Honeypot Captcha

• Sep 11, 2007
• 77 Comments
• Print

I was thinking about alternative ways to block comment spam the other day and it occurred to me that there’s potentially a simpler solution than the Invisible Captcha approach I wrote about.

The Invisible Captcha control plays upon the fact that most comment spam bots don’t evaluate javascript. However there’s another particular behavioral trait that bots have that can be exploited due to the bots inability to support another browser facility.

You see, comment spam bots love form fields. When they encounter a form field, they go into a berserker frenzy (+2 to strength, +2 hp per level, etc...) trying to fill out each and every field. It’s like watching someone toss meat to piranhas.

At the same time, spam bots tend to ignore CSS. For example, if you use CSS to hide a form field (especially via CSS in a separate file), they have a really hard time knowing that the field is not supposed to be visible.

To exploit this, you can create a honeypot form field that should be left blank and then use CSS to hide it from human users, but not bots. When the form is submitted, you check to make sure the value of that form field is blank. For example, I’ll use the form field named body as the honeypot. Assume that the actual body is in another form field named the-real-body or something like that:

<div id="honeypotsome-div">
If you see this, leave this form field blank 
and invest in CSS support.
<input type="text" name="body" value="" />
</div>

Now in your code, you can just check to make sure that the honeypot field is blank...

if(!String.IsNullOrEmpty(Request.Form["body"]))
  IgnoreComment();

I think the best thing to do in this case is to act like you’ve accepted the comment, but really just ignore it.

I did a Google search and discovered I’m not the first to come up with this idea. It turns out that Ned Batchelder wrote about honeypots as a comment spam fighting vehicle a while ago. Fortunately I found that post after I wrote the following code.

For you ASP.NET junkies, I wrote a Validator control that encapsulates this honeypot behavior. Just add it to your page like this...

<sbk:HoneypotCaptcha ID="body" ErrorMessage="Doh! You are a bot!"
  runat="server"  />

This control renders a text box and when you call Page.Validate, validation fails if the textbox is not empty.

This control has no display by default by setting the style attribute to display:none. You can override this behavior by setting the UseInlineStyleToHide property to false, which makes you responsible for hiding the control in some other way (for example, by using CSS defined elsewhere). This also provides a handy way to test the validator.

To get your hands on this validator code and see a demo, download the latest Subkismet source from CodePlex. You’ll have to get the code from source control because this is not yet part of any release.

What others have said

Peter Mescalchin Sep 11, 2007 1:26 AM

# re: Honeypot Captcha

Such a simple idea. Definitely going to give that a bash on one of my pesky web contact forms - see what millage I can get.

Ola Lindberg Sep 11, 2007 1:32 AM

# re: Honeypot Captcha

It's a good idea! However doesn't it make it hard to use for users that use a screen reader as well?

Mads Kristensen Sep 11, 2007 2:11 AM

# re: Honeypot Captcha

From an accessibility point of view it is a bad idea. People using screen readers will see that input field.

Peter Mescalchin Sep 11, 2007 2:20 AM

# re: Honeypot Captcha

True, but you can label the field with a full description of its use.

And according to some research done by Simon Wilson many moons ago (this may not be the case now) - JAWS, Windows Eyes and IBM home page reader ignore content inside a display:none parent anyway - not really the desired response from the screenreader, but works to an advantage in this case.

http://simonwillison.net/2003/Sep/13/screenReaders/

So maybe its not so bad afterall accessibility wise?

Peter Rogers Sep 11, 2007 2:37 AM

# re: Honeypot Captcha

It's been like this on http://dis.4chan.org/prog/ (and other boards) for quite some time now. Easy to see by visiting the page in links or other text-based browser. Seems to work rather well.

Philippe LACHAISE Sep 11, 2007 3:23 AM

# re: Honeypot Captcha

I would suggest NOT to use id="honeypot" (they might learn to spot that), rater something like id="userComment" or some other pest appetizer ;-)

Tomasz Melcer Sep 11, 2007 3:57 AM

# re: Honeypot Captcha

Same idea is presented on http://www.rustylime.com/show_article.php?id=338, with some comments too.

