Hacker News

Anyone able to expand on the timestamp/honeypot techniques mentioned?


I suspect one technique would be to add extra fields to the HTML form that are hidden when the page is viewed in an actual browser. Any submissions with values specified for these fields would likely come from a bot, since a normal user would not have been able to enter anything.


I'm guessing the timestamp, in its simplest form, would just submit the time when the page was loaded as a hidden variable in the form, and compare it to the time the form was submitted.

If it's less than something reasonable for a person (say, 20 seconds or something), then it was clearly auto-filled.

With a little help from JavaScript, you could even expand this to the individual fields.

As someone mentioned in the comments above, it would be pretty trivial for spammers to adapt to this if they thought it was common, with a few random pauses. Perhaps they already have...



Bots tend to fill in every input field they encounter. So you could add an empty hidden input field to your form and check if the field has been populated. Another way is to look at how long it took between opening the page that contains the form and the form being submitted, by injecting a timestamp. Bots are way faster than humans.


The Project Honeypot website can help you with setting up a honeypot as well as blocking spammers other users have already detected: http://www.projecthoneypot.org/


I could be mistaken, but I think Project Honeypot is trying to address a different problem - harvested email addresses.

I believe the Honeypot concept that has been discussed on here is referring to creation of a honeypot field on a web form, tempting the bot to fill it in. Many bots will blindly try to submit something into each field, just to make sure that they get all the required fields on their form submission.

By adding a honeypot field, and adding text that instructs humans to leave it blank, a very high percentage of bot submissions will be detected, with few false positives.

Furthermore, you can hide the field from humans, with CSS tricks, as others mentioned. Make it 1 pixel. Make it hidden. etc.
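The two checks described in this thread (a hidden honeypot field that humans never fill in, and a page-load timestamp compared against submission time) combined into one server-side validator, as an added example that is not from any commenter or from Project Honeypot. It assumes a generic form handler that receives submitted fields as a dict; the field names `website` and `_t`, the 5-second minimum, and the per-process HMAC key are all constructed for this example. Two practitioner details go beyond what the thread states: the timestamp is wrapped in an HMAC so a client cannot simply post an older value, and the honeypot is hidden by moving it off-screen with `tabindex="-1"`, `autocomplete="off"` and `aria-hidden` rather than `display:none`, because some browser autofill and password-manager extensions populate `display:none` inputs and would trip the trap for real users.

```python
import hashlib
import hmac
import secrets
from html import escape

# Per-process signing key (constructed for the example; a real deployment
# would load a stable key so tokens survive restarts).
SECRET = secrets.token_bytes(32)

HONEYPOT_FIELD = "website"   # hypothetical name chosen to look worth filling in
TOKEN_FIELD = "_t"           # hypothetical name of the signed-timestamp field
MIN_SECONDS = 5              # faster than this is treated as automated
MAX_SECONDS = 24 * 3600      # older than this is an expired form


def make_token(issued_at: int, key: bytes = SECRET) -> str:
    """Return '<unix_time>.<hmac>' so the timestamp cannot be forged client-side."""
    ts = str(issued_at)
    mac = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def parse_token(token, key: bytes = SECRET):
    """Verify the MAC and return the issue time, or None if missing/tampered."""
    try:
        ts, mac = token.split(".", 1)
        issued_at = int(ts)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return issued_at


def render_form(now: int, key: bytes = SECRET) -> str:
    """Emit the form with a signed timestamp and an off-screen honeypot input."""
    token = escape(make_token(now, key))
    return (
        '<form method="post" action="/comment">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}">\n'
        # Off-screen rather than display:none: fewer autofill false positives.
        '  <div style="position:absolute;left:-9999px" aria-hidden="true">\n'
        f'    <label>Leave this field empty: <input name="{HONEYPOT_FIELD}" '
        'tabindex="-1" autocomplete="off"></label>\n'
        '  </div>\n'
        '  <textarea name="body"></textarea>\n'
        '  <button type="submit">Post</button>\n'
        '</form>\n'
    )


def classify_submission(form: dict, now: int, key: bytes = SECRET) -> str:
    """Return 'ok' for a plausible human, else a tagged reason for rejection."""
    # Honeypot: any non-blank value means something filled in every field.
    if (form.get(HONEYPOT_FIELD) or "").strip():
        return "bot:honeypot"
    # Timestamp: must be present, correctly signed, and not too fast or too old.
    issued_at = parse_token(form.get(TOKEN_FIELD), key)
    if issued_at is None:
        return "bot:bad-token"
    elapsed = now - issued_at
    if elapsed < MIN_SECONDS:
        return "bot:too-fast"
    if elapsed > MAX_SECONDS:
        return "reject:expired"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: page loaded at t0, three submissions at t0 + 30s.
    t0 = 1_700_000_000
    tok = make_token(t0)
    print(classify_submission({TOKEN_FIELD: tok, "body": "hi"}, t0 + 30))
    print(classify_submission({TOKEN_FIELD: tok, HONEYPOT_FIELD: "http://x"}, t0 + 30))
    print(classify_submission({TOKEN_FIELD: tok}, t0 + 1))
```

Log the reason string rather than only dropping the request; a rising share of `bot:too-fast` or `bot:bad-token` versus `bot:honeypot` tells you which check the current crop of bots has adapted to, which is the practical answer to the "perhaps they already have" worry raised above.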


They catch comment spammers, too. It's kind of buried in the FAQ, though: http://www.projecthoneypot.org/faq.php

"How does a honey pot catch comment spammers?

In addition to including specially tagged spam trap addresses, some honey pots also include special HTML forms. Comment spammers are identified by watching what information is posted to these forms."

Here's a list of comment spammers they've caught:

http://www.projecthoneypot.org/list_of_ips.php?t=p

You're absolutely right that fake fields like that are a good way to catch bots, though, and that making your site unique is a great way to avoid being targeted by mass attacks that go after, say, all MediaWiki sites. Of course that doesn't help when you're big enough to be worth attacking specifically, but it makes things a little harder for the spammers.



