Better Honeypot Implementation (Form Anti-Spam)

by

Concept

By adding a invisible field to your forms that only spambots can see, you can trick them into revealing that they are spambots and not actual end-users.

HTML

<input type="checkbox" name="contact_me_by_fax_only" value="1" style="display:none !important" tabindex="-1" autocomplete="off">

Here we have a simple checkbox that:

  • Is hidden with CSS.
  • Has an obscure but obviously fake name.
  • Has a default value equivalent 0.
  • Can’t be filled by auto-complete
  • Can’t be navigated to via the Tab key. (See tabindex)

Server-Side

On the server side we want to check to see if the value exists and has a value other than 0, and if so handle it appropriately. This includes logging the attempt and all the submitted fields.

In PHP it might look something like this:

$honeypot = FALSE;
if (!empty($_REQUEST['contact_me_by_fax_only']) && (bool) $_REQUEST['contact_me_by_fax_only'] == TRUE) {
    $honeypot = TRUE;
    log_spambot($_REQUEST);
    # treat as spambot
} else {
    # process as normal
}

Fallback

This is where the log comes in. In the event that somehow one of your users ends up being marked as spam, your log will help you recover any lost information. It will also allow you to study any bots running on you site, should they be modified in the future to circumvent your honeypot.

Reporting

Many services allow you to report known spambot IPs via an API or by uploading a list. (Such as CloudFlare) Please help make the internet a safer place by reporting all the spambots and spam IPs you find.

Advanced

If you really need to crack down on a more advanced spambot, there are some additional things you can do:

  • Hide honeypot field purely with JS instead of plain CSS
  • Use realistic form input names that you don’t actually use. (such as “phone” or “website”)
  • Include form validation in honeypot algorithm. (most end-user will only get 1 or 2 fields wrong; spambots will typically get most of the fields wrong)
  • Use a service like CloudFlare that automatically blocks known spam IPs
  • Have form timeouts, and prevent instant posting. (forms submitted in under 3 seconds of the page loading are typically spam)
  • Prevent any IP from posting more than once a second.
  • For more ideas look here: How to create a “Nuclear” honeypot to catch form spammers

More Related Contents:

  1. The definitive guide to form-based website authentication [closed]
  2. When should I use GET or POST method? What’s the difference between them?
  3. CSS selector for a checked radio button’s label
  4. Using the HTML5 “required” attribute for a group of checkboxes?
  5. Adding causes java.lang.IllegalStateException: Cannot create a session after the response has been committed
  6. VBA: Using WithEvents on UserForms
  7. How to use EL with in id attribute of a JSF component
  8. How to prevent robots from automatically filling up a form?
  9. How is mime type of an uploaded file determined by browser?
  10. What’s the difference between “Request Payload” vs “Form Data” as seen in Chrome dev tools Network tab
  11. How to write “Html.BeginForm” in Razor
  12. Postman Chrome: What is the difference between form-data, x-www-form-urlencoded and raw
  13. changing the language of error message in required field in html5 contact form
  14. Symfony2 Setting a default choice field selection
  15. HTML form with multiple hidden control elements of the same name
  16. Angular 2: Can’t bind to ‘ngModel’ since it isn’t a known property of ‘input’
  17. Can you require two form fields to match with HTML5?
  18. Uploading file using Google Apps Script using HtmlService
  19. HTML5: Slider with two inputs possible?
  20. HTML slider with two inputs possible?
  21. How to open a new window on form submit
  22. What causes the “control.registerOnChange is not a function” error
  23. What is the right way to POST multipart/form-data using curl?
  24. Can you require two form fields to match with HTML?
  25. within not entirely working, only the last is processed
  26. Pass custom options to a symfony2 form
  27. Delphi Change main form while application is running
  28. Avoid modal dismiss on enter keypress
  29. Add span inside form’s placeholder
  30. How to keep changed form content when leaving and going back to HTTPS page? (works with HTTP)

Leave a Comment