DotNetKicks.com Sep 11, 2007 4:32 AM

# Honeypot Captcha - new Subskimet Captcha control

You've been kicked (a good thing) - Trackback from DotNetKicks.com

Tim Sep 11, 2007 5:05 AM

# re: Honeypot Captcha

Pretty interesting. I did some similar testing a while back against Googlebot, and surprisingly it will build everything up in and execute the CSS.

We were doing some SEO testing to see how smart Googlebot was. Turns it, it was pretty smart and you couldn't hide tags in CSS (like making the text white to blend in with background).

BTW, we weren't trying to fool Google, but rather put some debug information in a page and make sure the bot didn't think we were trying to do something against Google's ToS.

I wonder how long it will be (if it's not aready) until these spam bots fully render CSS.

JGM Sep 11, 2007 6:58 AM

# re: Honeypot Captcha

Excellent article, I've been using javascript and PHP Sessions to prevent form spamming for a while now, but hadn't considered this angle. Great information, and I'll be putting it to use immediately as one more item my arsenal in the on-going war against spam.

Jason Haley Sep 11, 2007 6:59 AM

# Interesting Finds: September 11, 2007

Troels Sep 11, 2007 7:06 AM

# re: Honeypot Captcha

Clever.

Wyatt Barnett Sep 11, 2007 7:07 AM

# re: Honeypot Captcha

@Mads: Yeah, people with a screen reader will see the input, but they should also see the label telling them not to fill it in. Spambots won't read labels, except maybe field ids/names, so if you name it something ingenious, like email2, they will fill 'er in.

Steven Harman Sep 11, 2007 7:24 AM

# re: Honeypot Captcha

A possible enhancement... you could make use of asp.net 2.0+'s Web Resource's and have the control actually pull an embedded CSS file down automagically. As you said, this would make it even harder for bots as they don't tend to apply CSS, let alone external CSS files, to the form fields.

Of course, we'd want to make this configurable so a consumer of the control could use InlineStyles, ExternalStyle, or NoStyles.

Ryan Smith Sep 11, 2007 7:33 AM

# re: Honeypot Captcha

That's an interesting method. I found the simple JavaScript CAPTCHA handles all bots on one of my contact forms, but this seems like a better, cleaner solution than forcing the JavaScript issue.

Probably much better from an accessibility point of view.

Haacked Sep 11, 2007 7:57 AM

# re: Honeypot Captcha

@Mads, people with a screenreader won't see the input. They might hear it, but as far as I know, many screen readers read the rendered text from a browser. So if the browser doesn't display it, not sure why the screen reader would read it.

But just in case, the label clearly tells the user not to type anything into the field. In that situation, it effectively becomes a simple visual/aural CAPTCHA.

In the Subkismet control, I make sure to render that label.

Scott Sep 11, 2007 8:52 AM

# re: Honeypot Captcha

Would using a Flash component for the actual user input achieve the same effect?

Carl Sep 11, 2007 9:33 AM

# re: Honeypot Captcha

I like this idea. On a site of mine that attracts spam submits, upon detecting spam I delay responding for 30 seconds before returning a "successful" submit and ignore the input. I'm not sure if the bots actually wait for a response, but I throw in a delay for good measure.

The Janitor Sep 11, 2007 9:45 AM

# re: Honeypot Captcha

Easy and effective - mow that's neat and fancy! :)

Derek Sep 11, 2007 10:27 AM

# re: Honeypot Captcha

I've always liked clever CAPTCHA schemes, but I have a feeling some bots might try leaving the field blank. It only takes one to put a few hundred comments on your blog.

I recently switched to using reCAPTCHA, which ensures that the work of my commenters does not go to waste.

http://recaptcha.net/

Haacked Sep 11, 2007 11:22 AM

# re: Honeypot Captcha

@Derek - You could name the text field "url" and use another field for the actual URL. Just choose a field name the bot is most likely to fill out.

If you're running Yahoo, then the bot writers will take the time to figure it out. If you're running a small blog, then the number of variations to this approach are so many, bot writers have no incentive to try and solve it for every case.

