Honeypot Captcha

I was thinking about alternative ways to block comment spam the other day and it occurred to me that there’s potentially a simpler solution than the Invisible Captcha approach I wrote about.

The Invisible Captcha control plays upon the fact that most comment spam bots don't evaluate JavaScript. However, there's another behavioral trait of bots that can be exploited in the same way, arising from the bots' inability to support a different browser facility.

[Image: honeypot, from http://www.cs.vu.nl/~herbertb/misc/shelia/]

You see, comment spam bots love form fields. When they encounter a form field, they go into a berserker frenzy (+2 to strength, +2 hp per level, etc...) trying to fill out each and every field. It's like watching someone toss meat to piranhas.

At the same time, spam bots tend to ignore CSS. For example, if you use CSS to hide a form field (especially via CSS in a separate file), they have a really hard time knowing that the field is not supposed to be visible.

To exploit this, you can create a honeypot form field that should be left blank and use CSS to hide it from human users; bots, which ignore the CSS, still see it. When the form is submitted, you check that the value of that field is blank. For example, I'll use the form field named body as the honeypot, and assume the actual comment body is in another form field named the-real-body or something like that:

<div id="some-div">
  If you see this, leave this form field blank
  and invest in CSS support.
  <input type="text" name="body" value="" />
</div>

Now in your code, you can just check to make sure that the honeypot field is blank...

// A bot filled in the hidden field: drop the comment (but still respond as if it were accepted).
if(!String.IsNullOrEmpty(Request.Form["body"]))
  IgnoreComment();

I think the best thing to do in this case is to act like you’ve accepted the comment, but really just ignore it.

I did a Google search and discovered I’m not the first to come up with this idea. It turns out that Ned Batchelder wrote about honeypots as a comment spam fighting vehicle a while ago. Fortunately I found that post after I wrote the following code.

For you ASP.NET junkies, I wrote a Validator control that encapsulates this honeypot behavior. Just add it to your page like this...

<sbk:HoneypotCaptcha ID="body" ErrorMessage="Doh! You are a bot!"
  runat="server" />

This control renders a text box and when you call Page.Validate, validation fails if the textbox is not empty.

By default the control hides itself by setting its style attribute to display:none. You can override this behavior by setting the UseInlineStyleToHide property to false, which makes you responsible for hiding the control in some other way (for example, by using CSS defined elsewhere). This also provides a handy way to test the validator: leave it visible, type something into it, and validation should fail.
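The same honeypot procedure (render a trap field, hide it, and on submit treat any non-empty value as a bot while still answering as if the comment were accepted) as an added, framework-independent Python example; this is not the Subkismet control's code, and the field names website2 and the-real-body are constructed placeholders:

```python
from dataclasses import dataclass

# Constructed field names for this example. The trap is named after something
# bots like to fill in; never reuse "email", "url" or "name", which browser
# autofill and comment pre-fill tools also populate.
HONEYPOT_FIELD = "website2"
REAL_BODY_FIELD = "the-real-body"


def render_honeypot(field_name: str = HONEYPOT_FIELD,
                    inline_style: bool = True) -> str:
    """Markup for the trap. With inline_style=False the wrapper is left
    visible and the caller must hide it from an external stylesheet
    (the same switch the post's UseInlineStyleToHide property offers)."""
    style = ' style="display:none"' if inline_style else ""
    return (
        f'<div class="extra"{style}>\n'
        f'  <label for="{field_name}">If you see this, leave it blank.</label>\n'
        f'  <input type="text" id="{field_name}" name="{field_name}"'
        f' value="" autocomplete="off" />\n'
        "</div>"
    )


@dataclass
class Decision:
    publish: bool          # store and show the comment?
    tell_client_ok: bool   # what the HTTP response says
    reason: str


def check_submission(form: dict, field_name: str = HONEYPOT_FIELD) -> Decision:
    """Honeypot rule from the post: a non-empty trap value means a bot.
    The client is told "accepted" either way, so a filtered bot learns
    nothing; only the decision to publish changes. A missing trap field
    counts as blank, exactly like String.IsNullOrEmpty on a null value."""
    if form.get(field_name, ""):
        return Decision(publish=False, tell_client_ok=True,
                        reason="honeypot field was filled in")
    if not form.get(REAL_BODY_FIELD, "").strip():
        return Decision(publish=False, tell_client_ok=False,
                        reason="empty comment body")
    return Decision(publish=True, tell_client_ok=True, reason="ok")


# Constructed sample submissions: a human leaves the trap empty, a bot that
# ignores CSS sees a text box and fills it.
HUMAN_POST = {"author": "Ann", REAL_BODY_FIELD: "Nice post!", HONEYPOT_FIELD: ""}
BOT_POST = {"author": "x", REAL_BODY_FIELD: "cheap pills",
            HONEYPOT_FIELD: "http://spam.example"}

if __name__ == "__main__":
    print(render_honeypot())
    for post in (HUMAN_POST, BOT_POST):
        print(check_submission(post))
```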

To get your hands on this validator code and see a demo, download the latest Subkismet source from CodePlex. You’ll have to get the code from source control because this is not yet part of any release.


What others have said

Peter Mescalchin Sep 11, 2007 1:26 AM
# re: Honeypot Captcha
Such a simple idea. Definitely going to give that a bash on one of my pesky web contact forms - see what mileage I can get.
Ola Lindberg Sep 11, 2007 1:32 AM
# re: Honeypot Captcha
It's a good idea! However, doesn't it make it hard to use for users that use a screen reader as well?
Mads Kristensen Sep 11, 2007 2:11 AM
# re: Honeypot Captcha
From an accessibility point of view it is a bad idea. People using screen readers will see that input field.
Peter Mescalchin Sep 11, 2007 2:20 AM
# re: Honeypot Captcha
True, but you can label the field with a full description of its use.

And according to some research done by Simon Willison many moons ago (this may not be the case now) - JAWS, Window-Eyes and IBM Home Page Reader ignore content inside a display:none parent anyway - not really the desired response from the screen reader, but works to an advantage in this case.

http://simonwillison.net/2003/Sep/13/screenReaders/

So maybe it's not so bad after all, accessibility-wise?
Peter Rogers Sep 11, 2007 2:37 AM
# re: Honeypot Captcha
It's been like this on http://dis.4chan.org/prog/ (and other boards) for quite some time now. Easy to see by visiting the page in links or other text-based browser. Seems to work rather well.
Philippe LACHAISE Sep 11, 2007 3:23 AM
# re: Honeypot Captcha
I would suggest NOT to use id="honeypot" (they might learn to spot that), rather something like id="userComment" or some other pest appetizer ;-)
Tomasz Melcer Sep 11, 2007 3:57 AM
# re: Honeypot Captcha
Same idea is presented on http://www.rustylime.com/show_article.php?id=338, with some comments too.
DotNetKicks.com Sep 11, 2007 4:32 AM
# Honeypot Captcha - new Subskimet Captcha control
You've been kicked (a good thing) - Trackback from DotNetKicks.com
Tim Sep 11, 2007 5:05 AM
# re: Honeypot Captcha
Pretty interesting. I did some similar testing a while back against Googlebot, and surprisingly it will build everything up and execute the CSS.

We were doing some SEO testing to see how smart Googlebot was. Turns out, it was pretty smart and you couldn't hide tags in CSS (like making the text white to blend in with the background).

BTW, we weren't trying to fool Google, but rather put some debug information in a page and make sure the bot didn't think we were trying to do something against Google's ToS.

I wonder how long it will be (if it's not already) until these spam bots fully render CSS.
JGM Sep 11, 2007 6:58 AM
# re: Honeypot Captcha
Excellent article. I've been using JavaScript and PHP sessions to prevent form spamming for a while now, but hadn't considered this angle. Great information, and I'll be putting it to use immediately as one more item in my arsenal in the on-going war against spam.
Jason Haley Sep 11, 2007 6:59 AM
# Interesting Finds: September 11, 2007
Troels Sep 11, 2007 7:06 AM
# re: Honeypot Captcha
Clever.
Wyatt Barnett Sep 11, 2007 7:07 AM
# re: Honeypot Captcha
@Mads: Yeah, people with a screen reader will see the input, but they should also see the label telling them not to fill it in. Spambots won't read labels, except maybe field ids/names, so if you name it something ingenious, like email2, they will fill 'er in.
Steven Harman Sep 11, 2007 7:24 AM
# re: Honeypot Captcha
A possible enhancement... you could make use of ASP.NET 2.0+'s Web Resources and have the control actually pull an embedded CSS file down automagically. As you said, this would make it even harder for bots as they don't tend to apply CSS, let alone external CSS files, to the form fields.

Of course, we'd want to make this configurable so a consumer of the control could use InlineStyles, ExternalStyle, or NoStyles.
Ryan Smith Sep 11, 2007 7:33 AM
# re: Honeypot Captcha
That's an interesting method. I found the simple JavaScript CAPTCHA handles all bots on one of my contact forms, but this seems like a better, cleaner solution than forcing the JavaScript issue.

Probably much better from an accessibility point of view.
Haacked Sep 11, 2007 7:57 AM
# re: Honeypot Captcha
@Mads, people with a screenreader won't see the input. They might hear it, but as far as I know, many screen readers read the rendered text from a browser. So if the browser doesn't display it, not sure why the screen reader would read it.

But just in case, the label clearly tells the user not to type anything into the field. In that situation, it effectively becomes a simple visual/aural CAPTCHA.

In the Subkismet control, I make sure to render that label.
Scott Sep 11, 2007 8:52 AM
# re: Honeypot Captcha
Would using a Flash component for the actual user input achieve the same effect?
Carl Sep 11, 2007 9:33 AM
# re: Honeypot Captcha
I like this idea. On a site of mine that attracts spam submits, upon detecting spam I delay responding for 30 seconds before returning a "successful" submit and ignore the input. I'm not sure if the bots actually wait for a response, but I throw in a delay for good measure.

The Janitor Sep 11, 2007 9:45 AM
# re: Honeypot Captcha
Easy and effective - now that's neat and fancy! :)
Derek Sep 11, 2007 10:27 AM
# re: Honeypot Captcha
I've always liked clever CAPTCHA schemes, but I have a feeling some bots might try leaving the field blank. It only takes one to put a few hundred comments on your blog.

I recently switched to using reCAPTCHA, which ensures that the work of my commenters does not go to waste.

http://recaptcha.net/
Haacked Sep 11, 2007 11:22 AM
# re: Honeypot Captcha
@Derek - You could name the text field "url" and use another field for the actual URL. Just choose a field name the bot is most likely to fill out.

If you're running Yahoo, then the bot writers will take the time to figure it out. If you're running a small blog, then the number of variations to this approach are so many, bot writers have no incentive to try and solve it for every case.

Even so, I would use this in tandem with Invisible Captcha. So far, I never get automated comment spam on my blog. I only get pingtrack/trackback spam.
Raisor Sep 11, 2007 12:49 PM
# re: Honeypot Captcha
Hi Phil,

... last time I've responded to a post of yours I've received a "your comment is spam" or something like that message ... anyway ;) ... I like the idea behind this post and as I understand from other comments, there are already many approaches to the subject ... just reflecting on it, if I'd ever had to write some "bot" I'd certainly look for the name or id with the name "Honeypot" ...

Best regards,
Raisor
Abdu Sep 11, 2007 1:40 PM
# re: Honeypot Captcha
Carl: a 30 minute delay is too long. Some people would get impatient, stop the request and resubmit... eventually leaving the webpage with disgust.

Plus I am sure spambots are not going to wait. These tend to be fire-and-forget type attacks. They are too busy to wait for a response. They're quickly off to their next victim.
Aaron Robson Sep 11, 2007 2:02 PM
# re: Honeypot Captcha
I've been using this method myself for a while after a friend pointed me in that direction - apparently phpBB uses something like it. I found it's done very nicely in getting rid of spam, although some do get through - almost as if they're specifically targeting the site?
http://intrepidnoodle.com/articles/9.aspx
Haacked Sep 11, 2007 2:41 PM
# re: Honeypot Captcha
I would never use the id "honeypot" in a real scenario. I only used it for demo purposes. But I've changed it so that the main point is not lost.
engtech Sep 11, 2007 2:54 PM
# re: Honeypot Captcha
The id of the captcha should be random dictionary words so that the spambot can't ID it.

It should never be author, email, or url because genuine commenters with Comment Pre-fill forms will be hit with it.

(I hit Alt-C and fill in my name/email/url on all WordPress blogs, for example -- and would mark me as a spammer instead of the wonderful commenter that I am :) )
Haacked Sep 11, 2007 5:31 PM
# re: Honeypot Captcha
@engtech Wow, the comment pre-fill forms filled in hidden fields? That's some validation this technique works. ;)

As long as everyone chose something different, it wouldn't matter so much. But good point about not choosing "url", "email", etc... I'll update this post once again when I get home. *sigh*
Johann Sep 12, 2007 5:09 AM
# re: Honeypot Captcha
Good idea. I tried duplicating form fields before but that didn't work.
Thomas Freudenberg Sep 17, 2007 1:37 PM
# Honeypot Captcha for Community Server
A few days ago Phil Haack wrote about Honeypot Captcha : At the same time, spam bots tend to ignore CSS
BiGYaN Sep 18, 2007 8:17 PM
# re: Honeypot Captcha
Interesting idea no doubt. But I think I've heard similar ideas in some other forums. The best part about it is its simplicity. One of the simplest to implement and effective too.

I wonder how long it will take for the bots to have a full CSS renderer? .... conceptually it isn't that difficult. But I guess that day is far off due to its effectiveness. A majority of sites would have to implement this strategy for the bots to have a full-fledged renderer. Till then this will prove to be an effective strategy for sure.
Keyvan Nayyeri Oct 07, 2007 12:28 PM
# Spam Busting in Community Server 2007 - Part 2
In the first post I gave an introduction and outlined eight spam rules to fight against spammers in
Chris Oct 09, 2007 12:55 PM
# re: Honeypot Captcha
One of the problems that I ran into using this method is Google's "Autofill" button on the toolbar. I named my hidden field "EmailSomething" and the Google Toolbar "Autofill" fills it in, even though it cannot be seen. I realize this may not be a showstopper, but just something you may want to be aware of when using it on contact forms.
Blaise Kal Oct 09, 2007 1:29 PM
# re: Honeypot Captcha
The problem with these solutions is that spammers can adjust their code easily for one specific website. Captchas work better then (but aren't very accessible). Fortunately, a site's got to be quite large before spammers make such an effort.
Jylan Wynne Oct 10, 2007 8:00 PM
# re: Honeypot Captcha
I suppose this method is best for people who don't want to inconvenience their users by making them fill out a captcha (or another similar method), which can be very annoying for some people.
Ian Quigley Oct 12, 2007 2:58 AM
# re: Honeypot Captcha
Cool idea.
Pheadrus Oct 12, 2007 3:33 AM
# re: Honeypot Captcha
I think this is a good idea. Maybe some PHP or ASP coding to change the hidden form's name at every page load. Of course, then you could just compare snapshots of the page before and after to find the changing form. Or have all form names change within their context.
silchan Oct 12, 2007 9:13 PM
# re: Honeypot Captcha
Instead of using IDs to label your form elements, why not use classes? Then you could have, say, 2 comment elements, 2 title elements, 2 url elements, et cetera. Once you have them, hide one of each and don't accept anything that fills in the display:none elements. Then it wouldn't be able to distinguish between the real and fake ones.

Since CSS allows for multiple classes per element, you could have, say: <div class="sweet url"> and <div class="sour url">. Then you could distinguish between the right and wrong one in your code.
Mathieu 'p01' Henri Oct 26, 2007 6:07 AM
# re: Honeypot Captcha
A while ago I was getting spam comments on a site. I added a honeypot plus a hashed timestamp in a hidden input. If the form is submitted less than 3 seconds after the generation of the page, chances are pretty high that it is a bot. I also check for the number of URLs in the comment and if a domain's URL is already in my blacklist.

The amount of spam dropped drastically.
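The "hashed timestamp in a hidden input" check from the comment above, as an added Python example that is not Mathieu's code: the server issues a timestamp signed with an HMAC so the client cannot forge or back-date it, and a submission arriving under 3 seconds after page generation is rejected. The secret, the token field and the additional expiry limit (MAX_AGE_SECONDS, which generalizes beyond what the comment describes) are assumptions of this example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed secret for the example; a deployment loads it from configuration.
SERVER_SECRET = b"replace-me-with-a-random-secret"
MIN_AGE_SECONDS = 3            # the comment's threshold: faster than this is a bot
MAX_AGE_SECONDS = 24 * 60 * 60  # added here so stale tokens eventually expire


def issue_form_token(issued_at: Optional[int] = None,
                     secret: bytes = SERVER_SECRET) -> str:
    """Value to embed as <input type="hidden" name="t" value="...">.
    Format "<unix-seconds>.<hex hmac-sha256>"; the MAC binds the timestamp
    so a bot cannot simply send an older time to look slower."""
    ts = int(time.time()) if issued_at is None else issued_at
    mac = hmac.new(secret, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_form_token(token: str, now: Optional[int] = None,
                     secret: bytes = SERVER_SECRET) -> Tuple[bool, str]:
    """Return (accept, reason). Rejects malformed, forged, too-fast and
    expired tokens; the caller can then silently drop the comment."""
    now = int(time.time()) if now is None else now
    ts_str, sep, mac = token.partition(".")
    if not sep or not ts_str.isdigit():
        return False, "malformed token"
    expected = hmac.new(secret, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    age = now - int(ts_str)
    if age < MIN_AGE_SECONDS:
        return False, f"submitted {age}s after page load (too fast)"
    if age > MAX_AGE_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed timeline: page rendered at t=1000, bot posts 1 second later,
    # a human posts after 40 seconds, and someone tries a back-dated token.
    tok = issue_form_token(issued_at=1000)
    print(check_form_token(tok, now=1001))
    print(check_form_token(tok, now=1040))
    print(check_form_token("900." + tok.split(".")[1], now=1040))
```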
JMG Oct 26, 2007 7:23 AM
# re: Honeypot Captcha
I'll call the blank field to be hidden with some CSS the 'stupid captcha for stupid spam bots'. There are other simple ideas:

* name can't be an URL (you ain't an URL, are you?);
* email must be an email (not a URL or anything else);
* comment can't contain bbcode links [url];
* comment can't have more links than words.

These are very easy-to-develop solutions, they're invisible to end-users (I don't want to bother them), they don't require JavaScript-enabled browsers and... all spam bots just fell for it. They're just plain stupid bots.
Andy Oct 26, 2007 8:19 AM
# re: Honeypot Captcha
I've used something similar on my YaBB forum for a while now and it works brilliantly, I went from around 5 bot accounts being registered every day to zero.

The signup page of my forum has a couple of radio buttons and prompts users to click "yes" to signify their acceptance of the TOS. Renaming these buttons and adding similar ones with the question "Are you a spambot?" gets them every time :-)
Michael Hendrickx Oct 27, 2007 1:02 AM
# re: Honeypot Captcha
nice idea indeed!!
Don Park Oct 28, 2007 7:48 AM
# re: Honeypot Captcha
A good one, Phil. Honeypots, like so many other techniques, are underutilized IMHO. These techniques are like spices and meant to be mixed and used to make fine cuisines.
Usman Masood Nov 29, 2007 3:56 AM
# re: Honeypot Captcha
such simple and classic technique. i like the idea, thanks haacked.
Bob Jan 17, 2008 6:17 PM
# re: Honeypot Captcha
I think that the quality of this material is high. To enable/help Dutch experts killing SPAM, I will use your material for translation into Dutch at the Dutch Wiki learning http://www.leerwiki.nl. Hope this is ok?
Rob Jan 20, 2008 4:42 PM
# re: Honeypot Captcha
Yes, good idea, but the data in the form field has only 2 states, filled in and not. The solution is simple and elegant but I'm not sure 2 states is enough to deter a well crafted bot... for long.
Hypotheek Apr 20, 2008 3:50 AM
# re: Honeypot Captcha
"I think that the quality of this material is high. To enable/help Dutch experts killing SPAM, I will use your material for translation into Dutch at the Dutch Wiki learning http://www.leerwiki.nl. Hope this is ok?"

I will help you too Bob! No problem, this would solve a lot of spam.. I hope!
okcdarksage Apr 22, 2008 8:18 PM
# re: Honeypot Captcha
I like the ideas that I'm seeing here, but I think we need to reiterate that there is no silver bullet solution.

On the note of the CSS-based technique and screen readers, let's not forget that media rules can be specified for aural on your style or link elements, or, using the @ rules in CSS.

Let's hope the work continues on defeating this useless waste of space and time.
