Spam bots are the worst.
They can ruin a good contact form in a heartbeat.
While getting rid of spam bots requires a lot of strategy and technolo...
Honeypots are great! Of course, a bot can now pretty easily check what inputs in the form are hidden and not fill those out, or instead of using the website, use the form API itself (as they often do now).
In that case, we have to rely on other techniques or bot challenges (like Cloudflare with a required Cloudflare token in the API request). Of course, there are new ways to circumvent those methods as well.
Nice article!
Back in the late 90's, early 2000s, I had a form bot hit one of my forms pretty hard. Hundreds of emails flooded my mailbox. What I found was the bots don't know what they are doing, and they end up putting URLs in many of the fields. Knowing that there is no reason for a URL to be valid data in any of the form fields, I look for a URL in the data as one of my rules. If I see a URL in a field, the page is automatically redirected to FBI dot gov :D
Another thing I do is validate that any drop-downs have valid data in them. I expect values coming back to be a valid option value coming in. The bots were putting URLs in those fields too, which didn't make sense.
lol I love the redirect. Great points all around. Thanks for sharing!
damn :), Mr you have my respect
Thanks for this, glad it's different from the other cliche ones
"display: none" removes items from the DOM, so how are the bots meant to find this field?
Great question! Many bots simply parse the raw HTML without CSS applied, which means they will "see" the field and complete it.
But this brings up a great point: honeypots can be set up in other ways by setting opacity to zero or moving the field off the screen with absolute positioning. Sophisticated bots will know to look for setting the display to none. That's why I mentioned this isn't a complete plan, but it works well for the effort.
Another reason setting display to none is used is because screen readers won't pick up on the field either, so it makes sure the form is accessible to others.
Let me know if you have more questions!
Be careful with regards to accessibility, for things like tab order and screen-readers. Often the work we do to make the form more accessible to humans also makes it more exploitable by bots!
No doubt. Great point! Software is a game of trade-offs
Ah, I did not know that about bots, thanks. So people use bots like this to perform actions on a website not just scrape them?
Yeah. Often, it will be to pitch random services or phishing schemes that have nothing to do with your form's content.
I use a honeypot in which the user is asked to fill out a date field; if it matches the calculated value on the back end, all is good.
I like that! I'm going to keep that in mind for future forms
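Putting the rules from this thread together in one server-side check, as an added example that is not code from the article or from any commenter: the hidden honeypot field must come back empty, no field should carry a URL, a drop-down value must be one of the options the form actually offered, and the date challenge is compared against a value the back end computes itself. The field names, the allowed drop-down options, and the reading of the date challenge as "enter today's date in YYYY-MM-DD form" are assumptions for the example; the two submissions at the bottom are constructed sample input.

```python
"""Server-side spam checks for a contact form (added example, not the article's code).

Rules, in the order the thread raised them:
  1. honeypot field must be empty      (hidden from humans, filled by naive bots)
  2. no URL in any visible field       (no field here legitimately holds one)
  3. drop-down value must be an offered option
  4. date challenge must equal the value the back end calculates
"""
import re
from datetime import date
from typing import Dict, List, Optional

# Hypothetical field names and options; a real form would use its own.
HONEYPOT_FIELD = "website"                 # rendered hidden in the HTML, never shown to users
TOPIC_FIELD = "topic"                      # a <select>; only these values are offered
ALLOWED_TOPICS = {"sales", "support", "other"}
DATE_FIELD = "todays_date"                 # challenge text: "enter today's date (YYYY-MM-DD)"

# Only explicit URL forms are matched. Bare domains are deliberately left out,
# because a legitimate e-mail address like ada@example.com contains one.
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


def contains_url(value: str) -> bool:
    """True if the text holds an http(s):// or www. link."""
    return bool(URL_RE.search(value))


def expected_date(today: Optional[date] = None) -> str:
    """The answer to the date challenge, computed on the server, never taken from the client."""
    return (today or date.today()).isoformat()


def check_submission(form: Dict[str, str], today: Optional[date] = None) -> List[str]:
    """Return the names of every rule the submission breaks; an empty list means accept."""
    problems: List[str] = []

    # 1. Honeypot: a human cannot see this field, so any content marks a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        problems.append("honeypot filled")

    # 2. URLs are not valid data in any visible field of this form.
    for name, value in form.items():
        if name != HONEYPOT_FIELD and isinstance(value, str) and contains_url(value):
            problems.append(f"url in field {name!r}")

    # 3. Drop-downs: the value must be one the form offered, not free text.
    if form.get(TOPIC_FIELD) not in ALLOWED_TOPICS:
        problems.append("invalid topic")

    # 4. Date challenge: compare with the server-calculated value.
    if form.get(DATE_FIELD, "").strip() != expected_date(today):
        problems.append("date challenge failed")

    return problems


# Constructed sample submissions and a fixed "today" so the example is reproducible.
SAMPLE_DAY = date(2024, 5, 1)
HUMAN_FORM = {
    "name": "Ada", "email": "ada@example.com", "topic": "support",
    "message": "My order never arrived.", "website": "", "todays_date": "2024-05-01",
}
BOT_FORM = {
    "name": "http://spam.example", "email": "x@x.ru", "topic": "http://spam.example",
    "message": "Buy now www.cheap-stuff.example", "website": "http://spam.example",
    "todays_date": "",
}

if __name__ == "__main__":
    print("human:", check_submission(HUMAN_FORM, SAMPLE_DAY))
    print("bot:  ", check_submission(BOT_FORM, SAMPLE_DAY))
```

Each rule is cheap and independent, so a submission is reported with every rule it broke rather than stopping at the first; that makes it easy to see which checks are actually catching traffic in your logs before you decide which ones to keep.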