Even so, I would use this in tandem with Invisible Captcha. So far, I never get automated comment spam on my blog. I only get pingtrack/trackback spam.

Raisor Sep 11, 2007 12:49 PM

# re: Honeypot Captcha

Hi Phil,

... last time I've responded to a post of yours I've received a "your comment is spam" or something like that message ... anyway ;) ... I like the idea behind this post and as I understand from other comments, there are already many approaches to the subject ... just reflecting on it, if I'd ever had to write some "bot" I'd certainly look for the name or id with the name "Honeypot" ...


Best regards,
Raisor

Abdu Sep 11, 2007 1:40 PM

# re: Honeypot Captcha

Carl: a 30 minute delay is too long. Some people would get impatient , stop the request and resubmit... eventually leaving the webpage with disgust.

Plus I am sure spambots and not going to wait. These tend to be fire and forget type of attacks. They are too busy to wait for a response. They're quickly off to their next victim.

Aaron Robson Sep 11, 2007 2:02 PM

# re: Honeypot Captcha

I've been using this method myself for a while after a friend pointed me in that direction - apparently phpbb uses something like it. I found its done very nicely in getting rid of spam, although some do get through - almost as if they're specifically targeting the site ?
http://intrepidnoodle.com/articles/9.aspx

Haacked Sep 11, 2007 2:41 PM

# re: Honeypot Captcha

I would never use the id "honeypot" in a real scenario. I only used it for demo purposes. But I've changed it so that the main point is not lost.

engtech Sep 11, 2007 2:54 PM

# re: Honeypot Captcha

The id of the captcha should be random dictionary words so that the spambot can't ID it.

It should never be author, email, or url because genuine commenters with Comment Pre-fill forms will be hit with it.

(I hit Alt-C and fill in my name/email/url on all WordPress blogs, for example -- and would mark me as a spammer instead of the wonderful commenter that I am :) )

Haacked Sep 11, 2007 5:31 PM

# re: Honeypot Captcha

@engtech Wow, the comment pre-fill forms filled in hidden fields? That's some validation this technique works. ;)

As long as everyone chose something different, it wouldn't matter so much. But good point about not choosing "url", "email", etc... I'll update this post once again when I get home. *sigh*

Johann Sep 12, 2007 5:09 AM

# re: Honeypot Captcha

Good idea. I tried duplicating form fields before but that didn't work.

Thomas Freudenberg Sep 17, 2007 1:37 PM

# Honeypot Captcha for Community Server

A few days ago Phil Haack wrote about Honeypot Captcha : At the same time, spam bots tend to ignore CSS

BiGYaN Sep 18, 2007 8:17 PM

# re: Honeypot Captcha

Interesting idea no doubt. But I think I've heard similar ideas in some other forums. The best part about it is its simplicity. One of the simplest to implement and effective too.

I wonder how long will it take for the bots to have a full CSS renderer? .... conceptually it isn't that difficult. But I guess that day is far off due to its effectiveness. A majority of sites would have to implement this strategy, for the bots to have a full fledged renderer. Till then this will prove to be an effective strategy for sure.

Keyvan Nayyeri Oct 07, 2007 12:28 PM

# Spam Busting in Community Server 2007 - Part 2

In the first post I gave an introduction and outlined eights spam rules to fight against spammers in

Chris Oct 09, 2007 12:55 PM

# re: Honeypot Captcha

One of the problems that I ran into using this method is Google's "Autofill" button on the tool bar. I named my hidden field "EmailSomething" and the Google Toolbard "Autofill" fills it in, even though it cannot be seen. I realize this may not be showstopper, but just something you may want to be aware of when using it on Contact forms.

Blaise Kal Oct 09, 2007 1:29 PM

# re: Honeypot Captcha

The problem with these solutions is that spammers can adjust their code easily for one specific website. Captchaz work better then (but aren't very accessible). Fortunately, a site's got to be quite large before spammers do such an effort.

