6.x-1.7 Not filtering after update

Just to update the uncertainty in the description - have just run a trial run, and confirmed that this version of mollom does not work, at least at my site - no proof yet of a bug, could still be a config at my site.

I have no errors on Mollom admin page, and the setting for "forum topic" says text analysis and captcha, but still people are able to post spam on forums without Mollom reporting anything in the logs.

Confirmed that Mollom does have a php error:
[16-Jan-2009 14:46:02] called mollom.verifyKey at server http://88.151.243.81 with no session ID
which is probably the root cause of the problem.

Given that the database format changed, I can't go back to previous versions of Mollom, so I'm stuck. Any quick resolution appreciated...!

Here's what I got using phpMyadmin:
mollom_acidfree_node_form i:0;
mollom_blog_node_form i:0;
mollom_book_node_form i:0;
mollom_comment_form i:2;
mollom_fallback s:1:"0";
mollom_faq_node_form i:0;
mollom_forum_node_form i:2;
mollom_image_node_form i:0;
mollom_page_node_form i:0;
mollom_public_key s:32:"9890312d963f6e8a7490317fac6d55c3";
mollom_servers a:2:{i:0;s:20:"http://88.151.243.81";i:1;s:21:"htt...
mollom_story_node_form i:0;
mollom_user_pass i:1;
mollom_user_register i:1;

I can help with debugging - but I've never looked at this module, what should I look for?
Starting with the PHP error message above, I added some debug output lines in nodeapi and expand_element.

I did try this for a authenticated / power user, since I can't turn on anonymous postings because of the flood of spam.
When I post an node, nodeapi never gets a isset($GLOBALS['mollom_response']) - it is always empty when I print it out using mollom_debug.

And mollom_expand_element never gets called - I have a mollom_debug line at the top, and it never shows up in my PHP error_log.

I suspect this is something in Drupal core and mollom.module, not a backend issue.

I just noticed that Mollom is filtering comments. It is not filtering nodes - specifically tested "Forum" postings.
I don't see the "submitted handler" message when nodes are being submitted.
if (!empty($edit) || !empty($form_state['submitted'])) {
_mollom_debug("mollom_expand_element: submitted handler");
never happens for a node (tested Forum node).

BTW, looks like with this version _mollom_debug messages are always written to PHP error_log by default - shouldn't the default be to not to write to the error_log? It could get huge and not too many people monitor that file!

I added some printfs, here's what I see:
[19-Jan-2009 14:53:12] mollom_expand_element: in it XXX
[19-Jan-2009 14:53:12] mollom_expand_element: XXX gen empty state (if (empty($mollom_state)) code)
[19-Jan-2009 14:53:12] mollom_expand_element: submitted handler
[19-Jan-2009 14:53:12] mollom_validate_analysis for 'comment_form'
[19-Jan-2009 14:53:13] called mollom.checkContent at server http://88.151.243.81 with no session ID
[19-Jan-2009 14:53:13] mollom_validate_analysis retrieved spam status 1 and session ID 'c0f25b42eed08b2e'
[19-Jan-2009 14:53:13] mollom_set_data XXX for did comment-5163
[19-Jan-2009 15:17:47] mollom_expand_element: in it XXX
[19-Jan-2009 15:17:47] mollom_expand_element: XXX gen empty state
(repeated)
[19-Jan-2009 15:35:20] mollom_nodeapi XXX for node-932 op: insert response-isset: N
[19-Jan-2009 15:38:48] mollom_expand_element: in it XXX
[19-Jan-2009 15:38:48] mollom_expand_element: XXX gen empty state
(repeated)

[Preliminary observation: I think this is a problem when mollom_expand_element is not called.

I have found it works fine for anonymous-user comment creation, and for node creation for logged-in users.
But it does not get called for anonymous-user node creation.]

Update: I just re-tested, reenabled anonymous users, and now mollom_expand_element is being called at least for one anonymous user (i.e. me, when I tested it manually). It is not being called for all the spamming anonymous users who are using automatic bots.

Would it be possible for someone to hack up a non hook_elements version of the current Drupal module? My previous comment test seems to be holding - anonymous spambots are able to get/post a node without hook_elements in mollom ever being called. When I tired to reproduce this manually, it works fine and hook_elements does get called.
I don't know where to go from here - but if I had the previous version of this module working with the current database, I could easily test it and that would confirm that the problem is Drupal's hook_elements mechanism or eliminate it as the source of this problem.

Well, looks like we are not going to get a fix for this anytime soon?

If that is true, it seems bad to leave this deficient release out there for everyone to download! 6.x-1.6 worked just fine, 1.7 had too many changes which should not be made to a supposedly stable release. As it stands now, people will upgrade, and find they are now owners of a broken module. If this truly is going to take a while to fix, then shouldn't someone withdraw the 1.7 from the recommended release and put back 1.6 there? Or if that is no longer possible, maybe mark it in red so people are warned before downloading.

Oh well....

