Quick and Simple PHP Honey Pot Spam Prevention

This technique has been floating around the web for the past few weeks so it’s definitely worth sharing here. Using standard HTML, CSS and a little PHP, you can filter out a lot of robots and spammers that crawl the web for unsuspecting forms. Credit to Aaron James Young for reminding me about this technique (he posted a similar snippet on Forrst).

A honey pot trap involves creating a form with an extra field that is hidden from human visitors but readable by robots. The robot fills out the invisible field and submits the form, leaving you to simply ignore their spammy submission or blacklist their IP. It’s a very simple concept that can be implemented in a few minutes and it just works – add one to your contact and submission forms to help reduce spam. I’ve used them extensively in my last few projects and have found it to be well worth the small time investment.

Contact Form Example

Here is an example of a simple contact form that uses the honey pot spam prevention method:

The HTML:

<form method="post" action="">
    <fieldset>
        <legend>Contact Me</legend>
        <p>
            <label>Name:</label>
            <input name="name" type="text" id="name" />
        </p>
        <p>
            <label>E-mail:</label>
            <input name="email" type="text" id="email" />
        </p>
        <p>
            <label>Message:</label>
            <textarea name="message" id="message"></textarea>
        </p>
        <!-- The following field is for robots only, invisible to humans: -->
        <p class="robotic" id="pot">
            <label>If you're human leave this blank:</label>
            <input name="robotest" type="text" id="robotest" class="robotest" />
        </p>
        <p>
            <input type="submit" value="Send Message" class="submit" />
        </p>
    </fieldset>
</form>

The PHP:

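<?php
    // Initialise both messages so the checks at the end never read undefined variables.
    $error = '';
    $success = '';
    if($_POST){
        $to = 'your-email-here@gmail.com';
        $subject = 'Contact Form Submission';
        // Read each field with a default so a missing key does not raise a notice.
        $from_name = isset($_POST['name']) ? $_POST['name'] : '';
        $from_email = isset($_POST['email']) ? $_POST['email'] : '';
        $message = isset($_POST['message']) ? $_POST['message'] : '';
        $robotest = isset($_POST['robotest']) ? $_POST['robotest'] : '';
        // Honey pot check: humans never see this field, so any value means a robot filled it in.
        if($robotest !== '')
            $error = "You are a gutless robot.";
        else{
            if($from_name && $from_email && $message){
                // Remove CR/LF so user input cannot add extra headers to the e-mail.
                $from_name = str_replace(array("\r", "\n"), '', $from_name);
                $from_email = str_replace(array("\r", "\n"), '', $from_email);
                $header = "From: $from_name <$from_email>";
                if(mail($to, $subject, $message, $header))
                    $success = "You are human and your message was sent!";
                else
                    $error = "You are human but there was a problem sending the e-mail.";
            }else
                $error = "All fields are required.";
        }
        // Both messages are fixed strings, so they are safe to echo without escaping.
        if($error)
            echo '<div class="msg error">'.$error.'</div>';
        elseif($success)
            echo '<div class="msg success">'.$success.'</div>';
    }
?>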

The CSS:

    .robotic { display: none; }

In the above example link, I added some optional CSS to make it look a little nicer. Also, you’ll notice the actual e-mail form doesn’t work, as the “to” e-mail address is a fake one. The contact form part is just to illustrate the honey pot; the important thing to notice is that the last text field is hidden using CSS (the entire paragraph) and that if text is entered in the field, the entire form fails.
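
The honey pot check described above, extended as an added example (not the original post's code): it also treats a missing `robotest` key as a robot, since a browser always submits the hidden field, and it logs each rejection with the client IP for later review. The function names, log format and sample inputs are assumptions.

```php
<?php
// Added example: classify_submission() and log_rejection() are hypothetical names.

/** Returns 'human', 'bot_filled' or 'bot_missing' for one POST body. */
function classify_submission(array $post, string $field = 'robotest'): string
{
    // A browser submits every named text input, even when empty and hidden with
    // CSS, so a missing key means the request was not built from the real form.
    if (!array_key_exists($field, $post)) {
        return 'bot_missing';
    }
    // Anything other than an empty string counts as filled: "0", whitespace,
    // or an array sent as robotest[]=x.
    if ($post[$field] !== '') {
        return 'bot_filled';
    }
    return 'human';
}

/** Append one tab-separated line per rejected submission. */
function log_rejection(string $logFile, string $ip, string $verdict): bool
{
    $line = sprintf("%s\t%s\t%s\n", gmdate('c'), $ip, $verdict);
    return file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed sample inputs standing in for $_POST.
$base = array('name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'Hi');
$samples = array(
    'left blank'    => $base + array('robotest' => ''),
    'filled in'     => $base + array('robotest' => 'http://spam.example'),
    'string zero'   => $base + array('robotest' => '0'),
    'array value'   => $base + array('robotest' => array('x')),
    'field removed' => $base,
);

$log = tempnam(sys_get_temp_dir(), 'honeypot');
foreach ($samples as $label => $post) {
    $verdict = classify_submission($post);
    if ($verdict !== 'human') {
        // Constructed documentation-range address; a live form would pass
        // $_SERVER['REMOTE_ADDR'] here.
        log_rejection($log, '203.0.113.7', $verdict);
    }
    echo $label, ': ', $verdict, "\n";
}
echo file_get_contents($log);
unlink($log);
```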

Conclusion

This concept is certainly not my own and in fact, there is even an entire project dedicated to catching spammers using dummy forms and blacklisting their IP addresses (rightfully called Project Honey Pot). Again, thanks to Aaron for reminding me about this technique; I’ve been meaning to do a write-up on it for a while now. This post is also thanks to Forrst; I’m quite pleasantly surprised at the amount of interesting information I’m finding there.

  • tomsbabyjenna

    I really like this idea. I hate all the spam I see on the internet and any way to get rid of it would be so nice.

  • http://montanaflynn.me Montan Flynn

    Simple and sweet! Thanks a bunch.

  • David Crisler

    The only problem is that Google Chrome’s auto-complete feature fills in hidden form fields and totally ruins this technique!

    • http://devgrow.com/ Monjurul Dolon

      Google Chrome shouldn’t be completing a field called “robotest” but if you’d like, you can name it something even more obscure. Most browser auto-complete functions usually just fill out the username and password fields.

      • David Crisler

        I called it all kinds of names, including total gibberish, but Chrome fills it in anyway.

    • Kevin C.

      Add the attribute autocomplete="off" to the form field

  • http://messtudios muhupwer

    Hi,

    The email form isn’t actually working – I get it, but a blank body with nothing written – have tried to fix but no luck.

    Are you sure your php email code is right?

    thanks

    • http://devgrow.com/ Monjurul Dolon

      It should work fine – I’m just using the standard PHP mail() function, which you can read up on here: http://www.php.net/mail

  • http://www.perezfox.com Prescott Perez-Fox

    I recently implemented this tutorial on my site, http://www.perezfox.com, and it works great! Considering I’m a total rookie with PHP, I was relieved to finally be able to understand this one.

    However, I have two questions/things to fix:

    1. When the form is sent, I am redirected to a 404 page. Can I change the redirect to either a “Thank You” page, or perhaps just go nowhere and stay at the current page? I tried to add a hidden redirect field to the form, but that didn’t work:

    // this didn’t work

    2. Can I expand the error criteria from “blank” to include the default field values? As you can see on my site, I don’t have labels for the input fields, but instead use a default value to indicate what the fields are. (Bad for SEO, perhaps, but I think it makes the form more streamlined and mentally forces people to erase the default and fill in their own info.)

    Thanks for any input!

  • http://vpg1.com Veeps

    Thanks! I prefer this over Captcha, since I suck at getting them right the first couple o’ tries.

  • http://ondietday.com/ Meizitang Botanical Slim

    Thanks for sharing, nice website!

  • http://www.safetrolley.com safetrolley

    Wow, this is probably the best anti-spam code I have seen recently. Totally different from the traditional methods!

    Thanks man! Keep it up!

  • Tim Dawson

    I’ve implemented this (or something very close) for use on a web site form. For the most part it works OK, but some Mac/Safari combinations fill in the honeypot and therefore legitimate enquiries are treated as spam.

    • http://abstrus.de gebeer

      @ Tim Dawson

      Are you saying that some Mac/Safari combinations fill the input field, or do you mean the field is not hidden in these browsers and humans filled it in?
      And what text do these browsers fill in?

  • Cesar

    Great article, and what a great solution to this annoying problem, I’ve used captcha in the past, but I’m definitely switching to this solution from now on.

    Thanks!