Jylan Wynne Oct 10, 2007 8:00 PM

# re: Honeypot Captcha

I suppose this method is best for people who don't want to inconvenience their users by making fill out a captcha (or another similiar method), which can be very annoying for some people.

Ian Quigley Oct 12, 2007 2:58 AM

# re: Honeypot Captcha

Cool idea.

Pheadrus Oct 12, 2007 3:33 AM

# re: Honeypot Captcha

i think this is a good idea. maybe some php or asp coding to change the hidden forms name at every page load. course then you could just compare snapshots of the page a before an after to find the changing form. or have all form names change within their context.

silchan Oct 12, 2007 9:13 PM

# re: Honeypot Captcha

Instead of using Id's to label your for elements, why not use classes? Then you could have, say, 2 comment elements, 2 title elements, 2 url elements, et cetera. Once you have them, hide one of each and don't accept anything that fills in the display:non elements. Then it wouldn't be able to distinguish between the real and fake ones.

Since css allows for multiple classes per elements, you could have, say: <div class="sweet url"> and <div class = "sour url">. Then you could distinguish between the right and wrong one in your code.

Mathieu 'p01' Henri Oct 26, 2007 6:07 AM

# re: Honeypot Captcha

A while ago I was spam comments on a site. I added a honeypot plus a hashed timestamp in an input hidden. If the form is submitted less than 3 seconds after the generation of the page, chances are pretty high that it is a bot. I also check for the number of URLs in the comment and if a domain's URL is already in my blacklist.

The amount of spam dropped drastically.

JMG Oct 26, 2007 7:23 AM

# re: Honeypot Captcha

Il call the blank field to be hidden with some css, the 'stupid captcha for stupid spam bots'. There are others simple ideas:

* name can't be an URL (you ain't an URL, are you?);
* email must be an email (not a URL or anything else);
* comment can't contain bbcode links [url];
* comment can't have more links than words.

These are very easy to develop solutions, they're invisible to end-users (I don't want to bother them), they don't require javascript enabled browsers and... all spam bots just fell for it. They're just plain stupid bots.

Andy Oct 26, 2007 8:19 AM

# re: Honeypot Captcha

I've used something similar on my YaBB forum for a while now and it works brilliantly, I went from around 5 bot accounts being registered every day to zero.

The signup page of my forum has a couple of radio button and prompts users to click "yes" to signify their acceptance of the TOS. Renaming these buttons and adding similar with the question "Are you a spambot?" gets them every time :-)

Michael Hendrickx Oct 27, 2007 1:02 AM

# re: Honeypot Captcha

nice idea indeed!!

Don Park Oct 28, 2007 7:48 AM

# re: Honeypot Captcha

a good one, phil. honeypots, like so many other techniques, r under utilized imho. these techniques like spices and meant to be mixed and used to make fine cuisines.

Usman Masood Nov 29, 2007 3:56 AM

# re: Honeypot Captcha

such simple and classic technique. i like the idea, thanks haacked.

Bob Jan 17, 2008 6:17 PM

# re: Honeypot Captcha

I thing that the quality of this material is high. To enable/help dutch experts killing SPAM, I will use your material for translation in to Dutch at the Dutch Wiki learning http://www.leerwiki.nl. Hope this is ok?

Rob Jan 20, 2008 4:42 PM

# re: Honeypot Captcha

Yes, good idea, but the data in the form field has only 2 states, filled in and not. The solution is simple and elegent but I'm not sure 2 states is enough to deter a well crafted bot...for long.

Hypotheek Apr 20, 2008 3:50 AM

# re: Honeypot Captcha

" I thing that the quality of this material is high. To enable/help dutch experts killing SPAM, I will use your material for translation in to Dutch at the Dutch Wiki learning http://www.leerwiki.nl. Hope this is ok? "

I will help you too Bob! No problem, this would solve alot of spam.. I hope!

okcdarksage Apr 22, 2008 8:18 PM

# re: Honeypot Captcha

I like the ideas that I'm seeing here, but I think we need to reiterate that there is no silver bullet solution.

On the note of the CSS-based technique and screen readers, let's not forget that media rules can be specified for aural on your style or link elements, or, using the @ rules in CSS.

