Fighting Spam In Drupal: The Honeypot Method

There's no doubt about it: fighting spam has clearly become the single most annoying task in administering a website today. Spam is no longer sent by ambitious humans with a bad sense of netiquette; black hat marketers now use spambots.

These spambots are automated, computer-generated scripts designed to harvest email addresses from your website with the objective of building mailing lists for sending unsolicited mail. We'll try not to judge those who write these scripts for a living, but we'd really like it if they stopped and found something better to do with their coding skills.

How we typically protect against spambots

In any case, the most common method to try to stop spambots is the CAPTCHA (which stands for "Completely Automated Public Turing test to tell Computers and Humans Apart"). A CAPTCHA is a challenge, usually visual, that assumes the user is human, and not an automated spam-posting process, when the correct answer is given.

This is a reliable approach that has significantly improved once partnered with ReCAPTCHA; however, there is a growing aversion to this method. CAPTCHAs are seen as awkward and clunky, with out-of-focus images that never seem to complement any site’s design. Users constantly report that they can be quite challenging to complete, suggesting that unsuccessful responses result in the loss of potential clients.

How many times have you tried to fill in a CAPTCHA that just wouldn't work? It's especially difficult on mobile, where someone might need to zoom and tap around to see the whole CAPTCHA, and where the risk of typing errors is much higher.

Enter the Honeypot Drupal module

The Honeypot method is a less intrusive approach that inserts a hidden form field into a form with an assigned field name. Human users will not see the field, so they will not be able to fill it out. However, spambots will see the field and will proceed to add something to it. The Honeypot module detects this and blocks the form submission if there is anything in the field.

Just like Winnie the Pooh is drawn towards honey jars, spambots are drawn towards form fields, especially form fields they think will give them the ability to link back to their own websites.

Smart, no? We think so too.

This Drupal module also has a timestamp deterrent. Forms typically take several seconds to be filled out by a real human. Spambots, however, can do so much more quickly because of their automated scripts. To exploit this characteristic, the Honeypot module has an adjustable time setting that defines the minimum time a user has to spend on the form before submitting it.

In other words, aside from rejecting form submissions that fill out the hidden form field, this module will also reject forms that are filled out too quickly.

The Honeypot + Timestamp form protection method is a very good defense against spambots.
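The two checks described above, as an added server-side sketch in Python (not the Honeypot module's own code). The field names, secret, thresholds and the HMAC-signed render time carried in a hidden field are all assumptions of this example; the signature is there so a client cannot backdate the timestamp.

```python
import hashlib
import hmac
import time

# Assumed names and values for this sketch; none come from the Honeypot module.
SECRET_KEY = b"constructed-demo-key"  # per-site secret, loaded from config in practice
HONEYPOT_FIELD = "homepage"           # hidden with CSS, so humans leave it empty
TOKEN_FIELD = "form_token"            # hidden field carrying the signed render time
MIN_SECONDS = 5                       # minimum time a human is expected to need
MAX_AGE = 3600                        # stale tokens are refused to limit replay


def _mac(form_id, ts):
    return hmac.new(SECRET_KEY, f"{form_id}:{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(form_id, now=None):
    """Return 'timestamp:mac' to embed in the form when it is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(form_id, ts)}"


def check_submission(form_id, fields, now=None):
    """Return (accepted, reason) for a submitted form."""
    # 1. Honeypot: any content in the hidden field means a script filled it in.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"
    # 2. Timestamp: verify the signature before trusting the time inside the token.
    ts, _, mac = fields.get(TOKEN_FIELD, "").partition(":")
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), _mac(form_id, ts).encode()):
        return False, "bad_token"
    elapsed = int(time.time() if now is None else now) - int(ts)
    if elapsed < MIN_SECONDS:
        return False, "too_fast"
    if elapsed > MAX_AGE:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions: form rendered at t=1000.
    token = issue_token("contact", now=1000)
    human = {TOKEN_FIELD: token, HONEYPOT_FIELD: "", "message": "Hello"}
    bot = {TOKEN_FIELD: token, HONEYPOT_FIELD: "http://spam.example", "message": "Buy"}
    print(check_submission("contact", human, now=1012))  # accepted
    print(check_submission("contact", bot, now=1012))    # honeypot filled
    print(check_submission("contact", human, now=1001))  # submitted too fast
```

Logging the rejection reason separately for each check helps when tuning the minimum time so that fast legitimate users are not blocked.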

Honeypot is extremely flexible, with a wide range of settings. Implementing this module is quick and easy: you can enable the protection on all your forms with a single click or identify specific forms to protect. Another nice setting is the ability to bypass protection for certain user roles, say site administrators and developers, so that they may be able to process specific forms in less than the prescribed timeframe without being rejected.

No more spam, no more annoyance

Spam can definitely make a nightmare out of any site admin's life. If you are developing real spam issues, you should seek advice and discuss the possibility of adding in Mollom or another more intelligent spam prevention service. It has been reported that Mollom works nicely with Honeypot; however, you should always complete proper testing before implementing them.  

For me, the one greatest advantage of the Honeypot method is that the user is given no extra obstacles to complete a form. It is a very user-friendly way of preventing spam.