Honeypot Captcha

code, tech, blogging 0 comments suggest edit

I was thinking about alternative ways to block comment spam the other day and it occurred to me that there’s potentially a simpler solution than the Invisible Captcha approach I wrote about.

The Invisible Captcha control plays upon the fact that most comment spam bots don’t evaluate javascript. However there’s another particular behavioral trait that bots have that can be exploited due to the bots inability to support another browser facility.

honeypot image from
http://www.cs.vu.nl/\~herbertb/misc/shelia/ You see, comment spam bots love form fields. When they encounter a form field, they go into a berserker frenzy (+2 to strength, +2 hp per level, etc…) trying to fill out each and every field. It’s like watching someone toss meat to piranhas.

At the same time, spam bots tend to ignore CSS. For example, if you use CSS to hide a form field (especially via CSS in a separate file), they have a really hard time knowing that the field is not supposed to be visible.

To exploit this, you can create a honeypot form field that should be left blankand then use CSS to hide it from human users, but not bots. When the form is submitted, you check to make sure the value of that form field is blank. For example, I’ll use the form field named body as the honeypot. Assume that the actual body is in another form field named the-real-body or something like that:

<div id="honeypotsome-div">
If you see this, leave this form field blank 
and invest in CSS support.
<input type="text" name="body" value="" />
</div>

Now in your code, you can just check to make sure that the honeypot field is blank…

if(!String.IsNullOrEmpty(Request.Form["body"]))
  IgnoreComment();

I think the best thing to do in this case is to act like you’ve accepted the comment, but really just ignore it.

I did a Google search and discovered I’m not the first to come up with this idea. It turns out that Ned Batchelder wrote about honeypots as a comment spam fighting vehicle a while ago. Fortunately I found that post after I wrote the following code.

For you ASP.NET junkies, I wrote a Validator control that encapsulates this honeypot behavior. Just add it to your page like this…

<sbk:HoneypotCaptcha ID="body" ErrorMessage="Doh! You are a bot!"
  runat="server"  />

This control renders a text box and when you call Page.Validate, validation fails if the textbox is not empty.

This control has no display by default by setting the style attribute to display:none. You can override this behavior by setting the UseInlineStyleToHide property to false, which makes you responsible for hiding the control in some other way (for example, by using CSS defined elsewhere). This also provides a handy way to test the validator.

To get your hands on this validator code and see a demo, download the latest Subkismet source from CodePlex. You’ll have to get the code from source control because this is not yet part of any release.

Found a typo or error? Suggest an edit! If accepted, your contribution is listed automatically here.

Comments

avatar

121 responses

  1. Avatar for Peter Mescalchin
    Peter Mescalchin September 10th, 2007

    Such a simple idea. Definitely going to give that a bash on one of my pesky web contact forms - see what millage I can get.

  2. Avatar for Ola Lindberg
    Ola Lindberg September 10th, 2007

    It's a good idea! However doesn't it make it hard to use for users that use a screen reader as well?

  3. Avatar for Mads Kristensen
    Mads Kristensen September 10th, 2007

    From an accessibility point of view it is a bad idea. People using screen readers will see that input field.

  4. Avatar for Peter Mescalchin
    Peter Mescalchin September 10th, 2007

    True, but you can label the field with a full description of its use.
    And according to some research done by Simon Wilson many moons ago (this may not be the case now) - JAWS, Windows Eyes and IBM home page reader ignore content inside a display:none parent anyway - not really the desired response from the screenreader, but works to an advantage in this case.
    http://simonwillison.net/20...
    So maybe its not so bad afterall accessibility wise?

  5. Avatar for Peter Rogers
    Peter Rogers September 10th, 2007

    It's been like this on http://dis.4chan.org/prog/ (and other boards) for quite some time now. Easy to see by visiting the page in links or other text-based browser. Seems to work rather well.

