Honey Pot help?

Hi Guys!

Sorry for my post here to be asking for your wisdom in helping me fix an issue but I’ve run out of patience! I’ve inherited a website with my current job built by someone who previously worked for the company. When building they didn’t put any sort of anti-spam filters onto the enquiry form and the amount of emails from bots is getting unmanageable and is a constant issue!

I’ve looked up and used tutorials previously but they all seem to be coded differently than my own, I’m okay with HTML and CSS but anything further than that and I start to get muddled up, so I’m very wary of breaking it.

What I would like to do is add a honeypot field that can filter out some of the bots that we’re getting but as I’ve said I’ve been unable to, below is a link to the webpage in question along with the HTML and PHP for the form.

Any help is greatly appreciated!

http://www.nationwideutilities.com/enquire.html

<form id="enquiryForm" class="imageBox" name="enquiryForm" method="post" action="scripts/enquiry.php">
<h2 class="fontFace">Request a callback</h2>
<label for="name">Name<span>*</span>:</label><input type="text" name="name" id="name" />
<label for="company">Company:</label><input type="text" name="company" id="company" />
<label for="telephone">Telephone<span>*</span>:</label><input type="text" name="telephone" id="telephone" />
<label for="email">Email:</label><input type="text" name="email" id="email" />
<input type="submit" class="buttonBig yellow" name="submit" value="Enquire now" />
<p>We will not share your information with third parties.</p>
<p><span>*</span>required</p>
</form>
<?php
$mailto = 'webenquiries01@nationwideutilities.com' ;
$subject = "CALLBACK REQUEST from www.nationwideutilities.com" ;

$formurl = "http://www.nationwideutilities.com/enquire.html" ;
$errorurl = "http://www.nationwideutilities.com/enquire-notsent.html" ;
$thankyouurl = "http://www.nationwideutilities.com/enquire-thankyou.html" ;

$uself = 0;

// Header separator: CRLF unless $uself is set
$headersep = (!isset( $uself ) || ($uself == 0)) ? "\r\n" : "\n" ;

// Not a form submission: send the visitor back to the form
if (!isset($_POST['telephone'])) {
	header( "Location: $formurl" );
	exit ;
}

$name = $_POST['name'] ?? '' ;
$company = $_POST['company'] ?? '' ;
$telephone = $_POST['telephone'] ;
$email = $_POST['email'] ?? '' ;

$http_referrer = getenv( "HTTP_REFERER" );

// Required fields
if (empty($name) || empty($telephone)) {
	header( "Location: $errorurl" );
	exit ;
}
// Reject CR/LF in submitted values; $name and $email both end up in the From: header
if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $telephone ) || preg_match( "/[\r\n]/", $email ) ) {
	header( "Location: $errorurl" );
	exit ;
}

$messageproper =
	"\nHello,\n" .
	"\nThis is an enquiry coming from: $http_referrer\n" .
	"\n=====================\n" .
	"CONTACT INFORMATION:\n\n" .
	"Name: $name\n" .
	"Company: $company\n" .
	"Telephone: $telephone\n" .
	"Email: $email\n\n" ;

mail($mailto, $subject, $messageproper,
	"From: \"$name\" <$email>" . $headersep . "X-Mailer: chfeedback.php 2.07" );
header( "Location: $thankyouurl" );
exit ;
?>

What’s complicated about adding the honey pot to this page? All he needs to do is add a hidden input textbox to his form, and some php code to the form handler. Here’s what I use (maybe someone else has something that works better) -

Put this in the form:

<input type="text" id="honeypot" name="honeypot" placeholder="Leave Blank If Human" autocomplete="off" />

Put this in the form handler code:

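// A human never sees the hidden field, so any value in it means a bot filled it in
if (isset($_POST['honeypot']) && $_POST['honeypot'] != '') {
	die("This form submission has been compromised. If you are a human, please try again.");
}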

You might also want to consider adding a hidden field with a timestamp and, once the form is submitted, compare the timestamp with what will now be the current time, and if there is less than a given number of seconds elapsed, reject what has been submitted on the basis of it being a suspected bot (submitting data quicker than a human could).
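Added example, not code from any poster in this thread: a sketch of the timestamp check suggested above. A bare timestamp in a hidden field can simply be rewritten by the bot, so this version signs it with a server-side secret. The names `FORM_SECRET`, `MIN_SECONDS`, `MAX_AGE` and both functions are assumptions, and the form page has to be served by PHP (not a static `.html` file) so the token can be written into a hidden input.

```php
<?php
// Added example: signed render-time token for a minimum-fill-time check.
// FORM_SECRET, MIN_SECONDS and MAX_AGE are assumed names and values.
const FORM_SECRET = 'replace-with-a-long-random-server-side-secret';
const MIN_SECONDS = 3;     // anything submitted faster is treated as a bot
const MAX_AGE     = 3600;  // old tokens are refused, which limits replay

// Called when the form page is rendered; the result goes in a hidden input.
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Called in the form handler. Returns 'ok' or the reason for rejection.
function check_form_token(string $token, int $now): string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed';
    }
    [$issued, $mac] = $parts;
    // Constant-time comparison against the MAC the server would have issued
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $mac)) {
        return 'forged';   // the client edited or invented the timestamp
    }
    $elapsed = $now - (int) $issued;
    if ($elapsed < MIN_SECONDS) {
        return 'too_fast';
    }
    if ($elapsed > MAX_AGE) {
        return 'expired';
    }
    return 'ok';
}

// Constructed walk-through with a fixed clock so every run behaves the same.
$rendered = 1700000000;
$token    = issue_form_token($rendered);
$backdated = ($rendered - 60) . substr($token, 10);   // timestamp changed, MAC kept

echo check_form_token($token, $rendered + 1), "\n";      // submitted after 1 second
echo check_form_token($token, $rendered + 20), "\n";     // submitted after 20 seconds
echo check_form_token($backdated, $rendered + 1), "\n";  // bot backdates the timestamp
echo check_form_token($token, $rendered + 7200), "\n";   // token replayed two hours later
```

In the handler, anything other than `'ok'` would take the same `$errorurl` redirect the script already uses for bad input.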

My response “What’s complicated about adding the honey pot to this page?” was in reference to a post saying that adding a honey pot to an already coded form was too complicated. This post has since been removed by the mods, I guess. It was not intended for the OP and it sounds a bit off without the post it was intended for. Sorry.

Hi guys appreciate the help! (And the clear up on the post - I was a little baffled at first!)

I’ll give it a go and see how it goes

Okay so I’ve added the code supplied by WebMachine into the existing pages and included the CSS to hide the form but I’m getting this as a result, any advice?

In your css, use the following code to hide the honeypot (Sorry I forgot to include that in my original code :slight_smile: )

#honeypot {
     display: none;
}

Thanks for all the help! I believe I’ve got it to work, is it worth changing the name from ‘honeypot’ to something a little less obvious for the bots?

I’ll leave it for now, as long as it’s working and the spam is decreased that’s all that matters!

Thanks again!

You can name it anything you want, if you follow the php naming convention. Just make sure you change every instance of “honeypot” to your new name.

I’m glad it worked for you.

Update.

Having had the honey pot up for almost two weeks now the spam email has gone from 10-20 per day down to zero so far! So I’m just extending my thanks to the users that helped out! Thanks guys!

I was giving this very subject some thought, not too long ago.

I know it’s highly unlikely to happen, but what if the creator of the bot notices that it isn’t working with your form, does a “View Source”, and bypasses the honeypot field?

I was working on a randomization script that would not only randomly change the position of the hidden field within the form so the location couldn’t be indexed, but would also randomly name the “display:none;” CSS class, name, and ID for the input field.

Yeah, I know… overkill… :slight_smile: Glad the OP has fixed the SPAM issue.
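Added example, not the poster's script: one way to get the per-render field name and CSS class described above without keeping any server-side state. The trap name is derived from a random nonce with an HMAC, so the handler can recompute it from the submitted nonce. `TRAP_SECRET`, the `form_nonce` field and all function names are assumptions; randomising the field's position in the form is not covered.

```php
<?php
// Added example: honeypot whose name and CSS class change on every render.
// TRAP_SECRET and the "form_nonce" field name are assumed, not from the thread.
const TRAP_SECRET = 'replace-with-a-long-random-server-side-secret';

// The handler can recompute this from the nonce alone, so no session is needed.
function trap_field_name(string $nonce): string
{
    return 'f_' . substr(hash_hmac('sha256', $nonce, TRAP_SECRET), 0, 12);
}

// Markup to drop into the form: a style rule, the nonce and the trap input.
function render_trap_fields(string $nonce): string
{
    $name  = trap_field_name($nonce);
    $class = 'c_' . substr($name, 2);
    return implode("\n", [
        sprintf('<style>.%s{display:none}</style>', $class),
        sprintf('<input type="hidden" name="form_nonce" value="%s" />',
                htmlspecialchars($nonce, ENT_QUOTES)),
        sprintf('<input type="text" name="%s" class="%s" tabindex="-1" autocomplete="off" />',
                $name, $class),
    ]);
}

// True when the submission should be dropped.
function is_trapped(array $post): bool
{
    $nonce = $post['form_nonce'] ?? '';
    if (!is_string($nonce) || !ctype_xdigit($nonce)) {
        return true;                      // nonce missing or not what was issued
    }
    $name = trap_field_name($nonce);
    // A browser submits the hidden text input empty; absent or filled means a bot.
    return !isset($post[$name]) || $post[$name] !== '';
}

$nonce = bin2hex(random_bytes(8));        // fresh for every page render
echo render_trap_fields($nonce), "\n";

// Constructed submissions: a browser leaves the trap empty, a bot fills every field.
$human = ['form_nonce' => $nonce, 'name' => 'Ann', trap_field_name($nonce) => ''];
$bot   = ['form_nonce' => $nonce, 'name' => 'x', trap_field_name($nonce) => 'http://spam.example'];
var_dump(is_trapped($human), is_trapped($bot));
```

This only stops a bot from hard-coding one field name to skip; someone who reads the rendered source of a single page can still see which input is hidden, which is the bypass the post describes.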

Thanks Brandman. It’s great to have some feedback like that in a thread. :slight_smile:

Hi,
If the spam starts again I would consider changing the id of the hidden field. If it’s called ‘honeypot’ or ‘spamtrap’ etc. it would be reasonable to assume that the bot would be programmed to ignore certain fields with specific IDs and get past your spamtrap.

I called a folder ‘adverts’ for an image folder and couldn’t work out why my computer at home wasn’t showing them. Then realized I have an ad blocker which was seeing the folder name and blocking it. So programs do look at folder names and IDs and I would assume a bot could be programmed to do the same.

I was getting spam through my forms. The bots finally broke a really simple anti-spam random 4 digit check I had, so tried Google reCAPTCHA and that was worse than useless. So in the end I put up a single picture of an animal and asked the user to write what the animal is in the picture. E.g. horse (if your picture is a horse :wink: ). Haven’t had a single bit of spam since and haven’t had to change the image. The bots aren’t clever enough to ‘see’ what is in the picture.

hth

Thanks for that ‘folder name’ suggestion. I am going to make that change to my honeypots too.

What effect does the image anti-spam technique have on accessibility? It’s a great idea, but I have a few concerns about visually challenged users.

Good point, might have to adjust the way I am doing this too. Either adopt the honeypot method above or perhaps add an audio clip to my system. HTML5 is nice and easy to play an audio clip now.

thanks