Honeypots For Ghost Form Submissions (Web Spam / Form Spam)

Posted by Netmatters
5th February 2016

Websites with spam content are rendered as low quality by search engines and users alike.

This could be reduced by moderating the number of comment spam your website receives with a Honeypot extension.

Site owners may from time-to-time receive a large proportion of emails originating from their own websites. Generally, these are created forms which have been added to the site to collect visitor information (contact forms, enquiry forms, download forms, etc).

Some rogue users have tools which will take advantage of these forms to automatically push a message to the intended recipient of these, usually to try sell them something.

Recipients of these messages, typically the website owner, will mistakenly assume that the way to prevent these is to adjust the settings on their email accounts, when the root cause is in fact within the web forms themselves.

The most popular known method of preventing these 'Ghost Form Submissions' is to implement a CAPTCHA check to the form. This will request the user to confirm they are a real user by answering a simple, randomly generated question (ie: type the code you see on the image, what is 3+4?, etc).

Google Captcha Example

A lesser known alternative, but one which provides a much better user experience, is the inclusion of 'Honeypots' (so called because they lure automated submissions into a sticky situation).

A Web From Honeypot works on the principle that bots (automated submission programs) are on the look out for certain items within a form - often an email field - to help them identify bots from true users.

The example below shows a web form making use of a honeypot trap designed to separate bots from users, and allow only genuine visitors to submit their information.

The web form:
<form action="send-mail.php" method="post">
   <input id="email_is_bot" name="email" size="25" value="" />
   <input id="email_no_bot" name="email-user" size="25" value="" />
   ... any other fields required.
The css rule:
#email_is_bot {
   display: none;
mail sender (send-mail.php):
// only process form and send email if 'email' field is empty.
// real users will never see it, so would never pass a value.
// bots by default look for an 'email' field and generate a value for it.
if ($POST['email'] == "") {
Logging and reviewing activity via the Honeypot can provide valuable insight into the types of threat your network infrastructure may be facin.

For more information, contact us via the contact form below or call us on 01603 515007