Let's hope the work continues on defeating this useless waste of space and time.

Amir May 11, 2008 9:09 AM

# re: Honeypot Captcha

HI, i got the plateform to say about the account king. He can deliver daily 500k-1000k any account like yahoo, gmail, hotmail etc. Anyone wants to get introduce then please contact with account king on khoknaa@yahoo.com instant messanger. Thanks

vakantie Jun 22, 2008 9:39 AM

# re: Honeypot Captcha

I think this would work, but dont under estimate the creative solutions hackers can come up with. I would already think of a plan B in the case they crack this suggestion.

Vertaling Engels Jul 02, 2008 8:45 AM

# re: Honeypot Captcha

@ vakantie

It's an eternal war. Just see it as a game. Hackers will always be able to crack new kinds of protection, and then they will come up with something new, and then they will hack it again. It's just fun for both parties if they don't take themselves too seriously. Keeps us busy and our intellect sharp :)

Geld Lenen Jul 09, 2008 5:53 AM

# re: Honeypot Captcha

The honeypot form field that should be left blank and then use CSS to hide it from human users, but not bots....

How can you make this difference?

Mark Jul 10, 2008 10:18 AM

# re: Honeypot Captcha

Maybe you shouldn't reveal the idea.:)
Now it will be easier to find ways to trick it

darknes Jul 18, 2008 12:04 PM

# re: Honeypot Captcha

hello, it`s so easy!!!!

Richard Aug 29, 2008 7:14 AM

# re: Honeypot Captcha

This simple technique really works because the bots are so badly written most of the time. Unfortunately you can't go much beyond this without seriously hurting accessibility, which is a shame because a nice javascript hashcash would really put a dent in the spammers whilst not requiring users to figure out increasingly obscure captchas.

Lening Sep 19, 2008 3:14 AM

# re: Honeypot Captcha

Simple yet effective! It's a good thing bots don't tend to apply CSS :)

Mark S Nov 02, 2008 9:26 AM

# re: Honeypot Captcha

Actually this is one of the few articles I could find that shows the principles of an efficient solution against automatic forms submission.

And you can go a step further by randomizing the various elements that are in the css and/or generate the css/stylesheet on the fly. So for each page load a different css and vary the number of invisible elements with the form. If you check the HTML and CSS specs, they also have certain rules you could take advantage of. For instance, if the same css tag or css field inside the tag is repeated the last one overrides the first. You can also have tags in comments. All of which lead to more and more complex bot structure to identify something and submit a form.

Anyways, I totally agree and I found it pathetic to say the least, to bloat forms with crossed-out images and mysterious active scripts and other ajax and anti-ocr methods to identify if it's a bot or a human who submits a form.

So you can secure 100% your forms without adding anything extra that is visible to the visitors.

vastgoed Nov 23, 2008 5:11 AM

# re: Honeypot Captcha

Very, very good idea. I like the simple solutions. You can make in this case a sort of a black hole for the spam-bot. I've heard about it in another forum; when founded again, I will post is here, greetz, V

hypotheek Nov 28, 2008 7:39 AM

# re: Honeypot Captcha

It's a simple and easy but effective way. Thanks!

Darren Dec 02, 2008 6:52 AM

# re: Honeypot Captcha

My form is in an html page. This page calls on a seperate php page to process the form, and also uses a javascript to force mandatory fields. My question is, where do i put the following code:
if(!String.IsNullOrEmpty(Request.Form["body"]))IgnoreComment();
i have tried adding it into my php script, but its not working! please help!!

lenen nl Dec 13, 2008 5:55 PM

# re: Honeypot Captcha

Well that's a very clever idea. I wonder if somebody will invent the-spam-bot-that-spams-spambots one day :-)

matt Jan 21, 2009 11:24 PM

# re: Honeypot Captcha

I inserted the hidden form and php snippet with my class name but I get a php error on submission. Parse error: syntax error, unexpected '[' in /var/www/includes/guestbook_input.php on line 4
The '[' that it's referring to is from your if(!String.IsNullOrEmpty(Request.Form["body"]))IgnoreComment();
What did I do wrong?