Well, I am ready to vote for this module as the worst maintained-module in Drupal! Major code was changed in a production release, and no one is around to fix the problem... either a Drupal problem (hook_elements not working as designed - #359905-17: 6.x-1.7 Not filtering after update), or some other mollom bug.

Here's a workaround that should work:

Disable module.
Drop all mollom* tables from the SQL database using phyMydmin, or a
DROP TABLE (list all names here) ; command in SQL. Uninstall-ing the module might do this too.
Delete the mollom module folder.

Then re-install the better working version, anything before 1.7, here's link to 1.6:
http://ftp.drupal.org/files/projects/mollom-6.x-1.6.tar.gz
Enable module, re-enter all required values, and it should work correctly since it is not using that new-fangled "hook_elements" call.

Here's current state of debugging this issue:

I allow anonymous posters to create topics, and have set Preview required, and Mollom to scan forum topics, and when I manually do a test, both of these features get invoked
But when spammers do a POST, they bypass both mechanisms - they don't seem to need a preview and
then save, and secondly, no mollom gets invoked.

This is quite painful to debug, here's where I'm at, in case anyone has any hints.
I used the trace module, to trace hook elements and nodeapi, and database update and inserts.

First add, I did this manually, which works fine - mollom does get invoked, and two POSTs are required:

#892a731b T=0.000000 [REQUEST] 2009-02-23 16:35:30.722485 POST /node/add/forum/11/ HTTP/1.1
#892a731b T+0.633373 [QUERY ] d=0.079597s variable_set: UPDATE variable SET value = 'b:1;' WHERE name = 'dev_query'
#892a731b T+0.714043 [HOOK ] hook_elements: system, user, mollom
#892a731b T+0.991585 [HOOK ] hook_nodeapi: book, comment, menu, path, search, statistics, taxonomy, trigger, acidfree_image, faq, mollom, print, print_mail, print_pdf, forum, pathauto, ed_readmore, xmlsitemap_node, acidfree
#892a731b T+2.685201 [QUERY ] d=0.000381s cache_set: UPDATE cache_mollom SET data = 'a:6:{s:11:\"#session_id\";s:16:\"...\";s:8:\"#form_id\";s:15:\"forum_node_form\";s:17:\"#require_analysis\";b:1;s:16:\"#require_captcha\";b:0;s:15:\"#passed_captcha\";b:0;s:16:\"#user_session_id\";s:32:\"...\";}', created = 1235421333, expire = 1800, headers = '', serialized = 1 WHERE cid = '...'
#892a731b T+2.685582 [QUERY ] d=0.023873s cache_set: INSERT INTO cache_mollom (cid, data, created, expire, headers, serialized) VALUES (...)

... now the second POST shows the drupal_write_record;
#8b708468 T=0.000000 [REQUEST] 2009-02-23 16:36:07.044344 POST /node/add/forum/11/ HTTP/1.1
#8b708468 T+0.081902 [QUERY ] d=0.004409s variable_set: UPDATE variable SET value = 'b:1;' WHERE name = 'dev_query'
#8b708468 T+0.087439 [HOOK ] hook_elements: system, user, mollom
#8b708468 T+0.103133 [HOOK ] hook_nodeapi: book, comment, menu, path, search, statistics, taxonomy, trigger, acidfree_image, faq, mollom, print, print_mail, print_pdf, forum, pathauto, ed_readmore, xmlsitemap_node, acidfree
#8b708468 T+0.647160 [QUERY ] d=0.000992s cache_set: UPDATE cache_mollom SET data = 'a:6:{s:11:\"#session_id\";s:16:\"...\";s:8:\"#form_id\";s:15:\"forum_node_form\";s:17:\"#require_analysis\";b:1;s:16:\"#require_captcha\";b:0;s:15:\"#passed_captcha\";b:0;s:16:\"#user_session_id\";s:32:\"...\";}', created = 1235421367, expire = 1800, headers = '', serialized = 1 WHERE cid = '...'
#8b708468 T+0.649021 [HOOK ] hook_nodeapi: book, comment, menu, path, search, statistics, taxonomy, trigger, acidfree_image, faq, mollom, print, print_mail, print_pdf, forum, pathauto, ed_readmore, xmlsitemap_node, acidfree
#8b708468 T+0.651509 [HOOK ] hook_nodeapi: book, comment, menu, path, search, statistics, taxonomy, trigger, acidfree_image, faq, mollom, print, print_mail, print_pdf, forum, pathauto, ed_readmore, xmlsitemap_node, acidfree
#8b708468 T+0.671562 [QUERY ] d=0.052473s drupal_write_record: INSERT INTO node_revisions (nid, uid, title, body, teaser, log, timestamp, format) VALUES (0, 0, 'Testing only', 'Just a test', 'Just a test', '', 1235421367, 1)
------------------------

Second add - watching a automated spammer - they get to drupal_write_record on the first POST itself!
The mollom update cache line from previous test never shows up here - nothing from mollom shows up here, though the HOOK line shows mollom in it.

