It’s not entirely lack of time or Drupal being bad, at this point. The tools for fighting human spammers (non-bot, actual people who setup email addresses, verify them, and then create content) are really just not very effective. We have almost every Drupal anti-spam measure enabled, plus third party anti-spam tools. I’ve spent hours on anti-spam efforts just this month. It’s just a really hard problem.
And, for every spam you see, we’ve probably killed three or four more within an hour or two of it arriving. It’s just a deluge. For whatever reason, some high volume spammers have decided that Virtualmin.com is a high value target; relatively high PR ranking, I guess. The abuse reporting mechanism, unfortunately, is very poorly implemented…it doesn’t provide tools to acknowledge reported posts, so now we’ve got a huge list of posts to look at (having to ignore the ones that weren’t supposed to be flagged because they aren’t actually spam, just annoying to someone for whatever reason), and kinda parse out which ones are new and which are not needing attention. I kinda pieced it together out of some half-assed existing modules, and it doesn’t really hold up to use at our scale (we’re finding lots of things in Drupal don’t do well at our scale, even though our scale isn’t actually all that big).
I keep working on it, and there is another anti-spam module that doesn’t actually work right now that I’ve been working on fixing (I mean the module has been unmaintained for a couple of years, and does not work with current Drupal versions, but I’m working on updating it). It would provide us some additional tools to blacklist specific words and phrases, as well as implement our own local bayesian database. The paid third party service we use produces more false positives than accurate blocks, so it’s kind of proving to be less than worthless, which is a real pain in the ass.
We honestly have put a lot of effort into spam prevention. It isn’t good enough, but I don’t know what else to do. I’m sitting here typing this at 1AM on Christmas Eve, after working all day, and with plans to work half of Christmas, too. We just don’t have any more hours to put into play. We’re four guys, one of whom has a full-time job in addition to Virtualmin (and the rest of us also have some other stuff going on to keep the bills paid), supporting about a million, or two, users, spread across project made of hundreds of thousands of lines of code. Sometimes the choice is between making the website better or making Virtualmin better or directly supporting a paying customer. I try to find a good balance.