Bram Feb 01, 2009 10:36 AM

# re: Honeypot Captcha

@ Johann, try "Visual captchas" at that website! regards, Bram

Hypotheek Feb 09, 2009 8:45 AM

# re: Honeypot Captcha

I was here a long time ago. I was wondering if this idea is already used somewhere ? I realy think it is great and i would like to use it on my Hypotheekwebsite.

Hope to see it in use soon.

Barnevern Mar 06, 2009 7:44 AM

# re: Honeypot Captcha

This method is still working very well on most "low volume" sites, like personal blogs and pages.

On sites with more visitors and/or higher pagerank I would combine it with something else (like java, cookie, hashed hidden form fields, etc).

Most blogs and cms today come with some form of protection, like Akismet, Bad Behavior, Spam Karma, etc. Adding the honeypot trick would just make it more secure.

By the way: why aren’t screen readers updated to take this trick into account? Hidden fields in css should not be processed.

Medisch recht Mar 12, 2009 5:52 AM

# re: Honeypot Captcha

I would like to start my own weblog in the near future. I have been experimenting with Captcha's.
@Matt, I have the same error that you have [...Parse error: syntax error, unexpected '[' in /var/www/includes/guestbook_input.php on line 4]
I have not been able to fix it. Did you find a solution?

norwich web designer Apr 04, 2009 3:15 AM

# re: Honeypot Captcha

Great concept, it's good to see the problem of unreadable captchas being tackled!

watch 24 season 8 Dec 15, 2009 9:47 PM

# re: Honeypot Captcha

Nice !! i am implementing it for my website comments section.

hair loss directory Dec 16, 2009 11:18 AM

# re: Honeypot Captcha

Nice implementation of captchas, it sure is a nice one, will be using it on my phpbb. I need to ask my web programmer though but i bookmarked your link.

thanx

dalmatia Dec 17, 2009 8:15 PM

# re: Honeypot Captcha

I think this would work, but dont under estimate the creative solutions hackers can come up with. I would already think of a plan B in the case they crack this suggestion. Implementing right now.
thanx

Los Angeles Dentists Dec 18, 2009 12:13 AM

# re: Honeypot Captcha

nothing is not possible nowadays. do you know of the software xrumer? it can decode captchas. There are services like decapcher.com who provides human captcha breaking. SO its basically useless.

England Trains Travel Dec 18, 2009 10:34 PM

# re: Honeypot Captcha

I think this would work, but dont under estimate the creative solutions hackers can come up with. I would already think of a plan B in the case they crack this suggestion. Just try to think out of the box.

popular travel destinations Jan 29, 2010 3:12 PM

# re: Honeypot Captcha

I'm thinking this would probably be worth implementing into my site. Good idea.

geld lenen Mar 17, 2010 4:00 AM

# re: Honeypot Captcha

I'll definitely think about this...great idea!

horloges Mar 26, 2010 8:56 AM

# re: Honeypot Captcha

Great idea. I'm definitely going to implement this into my websites. Thanks for the great solution!

chris Jun 03, 2010 4:18 AM

# re: Honeypot Captcha

The solution is good, but not 100% spam free. I'd say that about 10-20% of spam still gets through.

Paul Jul 04, 2010 3:21 PM

# re: Honeypot Captcha

Why not generate the honeypot using the users session id

That way it changes the field name for every user, you can validate on the session Id submitted and also validate that it is blank

combine this with a check between when the page was generated and when it was submitted (server side) and you can stop the bot

Kris Jul 16, 2010 11:26 PM

# re: Honeypot Captcha

I noticed a few people having trouble checking if the form field was set, Couldn't you just do a simple post check?
if (!isset($_POST['fieldname'])) { IgnoreComment(); }

What do you have to say?

Title:

Name:

Email: (never displayed) (will show your gravatar)

Website:

Comment: Allowed tags: blockquote, a, strong, em, p, u, strike, super, sub, code

Please add 1 and 6 and type the answer here: