Tags: forms, spam-prevention, honeypot

Better Honeypot Implementation (Form Anti-Spam)


How do we get rid of these spambots on our site?

Every site falls victim to spambots at some point. How you handle it can affect your customers, and most solutions can discourage some people from filling out your forms.

That's where the honeypot technique comes in. It allows you to ignore spambots without forcing your users to fill out a captcha or jump through other hoops to fill out your form.

This post is purely to help others implement a honeypot trap on their website forms.


Update:

Since implementing the below honeypot on all of my client's websites, we have successfully blocked 99.5% (thousands of submissions) of all our spam. That is without using the techniques mentioned in the "advanced" section, which will be implemented soon.


Solution

  • Concept

    By adding an invisible field to your forms that only spambots can see, you can trick them into revealing that they are spambots and not actual end-users.

    HTML

    <input type="checkbox" name="contact_me_by_fax_only" value="1" style="display:none !important" tabindex="-1" autocomplete="off">
    

    Here we have a simple checkbox that:

    Server-Side

    On the server side we want to check to see if the value exists and has a value other than 0, and if so handle it appropriately. This includes logging the attempt and all the submitted fields.

    In PHP it might look something like this:

    $honeypot = FALSE;
    # A real browser never shows the hidden checkbox, so a human cannot tick it;
    # bots that auto-fill every input will submit it with value "1".
    if (!empty($_REQUEST['contact_me_by_fax_only']) && (bool) $_REQUEST['contact_me_by_fax_only'] == TRUE) {
        $honeypot = TRUE;
        log_spambot($_REQUEST); # keep every submitted field for the fallback log
        # treat as spambot
    } else {
        # process as normal
    }
    

    Fallback

    This is where the log comes in. In the event that somehow one of your users ends up being marked as spam, your log will help you recover any lost information. It will also allow you to study any bots running on your site, should they be modified in the future to circumvent your honeypot.

    Reporting

    Many services (such as CloudFlare) allow you to report known spambot IPs via an API or by uploading a list. Please help make the internet a safer place by reporting all the spambots and spam IPs you find.

    Advanced

    If you really need to crack down on a more advanced spambot, there are some additional things you can do:
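The server-side check and fallback log from the Solution section above, written out as an added Python example (not the answer's own PHP code): the field name matches the hidden checkbox, the "non-empty and not 0" test mirrors PHP's `!empty()`, and every flagged submission is kept whole so a wrongly flagged user can be recovered. Sample submissions and IPs are constructed.

```python
"""Honeypot form check: added example, not code from the original answer."""
import time

HONEYPOT_FIELD = "contact_me_by_fax_only"  # assumed: same name as the hidden checkbox

# In-memory log of flagged submissions. A real site would persist these
# (file or database) so a wrongly flagged user's message can be recovered.
SPAM_LOG: list[dict] = []

# Values PHP's empty() treats as empty; mirrors the answer's !empty() test.
_EMPTY_VALUES = {"", "0"}


def honeypot_triggered(form: dict) -> bool:
    """True when the hidden field arrived with a non-empty, non-zero value.

    A real browser never renders the field, so a human cannot fill it in;
    bots that auto-complete every input typically submit it as "1".
    """
    value = form.get(HONEYPOT_FIELD)
    if value is None:
        return False
    return str(value) not in _EMPTY_VALUES


def log_spambot(form: dict, remote_ip: str) -> dict:
    """Record the whole submission so real users can be recovered and bots studied."""
    entry = {
        "ts": int(time.time()),
        "ip": remote_ip,
        "fields": {k: str(v) for k, v in form.items()},
    }
    SPAM_LOG.append(entry)
    return entry


def handle_submission(form: dict, remote_ip: str) -> str:
    """Return 'spam' or 'ok' after applying the honeypot check."""
    if honeypot_triggered(form):
        log_spambot(form, remote_ip)
        return "spam"  # drop quietly; give the bot no hint why it failed
    return "ok"  # process as normal (send mail, store in DB, ...)


# Constructed sample submissions (not real traffic).
HUMAN = {"name": "Ada", "email": "ada@example.com", "message": "Hi"}
BOT = {"name": "x", "email": "x@example.com", "message": "buy", HONEYPOT_FIELD: "1"}
```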