  6. Avatar for Philippe LACHAISE
    Philippe LACHAISE September 10th, 2007

    I would suggest NOT to use id="honeypot" (they might learn to spot that), rater something like id="userComment" or some other pest appetizer ;-)

  7. Avatar for Tomasz Melcer
    Tomasz Melcer September 10th, 2007

    Same idea is presented on http://www.rustylime.com/sh..., with some comments too.

  8. Avatar for DotNetKicks.com
    DotNetKicks.com September 10th, 2007

    You've been kicked (a good thing) - Trackback from DotNetKicks.com

  9. Avatar for Tim
    Tim September 10th, 2007

    Pretty interesting. I did some similar testing a while back against Googlebot, and surprisingly it will build everything up in and execute the CSS.
    We were doing some SEO testing to see how smart Googlebot was. Turns it, it was pretty smart and you couldn't hide tags in CSS (like making the text white to blend in with background).
    BTW, we weren't trying to fool Google, but rather put some debug information in a page and make sure the bot didn't think we were trying to do something against Google's ToS.
    I wonder how long it will be (if it's not aready) until these spam bots fully render CSS.

  10. Avatar for JGM
    JGM September 10th, 2007

    Excellent article, I've been using javascript and PHP Sessions to prevent form spamming for a while now, but hadn't considered this angle. Great information, and I'll be putting it to use immediately as one more item my arsenal in the on-going war against spam.

  11. Avatar for Troels
    Troels September 10th, 2007

    Clever.

  12. Avatar for Wyatt Barnett
    Wyatt Barnett September 10th, 2007

    @Mads: Yeah, people with a screen reader will see the input, but they should also see the label telling them not to fill it in. Spambots won't read labels, except maybe field ids/names, so if you name it something ingenious, like email2, they will fill 'er in.

  13. Avatar for Steven Harman
    Steven Harman September 10th, 2007

    A possible enhancement... you could make use of asp.net 2.0+'s Web Resource's and have the control actually pull an embedded CSS file down automagically. As you said, this would make it even harder for bots as they don't tend to apply CSS, let alone external CSS files, to the form fields.
    Of course, we'd want to make this configurable so a consumer of the control could use InlineStyles, ExternalStyle, or NoStyles.

  14. Avatar for Ryan Smith
    Ryan Smith September 10th, 2007

    That's an interesting method. I found the simple JavaScript CAPTCHA handles all bots on one of my contact forms, but this seems like a better, cleaner solution than forcing the JavaScript issue.
    Probably much better from an accessibility point of view.

  15. Avatar for Haacked
    Haacked September 10th, 2007

    @Mads, people with a screenreader won't see the input. They might hear it, but as far as I know, many screen readers read the rendered text from a browser. So if the browser doesn't display it, not sure why the screen reader would read it.
    But just in case, the label clearly tells the user not to type anything into the field. In that situation, it effectively becomes a simple visual/aural CAPTCHA.
    In the Subkismet control, I make sure to render that label.

  16. Avatar for Scott
    Scott September 10th, 2007

    Would using a Flash component for the actual user input achieve the same effect?

  17. Avatar for Carl
    Carl September 10th, 2007

    I like this idea. On a site of mine that attracts spam submits, upon detecting spam I delay responding for 30 seconds before returning a "successful" submit and ignore the input. I'm not sure if the bots actually wait for a response, but I throw in a delay for good measure.

  18. Avatar for The Janitor
    The Janitor September 10th, 2007

    Easy and effective - mow that's neat and fancy! :)

  19. Avatar for Derek
    Derek September 10th, 2007

    I've always liked clever CAPTCHA schemes, but I have a feeling some bots might try leaving the field blank. It only takes one to put a few hundred comments on your blog.
    I recently switched to using reCAPTCHA, which ensures that the work of my commenters does not go to waste.
    http://recaptcha.net/

  20. Avatar for Haacked
    Haacked September 11th, 2007

    @Derek - You could name the text field "url" and use another field for the actual URL. Just choose a field name the bot is most likely to fill out.
    If you're running Yahoo, then the bot writers will take the time to figure it out. If you're running a small blog, then the number of variations to this approach are so many, bot writers have no incentive to try and solve it for every case.
    Even so, I would use this in tandem with Invisible Captcha. So far, I never get automated comment spam on my blog. I only get pingtrack/trackback spam.

