: Prevent spam using Honey Pots I am really curious about how to prevent comment spam in a forum using a honey pot trap for spam bots. What if CSS and javascript is turned off in a browser?

@Sarah324

Something that I don't often see suggested is a time-based captcha solution. Spam works best by getting it out there as quickly as possible. I replaced the Google hosted ReCaptcha with a 20-second submission delay for my contact forms using PHP sessions, and it cut down spam considerably. I came up with the delay time using Analytics data on user behavior.

Vote Up Vote Down

@Yeniel560

I'm sure form bots will ignore any <input type="hidden"> fields. Best solution is to use text input as normal, with a common data type. Anything that you are not currently using is fine such as Website, Address, Zipcode, Username etc.

Add a message saying "if you can see this field please leave it blank". Wrap the message and input in a div element with CSS set to display:none.

Unfortunately while most spam bots are very simple and dumb, plenty are smarter and can detect any popular trick. Depending on the nature of the form it may be better to use CAPTCHA or Akismet.

Vote Up Vote Down

@Kristi941

What if CSS and javascript is turned off in a browser?


A proper honeypot won't rely on either of these to work. Ideally you will use a hidden form field for this which doesn't require any real hiding..


Do you see any other disadvantages in the honey pot trap?


If you do it properly there shouldn't be any issues that users will be aware of. There will be a tiny amount of overhead required for it to work but that should be so small it shouldn't even be a concern.


Do you know any other anti-spam alternative, that does not disturb the users experience.


From a previous answer: You could do several things (and should be doing more then one) including:


Use a CAPATCHA like reCAPTCHA
Use a field that requires the user to answer a question like what is 5 + 3. Any human can answer it but a bot won't know what to do since it is auto-populating fields based on field names. So that field will be either incorrect or missing in which case the submission will be rejected.
Use a token and put it into a session and also add it to the form. If the token is not submitted with the form or doesn't match then it is automated and can be ignored.
Look for repeated submissions from the same IP address. If your form shouldn't get too many requests but suddenly is it probably is being hit by a bot and you should consider temporarily blocking the IP address.
Use Askimet. It is great at identifying spam.


Recommened reading: How do spambots work?

Vote Up Vote Down