Comments on: Honeypot Captcha

By: Gavin

Gavin — Sun, 28 Oct 2007 22:17:56 +0000

This is an ancient technique now, nothing new. However I find it quite effective. I haven’t had a single bot surpass a simple display:none; yet.

“This makes no sense. Why hide a CAPTCHA?” – Steven

So that the user doesn’t have to fill out a CAPTCHA. Duh. Also, you don’t hide the captcha, you just EXCLUDE a captcha altogether, and put in a hidden field that BOTS can see, but USERS can’t, thus if it’s filled out, you assume it’s a bot/spam. This process basically means NO extra fields or work for the user. And you’d be surprised at how many users despise CAPTCHA’s.

By: Anon

Anon — Sun, 28 Oct 2007 07:27:20 +0000

If you could sent out faked packets to make it look like they were coming from the spammers IP address and then route them to the Storm C&C controls; it would in turn attack that address.

Why not get one bad person to attack another? That’ll teach ‘em.

By: Breton

Breton — Sun, 28 Oct 2007 01:59:15 +0000

I wonder if anyone has thought to fake a successful post to those user agents detected as being spammy? They would happily post and post again, never thinking that they were being blocked, and meanwhile it would prevent or delay the human operator from adjusting the spam bot.

Any comments?

By: Josh Clark

Josh Clark — Sat, 27 Oct 2007 10:38:57 +0000

While there's no single silver-bullet solution for preventing spam, I can vouch for honeypots as an effective element in an anti-spam arsenal. When I built the comment system for the Big Medium CMS, I used honeypots, along with several other methods, to defeat spambots. So far so good. For what it's worth, I wrote up these strategies in a blog post titled Seven Habits of Highly Effective Spambot Hunters. As I note there, though, many of these strategies have some notable accessibility issues, relying on CSS (as with this honeypot technique) or JavaScript in ways that may leave some visitors out in the cold. And of course most programmatic attempts to block spam will have little or no effect on living, breathing human spammers... But hey, every little bit helps, and by combining techniques, you can still go far to reduce the impact of spambots.

By: Laszlo Marai

Laszlo Marai — Sat, 27 Oct 2007 00:11:02 +0000

Glen: As I told above any of these tricks will work as long as they don’t become widespread. Then they’ll tune their bots. There’s nothing hard in overcoming _any_ css tricks. The bot just needs to parse the CSS and maybe do a simple in-memory layout of the page as a bruteforce solution. Then it can examine which elements are visible and which ones are not. You seem to forget that all browsers can render CSS. And the code is freely available in firefox…

By: Steve Roussey

Steve Roussey — Fri, 26 Oct 2007 23:36:11 +0000

This has worked surprisingly well for me for several years now. It is more useful when combined with other things, and when the blank field is given a name like ‘email’ and the email field is actually called ‘asdfdd’ (or the name rotated).

By: Mike Ritchie

Mike Ritchie — Fri, 26 Oct 2007 23:28:24 +0000

Or maybe you could style the input with a background image that says “Don’t fill this in”? The one on this site seems to work well too, with a random answer field. The only way that could be defeated is if the attacker visited the site in his actual browser enough to get a list of all the random fields.

By: Matt

Matt — Fri, 26 Oct 2007 19:06:18 +0000

Or you could hide it behind another element. The bot wouldn’t be able to tell by inspecting the field itself.

By: Martin

Martin — Fri, 26 Oct 2007 18:53:02 +0000

Well, you have a finite amount of style attribute you can use to hide the field. When the bot has a DOM model and a JS engine built in, it can determine how a field looks like to a real user. Just retrieve the effective style and check the values.

By: Glen Lipka

Glen Lipka — Fri, 26 Oct 2007 17:50:01 +0000

The field doesn’t have to be “display:none”. It could just be a random set of things, to make it hard, width: 0px; height: 0px; or position: absolute; top:-50000px; or the color/background/border could be changed color to make it look invisible. Any combination of these things would make it nearly impossible to recognize by a computer.

By: Andy

Andy — Fri, 26 Oct 2007 15:27:20 +0000

Steven: My site got hit by spambots over a year ago and I managed to track down the software that was used. It is available online for just $450: http://www.botmaster.net/more1/ Not sure I'd want to give them my credit card details though.

By: mdmadph

mdmadph — Fri, 26 Oct 2007 14:32:30 +0000

Aye, definitely a neat idea, and a good proof of concept. But until spammers get human-level AI on their hands, image (and audio) captchas is what I’ll be using. Haven’t had spammers get through them in years.

By: Nate

Nate — Fri, 26 Oct 2007 14:11:43 +0000

I was thinking about this the other day. What if you just did a position:absolute; left: -5000px; on the input field or input container? This way the bots wouldn’t even have a display:none; to look at, but the field would be off screen and hidden from all human users. You could even pre-populate the captcha input element with “Do not fill out” so the humans would ignore the field if they had no CSS available. In my experience, the bots would still overwrite it. Of course, it would be trivial to bypass…

By: Marcel

Marcel — Fri, 26 Oct 2007 13:43:20 +0000

I experimented with making all posts go through my mailserver (which has good anti-spam and anti-phishing software) as an e-mail. My website would then call a function that opens that specific mailbox, finds the e-mail by the expected subject and looks at the spam score.

Depending on that score I let it post the contents of the e-mail message, or I block it.

The spamfilters are updated automatically on a regular basis. So I’m always one step ahead of spammers. Worst case scenario: I have to lower my “delete message when spam score is higher than X” setting a bit.

That in addition to a 3-number Captcha field (slightly scrambled) to fend off the old fashioned spammers.. well, so far.. it works like a charm :-)

By: Laszlo Marai

Laszlo Marai — Fri, 26 Oct 2007 13:35:03 +0000

Yepp, all hacks like this will be worked around after a while. The bots will have a quite potent web browser in them in the end (without the UI of course). Nothing keeps the bot from parsing the CSS. Finding a “display: none” attribute is not that hard.

Hashcash is on the other hand a good solution even if they use a built in script engine because it makes the bot do a small amount of computation and thus slows it down. That’s the intent behind hashcash.

By: John Wards

John Wards — Fri, 26 Oct 2007 13:15:49 +0000

Ah sadly thats been figured out by quite a few bots. We have been using that technique for a year or so but have had to switch to an image based one on our more popular sites.