  21. Avatar for Raisor
    Raisor September 11th, 2007

    Hi Phil,
    ... last time I've responded to a post of yours I've received a "your comment is spam" or something like that message ... anyway ;) ... I like the idea behind this post and as I understand from other comments, there are already many approaches to the subject ... just reflecting on it, if I'd ever had to write some "bot" I'd certainly look for the name or id with the name "Honeypot" ...

    Best regards,
    Raisor

  22. Avatar for Abdu
    Abdu September 11th, 2007

    Carl: a 30 minute delay is too long. Some people would get impatient , stop the request and resubmit... eventually leaving the webpage with disgust.
    Plus I am sure spambots and not going to wait. These tend to be fire and forget type of attacks. They are too busy to wait for a response. They're quickly off to their next victim.

  23. Avatar for Aaron Robson
    Aaron Robson September 11th, 2007

    I've been using this method myself for a while after a friend pointed me in that direction - apparently phpbb uses something like it. I found its done very nicely in getting rid of spam, although some do get through - almost as if they're specifically targeting the site ?
    http://intrepidnoodle.com/a...

  24. Avatar for Haacked
    Haacked September 11th, 2007

    I would never use the id "honeypot" in a real scenario. I only used it for demo purposes. But I've changed it so that the main point is not lost.

  25. Avatar for engtech
    engtech September 11th, 2007

    The id of the captcha should be random dictionary words so that the spambot can't ID it.
    It should never be author, email, or url because genuine commenters with Comment Pre-fill forms will be hit with it.
    (I hit Alt-C and fill in my name/email/url on all WordPress blogs, for example -- and would mark me as a spammer instead of the wonderful commenter that I am :) )

  26. Avatar for Haacked
    Haacked September 11th, 2007

    @engtech Wow, the comment pre-fill forms filled in hidden fields? That's some validation this technique works. ;)
    As long as everyone chose something different, it wouldn't matter so much. But good point about not choosing "url", "email", etc... I'll update this post once again when I get home. *sigh*

  27. Avatar for Johann
    Johann September 11th, 2007

    Good idea. I tried duplicating form fields before but that didn't work.

  28. Avatar for Thomas Freudenberg
    Thomas Freudenberg September 17th, 2007

    A few days ago Phil Haack wrote about Honeypot Captcha : At the same time, spam bots tend to ignore CSS

  29. Avatar for BiGYaN
    BiGYaN September 18th, 2007

    Interesting idea no doubt. But I think I've heard similar ideas in some other forums. The best part about it is its simplicity. One of the simplest to implement and effective too.
    I wonder how long will it take for the bots to have a full CSS renderer? .... conceptually it isn't that difficult. But I guess that day is far off due to its effectiveness. A majority of sites would have to implement this strategy, for the bots to have a full fledged renderer. Till then this will prove to be an effective strategy for sure.

  30. Avatar for Keyvan Nayyeri
    Keyvan Nayyeri October 7th, 2007

    In the first post I gave an introduction and outlined eights spam rules to fight against spammers in

  31. Avatar for Chris
    Chris October 9th, 2007

    One of the problems that I ran into using this method is Google's "Autofill" button on the tool bar. I named my hidden field "EmailSomething" and the Google Toolbard "Autofill" fills it in, even though it cannot be seen. I realize this may not be showstopper, but just something you may want to be aware of when using it on Contact forms.

  32. Avatar for Blaise Kal
    Blaise Kal October 9th, 2007

    The problem with these solutions is that spammers can adjust their code easily for one specific website. Captchaz work better then (but aren't very accessible). Fortunately, a site's got to be quite large before spammers do such an effort.

  33. Avatar for Jylan Wynne
    Jylan Wynne October 10th, 2007

    I suppose this method is best for people who don't want to inconvenience their users by making fill out a captcha (or another similiar method), which can be very annoying for some people.

  34. Avatar for Ian Quigley
    Ian Quigley October 11th, 2007

    Cool idea.

