Honeypots, Trenches and Spambot Protection
It always seems that the spammers hammer loudest when my personal pressure threshold is already getting pummeled by a project deadline or an examination study period. And it's time-consuming to be out there beating at those sluggish bastards with a wide HTML / PHP / CSS broom. It's simply not enough to have strong form validation scripts, to check MX records for valid email domains, or even to have blacklists in place.
The answer, as many others have suggested over the last few years, is to adopt the low-tech approach of honeypots and invisible form fields. Traditionally the honeypot strategy is where you put something yummy and juicy in front of a target to lure them to the bait for capture. An example of a honeypot strategy is the fake crime and sex websites created by law enforcement to track and convict offenders. But our honeypot in the case of a form isn't so bold… it's more a strategy to find out who is human and what is a bot. Needless to say, bots are the target of our honeypot strategy.
The approach I'd recommend can be thought of as a simple ditch followed by a hurdle, and it's even simpler to implement. Below is an image showing what the user sees with this strategy.

And the following (X)HTML should be compared to the user's view to assess the subtle difference.
<form class="contactform" method="post" action="../wp-content/themes/candidav2/process/emailcontact.php" id="con_form">
  <fieldset>
    <label for="name">Name *</label><input type="text" size="35" maxlength="35" name="name" id="name" /><br />
    <label for="email">Email *</label><input type="text" size="35" maxlength="35" name="email" id="email" /><br />
    <label class="age" for="age">Do not fill this out (spambot defence)</label><input type="text" size="3" maxlength="35" name="age" id="age" /><br />
    <label for="subject">Subject *</label><input type="text" size="35" maxlength="35" name="subject" id="subject" /><br />
    <label for="test">What is 1 + 4 *</label><input type="text" size="35" maxlength="35" name="test" id="test" /><br />
    <label for="comment">Message</label><textarea rows="8" cols="30" name="comment" id="comment"></textarea><br />
    <input class="button" type="submit" value="Send Message" name="submit"/>
  </fieldset>
</form>
Comparison of the two should lead you to notice two things:
- A field for Age which does not appear visually
- A sum of 1 + 4 which is to test the user’s non-botness
The Age field (or whatever you wish to insert) is simply hidden through CSS – you might use display: none; or margin-left: -3000px; or other simple trickery to prevent human beings from seeing it. This field is the ditch: if anybody fills in the invisible field you know they're not human and you can kick their sorry ass aside – a simple PHP check to ensure the field is empty is enough.
Next, the test field asks a simple question such as "what is the sum of 1 + 4?", or the more common one seen on other websites, "is fire hot or cold?". It might sound lame, but at present bots have a hard time with random logic quizzes, and the question is easily replaced with a new one if there's a sudden breakthrough. The test, in this case, is simply to reject every submission that does not contain the correct answer for that field.
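The server-side half of the ditch and the hurdle, as an added example rather than the author's emailcontact.php: it is written in Python instead of PHP so the logic stays language-neutral, and it assumes the submitted form arrives as a dict of strings and that the server keeps a per-visitor session dict (the question bank, field names and the session shape are all constructed for this example).

```python
import secrets

# Question bank: the "hurdle". Each id maps to the question text and the set of
# normalised answers that count as correct. Swapping in a new question is just
# editing this table. (Constructed sample data for this example.)
QUESTIONS = {
    "sum_1_4": ("What is 1 + 4", {"5", "five"}),
    "fire": ("Is fire hot or cold", {"hot"}),
}

HONEYPOT_FIELD = "age"   # the "ditch": hidden via CSS, humans leave it empty
QUIZ_FIELD = "test"      # the visible quiz answer box
REQUIRED = ("name", "email", "subject")


def pick_question(session):
    """Choose a question for this visitor and remember which one server-side.
    Only the question text is sent to the browser; the id stays in the
    session, so nothing in the HTML reveals the expected answer."""
    qid = secrets.choice(list(QUESTIONS))
    session["quiz_id"] = qid
    return QUESTIONS[qid][0]


def _norm(value):
    """Collapse whitespace and case so ' Five ' and '5' are compared fairly."""
    return " ".join(str(value).split()).lower()


def validate_submission(post, session):
    """Return (accepted, reason). The reason is meant for your logs, so you
    can see which check is doing the work against a given bot wave."""
    # Ditch: any content in the invisible field marks the sender as a bot.
    if _norm(post.get(HONEYPOT_FIELD, "")):
        return False, "honeypot filled"
    # Hurdle: the answer must match the question issued to this session.
    qid = session.get("quiz_id")
    if qid not in QUESTIONS:
        return False, "no question issued"
    if _norm(post.get(QUIZ_FIELD, "")) not in QUESTIONS[qid][1]:
        return False, "wrong quiz answer"
    # Ordinary validation still applies once the bot checks pass.
    missing = [f for f in REQUIRED if not _norm(post.get(f, ""))]
    if missing:
        return False, "missing: " + ", ".join(missing)
    return True, "ok"
```

One caveat on the CSS side: display: none; removes the honeypot from the accessibility tree, while off-screen positioning such as margin-left: -3000px; leaves it readable by screen readers, which is why the visible label text telling people not to fill it in matters.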
The issue of form security on your website is far from trivial, so it's irresponsible to place forms online (any forms) until you understand the nature of form hijacking and the other security issues that must be dealt with responsibly. I have in the past balked at the suggestion that simple email (mailto:) links are an option, but unless you're really competent in creating secure web forms then the mailto, with all its attached flaws, is your better option. Just realise that one of the mailto flaws is that the user may not be able to use it to contact you (although that probably isn't a large swathe of your readers).
But, to date, the most effective bang for my buck in getting sleep has been the technique described in this article – the ditch and the hurdle. It won't lock out humans inputting spam, but it pulls the power back home when it comes to bot attacks. I hope it makes your life easier, too.