
So I've got a basic PHP form honeypot. It looks like ..

```php
<?php
$honeypot = $_POST['honeypot'] ?? '';   // avoid an undefined-index notice when the field is absent
if ($honeypot) {
    $error = "You are a bot";
} else {
    // ... process the legitimate submission here ...
}
```

and the input honeypot is display:hidden. Technically it works, has been working for over a year, but just recently spam bots have started defeating it. My guess is that the bots are onto the fact that it is a hidden field and I know there are a few other ways I can do this. I could make the field visible but tiny, the same color as the background, position it off the page. But I wanted to get some input as to other people's experiences on what works best.

Thanks.

Pieter
  • `$error = "You are a bot";` - well you are even telling the bot that you found out. What do you wonder about? Give back a 200 ok and bot thinks everything is fine. Also did you really name that field *honeypot*? – hakre Nov 09 '12 at 21:24
  • you can always try to header('Location: http://www.youtube.com/watch?v=UGS8re8cIVI'); and rick roll the bot. Maybe their circuits will xplode. – Ben Ashton Nov 09 '12 at 21:26
  • Tricking and detecting bots is all about varying the methods. – mario Nov 09 '12 at 21:31
  • Related: [Better Honeypot Implementation (Form Anti-Spam)](http://stackoverflow.com/questions/36227376/better-honeypot-implementation-form-anti-spam/36227377) – Nicholas Summers Mar 31 '16 at 20:18

4 Answers


You could achieve the same effect by removing the field completely with JavaScript.

No matter what you do, it can all be defeated by bots. This is especially true if someone spends 5 minutes manually tuning their bot to your form. Also, more and more bots run full webkit browser instances, which will execute JavaScript just like "real" users.

Brad

Instead of using display: hidden, you can try to hide the input by using something like position: absolute; top: 100%, or maybe even just removing the border and blending it into the background. I would also consider changing the name from honeypot, since that is a known term.

Some sophisticated bots will probably still be able to get around it, but that's true in essentially all cases. If it's vital that you not get spam, you can use a captcha (I hate captchas and would not recommend them for users -- they are too intrusive in my opinion), but some bots can even defeat captchas. If you get a lot of submissions, you may have to tolerate a little spam.

Explosion Pills
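Putting the thread's advice together: the asker's check, hakre's point about not announcing the detection and not calling the field `honeypot`, mario's point about varying the method, and this answer's off-screen positioning. The following is an added example written for this page, not code from the asker or from any answerer. The trap field names in `TRAP_FIELDS` are my own choice, and `deliverMessage()` stands in for whatever the real form does with a legitimate submission.

```php
<?php
declare(strict_types=1);

// Trap field names that look like ordinary contact-form fields (constructed for
// this example, not taken from the thread). A human never sees any of them, so
// a non-empty value in any one of them marks the submission as automated.
const TRAP_FIELDS = ['website', 'company_url', 'fax'];

// Returns true when any trap field arrived with content. Every candidate name is
// checked, not only the one rendered on this request, so a bot that fetched the
// form earlier (and saw a different random trap) is still caught.
function isTrapFilled(array $post): bool
{
    foreach (TRAP_FIELDS as $field) {
        $value = $post[$field] ?? null;
        if (is_array($value)) {
            return true;                        // field[]=... is never a human
        }
        if (is_string($value) && trim($value) !== '') {
            return true;
        }
    }
    return false;
}

// Render one randomly chosen trap field, moved off-screen instead of using
// display:none (the approach suggested in the answer above). tabindex=-1 keeps
// keyboard users out of it and autocomplete=off stops browsers pre-filling it.
function renderTrapInput(): string
{
    $name = TRAP_FIELDS[random_int(0, count(TRAP_FIELDS) - 1)];
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<div style="position:absolute;left:-10000px;top:auto;width:1px;height:1px;overflow:hidden">'
        . '<label for="' . $safe . '">Leave this field empty</label>'
        . '<input type="text" id="' . $safe . '" name="' . $safe . '" tabindex="-1" autocomplete="off">'
        . '</div>';
}

// Placeholder for the real delivery step (assumed, not on the page).
function deliverMessage(string $message): void
{
    error_log('would deliver message of ' . strlen($message) . ' bytes');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isTrapFilled($_POST)) {
        // Do not tell the bot it was caught: record it for your own logs, drop
        // the message, and fall through to the same 200 page a real sender gets.
        error_log(sprintf('form trap tripped from %s', $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    } else {
        deliverMessage(trim((string) ($_POST['message'] ?? '')));
    }
    http_response_code(200);
    echo '<p>Thank you, your message has been received.</p>';
    exit;
}
?>
<form method="post" action="">
  <label for="message">Message</label>
  <textarea id="message" name="message"></textarea>
  <?= renderTrapInput() ?>
  <button type="submit">Send</button>
</form>
```

The bot and the human receive byte-identical responses, so nothing in the reply tells a bot author which field to stop filling; the only record of the detection is the server-side log line.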

You could try to make the field completely visible with the label marking it for use by robots, which, unfortunately, is somewhat inconvenient for real users. I haven't had cause to try this yet. The error could say something like "Thank you but robot input is not permitted" (notice the nice 'thank you' ;-)

Myster

A captcha would be best (as much as I hate them).

If this is just a contact form, try using $_POST['password'];. The bot will detect this as a normal, valid field and fill it in. Honeypot is too obvious.

Paul Dessert
  • I changed the field name to "comments" in an effort to entice the bots to fill it out but to no avail. I really would rather not use a captcha .. I hate them too. – Pieter Nov 09 '12 at 21:26