  35. Avatar for Pheadrus
    Pheadrus October 11th, 2007

    i think this is a good idea. maybe some php or asp coding to change the hidden forms name at every page load. course then you could just compare snapshots of the page a before an after to find the changing form. or have all form names change within their context.

  36. Avatar for silchan
    silchan October 12th, 2007

    Instead of using Id's to label your for elements, why not use classes? Then you could have, say, 2 comment elements, 2 title elements, 2 url elements, et cetera. Once you have them, hide one of each and don't accept anything that fills in the display:non elements. Then it wouldn't be able to distinguish between the real and fake ones.
    Since css allows for multiple classes per elements, you could have, say: <div class="sweet url"> and <div class = "sour url">. Then you could distinguish between the right and wrong one in your code.

  37. Avatar for Mathieu 'p01' Henri
    Mathieu 'p01' Henri October 25th, 2007

    A while ago I was spam comments on a site. I added a honeypot plus a hashed timestamp in an input hidden. If the form is submitted less than 3 seconds after the generation of the page, chances are pretty high that it is a bot. I also check for the number of URLs in the comment and if a domain's URL is already in my blacklist.
    The amount of spam dropped drastically.

  38. Avatar for JMG
    JMG October 25th, 2007

    Il call the blank field to be hidden with some css, the 'stupid captcha for stupid spam bots'. There are others simple ideas:
    * name can't be an URL (you ain't an URL, are you?);
    * email must be an email (not a URL or anything else);
    * comment can't contain bbcode links [url];
    * comment can't have more links than words.
    These are very easy to develop solutions, they're invisible to end-users (I don't want to bother them), they don't require javascript enabled browsers and... all spam bots just fell for it. They're just plain stupid bots.

  39. Avatar for Andy
    Andy October 25th, 2007

    I've used something similar on my YaBB forum for a while now and it works brilliantly, I went from around 5 bot accounts being registered every day to zero.
    The signup page of my forum has a couple of radio button and prompts users to click "yes" to signify their acceptance of the TOS. Renaming these buttons and adding similar with the question "Are you a spambot?" gets them every time :-)

  40. Avatar for Michael Hendrickx
    Michael Hendrickx October 26th, 2007

    nice idea indeed!!

  41. Avatar for Don Park
    Don Park October 27th, 2007

    a good one, phil. honeypots, like so many other techniques, r under utilized imho. these techniques like spices and meant to be mixed and used to make fine cuisines.

  42. Avatar for Usman Masood
    Usman Masood November 28th, 2007

    such simple and classic technique. i like the idea, thanks haacked.

  43. Avatar for Bob
    Bob January 17th, 2008

    I thing that the quality of this material is high. To enable/help dutch experts killing SPAM, I will use your material for translation in to Dutch at the Dutch Wiki learning http://www.leerwiki.nl. Hope this is ok?

  44. Avatar for Rob
    Rob January 20th, 2008

    Yes, good idea, but the data in the form field has only 2 states, filled in and not. The solution is simple and elegent but I'm not sure 2 states is enough to deter a well crafted bot...for long.

  45. Avatar for Hypotheek
    Hypotheek April 19th, 2008

    " I thing that the quality of this material is high. To enable/help dutch experts killing SPAM, I will use your material for translation in to Dutch at the Dutch Wiki learning http://www.leerwiki.nl. Hope this is ok? "
    I will help you too Bob! No problem, this would solve alot of spam.. I hope!

  46. Avatar for okcdarksage
    okcdarksage April 22nd, 2008

    I like the ideas that I'm seeing here, but I think we need to reiterate that there is no silver bullet solution.
    On the note of the CSS-based technique and screen readers, let's not forget that media rules can be specified for aural on your style or link elements, or, using the @ rules in CSS.
    Let's hope the work continues on defeating this useless waste of space and time.

