Friday, October 26th, 2007

Honeypot Captcha

Category: Security

Phil Haack has a new take on using a Honeypot technique for CAPTCHA.

The most similar technique to this one is what WP-HashCash does, using JavaScript to fill out a form before it gets submitted, and assuming that evil bots don’t grok JavaScript. Unfortunately, I have found in the past that some bots seem to run Rhino and do even do JavaScript-y things.

Honeypot takes the opposite approach, and assumes that bots will fill out form field with names that it understands:

To exploit this, you can create a honeypot form field that should be left blank and then use CSS to hide it from human users, but not bots. When the form is submitted, you check to make sure the value of that form field is blank.

The problem is that if a certain reader doesn’t take the CSS into account then users will also start putting in data. Ah, the noble goal of invisible CAPTCHA. Would this work for you?

Posted by Dion Almaer at 7:52 am

3.7 rating from 30 votes


Comments feed TrackBack URI

Ah sadly thats been figured out by quite a few bots. We have been using that technique for a year or so but have had to switch to an image based one on our more popular sites.

Comment by John Wards — October 26, 2007

Yepp, all hacks like this will be worked around after a while. The bots will have a quite potent web browser in them in the end (without the UI of course). Nothing keeps the bot from parsing the CSS. Finding a “display: none” attribute is not that hard.

Hashcash is on the other hand a good solution even if they use a built in script engine because it makes the bot do a small amount of computation and thus slows it down. That’s the intent behind hashcash.

Comment by Laszlo Marai — October 26, 2007

I experimented with making all posts go through my mailserver (which has good anti-spam and anti-phishing software) as an e-mail. My website would then call a function that opens that specific mailbox, finds the e-mail by the expected subject and looks at the spam score.

Depending on that score I let it post the contents of the e-mail message, or I block it.

The spamfilters are updated automatically on a regular basis. So I’m always one step ahead of spammers. Worst case scenario: I have to lower my “delete message when spam score is higher than X” setting a bit.

That in addition to a 3-number Captcha field (slightly scrambled) to fend off the old fashioned spammers.. well, so far.. it works like a charm :-)

Comment by Marcel — October 26, 2007

I was thinking about this the other day. What if you just did a position:absolute; left: -5000px; on the input field or input container? This way the bots wouldn’t even have a display:none; to look at, but the field would be off screen and hidden from all human users. You could even pre-populate the captcha input element with “Do not fill out” so the humans would ignore the field if they had no CSS available. In my experience, the bots would still overwrite it. Of course, it would be trivial to bypass…

Comment by Nate — October 26, 2007

Aye, definitely a neat idea, and a good proof of concept. But until spammers get human-level AI on their hands, image (and audio) captchas is what I’ll be using. Haven’t had spammers get through them in years.

Comment by mdmadph — October 26, 2007

Steven: My site got hit by spambots over a year ago and I managed to track down the software that was used. It is available online for just $450:

Not sure I’d want to give them my credit card details though.

Comment by Andy — October 26, 2007

The field doesn’t have to be “display:none”. It could just be a random set of things, to make it hard, width: 0px; height: 0px; or position: absolute; top:-50000px; or the color/background/border could be changed color to make it look invisible. Any combination of these things would make it nearly impossible to recognize by a computer.

Comment by Glen Lipka — October 26, 2007

Well, you have a finite amount of style attribute you can use to hide the field. When the bot has a DOM model and a JS engine built in, it can determine how a field looks like to a real user. Just retrieve the effective style and check the values.

Comment by Martin — October 26, 2007

Or you could hide it behind another element. The bot wouldn’t be able to tell by inspecting the field itself.

Comment by Matt — October 26, 2007

Or maybe you could style the input with a background image that says “Don’t fill this in”? The one on this site seems to work well too, with a random answer field. The only way that could be defeated is if the attacker visited the site in his actual browser enough to get a list of all the random fields.

Comment by Mike Ritchie — October 26, 2007

This has worked surprisingly well for me for several years now. It is more useful when combined with other things, and when the blank field is given a name like ’email’ and the email field is actually called ‘asdfdd’ (or the name rotated).

Comment by Steve Roussey — October 26, 2007

Glen: As I told above any of these tricks will work as long as they don’t become widespread. Then they’ll tune their bots. There’s nothing hard in overcoming _any_ css tricks. The bot just needs to parse the CSS and maybe do a simple in-memory layout of the page as a bruteforce solution. Then it can examine which elements are visible and which ones are not. You seem to forget that all browsers can render CSS. And the code is freely available in firefox…

Comment by Laszlo Marai — October 26, 2007

While there’s no single silver-bullet solution for preventing spam, I can vouch for honeypots as an effective element in an anti-spam arsenal. When I built the comment system for the Big Medium CMS, I used honeypots, along with several other methods, to defeat spambots. So far so good.

For what it’s worth, I wrote up these strategies in a blog post titled Seven Habits of Highly Effective Spambot Hunters. As I note there, though, many of these strategies have some notable accessibility issues, relying on CSS (as with this honeypot technique) or JavaScript in ways that may leave some visitors out in the cold. And of course most programmatic attempts to block spam will have little or no effect on living, breathing human spammers… But hey, every little bit helps, and by combining techniques, you can still go far to reduce the impact of spambots.

Comment by Josh Clark — October 27, 2007

I wonder if anyone has thought to fake a successful post to those user agents detected as being spammy? They would happily post and post again, never thinking that they were being blocked, and meanwhile it would prevent or delay the human operator from adjusting the spam bot.

Any comments?

Comment by Breton — October 27, 2007

If you could sent out faked packets to make it look like they were coming from the spammers IP address and then route them to the Storm C&C controls; it would in turn attack that address.

Why not get one bad person to attack another? That’ll teach ’em.

Comment by Anon — October 28, 2007

This is an ancient technique now, nothing new. However I find it quite effective. I haven’t had a single bot surpass a simple display:none; yet.

“This makes no sense. Why hide a CAPTCHA?” – Steven

So that the user doesn’t have to fill out a CAPTCHA. Duh. Also, you don’t hide the captcha, you just EXCLUDE a captcha altogether, and put in a hidden field that BOTS can see, but USERS can’t, thus if it’s filled out, you assume it’s a bot/spam. This process basically means NO extra fields or work for the user. And you’d be surprised at how many users despise CAPTCHA’s.

Comment by Gavin — October 28, 2007

Leave a comment

You must be logged in to post a comment.