How to Use Honeypots to Fight Spam

We recently released a plugin named OSpam-a-not. This extension protects your forms from a flood of spam. At the moment it is only available for Joomla, but we also plan to release a WordPress version.
The good news is that you can apply part of the OSpam-a-not approach in any situation, because it uses a "Honeypot" technique: a form field that real visitors never see and therefore never fill in, while spam bots that blindly complete every field do.
In this tutorial, I'm going to explain what the Honeypot technique is and how you can use it.
Step #1. The HTML code
Here's a sample HTML contact form with 3 fields:
- Name
- Email
- Message
To follow this tutorial, save this code in a file called contact.html.
Disclaimer: Please note that this is only a very basic contact form, and this code shouldn't be used on a real website as-is.
<form name="contact" method="post" action="contact.php">
<div>
<input type="text" name="name" value="" placeholder="Name" />
</div>
<div>
<input type="email" name="email" value="" placeholder="Email" />
</div>
<div>
<textarea name="message" placeholder="Message"></textarea>
</div>
<div>
<input type="submit" name="submit" value="Submit"/>
</div>
</form>
Step #2. The hidden field
So far this form looks like a regular contact page. Let's add an extra input field inside the form with a dummy name that looks like a real field to a bot:
<input type="text" name="name_here_goes" value="" />
We want this input field to be invisible to users, so we'll also add CSS to hide it:
<style type="text/css">
input[name="name_here_goes"]{
display: none;
}
</style>
This invisible field will work as a bait for spam bots.
Step #3. The PHP code
Now let’s create a PHP file named contact.php with the following code:
<?php
// Section 1. The honeypot field must be empty. The `??` fallback avoids an
// "undefined index" notice when a bot omits the field entirely, and `===`
// makes the comparison strict.
if ( ($_POST['name_here_goes'] ?? '') === '' ) {
    // Section 2. All the visible fields must be filled in.
    if ( !empty($_POST['name']) && !empty($_POST['email']) && !empty($_POST['message']) ) {
        // Only accept a single valid address: a newline inside the email
        // would let the sender inject extra mail headers (Bcc:, Cc:, ...).
        $email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
        if ( $email === false ) {
            echo 'Please enter a valid email address.';
            exit;
        }
        $to = 'to@nomail.com';
        $subject = 'Contact Form';
        $message = $_POST['name'] . ': ' . $_POST['message'];
        $headers = 'From: ' . $email . "\r\n" .
            'Reply-To: ' . $email . "\r\n" .
            'X-Mailer: PHP/' . phpversion();
        // Section 3. Send the email.
        if ( mail($to, $subject, $message, $headers) ) {
            echo 'Email sent. Congrats!';
        }
    } else {
        echo 'Please fill all the info.';
    }
} else {
    // Section 4. The honeypot was filled in, so this is a bot: send nothing.
    echo 'Spam detected!';
}
Let's split the code into 4 sections to explain the purpose of each one:
- Section 1. This checks to see if the invisible field is empty.
- Section 2. This validates that all the visible fields are filled in and that the email address is a single valid address (so it can't be used to inject extra mail headers).
- Section 3. This sends the email.
- Section 4. If the invisible field is not empty, the form is being submitted by a bot and the email is not sent.
By adding our invisible field name_here_goes we trick the bots, because most of them automatically fill in every field they find. The key to the Honeypot technique is that the email can only be sent when this field remains empty.
Step #4. Test the result
Upload both files to your server. Any submission in which the hidden field has been filled in is now rejected before an email is sent, which removes the bulk of automated spam. Bots that only fill in the fields they recognise will still get through, so treat the honeypot as one layer of protection rather than a complete fix.
The contact form I am using has JS and a lot of validation. The amount of spam I am getting is crazy. Is there a way of checking to ensure I coded it correctly? I am just hoping I put the if and else in my code correctly. Thanks for your time. I was a member of ostraining for a long time!
Hi and welcome back, Jennifer!
It looks fine to me 🙂
Hi!
Today’s bots are smart enough to detect if the field is hidden from the view or if it is a dummy field. Remember the fact that bot designers are humans and have probably read all of these articles (Even more complex ones).
Solutions:
1- Do not hide the fields from the form; re-position them somewhere out of view with CSS.
2- Have more than one Honeypot and check them all on the back-end.
3- DO NOT return any error or traces of the form having failed.
4- Try using JS to submit the form (do not use a type="submit" button at all!)
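Putting the tutorial's contact.php and the four suggestions above together, here is a single-file version as an added example. It is not code from the original tutorial or from OSpam-a-not. It uses several honeypot fields instead of one, moves them off-screen with CSS rather than display: none, gives a bot exactly the same reply as a human, submits the form only through JavaScript, and validates the email address so it cannot be used for mail-header injection. The honeypot names (website, phone2, company), the CSS class name and the email addresses are illustrative assumptions; change them for your own site.

```php
<?php
// Added example, not code from the original tutorial or from OSpam-a-not.
// One file serves the form (GET) and handles it (POST). Field names, the
// CSS class and the email addresses are illustrative assumptions.
declare(strict_types=1);

// Honeypot names chosen to look like real fields; the genuine ones are
// name, email and message. A bot that "fills every field" hits these.
const HONEYPOT_FIELDS = ['website', 'phone2', 'company'];

/** True when any honeypot carries a value. A missing field counts as empty. */
function is_bot(array $post): bool
{
    foreach (HONEYPOT_FIELDS as $field) {
        if (isset($post[$field]) && trim((string) $post[$field]) !== '') {
            return true;
        }
    }
    return false;
}

/**
 * Returns a validated address or null. FILTER_VALIDATE_EMAIL rejects CR/LF,
 * so the value cannot smuggle extra headers (Bcc:, Cc:) into mail().
 */
function clean_email(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Processes a submission and returns the text shown to the visitor. */
function handle_post(array $post): string
{
    $thanks = 'Thanks, your message has been received.';
    // Unlike "Spam detected!" in the tutorial, a bot gets the same answer as
    // a human; the message is silently dropped, so the bot learns nothing.
    if (is_bot($post)) {
        return $thanks;
    }
    $name    = trim((string) ($post['name'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));
    $email   = clean_email((string) ($post['email'] ?? ''));
    if ($name === '' || $message === '' || $email === null) {
        return 'Please fill in all fields with a valid email address.';
    }
    // From: is a fixed site address (assumed); the visitor's address goes
    // only into Reply-To, so the mail cannot be forged as coming from them.
    $headers = "From: noreply@example.com\r\nReply-To: {$email}\r\n";
    mail('to@example.com', 'Contact Form', $name . ': ' . $message, $headers);
    return $thanks;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo htmlspecialchars(handle_post($_POST), ENT_QUOTES, 'UTF-8');
    exit;
}
?>
<style>
/* Off-screen instead of display:none, which is the first thing a bot checks for */
.extra-field { position: absolute; left: -10000px; width: 1px; height: 1px; overflow: hidden; }
</style>
<form method="post" action="">
  <div><input type="text" name="name" placeholder="Name"></div>
  <div><input type="email" name="email" placeholder="Email"></div>
  <div><textarea name="message" placeholder="Message"></textarea></div>
  <?php foreach (HONEYPOT_FIELDS as $hp): ?>
  <!-- tabindex=-1 and autocomplete=off stop real browsers from focusing or
       autofilling the trap; browser autofill is the usual cause of honeypot
       false positives -->
  <div class="extra-field" aria-hidden="true">
    <input type="text" name="<?= htmlspecialchars($hp) ?>" tabindex="-1" autocomplete="off" value="">
  </div>
  <?php endforeach; ?>
  <!-- type="button", not "submit": the form only goes out through the script -->
  <div><button type="button" onclick="this.form.submit()">Submit</button></div>
</form>
```

Save it as contact.php and open it in a browser: a GET request renders the form, a POST is handled by handle_post(). Note that a visitor with JavaScript disabled cannot submit this form at all, which is the trade-off of suggestion 4; if that matters for your audience, keep a normal submit button and rely on the other three measures.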