6

I have implemented honeypot fields on the majority of my client's contact forms in order to prevent spamming. However, I'm noticing that IE's form auto-fill option fills in the honeypot field, and thus triggers my anti-spam logic. How can I prevent this?

I've tried giving the form field a different name - it is currently called emailConfirmation, but I've tried conf_em and liame, and it's still auto-filling. I've also tried moving the honeypot field to the very bottom of the form - nowhere near the existing email input.

ale
Eric Belair
  • Is the field invisible? If yes, I don't see why IE would be auto-filling it. If no, then what's "honeypot" about it? – Niklas B. Feb 29 '12 at 15:00
  • Yes, the field is within a SPAN that is hidden (CSS: `display: none`), that's what a honeypot field is - a hidden field that bots don't know is hidden, so they fill it in. But IE *IS* auto-filling it. – Eric Belair Feb 29 '12 at 15:08
  • Yeah, I simply could not believe that IE is so stupid. What sense does it make to fill in a hidden field? :/ – Niklas B. Feb 29 '12 at 15:16
  • I apologize, it's a text input field that is "hidden" with CSS. It is NOT a `type="hidden"` input. – Eric Belair Feb 29 '12 at 15:18
  • That's what I meant. An `<input>` with `display: none` or `visibility: hidden`. There is absolutely no sense in filling it. – Niklas B. Feb 29 '12 at 15:20
  • 1
    I think the following page has some good advice on how to avoid this: [disable autocomplete](http://stackoverflow.com/questions/582244/is-there-a-w3c-valid-way-to-disable-autocomplete-in-a-html-form) – David Faber Feb 29 '12 at 15:26
  • The other thought that comes to mind is that you could have a given value for that honeypot field and check against that value. Or does a bot only put in a value when there is no value in the field? – David Faber Feb 29 '12 at 15:32

3 Answers

6

As suggested in the answer David Faber linked to, try adding the `autocomplete="off"` attribute to the input tag.

This is not a standard HTML4 / XHTML attribute, but all major browsers understand it. And it is standardized in HTML5.

Ilmari Karonen
  • Will this still stop bots from automatically entering data into the field? – Eric Belair Feb 29 '12 at 16:43
  • It should _not_ stop bots from automatically entering data into the field, which I assume is the point. (To be specific, it will stop well-behaved programs, such as browsers, which understand and respect the `autocomplete` attribute, from automatically filling in the field. But I assume the bots you want to trap are specifically those that do _not_ behave nicely and respect such instructions.) – Ilmari Karonen Feb 29 '12 at 17:18
1

Give your honeypot field a semi-random name, e.g. suffix the actual name with a random number. This way it should never be the same name twice and shouldn't be populated by IE.

You might also want to take a look at cfformprotect. It's got some great features and has helped me with protecting form submissions on quite a few projects.

Stephen Moretti
  • Thanks, I also am trying to move away from using ColdFusion wherever possible in these forms, since these are simply marketing websites, and right now, the only need for CF is adding data to the client's database, which will soon not be necessary. – Eric Belair Feb 29 '12 at 16:42
0

Here is my suggestion for your invisible honeypot field: put the `autocomplete="off"` HTML tag at the form level. By putting it at the invisible field level you are identifying your hidden field, and a slightly intelligent bot could use this in order to recognize it. `autocomplete` tag support: http://help.dottoro.com/lhdwgiwh.php You should do a technical probe with your target IE versions (do you need IE 5 and 6 support?). For your invisible field name, use as common a name as possible, e.g. country, so the bot algorithm will pick it up and fill it with data.

Regards, Karlo.

Karlo Smid
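
The honeypot discussed in the answers above, with a per-render name suffix and `autocomplete="off"` on the decoy input, together with the server-side check that consumes it. This is an added example, not code from any of the posters; `HONEYPOT_PREFIX`, `renderHoneypot` and `classifySubmission` are hypothetical names, and the form body is assumed to be already parsed into an object.

```javascript
// Added example; all identifiers here are hypothetical.
const HONEYPOT_PREFIX = "emailConfirmation_"; // base name taken from the question

// Build the decoy markup. The suffix only has to differ per render so the
// browser's autofill history has no stored value for this exact name; it is
// not a secret, so Math.random() is adequate here.
function renderHoneypot() {
  const suffix = Math.floor(Math.random() * 1e9).toString().padStart(9, "0");
  const name = HONEYPOT_PREFIX + suffix;
  const html =
    '<span style="display: none">' +
    `<input type="text" name="${name}" value="" autocomplete="off">` +
    "</span>";
  return { name, html };
}

// Classify a parsed form body (object of field name -> submitted value).
//   "spam"    : a decoy field arrived with content
//   "missing" : no decoy field at all; a browser submitting the rendered form
//               always sends the empty text input, even under display: none
//   "ok"      : decoy present and empty
function classifySubmission(body) {
  const decoys = Object.keys(body).filter((k) => k.startsWith(HONEYPOT_PREFIX));
  if (decoys.length === 0) return "missing";
  for (const key of decoys) {
    // Repeated fields may be parsed as arrays; any non-blank entry counts as filled.
    const parts = Array.isArray(body[key]) ? body[key] : [body[key]];
    if (parts.some((v) => String(v ?? "").trim() !== "")) return "spam";
  }
  return "ok";
}

// Constructed sample submissions.
const field = renderHoneypot();
const human = { name: "Ann", email: "ann@example.com", [field.name]: "" };
const bot = { name: "x", email: "x@example.com", [field.name]: "x@example.com" };
const direct = { name: "x", email: "x@example.com" };
console.log(classifySubmission(human), classifySubmission(bot), classifySubmission(direct));
```

Keeping "missing" separate from "spam" lets the handler log or reject direct POSTs without counting them as honeypot hits.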