The modern web is full of spam bots.
Bots are automated "users" that are programmed for specific tasks. While some bots are good, such as bots designed to monitor website health, many bots are created for malicious reasons. For example, spam bots are created to post potentially harmful content wherever possible. This can strain your server resources and fill your databases with unnecessary data.
Spam bots can achieve their goal by abusing HTML forms, which exist on almost every non-trivial website. This is how the bot might work:
1. It inspects the page and looks for HTML form elements
2. It populates dummy data into the input fields
3. It submits the form to the server
In other words, it mimics a normal user's behavior but provides information your application may not care about.
So what can we do to stop these bots?
Honeypot fields can trick spam bots
A honeypot field is a special input field hidden from real users, but visible to spam bots. These fields are hidden visually on the page and from screen readers, preventing most real users from filling them out. On the other hand, a spam bot works by inspecting the DOM and filling out any input fields it finds.
In other words, a spam bot will fill out fields even when it shouldn't be possible. This means all you need to do is reject any submissions on your server where the honeypot field was filled out.
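Here is an added example (not code from the original post) showing both halves of the technique: the hidden honeypot markup served to the browser, and the server-side check that rejects any submission where that field was filled. The field name `website` and the Express-style handler signature are assumptions.

```javascript
// Added example: a honeypot field plus the matching server-side check.
// The field name "website" is an assumption; any plausible-looking name works.
const HONEYPOT_FIELD = "website";

// Markup for the honeypot. The wrapper is moved off-screen instead of using
// display:none or type="hidden", since simple bots skip inputs marked hidden
// but will happily fill a visible-looking text field. aria-hidden and
// tabindex="-1" keep screen readers and keyboard users away from it, and
// autocomplete="off" reduces false positives from browser autofill.
const honeypotMarkup = `
<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden" aria-hidden="true">
  <label for="${HONEYPOT_FIELD}">Leave this field empty</label>
  <input type="text" id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
</div>`;

// Server-side check: `fields` is the parsed form body (for example from
// express.urlencoded()). Whitespace-only values are ignored so a real user
// who somehow landed in the field and pressed space is not flagged.
function isHoneypotTriggered(fields) {
  const value = fields[HONEYPOT_FIELD];
  return typeof value === "string" && value.trim() !== "";
}

// Example handler (assumed shape): spam is dropped without being stored but
// still answered with 200, so the bot gets no hint that it was filtered.
// Legitimate submissions go through normal validation afterwards.
function handleContactForm(fields) {
  if (isHoneypotTriggered(fields)) {
    console.warn("honeypot triggered, dropping submission");
    return { status: 200, stored: false, reason: "honeypot" };
  }
  if (!fields.email || !fields.message) {
    return { status: 400, stored: false, reason: "validation" };
  }
  // Persist the submission here in a real application.
  return { status: 200, stored: true, reason: null };
}
```

Log the honeypot hits rather than just dropping them; a sudden spike in triggered submissions is a useful early signal that a form is being targeted.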
In the example above, you can see that we have a hidden field that indicates you shouldn't fill it out. Normally, you wouldn't be able to see the field, but if you end up in a state where the field is visible, you'll know that you should leave it alone.
You might be thinking that this is too obvious and a spam bot would know not to fill out the field, but it turns out that most spam bots aren't too sophisticated and this is usually enough to trick them.
And that's how honeypot fields work. The next time you want to stop spam on your website, try reaching for a honeypot!