stevenclark.com.au

Honeypots, Trenches and Spambot Protection

It always seems that the spammers hammer loudest when my personal pressure threshold is already being pummeled by a project deadline or an examination study period. And it's time consuming to be out there beating at those sluggish bastards with a wide HTML / PHP / CSS broom. It's simply not enough to have strong form validation scripts, or to check MX records for valid email domains, or even to have blacklists in place.

The answer, as many others have suggested over the last few years, is to adopt the low-tech approach of honeypots and invisible form fields. Traditionally the honeypot strategy is where you put something yummy and juicy in front of a target to lure them to the bait for capture. An example of the honeypot strategy is the fake crime and sex websites created by law enforcement to track and convict offenders. But our honeypot in the case of a form isn't so bold… it's more a strategy to find out who is human and what is a bot. Needless to say, bots are the target of our honeypot strategy.

The approach I'd recommend can be thought of as a simple ditch followed by a hurdle, and it's even simpler to implement. Below is an image which shows the visual layout of this strategy as the user sees it.

StevenClark.com.au contact form

And the following (X)HTML should be compared to the user's view to assess the subtle difference.

<form class="contactform" method="post" action="../wp-content/themes/candidav2/process/emailcontact.php" id="con_form">
  <fieldset>
    <label for="name">Name *</label><input type="text" size="35" maxlength="35" name="name" id="name" /><br />
    <label for="email">Email *</label><input type="text" size="35" maxlength="35" name="email" id="email" /><br />
    <label class="age" for="age">Do not fill this out (spambot defence)</label><input type="text" size="3" maxlength="35" name="age" id="age" /><br />
    <label for="subject">Subject *</label><input type="text" size="35" maxlength="35" name="subject" id="subject" /><br />
    <label for="test">What is 1 + 4 *</label><input type="text" size="35" maxlength="35" name="test" id="test" /><br />
    <label for="comment">Message</label><textarea rows="8" cols="30" name="comment" id="comment"></textarea><br />
    <input class="button" type="submit" value="Send Message" name="submit" />
  </fieldset>
</form>

Comparison of the two should lead you to notice two things:

  1. A field for Age which does not appear visually
  2. A sum of 1 + 4 which tests the user's non-botness

The Age field (or whatever you wish to insert) is simply deprived of its visualisation through CSS – you might use display: none; or margin-left: -3000px; or other simple trickery to prevent human beings from seeing it. This field is the ditch; if anybody fills in the invisible field then you know they're not human and you can kick their sorry ass aside – obviously a simple PHP check to ensure the field is empty is enough. Bear in mind that the label is still read out by screen readers, which is why it says "Do not fill this out" rather than something a human might be tempted to answer.

Next, the test field asks a simple question such as what is the sum of 1 + 4? Or you might see the more common question on other websites of what is fire – hot or cold? It might sound lame, but at the present time bots have a hard time dealing with random quizzes of logic – and the question is so easily replaced with a new one if there's a sudden breakthrough. The test, in this case, is simply to reject all submissions that do not contain a correct answer for that field.
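The ditch and the hurdle checked server-side, as an added PHP example rather than the site's own emailcontact.php. It goes slightly beyond the post by rotating the quiz question per rendered form (the post notes the question is easy to replace) and by rejecting newlines in header-bound fields, which is the form hijacking the next paragraph warns about. The session key, recipient address and messages are assumptions.

```php
<?php
// Added example, not the site's emailcontact.php: the ditch (hidden "age" field)
// and the hurdle (quiz) checked server-side. Assumes the quiz answer was stored
// in $_SESSION when the form was rendered, so the question can rotate.
session_start();

// Call this where the form is rendered; returns the label text for the "test" field.
function make_quiz_label(): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['quiz_answer'] = (string)($a + $b);
    return "What is $a + $b *";
}

// Returns null if the submission looks human and safe, else the rejection reason.
function reject_reason(array $post, ?string $expected_answer): ?string
{
    // The ditch: a human never sees the CSS-hidden "age" field, so it must be empty.
    if (trim($post['age'] ?? '') !== '') {
        return 'honeypot field was filled';
    }
    // The hurdle: the answer must match the question this session was shown.
    if ($expected_answer === null || trim($post['test'] ?? '') !== $expected_answer) {
        return 'quiz answer missing or wrong';
    }
    // Form hijacking guard: no CR/LF in fields that end up in mail headers,
    // otherwise a bot can smuggle extra Bcc:/To: headers into the message.
    foreach (['name', 'email', 'subject'] as $field) {
        if (preg_match('/[\r\n]/', $post[$field] ?? '')) {
            return "newline in $field (possible header injection)";
        }
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        return 'invalid email address';
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = reject_reason($_POST, $_SESSION['quiz_answer'] ?? null);
    unset($_SESSION['quiz_answer']); // one answer per rendered form
    if ($reason !== null) {
        error_log("contact form rejected: $reason"); // log it, but don't tell the bot why
        http_response_code(400);
        exit('Sorry, your message could not be sent.');
    }
    $body = "From: {$_POST['name']} <{$_POST['email']}>\n\n" . ($_POST['comment'] ?? '');
    mail('you@example.com', 'Contact: ' . $_POST['subject'], $body); // placeholder recipient, fixed server-side
    echo 'Thanks, your message was sent.';
}
```

The rejection page deliberately gives the same generic message whichever check failed, so the log, not the response, tells you which trap the bot fell into.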

The issue of form security on your website is far from trivial, so it's irresponsible to place forms online (any forms) until you understand the nature of form hijacking and the other security issues that must be dealt with responsibly. I have in the past balked at the suggestion that simple email (mailto:) links are an option, but unless you're really competent in creating secure web forms then the mailto, with all its attached flaws, is your better option. Just realise that one of the mailto flaws is that the user may not be able to use it to contact you (although that probably isn't a large swathe of your readers).

But, to date, the most effective bang for my buck in getting sleep has been the technique described in this article – the ditch and the hurdle. It won't lock out humans inputting spam, but it pulls the power back home when it comes to bot attacks. I hope it makes your life easier, too.

About the Author

Steven Clark - the stand up guy on this site

My name is Steven Clark (aka nortypig) and my passions are business, web development, photography and writing. My current CV [PDF 775KB] is available for download. Currently I'm completing my 2 final units of a post-graduate university degree of MBA (Journalism and Media Studies) at the University of Tasmania.
