Support » Plugin: Contact Form 7 Honeypot » Honeypot fails to block SPAM

  • Resolved greyowl

    (@greyowl)


    I have added one, and later a second honeypot field to this form. I output the customer-entered content of the fields, to check if it’s working. They are empty, but the SPAM message is delivered nevertheless.


Viewing 6 replies - 1 through 6 (of 6 total)
  • Thanksgiving. Black Friday. Cyber Monday. Are you guys all on holiday?

    Plugin Author Ryan

    (@daobydesign)

    Hi @greyowl, I don’t fully follow your message. What do you mean you “output the customer-entered content of the fields” — do you mean “input” values into the form? What are empty? The honeypot fields should be empty, and the expected result would be that the form sends if they’re empty.

    I checked your URL and the form seems to be rendering properly.

    As for the time to respond, please keep in mind that this is an entirely free plugin and unpaid support. It’s offered as-is and as-available.

    Thanks for taking me seriously, Ryan.
    My Contact 7 form is as follows:

    <label> Ihr Name* [text* your-name] </label>
    <label> E-Mail-Adresse* [email* your-email ] </label>
    [honeypot Date]
    <label> Betreff* [text* your-subject ]</label>
    [honeypot Time]
    <label> Ihre Nachricht* [textarea* your-message ]</label>
    [submit "Senden"]

    This form generates an email. In the Message Body I have the following:

    [your-message]
    Spamschutz: [_remote_ip], [Date], [Time]

    The SPAM message I receive contains the line:

    Spamschutz: 185.210.219.168, ,

    This shows the two honeypot fields ([Date], [Time]) were indeed empty (i.e. not filled in by the bot). In that case I expected the message to be rejected as SPAM and not delivered. But it was delivered.
    That’s my problem.

    Plugin Author Ryan

    (@daobydesign)

    Thanks for the more thorough explanation. I think you’ve misunderstood how a honeypot field works. The field must be empty for the form to submit. The spam message is being delivered because the spammer/bot/tester is not filling in the honeypot fields. A honeypot has to trick the bot into filling out those fields, while a regular user won’t fill them out because they can’t see them.

    This is basically the opposite of how a captcha or math “prove you’re human” field works, which forces the user to enter the correct value into a field for the field to validate, in the hopes the bot will not be able to enter the correct value. Honeypots work on the presumption a bot will try to fill in as many fields as possible.

    Thanks. I now see my misunderstanding. Should I put the honeypot field before the first valid field then? Is there any way to see which/how many spam messages are rejected?

    Plugin Author Ryan

    (@daobydesign)

    It shouldn’t matter where the honeypot field is placed in the form. Typically I recommend naming it something that would be more likely to attract bots — i.e. “email” or “website” — something that a bot is likely to want to fill out.

    There is no logging/tracking system in place, as the plugin simply uses CF7’s built-in validation system. It’s an interesting feature idea though. I’ll make a note to investigate it further for the next version.
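
The honeypot rule discussed in this thread, together with the kind of reject tally asked about above, as an added example that is not the plugin's or CF7's code. The field names come from the form posted in the thread; the functions, the tally and the sample submissions are assumptions made for illustration.

```python
from collections import Counter

# Field names taken from the form posted in this thread.
HONEYPOTS = ("Date", "Time")
REQUIRED = ("your-name", "your-email", "your-subject", "your-message")


def classify(post):
    """Return (verdict, field) for one submitted form (a dict of strings)."""
    # Honeypot rule: hidden fields must come back empty. Any content means
    # the sender filled in a field a human cannot see on the rendered page.
    for name in HONEYPOTS:
        if post.get(name, "") != "":
            return "spam", name
    # Ordinary validation of the visible, required fields.
    for name in REQUIRED:
        if post.get(name, "").strip() == "":
            return "invalid", name
    return "deliver", None


def process(posts):
    """Classify a batch; return delivered posts and a tally of honeypot hits."""
    delivered, trapped = [], Counter()
    for post in posts:
        verdict, field = classify(post)
        if verdict == "deliver":
            delivered.append(post)
        elif verdict == "spam":
            trapped[field] += 1  # hypothetical reject log, keyed by trap field
    return delivered, trapped


def sample_post(name, message, **honeypots):
    """Build one constructed sample submission."""
    base = {"your-name": name, "your-email": "a@example.com",
            "your-subject": "Hi", "your-message": message}
    return {**base, **honeypots}


# Constructed sample input, not real traffic.
SAMPLES = [
    sample_post("human", "Real enquiry", Date="", Time=""),
    sample_post("greedy bot", "Buy now", Date="filled", Time="filled"),
    sample_post("selective bot", "Buy now", Date="", Time=""),  # case in this thread
]

if __name__ == "__main__":
    delivered, trapped = process(SAMPLES)
    print([p["your-name"] for p in delivered], dict(trapped))
```

The third sample is the situation reported in the thread: empty honeypot fields are indistinguishable from a human submission, so the message is delivered and nothing is counted.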
