How to Use Honeypots to Fight Spam


We recently released an awesome plugin named OSpam-a-not. This extension protects your forms from a flood of spam. At the moment it's only available for Joomla, but we also plan to release a WordPress version.

The good news is that you can apply part of the OSpam-a-not code in any situation because it uses a "Honeypot" technique.

In this tutorial, I'm going to explain what a Honeypot technique is and how you can use it.

Step #1. The HTML code

Here's a sample HTML contact form with 3 fields:

  • Name
  • Email
  • Message

To follow this tutorial, save this code in a file called contact.html.

Disclaimer: Please note that this is only a very basic contact form and this code shouldn't be used for a real website.


<form name="contact" method="post" action="contact.php">
    <div>
        <input type="text" name="name" value="" placeholder="Name" />
    </div>
    <div>
        <input type="email" name="email" value="" placeholder="Email" />
    </div>
    <div>
        <textarea name="message" placeholder="Message"></textarea>
    </div>
    <div>
        <input type="submit" name="submit" value="Submit"/>
    </div>
</form>

Step #2. The hidden field

So far this form looks like a regular contact page. Let’s add an input field inside the form with a dummy name:


<input type="text" name="name_here_goes" value="" />

We want this input field to be invisible to users, so we'll also add a CSS rule that hides it:


<style type="text/css">
input[name="name_here_goes"]{
    display: none;
}
</style>

This invisible field will work as bait for spam bots.

Step #3. The PHP code

Now let's create a PHP file named contact.php with the following code:


<?php
// Section 1. The bait field must be empty. A bot that fills in every
// input it finds will put something here, a real visitor never sees it.
$honeypot = isset($_POST['name_here_goes']) ? trim($_POST['name_here_goes']) : '';
if ($honeypot === '') {

    // Section 2. Every visible field must be filled in. The e-mail address
    // is also validated, because it is copied into the mail headers below:
    // FILTER_VALIDATE_EMAIL rejects CR/LF, so a submitted address cannot
    // smuggle extra header lines into mail().
    $name    = isset($_POST['name'])    ? trim($_POST['name'])    : '';
    $email   = isset($_POST['email'])   ? trim($_POST['email'])   : '';
    $message = isset($_POST['message']) ? trim($_POST['message']) : '';

    if ($name !== '' && $message !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {

        $to      = 'to@nomail.com';
        $subject = 'Contact Form';
        $body    = $name . ': ' . $message;
        $headers = 'From: ' . $email . "\r\n" .
                   'Reply-To: ' . $email . "\r\n" .
                   'X-Mailer: PHP/' . phpversion();

        // Section 3.
        if (mail($to, $subject, $body, $headers)) {
            echo 'Email sent. Congrats!';
        } else {
            echo 'The email could not be sent.';
        }
    } else {
        echo 'Please fill all the info.';
    }

} else {

    // Section 4.
    echo 'Spam detected!';

}

Let's split the code into 4 sections to explain the purpose of each one:

  • Section 1. This checks to see if the invisible field is empty.
  • Section 2. This validates that all the fields are filled in.
  • Section 3. This sends the email.
  • Section 4. If the invisible field is not empty, the form is being submitted by a bot and the email is not sent.

By adding our invisible field name_here_goes we trick the bots, because they automatically fill in every field they find. The key to the Honeypot technique is that the email can only be sent when this field remains empty.
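The following is an added example that is not code from the original tutorial or from OSpam-a-not. It packages the ideas of Step 2 and Step 3 into two reusable functions: one renders the bait field with attributes that keep browser autofill, the tab key and screen readers away from it (so a real visitor never fills it by accident), and one classifies a submission. The classifier goes one step beyond the tutorial: a browser always submits the hidden input, with an empty value, so a request that lacks the field entirely did not come through the form and is treated as spam too. The field names, verdict strings and the sample submissions at the bottom are constructed for illustration; run it with the php command line.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original tutorial or of OSpam-a-not.
// Field names, verdict strings and sample submissions are constructed.

// Renders the bait input for the form. Together with the display:none rule
// from Step 2, the extra attributes keep autofill, keyboard focus and
// assistive technology away from the field.
function render_trap_field(string $trapField = 'name_here_goes'): string
{
    $name = htmlspecialchars($trapField, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $name . '" value=""'
         . ' autocomplete="off" tabindex="-1" aria-hidden="true" />';
}

// Classifies one submission. Returns 'spam', 'incomplete', 'invalid-email' or 'ok'.
function honeypot_verdict(
    array $post,
    string $trapField = 'name_here_goes',
    array $required = ['name', 'email', 'message']
): string {
    // A browser submits the hidden field with an empty value. If it is
    // absent, the request was not produced by the rendered form.
    if (!array_key_exists($trapField, $post)) {
        return 'spam';
    }
    // A bot that fills in every input it finds also fills the trap.
    if (trim((string) $post[$trapField]) !== '') {
        return 'spam';
    }
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            return 'incomplete';
        }
    }
    // The address is copied into mail headers, so reject anything that is
    // not a single well-formed address (FILTER_VALIDATE_EMAIL rejects CR/LF).
    if (filter_var(trim((string) $post['email']), FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid-email';
    }
    return 'ok';
}

// Constructed submissions: a visitor, a bot that fills everything, a bot
// posting directly without the form's fields, and an address carrying an
// extra header line.
$samples = [
    'human'         => ['name' => 'Ana', 'email' => 'ana@example.com',
                        'message' => 'Hello', 'name_here_goes' => ''],
    'fills-all'     => ['name' => 'Bot', 'email' => 'bot@example.com',
                        'message' => 'Buy now', 'name_here_goes' => 'Bot'],
    'direct-post'   => ['name' => 'Bot', 'email' => 'bot@example.com',
                        'message' => 'Buy now'],
    'header-inject' => ['name' => 'Ana', 'email' => "ana@example.com\r\nBcc: other@example.com",
                        'message' => 'Hello', 'name_here_goes' => ''],
];

echo render_trap_field(), "\n";
foreach ($samples as $label => $post) {
    printf("%-14s %s\n", $label, honeypot_verdict($post));
}
```

In contact.php, Sections 1 and 2 of the tutorial collapse into a single call to honeypot_verdict($_POST), and Section 3 runs only on 'ok'. Two design choices are worth keeping in mind: log a 'spam' verdict on the server and answer the client with the same neutral message a successful submission gets, so an automated sender learns nothing from the response; and remember that the trap field's name is visible in the page source, so a honeypot stops bots that fill in whatever they find, not a sender who has read your markup. Combining it with other checks, as OSpam-a-not does, covers more cases than the honeypot alone.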

Step #4. Test the result

Upload both files to your server. You won't receive spam emails from this contact form!


About the author

Valentín creates beautiful designs from amongst the tequila plants of Jalisco, Mexico. You can see Valentín's design work all over this site and you can often find him helping members in support.