Honeypots, Trenches and Spambot Protection
Sunday, November 22nd, 2009
It always seems that the spammers hammer loudest when my personal pressure threshold is already being pummeled by a project deadline or an examination study period. And it's time consuming to be out there beating at those sluggish bastards with a wide HTML / PHP / CSS broom. It's simply not enough to have strong form validation scripts, to check MX records for valid email accounts, or even to have blacklists in place.
The answer, as many others have suggested over the last few years, is to adopt the low-tech approach of honeypots and invisible form fields. Traditionally the honeypot strategy is where you put something yummy and juicy in front of a target to lure them to the bait for capture. An example of the honeypot strategy is the fake crime and sex websites created by law enforcement to track and convict offenders. But our honeypot in the case of a form isn't so bold… it's more a strategy to find out who is human and what is a bot. Needless to say, bots are the target of our honeypot strategy.
The approach I'd recommend can be thought of as a simple ditch followed by a hurdle, and it's even simpler to implement. Below is an image which shows the visual layout of this strategy as the user sees it.
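To make the "ditch" concrete, here is an added example of the invisible-field check on the server side. It is not code from the original post (the post's stack is PHP; the logic is shown here in Python because it is the same in any language). The field name `website_url`, the CSS class `hp-trench`, and the three sample submissions are constructed for illustration.

```python
"""Honeypot ("ditch") check for a web form.

Added example, not code from the original post. The field name,
CSS class and sample submissions below are constructed.
"""
from dataclasses import dataclass
from typing import Mapping

# The invisible field. It is named like a real field so a bot that fills
# every input it finds fills this one too; a human never sees it. (Assumed name.)
HONEYPOT_FIELD = "website_url"

# Stylesheet rule that pushes the trench off-screen. Kept in the CSS rather than
# inline so the field's markup carries no obvious "this is hidden" hint.
HONEYPOT_CSS = ".hp-trench { position: absolute; left: -9999px; }"


def render_honeypot_input() -> str:
    """Markup for the trap field.

    It is a plain text input hidden by CSS, not type="hidden": a bot that
    skips hidden inputs would skip the trap. autocomplete="off" lowers the
    risk of a browser autofilling it for a real user, and tabindex="-1"
    keeps keyboard users from landing in it.
    """
    return (
        '<div class="hp-trench">'
        f'<label for="{HONEYPOT_FIELD}">Website</label>'
        f'<input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" '
        'value="" autocomplete="off" tabindex="-1">'
        "</div>"
    )


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str  # worth logging: repeated "filled" verdicts show the bot traffic


def check_honeypot(form: Mapping[str, str]) -> Verdict:
    """Classify one POSTed form body.

    A submission that lacks the field at all did not come from the form we
    rendered (the browser always sends an empty text input), so it is
    rejected too. Any non-empty value, whitespace included, means the
    field was filled, which a human cannot do.
    """
    if HONEYPOT_FIELD not in form:
        return Verdict(False, "honeypot field missing: not our form")
    if form[HONEYPOT_FIELD] != "":
        return Verdict(False, "honeypot filled: bot")
    return Verdict(True, "honeypot empty")


def screen_submission(form: Mapping[str, str], required=("name", "email", "message")) -> Verdict:
    """Run the honeypot check first, then the ordinary required-field validation
    the post says is not enough on its own."""
    verdict = check_honeypot(form)
    if not verdict.accepted:
        return verdict
    missing = [f for f in required if not form.get(f, "").strip()]
    if missing:
        return Verdict(False, "missing required fields: " + ", ".join(missing))
    return Verdict(True, "ok")


# Constructed sample submissions.
HUMAN_POST = {"name": "Ada", "email": "ada@example.org", "message": "Hi", HONEYPOT_FIELD: ""}
BOT_POST = {"name": "x", "email": "x@example.org", "message": "buy now", HONEYPOT_FIELD: "http://example.net"}
FOREIGN_POST = {"name": "x", "email": "x@example.org", "message": "buy now"}  # field absent

if __name__ == "__main__":
    for label, post in (("human", HUMAN_POST), ("bot", BOT_POST), ("foreign", FOREIGN_POST)):
        print(label, screen_submission(post))
```

The one false-positive risk worth watching is browser autofill: if a real visitor's browser fills the trap because its name resembles a saved field, they are rejected as a bot, which is why the reason string is kept for logging and why the field carries `autocomplete="off"`.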


