Threat security

Keeping the nasties out:

  • Akismet module: cuts them off
  • Captcha module: on anonymous comments and on registration. Use the maths question, not the graphic text (which also means one less module: you don't need the textimage module then). It may be redundant with Akismet, but I left it on anyway: fewer posts to be moderated.
  • Input formats: very important! Set up a second format for trusted roles only, however you define "trusted". Screw the default one down even tighter: add nofollow, delete the "a" tag, and turn off the URL filter.
  • Add a field to the user profile called "spambot confuser", of type URL. Set it to private, no display. Users have to add a URL on registration; any valid one will do.
  • You can implement the spam module; I haven't bothered. I had the badbehaviour module for a while, but it seems to block too much valid access for my liking.
  • Use the tracker and the administer >> log >> top visitors display. Check the URL of each of the biggest consumers, and if they don't check out, use the "ban" link.
  • If you are hosted, make sure phpMyAdmin is secured, along with any other utilities such as file management.
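The two-tier input format idea in action, as an added example written for this page (it is not a Drupal module and not Drupal's own filter code): a locked-down default profile that deletes the "a" tag and never auto-links bare URLs, and a trusted profile that keeps links but only for http/https targets and always with rel="nofollow". The profile names, the tag lists and the sample comment are assumptions constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Two filter profiles modelled on the tips above. Names and tag lists are
# assumptions for this example, not Drupal's shipped input formats.
DEFAULT_FORMAT = {
    "allowed_tags": {"p", "br", "em", "strong", "code", "ul", "ol", "li", "blockquote"},
    "allow_links": False,  # the "a" tag is deleted outright for untrusted roles
}
TRUSTED_FORMAT = {
    "allowed_tags": {"p", "br", "em", "strong", "code", "ul", "ol", "li", "blockquote", "a"},
    "allow_links": True,   # links survive, but only http/https and always rel="nofollow"
}


class FormatFilter(HTMLParser):
    """Rebuilds the comment from parsed tokens so nothing unexpected survives."""

    def __init__(self, profile):
        super().__init__(convert_charrefs=True)
        self.profile = profile
        self.out = []
        self.open_links = 0  # <a> tags actually emitted, so each </a> matches one

    def handle_starttag(self, tag, attrs):
        if tag not in self.profile["allowed_tags"]:
            return  # disallowed tag (script, img, iframe, ...) is dropped; its text is kept
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if urlsplit(href).scheme not in ("http", "https"):
                return  # javascript:, data:, relative junk: drop the link, keep the text
            self.out.append(f'<a href="{escape(href, quote=True)}" rel="nofollow">')
            self.open_links += 1
            return
        # every other allowed tag is emitted bare: no style, onclick, class, etc.
        self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == "a":
            if self.open_links:
                self.open_links -= 1
                self.out.append("</a>")
            return
        if tag in self.profile["allowed_tags"] and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is escaped and never auto-linked: the "URL filter" is off.
        self.out.append(escape(data, quote=False))


def filter_comment(raw_html, profile):
    """Run one comment body through a profile and return the filtered HTML."""
    parser = FormatFilter(profile)
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample comment, the sort of thing a spambot submits.
    spam = '<p>Cheap <a href="http://pills.example" onclick="x()">pills</a> at http://pills.example</p>'
    print(filter_comment(spam, DEFAULT_FORMAT))
    print(filter_comment(spam, TRUSTED_FORMAT))
```

Rebuilding the markup from parsed tokens, rather than deleting patterns from the raw string, is what makes the profile the whole story: an attribute or tag that is not explicitly allowed cannot reach the page, and a link that does survive always carries nofollow, so even a trusted account that is compromised gives a spammer no search-engine credit.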

I have been fighting comment spam to the tune of 3 to 5 thousand per day for 9 months now. I was successful in blocking it using spam.module, but that did not do anything about the load and bandwidth usage from all of those spam posts.

I set up mod_security and was able to block spam posts before they got to Drupal, and was able to lower the server and bandwidth load considerably. So much so that there was an obvious increase in server response time. Then I started using it to block runaway robots and again was able to reduce the server load.

For those with server load problems I would suggest using mod_security, and if you have problems with DoS, runaway robots, people downloading your entire site using wget, or just want more control, you might also consider these modules or systems, some of which work fine with mod_security:

  • mod_evasive
  • mod_spambot
  • scrutinizer-1.03

You can google for the download sites and more info.

http://drupal.org/node/29954#comment-53368
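The "top visitors, then ban" routine from the tips above and the runaway-robot problem from the comment, as an added example written for this page (it is not the tracker module, not mod_security or mod_evasive, and not code from the commenter). The log records are constructed, shaped like access-log rows of (hostname, timestamp, path), with hosts taken from documentation address ranges; the hit threshold, the time window and the allowlist are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed access-log records: (hostname, timestamp, path).
# Hosts are documentation ranges, not real visitors.
BASE = datetime(2005, 6, 1, 12, 0, 0)
SAMPLE_LOG = (
    # a runaway robot: 12 hits in 22 seconds
    [("203.0.113.5", BASE + timedelta(seconds=2 * i), f"/node/{i}") for i in range(12)]
    # an ordinary reader: 3 hits spread over 14 minutes
    + [("198.51.100.7", BASE + timedelta(minutes=7 * i), "/node/1") for i in range(3)]
    # a busy but legitimate visitor: 5 hits over 48 minutes
    + [("192.0.2.9", BASE + timedelta(minutes=12 * i), "/tracker") for i in range(5)]
)


def top_visitors(records, n=3):
    """The 'top visitors' view: (host, hit count, paths touched), busiest first."""
    hits = Counter(host for host, _ts, _path in records)
    paths = defaultdict(set)
    for host, _ts, path in records:
        paths[host].add(path)
    return [(host, count, sorted(paths[host])) for host, count in hits.most_common(n)]


def runaway_hosts(records, max_hits, window_seconds):
    """Hosts that exceed max_hits within any span of window_seconds.

    This is the rate check a tool like mod_evasive applies per client
    (our own simplified version, not its implementation)."""
    by_host = defaultdict(list)
    for host, ts, _path in records:
        by_host[host].append(ts)
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window's left edge until it spans at most window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_hits:
                flagged.add(host)
                break
    return flagged


def ban_list(records, max_hits=10, window_seconds=60, allowlist=()):
    """Hosts to hand to the 'ban' link: runaway hosts minus anything allowlisted."""
    return sorted(runaway_hosts(records, max_hits, window_seconds) - set(allowlist))


if __name__ == "__main__":
    # Step one of the tip: look at the biggest consumers and what they fetch.
    for host, count, paths in top_visitors(SAMPLE_LOG):
        print(f"{host:15} {count:3} hits  {', '.join(paths[:3])}")
    # Step two: the ones that burst past the rate threshold are ban candidates.
    print("ban:", ban_list(SAMPLE_LOG))
```

A raw hit count alone (the top visitors display) would rank the busy-but-legitimate 192.0.2.9 second; the sliding window is what separates it from the robot, because its hits are spread over most of an hour rather than bunched into seconds. The allowlist exists for the same reason the tip says to check each URL before banning: your own monitoring host or a search crawler you want can look exactly like a runaway robot in the counts.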