  47. Avatar for Amir
    Amir May 10th, 2008

    HI, i got the plateform to say about the account king. He can deliver daily 500k-1000k any account like yahoo, gmail, hotmail etc. Anyone wants to get introduce then please contact with account king on khoknaa@yahoo.com instant messanger. Thanks

  48. Avatar for vakantie
    vakantie June 21st, 2008

    I think this would work, but dont under estimate the creative solutions hackers can come up with. I would already think of a plan B in the case they crack this suggestion.

  49. Avatar for Vertaling Engels
    Vertaling Engels July 1st, 2008

    @ vakantie
    It's an eternal war. Just see it as a game. Hackers will always be able to crack new kinds of protection, and then they will come up with something new, and then they will hack it again. It's just fun for both parties if they don't take themselves too seriously. Keeps us busy and our intellect sharp :)

  50. Avatar for Geld Lenen
    Geld Lenen July 8th, 2008


    The honeypot form field that should be left blank and then use CSS to hide it from human users, but not bots....
    How can you make this difference?

  51. Avatar for Mark
    Mark July 9th, 2008

    Maybe you shouldn't reveal the idea.:)
    Now it will be easier to find ways to trick it

  52. Avatar for darknes
    darknes July 18th, 2008

    hello, it`s so easy!!!!

  53. Avatar for Richard
    Richard August 28th, 2008

    This simple technique really works because the bots are so badly written most of the time. Unfortunately you can't go much beyond this without seriously hurting accessibility, which is a shame because a nice javascript hashcash would really put a dent in the spammers whilst not requiring users to figure out increasingly obscure captchas.

  54. Avatar for Lening
    Lening September 18th, 2008

    Simple yet effective! It's a good thing bots don't tend to apply CSS :)

  55. Avatar for Mark S
    Mark S November 1st, 2008

    Actually this is one of the few articles I could find that shows the principles of an efficient solution against automatic forms submission.
    And you can go a step further by randomizing the various elements that are in the css and/or generate the css/stylesheet on the fly. So for each page load a different css and vary the number of invisible elements with the form. If you check the HTML and CSS specs, they also have certain rules you could take advantage of. For instance, if the same css tag or css field inside the tag is repeated the last one overrides the first. You can also have tags in comments. All of which lead to more and more complex bot structure to identify something and submit a form.
    Anyways, I totally agree and I found it pathetic to say the least, to bloat forms with crossed-out images and mysterious active scripts and other ajax and anti-ocr methods to identify if it's a bot or a human who submits a form.
    So you can secure 100% your forms without adding anything extra that is visible to the visitors.

  56. Avatar for vastgoed
    vastgoed November 22nd, 2008

    Very, very good idea. I like the simple solutions. You can make in this case a sort of a black hole for the spam-bot. I've heard about it in another forum; when founded again, I will post is here, greetz, V

  57. Avatar for hypotheek
    hypotheek November 27th, 2008

    It's a simple and easy but effective way. Thanks!

  58. Avatar for Darren
    Darren December 1st, 2008

    My form is in an html page. This page calls on a seperate php page to process the form, and also uses a javascript to force mandatory fields. My question is, where do i put the following code:
    if(!String.IsNullOrEmpty(Request.Form["body"]))IgnoreComment();
    i have tried adding it into my php script, but its not working! please help!!

  59. Avatar for lenen nl
    lenen nl December 13th, 2008

    Well that's a very clever idea. I wonder if somebody will invent the-spam-bot-that-spams-spambots one day :-)

  60. Avatar for matt
    matt January 21st, 2009

    I inserted the hidden form and php snippet with my class name but I get a php error on submission. Parse error: syntax error, unexpected '[' in /var/www/includes/guestbook_input.php on line 4
    The '[' that it's referring to is from your if(!String.IsNullOrEmpty(Request.Form["body"]))IgnoreComment();
    What did I do wrong?

  61. Avatar for Bram
    Bram January 31st, 2009

    @ Johann, try "Visual captchas" at that website! regards, Bram

  62. Avatar for Hypotheek
    Hypotheek February 8th, 2009

    I was here a long time ago. I was wondering if this idea is already used somewhere ? I realy think it is great and i would like to use it on my Hypotheekwebsite.
    Hope to see it in use soon.

