclude from sfs scans') && $this->userIsSpammer($user)) {
          try {
            $this->log->notice('User acount @uid has been disabled.', ['@uid' => $uid]);
          catch (EntityStorageException $e) {
            $this->log->error('Failed to disable user acount @uid: @error', ['@uid' => $uid, '@error' => $e->getMessage()]);
      $this->config->set('sfs_cron_last_uid', $lastUid);
    return TRUE;

The function does not scan all subscribers in one run, but scans a limited amount of subscribers that the configuration setting 'sfs_cron_account_limit' allows. Inactive users can be excluded from the scan and users with the permission 'exclude from scans' are skipped too. User accounts of known spammers are disabled.

The actual check is done by the function userIsSpammer() for each individual user.

Reporting spammers to SFS

By Ronald van Belzen | May 17, 2018

The next step is reporting spam to This will be an action initiated by a maintainer who has spotted spam, preferably by one click on a button. This action will need to be handled by the software by sending the report to We we look at the latter first and adding buttons to start the report after that.

As an example we concentrate on comments. The function that needs to be called (commentReport()) first checks whether there is a token (or api key) defined. It also checks whether the user is anonymous. You cannot report an anonymous comment, since requires you to fill in name, e-mail address and ip address to report spam and for an anonymous comment post you only have the ip address.

Blocking spammers with SFS

By Ronald van Belzen | May 13, 2018

Let's focus our attention on nodes. Core functionality does not save the IP address of the user together with the node when it is created, so we need to introduce that to our module. The most straightforward approach would be to save the IP address in our own database table. For that I need to introduce a database table (sfs_hostname) by defining a new entity called SfsHostname.

/* /src/Entity/SfsHostname.php */

namespace Drupal\sfs\Entity;

use Drupal\Core\Entity\ContentEntityBase;
use Drupal\Core\Entity\ContentEntityInterface;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Field\BaseFieldDefinition;

 * Defines the sfs hostname entity.
 * @ContentEntityType(
 *   id = "sfs_hostname",
 *   label = @Translation("SFS Hostname"),
 *   base_table = "sfs_hostname",
 *   entity_keys = {
 *     "id" = "id",
 *     "uuid" = "uuid",
 *     "label" = "hostname",
 *   },
 *   handlers = {
 *     "storage_schema" = "Drupal\sfs\SfsHostnameStorageSchema",
 *   },
 *   admin_permission = "administer sfs",
 * )
class SfsHostname extends ContentEntityBase implements ContentEntityInterface {

   * @param \Drupal\Core\Entity\EntityTypeInterface $entity_type
   * @return array|\Drupal\Core\Field\FieldDefinitionInterface[]|mixed
  public static function baseFieldDefinitions(EntityTypeInterface $entity_type) {

    $fields['id'] = BaseFieldDefinition::create('integer')

    $fields['uuid'] = BaseFieldDefinition::create('uuid')

    $fields['hostname'] = BaseFieldDefinition::create('string')
      ->setLabel(t('Host name'));
    $fields['uid'] = BaseFieldDefinition::create('integer')
    ->setLabel(t('User ID')); //index

    $fields['entity_id'] = BaseFieldDefinition::create('integer')
    ->setLabel(t('Entity ID'));

    $fields['entity_type'] = BaseFieldDefinition::create('string')
    ->setLabel(t('Entity type'));

    $fields['created'] = BaseFieldDefinition::create('created')
    ->setLabel(t('Creation date'));

    return $fields;

Just in case in the future we might be interested in saving IP addresses for other entity types than nodes, I included the field "entity_type" to make that possible. I also included indexes to speed up the lookup of IP addresses. These are defined in the storage handler SfsHostnameStorageSchema to wich is reffered in the annotation of SfsHostname.

Writing the client for the Stop Forum Spam API

By Ronald van Belzen | May 10, 2018

Reading the description of the Stop Forum Spam api usage made me decide to use what is called "Multiple queries", which means checking the existence of a username, e-mail address and the IP address of a potential spammer in their database in a single call.

The number of response formats is large enough when it contains json. So I will use json and since I will use https over http when there is a choice, I picked https.

In the response I will concentrate on the "success", "appears" and "frequency" values and ignore the "confidence" score for now. It seems to me that just as many low as high confidence spammer are knocking at my door lately. So, it needs some more investigating before I can use that value in discriminating spammers from IP addresses formerly owned by spammers

The Client itself will be implemented as a service, allowing me to let Drupal do the heavy lifting with dependency injections. I will also add the modules very own cache bin with the name "sfs", because I plan to cache the api calls to For this purpose I added the configuration parameter "sfs_cache_duration" to the module to allow administrators to set the cache time to their needs.

    class: Drupal\sfs\SfsRequest
    arguments: ['@config.factory', '@current_user', '@logger.factory', '@http_client', '@database', '@cache.sfs']
    class: Drupal\Core\Cache\CacheBackendInterface
      - { name: cache.bin }
    factory: cache_factory:get
    arguments: [sfs]

The heart of the service will be the isSpammer() method that will the determination whether a user is a spammer or not.

Making a contributing module for fighting spam

By Ronald van Belzen | May 9, 2018

Making a new module starts with an idea for the module. In this case it was trying to make a module that can replace Mollow to some extend (see previous blog post).

Finding a name for your module can be a challenge, but whatever name you pick, be sure that the machine name of your module is available. Try whether the project exist by visiting{my_module_name}. A page not found (404) response is a good enough indicator to confirm that your module name is still available.

Next step is to read the documentation. The best starting point seems to be Contribute to development. To gather all the information you need to follow half a dozen links, but as far as I can tell all the information is there.

I had a look at the Mods & Plugins that make use of the service provided by Stop Forum Spam, and the concensus seems to be to name the mod after the service it makes use of. So I went for the name Stop Forum Spam Client. Don't go there before I finish this series of articles. I will release a fully functional and tested version soon after that.

name: 'Stop Forum Spam Client'
type: module
description: 'Client that makes use of the api services for blocking spam, spammers and spambots.'
configure: sfs.settings_form
package: 'Spam control'
version: '1.0'
core: '8.x'

As you can see in the above info file the module has no dependencies, while the module may depend on the presence of some modules, but must be able to be installed in their absence. The configuration setting form will imediately show a way to solve this dilemma. And what these modules are will become clear when looking at the configuration install parameters.