Improving a honeypot implementation (form anti-spam)

How do we get rid of these spam bots on our site?

Every site falls victim to spambots at some point. How you handle it affects your customers, and most solutions prevent some people from filling out your forms.

That's where the honeypot technique comes in. It allows you to ignore spambots without forcing your users to fill out a captcha or jump through other hoops to fill out your form.

This post is purely to help others implement a honeypot trap on their website forms.


Update:

Since implementing the honeypot below on all of my clients' sites, we have successfully stopped 99.5% of all our spam (thousands of submissions). That is without using the techniques mentioned in the "Advanced" section, which will be implemented soon.


Concept

By adding an invisible field to your forms that only spambots can see, you can trick them into revealing that they are spambots and not actual end-users.

HTML

<input type="checkbox" name="contact_me_by_fax_only" value="1" style="display:none !important" tabindex="-1" autocomplete="off">

Here we have a simple checkbox that:

  • Is hidden with CSS.
  • Has an obscure but obviously fake name.
  • Has a default value equivalent to 0.
  • Can't be filled by auto-complete.
  • Can't be navigated to via the Tab key. (See tabindex)

Server-Side

On the server side we want to check to see if the value exists and has a value other than 0, and if so handle it appropriately. This includes logging the attempt and all the submitted fields.

In PHP it might look something like this:

$honeypot = FALSE;
if (!empty($_REQUEST['contact_me_by_fax_only']) && (bool) $_REQUEST['contact_me_by_fax_only'] == TRUE) {
    $honeypot = TRUE;
    log_spambot($_REQUEST);   // log every submitted field for later review
    # treat as spambot
} else {
    # process as normal
}

Fallback

This is where the log comes in. In the event that somehow one of your users ends up being marked as spam, your log will help you recover any lost information. It will also allow you to study any bots running on your site, should they be modified in the future to circumvent your honeypot.

Reporting

Many services allow you to report known spambot IPs via an API or by uploading a list. (Such as CloudFlare) Please help make the internet a safer place by reporting all the spambots and spam IPs you find.

Advanced

If you really need to crack down on a more advanced spambot, there are some additional things you can do:

  • Hide the honeypot field purely with JS instead of plain CSS.
  • Use realistic form input names that you don't actually use. (such as "phone" or "website")
  • Include form validation in the honeypot algorithm. (most end-users will only get 1 or 2 fields wrong; spambots will typically get most of the fields wrong)
  • Use a service like CloudFlare that automatically blocks known spam IPs.
  • Have form timeouts, and prevent instant posting. (forms submitted in under 3 seconds of the page loading are typically spam)
  • Prevent any IP from posting more than once a second.
  • For more ideas look here: How to create a "Nuclear" honeypot to catch form spammers
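Putting the honeypot check together with two of the advanced ideas above (a minimum fill time enforced through a signed render-time token, and a one-post-per-second limit per IP), as an added Ruby example that is not from the original post; the field names, the placeholder SECRET and the in-memory per-IP table are assumptions made for this example:

```ruby
require 'openssl'

# Added example, not code from the original post. Combines the hidden honeypot
# field with a minimum fill time and a per-IP rate limit. SECRET (a placeholder),
# the field names and the in-memory per-IP table are assumptions.
SECRET = 'placeholder-secret-change-me'.freeze
HONEYPOT_FIELD = 'contact_me_by_fax_only'.freeze
TOKEN_FIELD = 'form_token'.freeze
MIN_FILL_SECONDS = 3       # posts under 3 s after page load are treated as spam
MIN_INTERVAL_PER_IP = 1.0  # no IP may post more than once a second

# Render-time: embed this in a hidden field so the server can later prove
# when the page was served. The HMAC stops a bot from back-dating it.
def form_token(issued_at, secret = SECRET)
  ts = issued_at.to_i.to_s
  "#{ts}.#{OpenSSL::HMAC.hexdigest('SHA256', secret, ts)}"
end

# Constant-time comparison so the MAC cannot be guessed byte by byte.
def same_mac?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the issue time (Integer epoch seconds) if the token is intact, else nil.
def token_issued_at(token, secret = SECRET)
  ts, mac = token.to_s.split('.', 2)
  return nil if ts.nil? || mac.nil? || ts !~ /\A\d+\z/
  same_mac?(mac, OpenSSL::HMAC.hexdigest('SHA256', secret, ts)) ? ts.to_i : nil
end

# Per-IP last-post times; a real deployment would keep this in a shared store.
LAST_POST_AT = Hash.new(0.0)

# Classifies one submission. Returns [:ok, nil] or [:spam, reason]; the caller
# should log the full params on :spam so a false positive can be recovered.
def classify_submission(params, ip:, now: Time.now)
  # 1. Honeypot: a real browser never sends the hidden field with a value.
  return [:spam, :honeypot_filled] unless params[HONEYPOT_FIELD].to_s.empty?
  # 2. Timing: token missing/forged, or the form was posted too quickly.
  issued = token_issued_at(params[TOKEN_FIELD])
  return [:spam, :bad_token] if issued.nil?
  return [:spam, :too_fast] if now.to_i - issued < MIN_FILL_SECONDS
  # 3. Rate limit: reject a second post from the same IP within one second.
  previous = LAST_POST_AT[ip]
  LAST_POST_AT[ip] = now.to_f
  return [:spam, :rate_limited] if now.to_f - previous < MIN_INTERVAL_PER_IP
  [:ok, nil]
end
```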

One suggestion to really force the no-autocompletion:
change autocomplete="off" to autocomplete="nope" OR autocomplete="false"

Since the given value is not a valid one (values for autocomplete are only on or off), the browser will stop trying to fill the field.

For more details, see How to Turn Off Form Autocompletion.

Hope this helps.

SYA :)

We found that a slight (though simple) variation on the suggestions here made a huge difference in the effectiveness of our contact form honeypot. In short, change the hidden field to a text input, and make the bot think it's a password. Something like this:

<input type="text" name="a_password" style="display:none !important" tabindex="-1" autocomplete="off">

You'll note that this mock-password input keeps to the same basic guidelines as the checkbox example. And yes, a text input (as opposed to an actual password input) seems to work just fine.

This apparently minor change resulted in a drastic drop in spam for us.

If you are using Ruby on Rails, you can try the invisible_captcha gem, a solution based on this honeypot technique.

It works pretty well! At least for small/medium sites... I've been using it in production for years, in several Rails apps, with very good results (we hardly receive any spam since implementing it in "contact" forms, sign-up, etc).

It also provides some extras (already listed in https://stackoverflow.com/a/36227377/3033649):

  • time-sensitive submissions
  • IP based spinner validation

Basic usage

In your form:

<%= form_for(@user) do |f| %>
  <%= invisible_captcha %>
  ...
<% end %>

In your controller:

class UsersController < ApplicationController
  invisible_captcha only: [:create]
  ...
end

And you're done! Hope it helps!