  63. Avatar for Barnevern
    Barnevern March 5th, 2009

    This method is still working very well on most "low volume" sites, like personal blogs and pages.
    On sites with more visitors and/or higher pagerank I would combine it with something else (like java, cookie, hashed hidden form fields, etc).
    Most blogs and cms today come with some form of protection, like Akismet, Bad Behavior, Spam Karma, etc. Adding the honeypot trick would just make it more secure.
    By the way: why aren’t screen readers updated to take this trick into account? Hidden fields in css should not be processed.

  64. Avatar for Medisch recht
    Medisch recht March 11th, 2009

    I would like to start my own weblog in the near future. I have been experimenting with Captcha's.
    @Matt, I have the same error that you have [...Parse error: syntax error, unexpected '[' in /var/www/includes/guestbook_input.php on line 4]
    I have not been able to fix it. Did you find a solution?

  65. Avatar for norwich web designer
    norwich web designer April 3rd, 2009

    Great concept, it's good to see the problem of unreadable captchas being tackled!

  66. Avatar for dalmatia
    dalmatia December 17th, 2009

    I think this would work, but dont under estimate the creative solutions hackers can come up with. I would already think of a plan B in the case they crack this suggestion. Implementing right now.
    thanx

  67. Avatar for geld lenen
    geld lenen March 16th, 2010

    I'll definitely think about this...great idea!

  68. Avatar for horloges
    horloges March 25th, 2010

    Great idea. I'm definitely going to implement this into my websites. Thanks for the great solution!

  69. Avatar for chris
    chris June 2nd, 2010

    The solution is good, but not 100% spam free. I'd say that about 10-20% of spam still gets through.

  70. Avatar for Paul
    Paul July 4th, 2010

    Why not generate the honeypot using the users session id
    That way it changes the field name for every user, you can validate on the session Id submitted and also validate that it is blank
    combine this with a check between when the page was generated and when it was submitted (server side) and you can stop the bot

  71. Avatar for Kris
    Kris July 16th, 2010

    I noticed a few people having trouble checking if the form field was set, Couldn't you just do a simple post check?
    if (!isset($_POST['fieldname'])) { IgnoreComment(); }

  72. Avatar for peregrine
    peregrine August 2nd, 2010

    We've used this technique for one year on three forms on our site, after reading about it here in 2009. Works great for us! Thanks for a great tip.

  73. Avatar for Cria&#195;&#167;&#195;&#163;o
    Cria&#195;&#167;&#195;&#163;o August 4th, 2010

    i think rel="nofollow" in comments will stop 99% of spam

  74. Avatar for dreambox 500
    dreambox 500 August 28th, 2010

    "I think this would work, but dont under estimate the creative solutions hackers can come up with. I would already think of a plan B in the case they crack this suggestion. Just try to think out of the box. "
    Yes,agree!

  75. Avatar for toscane
    toscane August 30th, 2010

    very simple and good idea.

  76. Avatar for Online lenen
    Online lenen September 7th, 2010

    Great idea from this blogger. I'm definitely going to implement this into my many websites. Thanks for the great solution!

  77. Avatar for Criar Sites
    Criar Sites September 15th, 2010

    That's an interesting method. I found the simple JavaScript CAPTCHA handles all bots on one of my contact forms, but this seems like a better, cleaner solution than forcing the JavaScript issue.

  78. Avatar for MIke
    MIke September 29th, 2010

    Very awesome.

  79. Avatar for geld lenen
    geld lenen October 5th, 2010

    This is better than the javascript method that i was using, thanks for this great simple thinking solution!

  80. Avatar for val
    val October 10th, 2010

    Why not just use a hidden input field

  81. Avatar for Weekendje weg
    Weekendje weg November 4th, 2010

    Indeed, that seems to work well.

