Defeating spambots on contact forms; or eliminating captchas with honey

By | December 17, 2013

Just about anyone who has a contact form on a website has received spam through it. In fact, many people get more spam through their contact page than messages from actual people. How disappointing.

There have been some improvements, namely the captcha. While the captcha does work most of the time, it is burdensome to users and almost always results in a decrease in use by legitimate users.

Not all is lost; there is a way to get the best of both worlds, and it is called a honeypot.

We will apply a hashing function to our form fields, add additional form fields, and then decode them in our mailing function. I’ve decided to use md5 as it is quite fast, and we don’t need cryptographic security.

Here is the base honeypot class we will be building on:

We append date('z') (the day of the year) to the name in order to have our hashes change every single day. At worst, a dumb targeted attack will work for one day before the hashes and fields change.

So, let's use this:

So, by doing this we end up with:

That isn't too bad. It seems unlikely a bot will be able to tell that this is actually a name field.

So, what about decoding? We just look up the field by encoding the name again:

This will grab our name field back out. Very good. But even with a setup like this, a bot only has to put random data into every field it finds; we have no real honeypot yet.

So what do we have now? We create a handful of randomly named fields, a function called spew() that echoes them onto your page, and a function verify() that checks that none of these fields have been touched by a bot.

Let's see it in action:

So that will end up creating something that looks somewhat like this:

OK, that looks confusing as hell. What matters is that it is confusing enough.

Here is what we would use to process that:

We now have an essentially invisible captcha: users only fill out the form pieces they can see, and they are oblivious to the tricks behind the scenes.
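The whole scheme end to end, as an added example and not the post's own PHP (which is in the download link): a Python port that renames the real fields with md5(name + day of year), renders the trap fields, and verifies a submission. The server-side secret used to derive the trap names is my assumption, added so that verify() can recompute them without any session state.

```python
import hashlib
import hmac
from datetime import date


class Honeypot:
    """Daily-rotating obfuscated field names plus CSS-hidden trap fields.

    Real fields are renamed to md5(name + day_of_year), mirroring the post's
    md5 + date('z'). A submission passes only if every trap comes back empty.
    Assumption: trap names come from a server-side secret (HMAC) so verify()
    can recompute them without session state.
    """

    def __init__(self, secret, day=None, trap_count=3):
        # Python's tm_yday is 1-based, PHP's date('z') is 0-based; either is
        # fine as long as render and verify use the same value on a given day.
        self.day = date.today().timetuple().tm_yday if day is None else day
        self.secret = secret
        self.traps = [self._trap_name(i) for i in range(trap_count)]

    def field(self, name):
        """Obfuscated name of a real field; changes every day."""
        return hashlib.md5(f"{name}{self.day}".encode()).hexdigest()

    def _trap_name(self, i):
        msg = f"trap{i}:{self.day}".encode()
        return hmac.new(self.secret, msg, "sha256").hexdigest()[:32]

    def spew(self, visible):
        """Render visible inputs plus the CSS-hidden trap inputs as HTML."""
        real = [f'<input type="text" name="{self.field(n)}">' for n in visible]
        # Hidden by CSS rather than type="hidden", so a bot that fills every
        # text input it finds will also fill the traps.
        traps = [f'<input type="text" name="{t}" autocomplete="off">' for t in self.traps]
        return "\n".join(real) + '\n<div style="display:none">' + "".join(traps) + "</div>"

    def verify(self, post):
        """Accept only if every trap field is present and untouched."""
        return all(t in post and post[t] == "" for t in self.traps)

    def decode(self, post, name):
        """Read a real field back by hashing its plain name again."""
        return post.get(self.field(name))


if __name__ == "__main__":
    hp = Honeypot(b"constructed-secret")  # constructed sample secret
    human = {hp.field("name"): "Alice", **{t: "" for t in hp.traps}}
    bot = {k: "buy now" for k in human}  # a bot fills every field it sees
    print(hp.verify(human), hp.decode(human, "name"), hp.verify(bot))
```

Note that a submission missing the trap fields altogether is rejected too, since a bot that strips unknown inputs is just as suspicious as one that fills them.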

This solution is far from perfect, and in X years it will likely be overtaken. For now though, it works and it is invisible. Perfect!

Use it as a starting point in developing your own honeypot.

Download the source code here