Honeypot Technique of Blocking Spam

UPDATE: Check out Kim’s newest post on “How to Spam Proof Your Website Forms” for the latest info on blocking spam.

In an earlier post I discussed the mystery of forms. Preventing spam on your blog or website can be difficult for anyone, as bots and spammers are relentless. However, with the right techniques the battle can be won! One of my favorite techniques to use against bots trying to spam a form is the honeypot technique, because it doesn’t hinder the user from completing the form. Anti-spam techniques should not interfere with a user filling out the form, since that friction can decrease lead conversions; CAPTCHA is an example of a technique that does interfere.

When a spam bot comes to a form, it fills out EVERY input field and ignores the CSS, which is a behavior we can exploit. Hide one of the input fields with CSS (display: none;) and then check it with JavaScript when the form is submitted: if the hidden field is empty, submit the form; otherwise do nothing (or pop up an alert message). Easy, right? The user is none the wiser, and we prevent spam bots from submitting the form with junk data.

The CSS:
Let’s get a little technical and show two different ways of handling the CSS. The first example is with a CSS3 attribute selector. Please note that IE7 and IE8 support attribute selectors only if a !DOCTYPE is specified, which should be standard practice. Attribute selection is not supported in IE6 or below.

input[type="text"]#website { display: none; }

The old school way of doing things, but supported by IE6.

input#website { display: none; }

Let me explain the difference. There are several types of inputs: submit, button, password, text, and so on. Now with HTML5 there are even more: tel, number, date, etc. Using input with our unique id applies the style to ANY input type that has this id. Adding [type="text"] limits the style to text inputs that carry this unique id. Which method you use is a matter of personal preference and of how global the style needs to be.

The JavaScript (jQuery):

<script>
$('form').submit(function () {
    // If the hidden honeypot field has anything in it, a bot filled it in:
    // cancel the submission. A real visitor never sees the field, so it stays empty.
    if ($('input#website').val().length != 0) {
        return false;
    }
});
</script>

The HTML:

<form method="get" action="/">
    <input name="firstname" type="text" value="First Name" />
    <input name="lastname" type="text" value="Last Name" />
    <input id="website" name="website" type="text" value="" />
    <input type="submit" value="Submit" />
</form>

In the example above the website field is hidden with CSS because of id="website". A user enters first and last name and submits the form. If the website field has text in it, the form will do nothing when submitted, as you can see from the return false in the JavaScript function. If the field is empty, the form will submit as expected.

Things to remember for the novice.
Script and CSS references go in the <head> tag, HTML goes in the <body> tag. Classes can be used throughout the web page and referenced an unlimited number of times, but ids are unique and used only once. Using a jQuery function requires the jQuery library reference, which can be found here. Always declare a !DOCTYPE if using CSS3 so less modern browsers behave properly. Remember, the web is fun. Enjoy!

Update: The above technique will work on spammers that do not ignore JavaScript. However, for spammers that do ignore JavaScript, a server-side technique would be a better solution.
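The server-side check that this update and the comments below call for, as an added example that is not the article's code and not the PHP snippet a commenter posted. It assumes the article's form, that is, a text input named "website" hidden with CSS so that real visitors never see it and leave it empty, and it runs on Node.js with no extra packages. It also goes one step beyond the article: a body that lacks the honeypot key entirely is rejected too, because a browser submits every named text input, even an empty one, so a missing key means the request did not come from the rendered form.

```javascript
// Added example (not the article's code). Server-side honeypot check for the
// article's form: a hidden text input named "website" that stays empty for
// real visitors. Runs on Node.js without third-party packages.

const HONEYPOT_FIELD = 'website';

// Parse an application/x-www-form-urlencoded request body into a plain
// object. Repeated keys keep the last value, which is enough for this form.
function parseFormBody(body) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(body)) {
    fields[key] = value;
  }
  return fields;
}

// Decide whether a parsed submission passes the honeypot test.
// Returns { accept, reason } so the caller can log why a request was refused.
function checkHoneypot(fields, honeypotField = HONEYPOT_FIELD) {
  if (!Object.prototype.hasOwnProperty.call(fields, honeypotField)) {
    // Browsers submit every named text input, even when empty, so a body
    // without the honeypot key did not come from the rendered form.
    return { accept: false, reason: 'honeypot field missing' };
  }
  if (fields[honeypotField] !== '') {
    // A display:none field cannot be typed into, so any content at all
    // (whitespace included) is the CSS-blind bot behaviour the article describes.
    return { accept: false, reason: 'honeypot field filled' };
  }
  return { accept: true, reason: 'ok' };
}

// Minimal request handler: takes the raw body and returns the HTTP status
// and response text the server would send, plus a log line for the SOC.
// This is the server-side equivalent of the article's client-side check.
function handleSubmission(rawBody) {
  const fields = parseFormBody(rawBody);
  const verdict = checkHoneypot(fields);
  if (!verdict.accept) {
    return {
      status: 400,
      body: 'Submission rejected.',
      log: `honeypot: rejected submission (${verdict.reason})`,
    };
  }
  // Real processing (storing the lead, sending mail) would go here.
  return {
    status: 200,
    body: `Thanks, ${fields.firstname || 'visitor'}!`,
    log: 'honeypot: accepted submission',
  };
}

// Constructed sample bodies (not captured traffic): a human who left the
// hidden field empty, a bot that filled every field, and a client that
// dropped the hidden field entirely.
const SAMPLE_HUMAN_BODY = 'firstname=Ada&lastname=Lovelace&website=';
const SAMPLE_BOT_BODY =
  'firstname=Buy&lastname=Now&website=http%3A%2F%2Fspam.example.invalid';
const SAMPLE_MISSING_BODY = 'firstname=Ada&lastname=Lovelace';

// Run the three samples through the handler and return the results.
function demo() {
  const results = [SAMPLE_HUMAN_BODY, SAMPLE_BOT_BODY, SAMPLE_MISSING_BODY]
    .map((body) => handleSubmission(body));
  for (const r of results) {
    console.log(`${r.status} ${r.body}  [${r.log}]`);
  }
  return results;
}

demo();
```

Because this runs on the server, it catches bots whether or not they execute JavaScript, which is the gap the comments point out in the client-side version. The client-side check is still worth keeping as a convenience, but the server must never trust that it ran.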

Comments

• Kim Perry says

      The honey pot technique is good for stopping bots because they don’t see what humans see when the page is rendered. With a hidden input field, or a field set to display:none with CSS, the bot thinks this field should be filled in. All the JavaScript is doing is checking to see if that hidden field has information in it. If it doesn’t, the form will submit. The bots only care about the input fields; the JavaScript is what keeps the form from submitting when the bot adds text to a field that we set to hidden.

      • says

        “if it doesn’t the form will submit” – but my point is the form will submit either way for the bot since it will not have JS enabled. You need to be checking if the field is filled out using your server side (php or whatever) and stop it there. You follow?

• Kim Perry says

Yes, that is a good point. With the submit action being set with HTML it won’t catch the bots since they see HTML. However, if the submit action is being set using JavaScript then the form will not submit with JavaScript disabled, essentially catching the spam. Sadly, if an attacker is bound and determined to target your website there isn’t much you can do to prevent it. This is one of many steps to take to prevent spam. Someone could run Selenium and circumvent the JavaScript validation you have on your forms. This isn’t a surefire way to prevent spam, but it’s a step in the right direction.

          • says

Well, setting the form action with JavaScript is not mentioned in the article and is not the standard. This is another likely effective spam prevention option; however, as your article is stated, most people will implement this on a normal form, and I don’t think it will stop any spam.

  1. says

As Jesse mentions, the validation should also be done server side as the bot may have JavaScript disabled, so for example using PHP it would be:
    if ($_POST["website"] != "") {
        // Bot detected: the hidden honeypot field was filled in
    } else {
        // Bot not detected: process the form as normal
    }

  2. cC says

    This post doesn’t seem to make any sense. For the form to be disabled according to the above you would have to have js enabled and spammers don’t have javascript enabled so this would accomplish nothing as currently written above. Please remove this article or rewrite it as to not misguide users.

  3. tim says

    Hi
I have tried to implement your honeypot solution above, but the form submits even if the honeypot “website” field is filled. This means the JavaScript is not working right. jQuery references are in the head section.

    To test I removed the invisible CSS tag so I can fill the “website” input field.

    here is the form:
    http://www.destinationhighways.com/contact_honey.htm

    Could you please point me in the right direction?

• Kim Perry says

Instead of having the form submit in a separate function from your validation, include it and add this:
      // Block the submission when the hidden honeypot field has been filled in
      if (theForm.website.value != "")
      {
          //alert("skipped");
          return (false);
      }
      You can alert it to make sure it’s working, then remove the alert. Hope this helps! Thanks!!

  4. MacK says

    I think this technique is obviously obsolete, I guess bots are smart enough now to detect whether a field should be filled or not.

    • says

Not necessarily. I believe the key is to name the honeypot field something that looks tasty to a spam bot, like zip code or address, as long as those aren’t necessary fields for your form. A spam bot isn’t going to interpret your JavaScript code or even be able to access your PHP to see which fields are legitimate. You can also add “required” somewhere in the form field tag as an extra little incentive for the nasty little spambot.

  5. Hideki says

Honeypot with CSS (display:none) worked pretty well for me.
    I use the honeypot with an extra program to add bots’ IP addresses to the .htaccess file so the next time they try to sneak in they are blocked. I know they change their IP addresses, but they seem to try to sneak in with the same IPs several times.
    This blocking package using .htaccess really worked for me, and now I see that they are discouraged from sneaking in. I have 0 attempts now. It took about 10 days to discourage them.
    99% of their IPs are from China and the rest are from Russia. I don’t have any customers from those regions, but just in case I trim the .htaccess file daily with cron so it will leave only about 30 IPs to block.

• Kim Perry says

      Hideki, thanks for the comment. Takes multiple tricks to prevent spam, glad this worked out for you. Keep on fighting!

      • Hideki says

Thanks Kim for sharing the great idea. Most bots seem to try several different ways of filling the fields in sequence with the same IP address. They are testing to see which one works. We just have to detect their patterns and catch all of them.