  82. Avatar for Kezian
    Kezian November 21st, 2010

    Great post and very useful informationThat's an interesting method. we found the JavaScript handles all botts on one of all contact forms, but this is a far superior system, cleaner solution than forcing the JavaScript issue Thanks see it work at OLos Angeles Dentist Website http://www.drkezian.com

  83. Avatar for Barbecue
    Barbecue November 27th, 2010

    Great information, this is a great system. We tried this earlier with JS, but that did not work very good. Thanks for sharing.

  84. Avatar for tuz
    tuz December 3rd, 2010

    Would using a Flash component for the actual user input achieve the same effect...

  85. Avatar for Nuvenus Chovendus
    Nuvenus Chovendus December 12th, 2010

    The id of the captcha should be random dictionary words so that the spambot can't ID it.

  86. Avatar for Matt M
    Matt M February 7th, 2011

    Do note - the code in the example is ASP code. If you try to enter it in your PHP script, of course you will get a parse error. Here is PHP code you can use:
    if (!isset($_POST['fieldname'])) { IgnoreComment(); }
    So if your site is in PHP (as most sites are) then use this code.

  87. Avatar for Jo&#227;o Paulo Motta Fonseca
    Jo&#227;o Paulo Motta Fonseca March 1st, 2011

    I found the simple JavaScript CAPTAIN handles all bots on one of my contact forms, but this seems like a better, cleaner solution than forcing the JavaScript issue. Thanks for Ur information!

  88. Avatar for Daniel Nielsen
    Daniel Nielsen March 5th, 2011

    I've have been working with web for some years now, and almost ashamed, not to have thought of this solution. I see the problem with accessibility, but still clever thought.
    Combined with some of the comment, I think I'm going to make som changes to my captcha control :-) Thanks to all.

  89. Avatar for Michael Clark
    Michael Clark March 12th, 2011

    Hello.
    This is a fairly elegant solution to a problem that plagues blogs and boards all over the web. I found this article right after implementing the very same solution on my new web development blog. I hope this cuts down on the 'poker' and 'adult' spambot comments that have been showing up in my database.
    Good article, by the way. Comments spanning almost 4 years and people are still commenting :) Good stuff.

  90. Avatar for Thanks for the post
    Thanks for the post January 9th, 2013

    Ironic all the comment spam on this excellent post about spam. :)

  91. Avatar for haacked
    haacked January 9th, 2013

    Heh. Well honeypot captcha doesn't stop actual people from posting spam comments.

  92. Avatar for Get Local
    Get Local January 10th, 2013

    This will help me big time thanks

  93. Avatar for Zymara
    Zymara February 7th, 2013

    I know this is really old, but I had to reply as I had a fun answer.  My site was getting hit 100s of times a day by the same spammer, so I took any incoming requests coming from that IP address and bounced them back to that same IP address.  So basically I spammed the spammer with his own spam.  :^)

  94. Avatar for kjnkjn
    kjnkjn March 23rd, 2013

    kunj

  95. Avatar for Rah Hsn
    Rah Hsn May 8th, 2013

    Ok how about style "font-size:0px; border:none;"? will it not do it?

  96. Avatar for freedetainees.org
    freedetainees.org June 26th, 2013

    Ok great.. so then (I'm using Bulldog theme) and they use you so my contact form (that's included) has no captcha field.. this is normal then, correct? :) If so I LIKE IT!

  97. Avatar for DaYOYO
    DaYOYO July 17th, 2013

    Frankly, this is a Bad Idea.

    Some browsers (or browser plugins) will autofill the hidden field. I've had that happen on a couple of sites; I couldn't login and I couldn't contact them.

    These guys had the same problem:
    http://www.mindscapehq.com/...

  98. Avatar for haacked
    haacked July 17th, 2013

    Interesting! I hadn't considered that. But doesn't that sound like a bug in the autofill? I mean, what could they possibly be putting there? Maybe rename the field to something that wouldn't have an existing value.

  99. Avatar for DaYOYO
    DaYOYO July 18th, 2013

    It is definitely a bug in the autofill, but if we have to work around bugs in browsers why ignore this one?

  100. Avatar for haacked
    haacked July 18th, 2013

    Ugh. Well there might be other workarounds. :) Do you happen to know _what_ they put into a random field for which they have no information? Is it just random garbage?

