Stopping Spam with a Honeypot
#1

[eluser]Michael Wales[/eluser]
I just read a quick article from Phil Haack about utilizing a Honeypot Captcha. Basically, it's as simple as including a form field, which you hide via CSS, that you expect to be empty (and check against that during Validation).

Bots love form fields and will rarely leave one blank (unless there is quite a bit of influence from a real user as to how the bot should react to a particular form). When the bot fills in this form field, you instantly know it wasn't a real user, and you can simply ignore the request.

I like this idea and I believe I will implement it on my next project, if nothing else to see how it works. The beauty of it all is that it requires very little work on the part of the programmer!
#2

[eluser]xwero[/eluser]
I've seen this idea once before, but I wonder how much time it will take the bot writers to come up with a solution to check if the field is hidden, and the message part for screenreaders will help to find a solution.

As an alternative to an image captcha I'd rather use written-out calculations. I did it in C#; maybe I should make a class for PHP.
#3

[eluser]thurting[/eluser]
Interesting. I will def. give this a shot. Probably will set up some log to record the failed post attempts to gain insight into the spam being sent to my site.
#4

[eluser]marcoss[/eluser]
[quote author="walesmd" date="1191978938"]I just read a quick article from Phil Haack about utilizing a Honeypot Captcha. Basically, it's as simple as including a form field, which you hide via CSS, that you expect to be empty (and check against that during Validation).

Bots love form fields and will rarely leave one blank (unless there is quite a bit of influence from a real user as to how the bot should react to a particular form). When the bot fills in this form field, you instantly know it wasn't a real user, and you can simply ignore the request.

I like this idea and I believe I will implement it on my next project, if nothing else to see how it works. The beauty of it all is that it requires very little work on the part of the programmer![/quote]

For a weblog or a simple contact form in a personal website this may work.. for a while.

In the real world, if you are building an application that may attract spammers, it takes just one second for the spammer to hack the spam script to work around that.

Unfortunately, the best solution we have today is captcha, and yet it is breakable.
#5

[eluser]ImageSmith[/eluser]
Agreed Marcoss.
I have used a system based on sessions in my pre-CI days.
Basically when a form is declared by a call to the page, it sets a simple flag in the session. When the form processing routine receives the post data from the form it looks for the session flag. If not present, the submission will be ignored and the form presented as if not submitted.
This has stopped my older sites from processing form spam attacks.
I'm guessing that this check would need to be performed in the Validation class.
Might have to have a look at doing this if no one has already addressed the issue.
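
The two checks described in this thread, the hidden honeypot field from post #1 and the session flag from post #5, together with the rejected-post log suggested in post #3, as an added example that is not part of any post here. It is plain PHP rather than CodeIgniter code, and the field name `website`, the session key and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. All names below are hypothetical.
const HONEYPOT_FIELD = 'website';      // rendered in the form but hidden via CSS
const SESSION_FLAG   = 'form_issued';  // set when the form page is served

// Call while rendering the form: remember that this session was shown it.
function mark_form_issued(array &$session): void
{
    $session[SESSION_FLAG] = true;
}

// Call while handling the POST. Returns null to accept, else a reason to log.
function reject_reason(array $post, array &$session): ?string
{
    // Session check (post #5): no flag means the form page was never requested.
    $issued = !empty($session[SESSION_FLAG]);
    unset($session[SESSION_FLAG]);     // each served form allows one submission
    if (!$issued) {
        return 'no-session-flag';
    }
    // Honeypot check (post #1): the hidden field must come back as ''.
    // Design choice here: a missing or non-string value is rejected as well,
    // because the real form always submits the field.
    if (($post[HONEYPOT_FIELD] ?? null) !== '') {
        return 'honeypot-tripped';
    }
    return null;
}

// One log line per rejected post (post #3). JSON encoding escapes newlines,
// so submitted text cannot start a fake log entry.
function log_line(string $reason, string $ip, array $post): string
{
    $body = substr((string) json_encode($post, JSON_INVALID_UTF8_SUBSTITUTE), 0, 200);
    return sprintf('%s reject=%s ip=%s post=%s', date('c'), $reason, $ip, $body);
}

// Constructed sample requests; 203.0.113.7 is a documentation address.
$human = ['name' => 'Ann', 'message' => 'Hello', HONEYPOT_FIELD => ''];
$bot   = ['name' => 'x', 'message' => "buy\nnow", HONEYPOT_FIELD => 'http://spam.example'];

$session = [];
mark_form_issued($session);
var_dump(reject_reason($human, $session));   // form served, honeypot empty
mark_form_issued($session);
echo log_line(reject_reason($bot, $session), '203.0.113.7', $bot), "\n";
$direct = [];                                // bot posting without loading the form
echo log_line(reject_reason($bot, $direct), '203.0.113.7', $bot), "\n";
```

In a real handler the two array arguments would be `$_POST` and `$_SESSION`, and a rejected post would get the same response page as an accepted one so the sender learns nothing from the difference.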



