How to Use Honeypots to Fight Spam

honeypot

We recently released an awesome plugin named OSpam-a-not. This extension protects your forms from a flood of spam. At the moment it’s only available for Joomla, but also we have plans to release a WordPress version.

The good news is that you can apply part of the OSpam-a-not code in any situation because it uses a “Honeypot” technique.

In this tutorial, I’m going to explain what a Honeypot technique is and how you can use it.

Step #1. The HTML code

Here’s a sample HTML contact form with 3 fields:

  • Name
  • Email
  • Message

To follow this tutorial, save this code in a file called contact.html.

Disclaimer: Please note that this only a very basic contact form and this code shouldn’t be used for a real website.

{codecitation}
<form name=”contact” method=”post” action=”contact.php”>
<div>
<input type=”text” name=”name” value=”” placeholder=”Name” />
</div>
<div>
<input type=”email” name=”email” value=”” placeholder=”Email” />
</div>
<div>
<textarea name=”message” placeholder=”Message”></textarea>
</div>
<div>
<input type=”submit” name=”submit” value=”Submit”/>
</div>
</form>
{/codecitation}

Step #2. The hidden field

So far this form looks like a regular contact page. Let’s add an input field inside the form with a dummy name:

{codecitation}
<input type=”text” name=”name_here_goes” value=”” />
{/codecitation}

We want the previous input field to be invisible for users, so we’ll also add CSS to hide the display:

{codecitation}
<style type=”text/css”>
input[name=”name_here_goes”]{
display: none;
}
</style>
{/codecitation}

This invisible field will work as a bait for spam bots.

Step #3. The PHP code

Now let’s create a PHP file named contact.php with the following code:

{codecitation php}
<?php
// Section 1.
if( $_POST[‘name_here_goes’] == ” ){

// Section 2.
if ( !empty($_POST[‘name’]) && !empty($_POST[’email’]) && !empty($_POST[‘message’]) ) {

$to         = ‘to@nomail.com’;
$subject     = ‘Contact Form’;
$message     = $_POST[‘name’] . ‘: ‘ . $_POST[‘message’];
$headers     = ‘From: ‘ . $_POST[’email’] . ‘ ‘ . “\r\n” .
‘Reply-To: ‘ . $_POST[’email’] . ” . “\r\n” .
‘X-Mailer: PHP/’ . phpversion();

// Section 3.
if ( mail($to, $subject, $message, $headers) ) {
echo ‘Email sent. Congrats!’;
}
}else{
echo ‘Please fill all the info.’;
}

}else{

// Section 4.
echo ‘Spam detected!’;

}
{/codecitation}

Let’s split the code in 4 sections to explain the purpose of each one:

  • Section 1. This checks to see if the invisible field is empty.
  • Section 2. This validates that all the fields are filled in.
  • Section 3. This sends the email.
  • Section 4. If the invisible field is not empty, the form is being submitted by a bot and the email is not sent.

By adding our invisible field name_here_goes we trick the bots because they automatically fill in all the fields. The key to the Honeypot technique is that the email only can be sent when this field remains empty.

Step #4. Test the result

Upload both files into your server. You won’t receive spam emails from this contact form!

Instructor

  • Valentin discovered Joomla in 2010, and since then he has considered it as the best CMS. Valentin has been coding extensions and templates for Joomla for many years and truly enjoys helping people build their own websites with Open Source tools. He lives in San Julián, Jalisco, México.

0 0 votes
Blog Rating
Subscribe
Notify of
4 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
jritchie

The contact form I am using has JS and a lot of validation. The amount of spam I am getting is crazy. Is there a way of checking to ensure I coded it correctly? I am just hoping I put the if and else in my code correctly? Thanks for your time. I was a member of ostraining for a long time!

Nick

Hi and welcome back, Jennifer!
It looks fine to me 🙂

jenner

Hi!

Today’s bots are smart enough to detect if the field is hidden from the view or if it is a dummy field. Remember the fact that bot designers are humans and have probably read all of these articles (Even more complex ones).

behnam bozorg

Today’s bots are smart enough to detect if the field is hidden from the view or if it is a dummy field. Remember the fact that bot designers are humans and have probably read all of these articles (Even more complex ones).
Solutions:
1- Do not hide the fields from the form, re-position it to somewhere out of the view by CSS

2- Have more than one Honeypot and check them all on the back-end.

3- DO NOT return any error or traces of the form bring failed.

4- Try using JS to submit the form (Do not use type=”submit” button at all!)

4
0
Would love your thoughts, please comment.x
()
x