Honeypots For Ghost Form Submissions (Web Spam / Form Spam)

Netmatters Ltd
Posted by Netmatters Ltd
5th February 2016

Site owners may from time-to-time receive a large proportion of emails originating from their own websites. Generally, these are created forms which have been added to the site to collect visitor information (contact forms, enquiry forms, download forms, etc).

Some rogue users have tools which will take advantage of these forms to automatically push a message to the intended recipient of these (usually to try sell them something).

Recipients of these messages (generally the website owners) will often mistakenly assume that the way to prevent these is to adjust settings on their email accounts, when the root cause is actually within the web forms themselves.

The most popular known method of preventing these Ghost Form Submissions at this point in time is CAPTCHA checks, where a site visitor is asked to confirm they are a real user by answering a simple question (ie: type the code you see on the image, what is 3+4?, etc).

A lesser known alternative, but one which provides a much better user experience because it doesn't require the user to do anything extra, is the inclusion of HONEYPOTS (so called because they lure automated submissions into a sticky situation).

A Web From Honeypot works on the principle that bots (automated submission programs) are on the look out for certain items within a form - often an email field - to help them identify bots from true users.

The example below shows a web form making use of a honeypot trap designed to separate bots from users, and allow only genuine visitors to submit their information.


The web form:
<form action="send-mail.php" method="post">
   <input id="email_is_bot" name="email" size="25" value="" />
   <input id="email_no_bot" name="email-user" size="25" value="" />
   ... any other fields required.
The css rule:
#email_is_bot {
   display: none;
mail sender (send-mail.php):
// only process form and send email if 'email' field is empty.
// real users will never see it, so would never pass a value.
// bots by default look for an 'email' field and generate a value for it.
if ($POST['email'] == "") {

Guides See How We Do It