  101. Avatar for DaYOYO
    DaYOYO July 19th, 2013

    If I recall, it was a firefox plugin and it put my postcode in there!

  102. Avatar for Pete Bagnall
    Pete Bagnall March 7th, 2014

    For screen readers you can use the media specific CSS rules to explicitly tell screen readers not to show the field too. So that needn't be an issue, although I'm not sure how good support for that is, with it being a CSS3 feature. http://www.w3.org/TR/css3-r...

  103. Avatar for Alexei
    Alexei June 16th, 2014

    That code isn't PHP. It's only an example. You should write something similar in PHP.

  104. Avatar for Amused Norn
    Amused Norn June 18th, 2014

    How do screen-readers distinguish between form fields that are for names and form fields that are for email addresses? They read the labels on the inputs. The same mechanism works for sorting out between "I am a spammer" checkboxes and "ain't a spammer" checkboxes.

  105. Avatar for Holt Johnson
    Holt Johnson July 14th, 2014

    Is there any way a bot could be programed to check for display:none?

  106. Avatar for david
    david September 11th, 2014

    The idea is that you don't need to; having the filled-in the form implies that the user is a bot since no human user should see and hence fill-in the honeypot form field. The server can decide if the user is a bot based on whether they filled in the hidden form.

  107. Avatar for Patrick Joannisse
    Patrick Joannisse October 23rd, 2014

    The only thing I'd change is to add a proper label with clear instructions saying this is an anti-spam field and don't put anything there. It's compliant to WCAG and by extension to 508 and the Canadian web standards.

  108. Avatar for Patrick Joannisse
    Patrick Joannisse October 23rd, 2014

    Not really. Just use a proper label instead of a div with text inside. It's fully compliant. As long as the instructions are clear.

  109. Avatar for disqus_qjD2PoaenI
    disqus_qjD2PoaenI February 13th, 2015

    I'm wondering how come Spam bots can submit a form that has a server side validation?

  110. Avatar for manny
    manny March 8th, 2015

    Ruby has a small advantage with type inference. It can assume that a number

    is of class Fixnum (if it fits into one) safe in the knowledge that it will

    be automatically changed into a Bignum later, if it becomes necessary.

  111. Avatar for test
    test May 4th, 2015

    test

  112. Avatar for Romain Petit
    Romain Petit September 6th, 2015

    Still better than the new generations of captcha of today. Salute

  113. Avatar for resetplz
    resetplz September 23rd, 2015

    How funny. Years ago I was looking for a simpler CAPTCHA and devised a honeypot-ish method using "hidden" characters:

    - Imagine a form field with a red background; in it are the letters CAPTCHA
    - Now randomly change the color of the characters making sure at least one is red.
    - The user sees--and types--"CA TC A" because red letters over red aren't visible.
    - But the stupid bot sees CAPTCHA.
    - Presto.

  114. Avatar for haacked
    haacked September 23rd, 2015

    I like it! How well did it work?

  115. Avatar for David Susen
    David Susen December 14th, 2015

    Thank you very much. The Ruskies were making a mess of things :)

  116. Avatar for dsfd
    dsfd February 11th, 2016

    Круто!

  117. Avatar for Rikki Bragg
    Rikki Bragg July 5th, 2016

    Excellent discussion ! I was fascinated by the info , Does anyone know if my business could possibly find a sample a form document to edit ?

  118. Avatar for SparK
    SparK December 9th, 2016

    I know it's 2 years later but "aria-hidden" is an awesome attribute

  119. Avatar for SparK
    SparK December 9th, 2016

    9 years later... thanks firebug, dragonfly and other dev tools we have console.debug() now. haha

  120. Avatar for SparK
    SparK December 9th, 2016

    Maybe overkill, but store random names for fields and random location of honeypot in session, so every get request would have unique honeypot name and location in form... definitely overkill...

  121. Avatar for Willy Makend
    Willy Makend March 23rd, 2018

    Great, Thanks you very much :-)