Real-time anti-spam protection for Drupal 10 and 11, powered by the Spamtroll API.
The module screens new user registrations and new comments through the Spamtroll service and applies a configurable action (allow / hold for moderation / block) based on the returned spam score.
- Drupal 10 or 11
- PHP 8.1 or newer
- A Spamtroll API key — sign up at https://spamtroll.io
composer require spamtroll/drupal
drush en spamtrollThen visit Configuration → System → Spamtroll
(/admin/config/system/spamtroll) to paste your API key.
| Setting | Default | Description |
|---|---|---|
| API key | empty | Your Spamtroll API key. The module is inactive until this is set. |
| API base URL | https://api.spamtroll.io/api/v1 |
Override only for self-hosted deployments. |
| HTTP timeout | 5 s |
Requests slower than this are aborted (and the content is allowed through — see below). |
| Spam threshold | 0.7 |
Normalized scores at or above this value trigger the "spam" action. |
| Suspicious threshold | 0.4 |
Normalized scores at or above this value trigger the "suspicious" action. |
| Scan new user registrations | yes | Disable to opt out of registration screening. |
| Scan new comments | yes | Disable to opt out of comment screening. |
| Action — spam | block |
Either reject the submission or save it as unpublished. |
| Action — suspicious | unpublish |
Either save as unpublished or allow but log only. |
| Log retention | 30 days |
spamtroll_log rows older than this are pruned by cron. Set to 0 to keep them forever. |
The settings form also exposes a Test connection button that calls
GET /scan/status and reports back whether the API answered.
Scan results are recorded in the spamtroll_log table and exposed under
Reports → Spamtroll activity log (/admin/reports/spamtroll).
If the Spamtroll API is unreachable for any reason — network timeout,
DNS failure, HTTP 5xx, malformed response, missing API key — the module
always lets the content through. Only an explicit "blocked" verdict
from a successful API response can stop a registration or hide a
comment. Every fallback is recorded in Drupal's logger channel
spamtroll so operators can investigate without users being penalized.
composer install
composer phpcs
composer phpstan
composer testThe unit suite under tests/src/Unit/ does not need a running Drupal
site. Kernel and Functional tests under tests/src/Kernel/ and
tests/src/Functional/ follow the standard Drupal layout and require a
full installation to execute.
MIT — see LICENSE.