Support » Plugin: Contact Form 7 Honeypot » Is a honeypot really protecting from SPAM

  • Ambyomoron

    (@josiah-s-carberry)



    In a separate thread, several users have complained that this plugin has stopped working or that they are suddenly receiving a lot of spam. I think it would be useful if we had a more detailed explanation of changes to the plugin so that our expectations are more realistic.
    The original principle of the honeypot assumes that an automated visitor will be intelligent enough to detect a field to be completed, but not intelligent enough to determine that it is a hidden field that no human user would see or complete. This assumption might be valid for the most naïve of spammers, but surely most spammers have caught on by now!
    So, my question is whether the plugin is applying any other logic to try to prevent SPAM? As it is open source, there is nothing to hide, is there?

  • Hello, put TWO honeypot fields and the plugin will work as intended.

    • This reply was modified 8 months, 3 weeks ago by  Li-An.
    netsales

    (@netsales)

    Hi,

    I have a massive problem with SPAM and I tested it with two honeypot fields… but no chance, it comes again.
    Does anybody have a solution?

    Here is a filled form from SPAM:

    Von: Custom Essay Writers <desiree@mailllc.top>
    Betreff:

    Telefonnummer: 82692953398

    Nachrichtentext:

    college research paper good research paper research paper http://researchpaper.store – list of research papers

    Datenschutz: Der Datenschutzhinweis wurde Zugestimmt.
    IP-Adresse: 46.161.9.56
    Zeit: 17. März 2018 22:57
    Benutzer-Info: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
    Seiten-URL: https://empatis-jugendhilfe.de/kontakt/
    Honeypot:

    Plugin Author Ryan

    (@daobydesign)

    Change your honeypot field’s name. Currently it’s the default generated name: honeypot-266 — that’s a red flag to bots. Change it to something like email-hp-266 (or whatever you’d like… but I think “email” or “website” works best).

    netsales

    (@netsales)

    Hi Ryan,

    I hope that’s the solution…if so, it would be really nice and so easy.

    Thanks
    Tilo

    No, tried (we own 150 blogs)… nothing with double honeypot nor changing the standard name etc. etc.
    I start to think the problem is elsewhere not the form itself since we receive only some sorts of spam and only on some forms (and other not).

    I can confirm that…the SPAM slips through anyway.
    What can I do??? The plugin is useless… also captcha.

    Here is the last one:
    Von: Web Assign Utah <litlsybil@mailllc.top>
    Betreff:

    Telefonnummer: 82528133953

    Nachrichtentext:

    research paper on earth do my research paper for me good research paper research paper

    IP-Adresse: 46.161.9.56
    Zeit: 28. März 2018 19:09
    Benutzer-Info: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36

    knguyen2011

    (@knguyen2011)

    I deleted the form and created another form. But I haven’t shown it yet, and they could still send to me. So I bet there was something wrong with the plugin itself.

    I get spam too. Does it mean it’s some fool actually coming and pasting their spam into the form to send?

    I also get spam, can you please fix this issue.

    Thanks in advance.

    Regards
    Marc

    You can see my different tests and how I manage to make it work : https://wordpress.org/support/topic/honeypot-seems-to-have-stopped-working/page/3/

    1. Move inline CSS (optional) when creating the field.
    2. Change the name of the field to something basic (text, email…)
    3. Put two honeypot fields
    4. Clear cache plugin if you have one

    I’m afraid the developer won’t be able to find any other fix and if you have spam after that, you’ll have to find another solution.

    this is what it generates

    <span id="syeo74yo7" class="wpcf7-form-control-wrap website-wrap" style="display:none !important; visibility:hidden !important;"><label class="hp-message">Please leave this field empty.</label><input class="wpcf7-form-control wpcf7-text" type="text" name="website" value="" size="40" tabindex="-1" autocomplete="nope"></span>

    I would say, there are way too many clues for bots to leave this alone.

    Surely “Please leave this field empty.” and autocomplete=”nope”, this would really be taken care of by bots?

    Ambyomoron

    (@josiah-s-carberry)

    Why would an intelligent spammer complete a field that is not mandatory and gives no obvious way of communicating the spam message? Of what use is such a field to a spammer?

    Plugin Author Ryan

    (@daobydesign)

    @funsail, there are ways to modify this to tweak it in any way you like or feel might work better. All the outputted HTML is filterable, and there are instructions on the plugin page.

    The field has to strike a balance between being a hindrance to spam bots and not resulting in false-negatives from real people trying to submit a form. Thus the accessibility message, which should only ever be read by screen readers used by the visually impaired.

    The autocomplete=”nope” attribute is a bit of a cross-browser pain, as different browsers support it differently. However, because many browsers will try to auto-fill fields (even visually hidden fields), this was implemented to prevent this field from being auto-filled by browsers. I don’t think bots would care about that attribute, as there are plenty of reasons to have an attribute like that which are not spam-related.

    But yes, there are plenty of clues a smart bot can look for and each user will have different opinions on how strong/risky they are willing to be in regards to denying legitimate submissions in an effort to prevent spam. By default, the plugin needs to err on the side of caution out of the box.

    @josiah-s-carberry — you’re right, this plugin definitely isn’t developed for intelligent spammers. It’s right in the description, it operates on the premise that bots are stupid. Honeypots cannot compete with intelligent spamming, which is where more aggressive (and annoying) anti-spam measures come in — like sniffer/blacklists (Akismet) or captcha systems. There’s no way to develop a honeypot that works with a required field that I can think of.

    I would expect screen readers would skip hidden fields. Is this not true?
    I guess you could style the field so that it’s small and hidden behind another field.

    How can we find out if spam is manual or a bot beating this?

    Still getting spam, but could be from human spammers.
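One way to approach the question above of whether submissions are manual or scripted, as an added example that is not part of the thread or the plugin's code: parse notification mails in the layout quoted earlier and group them by source IP. The sample mails, the `---` separator and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample mails in the layout quoted in this thread; the addresses,
# IPs (documentation ranges) and the "---" separator are assumptions.
SAMPLE = """\
Von: Essay Service <a1@spam.example>
IP-Adresse: 203.0.113.7
Benutzer-Info: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Honeypot:
---
Von: Paper Help <b2@spam.example>
IP-Adresse: 203.0.113.7
Benutzer-Info: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36
---
Von: Jane Doe <jane@customer.example>
IP-Adresse: 198.51.100.20
Benutzer-Info: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Honeypot:
"""

# "Label: value" lines; only the first colon splits, so "rv:57.0" stays in the value.
FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)
def parse_mails(text):
    """Split on '---' and turn each mail's 'Label: value' lines into a dict."""
    mails = []
    for chunk in text.split("\n---\n"):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        m = re.search(r"<[^@>]+@([^>]+)>", fields.get("Von", ""))
        fields["domain"] = m.group(1).lower() if m else ""
        mails.append(fields)
    return mails

def automation_signals(mails):
    """Per source IP: reasons suggesting scripted rather than manual submission."""
    by_ip = defaultdict(list)
    for m in mails:
        by_ip[m.get("IP-Adresse", "?")].append(m)
    report = {}
    for ip, group in by_ip.items():
        reasons = []
        if any(m.get("Honeypot") for m in group):
            reasons.append("honeypot field was filled")
        if len({m.get("Benutzer-Info") for m in group}) > 1:
            reasons.append("same IP sent different User-Agents")
        if len(group) > 1 and len({m["domain"] for m in group}) == 1:
            reasons.append("repeated sender domain from one IP")
        if reasons:
            report[ip] = reasons
    return report
```

An IP that is flagged while its Honeypot value stays empty points to a script that skips the hidden field rather than to a person typing into the form.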