#99226b79 T=0.000000 [REQUEST] 2009-02-23 16:39:46.160993 POST /node/add/forum/11/ HTTP/1.0
#99226b79 T+0.015110 [QUERY ] d=0.000448s variable_set: UPDATE variable SET value = 'b:1;' WHERE name = 'dev_query'
#99226b79 T+0.016622 [HOOK ] hook_elements: system, user, mollom
#99226b79 T+0.034763 [HOOK ] hook_nodeapi: book, comment, menu, path, search, statistics, taxonomy, trigger, acidfree_image, faq, mollom, print, print_mail, print_pdf, forum, pathauto, ed_readmore, xmlsitemap_node, acidfree
#99226b79 T+0.044998 [HOOK ] hook_nodeapi: book, comment, menu, path, search, statistics, taxonomy, trigger, acidfree_image, faq, mollom, print, print_mail, print_pdf, forum, pathauto, ed_readmore, xmlsitemap_node, acidfree
#99226b79 T+0.076909 [QUERY ] d=0.012505s drupal_write_record: INSERT INTO node_revisions (nid, uid, title, body, teaser, log, timestamp, format) VALUES (0, 0, 'FREE PORN | ADULT .....
....
#99226b79 T+0.089414 [QUERY ] d=0.021515s drupal_write_record: INSERT INTO node (vid, type, language, title, uid, status, created, changed, comment, promote, moderate, sticky, tnid, translate) VALUES (953, 'forum', '', 'FREE PORN | ADULT | ejaculation film sexadult shop toy', 0, 1, 1235421586, 1235421586, 2, 0, 0, 0, 0, 0)
#99226b79 T+0.110929 [QUERY ] d=0.000477s node_save: UPDATE node_revisions SET nid = 955 WHERE vid = 953

Created [#382472] to track what may be the root cause - drupal node module allowing forum nodes to be created with the first invocation of a HTTP POST even though Preview is required before saving.
Not sure yet if it is related, so keeping this issue open too.

Finally, I think I have data that might be useful - seems like a Drupal core bug to me.

So I started collecting all the POST data, and here are the results:

First working trace - there are two POSTs, first only shows Preview button, second shows Save button. The Second working trace is from the spammer - it shows no "op" - neither Preview or Save, that seems like the key difference which causes Drupal to immediately insert that spam post.

FIRST - my manual test, which works fine - shows Preview then Save:

Sun, 01 Mar 2009 01:10:22 +0000 /node/add/forum/111 [FIRST - PREVIEW]
a:8:{s:5:"title";s:15:"Anon Me Testing";s:8:"taxonomy";a:1:{i:1;s:2:"11";}s:7:"changed";s:0:"";s:14:"teaser_include";s:1:"1";s:4:"body";s:55:"I am testing this to see what shows up in POST data log";s:13:"form_build_id";s:37:"form-3debe7e4d723f11e66f084d16dea6436";s:7:"form_id";s:15:"forum_node_form";s:2:"op";s:7:"Preview";}

Sun, 01 Mar 2009 01:10:42 +0000 /node/add/forum/111 [SECOND - SAVE]
a:9:{s:5:"title";s:15:"Anon Me Testing";s:8:"taxonomy";a:1:{i:1;s:2:"11";}s:7:"changed";s:0:"";s:14:"teaser_include";s:1:"1";s:4:"body";s:110:"I am testing this to see what shows up in POST data log
Second line added before clicking on Save button.
";s:13:"form_build_id";s:37:"form-a2517a789618759ac56b3485c5c0e77e";s:7:"form_id";s:15:"forum_node_form";s:6:"mollom";a:1:{s:10:"session_id";s:16:"4cc667ed28ad4bf0";}s:2:"op";s:4:"Save";}

SECOND - spammer bypassing Preview button and also mollom checks:

Sun, 01 Mar 2009 01:14:02 +0000 /node/add/forum/111/  [SPAMMER POSTING]
a:7:{s:5:"title";s:39:"PharmacyOnlineShop - viagra cheapest uk";s:8:"taxonomy";a:1:{i:1;s:2:"11";}s:7:"changed";s:0:"";s:14:"teaser_include";s:1:"1";s:4:"body";
s:683:"<a...(deleted spam) ... buy now";
s:13:"form_build_id";
s:37:"form-6260e2d9d06de1e4bb16e86b9cf4f15a";
s:7:"form_id";
s:15:"forum_node_form";}

Preliminary results show that the patch seems to be working.

Now if we could also get two more fixes to the 1.7 release:
1) it spams the error log
[21-May-2009 18:14:22] mollom_validate_analysis retrieved spam status 2 and session ID '....'
[21-May-2009 18:14:29] mollom_expand_element: submitted handler
[21-May-2009 18:14:29] mollom_validate_analysis for 'comment_form'
and many other messages - I am hoping developers leave debug statements out of logs when a release is made - is there some way to locally patch this 1.7 version to make debug not go out to disk?

2) Issue #387094: When "do not send feedback", get Error 1000 error 1000 seems like a coding error also.