Submitted by Jeff Geerling on August 17, 2011 - 9:45am
Now that I've released a Drupal 6 backport of what I originally wrote as a Drupal 7 module, I figured I would write a little bit in the way of introducing one of the simpler, and more user-friendly ways of controlling spam in Drupal (as opposed to other also-helpful methods, like Mollom, CAPTCHA, etc.).
I'd like to thank Flocknote for giving me the development time to work on this module, as we needed something like it for the new 'version 3' launch of www.flocknote.com.
The Honeypot Method
Honeypot is aptly named because, just like Pooh bear is drawn towards honey jars, spam bots are drawn towards form fields—especially form fields they think will give them the ability to link back to their own websites. So, the Honeypot method basically inserts a hidden form field into Drupal (or other) forms with a field name like 'homepage' (you can set it to whatever you want). End users don't see the field, so they don't fill it out. But spam bots (usually using prewritten scripts) do see the field (usually), and add something to it. The Honeypot module detects this and blocks the form submission if there's something in the field.
Additionally, the Honeypot module adds in a Timestamp-based deterrent. Usually, forms take at least a few seconds to fill out when a human is entering data into them—especially surveys, user registration forms, etc. Spam bots try to fill out as many forms as they can in as little time as possible, so they will often fill out a form within a couple seconds at most. The Honeypot module requires at least 5 seconds to pass (by default - you can adjust this too!) before a form can be submitted.
The Honeypot + Timestamp form protection method is a very good defense against spam bots, but not against actual humans who fill out forms for spammers (update: there are now some ways you can configure the module to deter 'real' spammers; see honeypot.api.php). If you start having serious spam problems, you might need to add in Mollom or another more intelligent spam prevention service to the mix. The greatest advantage of the Honeypot method is that the user is given no extra obstacles to completing a form. In my opinion, it's the most user-friendly way of preventing spam, even if it's not the most effective in every situation.
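The two checks described above, as a framework-independent Python sketch. This is an added example, not the Honeypot module's code: the names SECRET, TIME_FIELD and MAX_SECONDS, and the HMAC signature on the timestamp (added so that a client cannot forge an earlier issue time), are assumptions of the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, never sent to clients
HONEYPOT_FIELD = "homepage"       # decoy field name, as in the article
TIME_FIELD = "honeypot_time"      # hypothetical name for the signed timestamp field
MIN_SECONDS = 5                   # the article's default minimum fill-out time
MAX_SECONDS = 3600                # assumption: expiry that limits replay of old tokens


def issue_token(form_id, now=None):
    """Signed 'issued-at' value, so a client cannot forge an earlier timestamp."""
    issued = int(time.time() if now is None else now)
    mac = hmac.new(SECRET, f"{form_id}:{issued}".encode(), hashlib.sha256)
    return f"{issued}:{mac.hexdigest()}"


def render_protection(form_id, now=None):
    """Extra markup for the form: CSS-hidden decoy field plus the signed timestamp."""
    return (
        '<div style="display: none">'
        f'<label>Leave this field blank <input name="{HONEYPOT_FIELD}"></label></div>'
        f'<input type="hidden" name="{TIME_FIELD}" value="{issue_token(form_id, now)}">'
    )


def check_submission(form_id, post, now=None):
    """Return (accepted, reason) for a dict of submitted form values."""
    now = time.time() if now is None else now
    if post.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    issued, _, mac = post.get(TIME_FIELD, "").partition(":")
    try:
        issued_at = int(issued)
    except ValueError:
        return False, "timestamp missing or malformed"
    expected = issue_token(form_id, issued_at).partition(":")[2]
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "timestamp signature invalid"
    age = now - issued_at
    if age < MIN_SECONDS:
        return False, "submitted too quickly"
    if age > MAX_SECONDS:
        return False, "form expired"
    return True, "ok"
```

The reason string is meant for server-side logging; the visitor should only see a generic "please try again" message so that the rejection does not reveal which check fired.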
Other Niceties
You can also bypass the Honeypot protection for certain user roles—say, for instance, site administrators, who just might be able to fill out a form in less than 5 seconds—and you can choose the forms on which Honeypot protection will be enabled. You can also tell Honeypot to protect all forms on the site. Finally, you can use Honeypot protection in any of your own forms by adding a little code snippet from the module's project page.
The module is currently undergoing development, but is stable, and in use on a few Drupal 7 and Drupal 6 sites. Download Honeypot for Drupal 6 or Drupal 7 »
Does anyone want to make a neat little open-sourced graphic of a honey pot that I could use on the module's home page? I want to do one myself, but just don't have the time to do illustration much ;-)
Comments
Submitted by sfk (not verified) on October 25, 2011 - 9:48pm.
Great module! Not in use on a live website yet, but I like it very much. I hate captcha, answering a stupid question on any form... Thank you! But why does this site use captcha?
happy end-re
Submitted by Jeff Geerling on November 2, 2011 - 11:10pm.
Unfortunately, on this website (and on a few others I run), spam is such a problem that Honeypot isn't enough protection. Honeypot works great up to a point—once spammers start targeting a site (because it gets good Google PageRank, mostly), you have to start using stronger form protection (I'm using Mollom here).
Check out my personal website: www.lifeisaprayer.com.
Submitted by Jeff Geerling on November 5, 2011 - 10:02pm.
I just posted an article on my personal website about Preventing Form Spam, and included Honeypot as an example of a first-level spam prevention technique.
Submitted by Oliver (not verified) on August 27, 2012 - 6:41am.
I will implement this, along with httpbl, as a fallback. I hope that this will take care of the spammers. :) Thanks for this module.
Submitted by Al (not verified) on September 10, 2012 - 12:11pm.
Simple question: how do you show the honeypot field on the page such that it displays to spambots, but not to screenreaders? The only methods I can think of are visual, which would mean the field was read out to people using screenreaders (e.g. people who are blind or partially sighted) as if it was a regular field they should fill in.
Submitted by Jeff Geerling on September 10, 2012 - 12:15pm.
Typically, screen readers won't announce elements that have display: none applied via CSS, and that's how the Honeypot module hides the field. Also, adding a description text like "don't fill out this field" can help.