That's a great point, Sam. Thanks.
The spam-bots have been falling for the "confirm_email" and filling it in with the "correct" value, but I think I'll try switching it to something obtuse that the auto-fillin isn't likely to have a value for. "what_would_you_do_for_a_klondike_bar" comes to mind...
From: Code for Libraries On Behalf Of Sam McDonald
Sent: Tuesday, October 25, 2011 11:26 AM
Subject: Re: [CODE4LIB] web spam block less awful than Captcha?
Long time reader, 2nd time poster?! (since 2000?).
Regarding honey-pot field labels... in some recent Chrome versions (and probably in current versions) Chrome helpfully auto-populates fields based upon the field label (under default config; can be changed via Options, Personal stuff, autofill).
If a field label has been used before (presumably on any previously filled out form using that browser, but perhaps only to forms served from that domain), it will auto-populate it. So, if your trap presumes that a field should be null, since you "hid" it from the spam bots, AND Chrome helpfully (& invisibly) auto-populates it (without the user knowing about it at all), the form will be trapped, and fail, and the user will have nearly no way to figure this out... the clever users will try a different browser and then meet success.
I don't believe that the mass-attack spam bots look for labels that are needed to be filled in.
That being said, perhaps a label needs to look tempting, but unlikely to be used by a developer, maybe something like
First__Name_
The caps, double underscore and trailing underscore are unlikely to be used on purpose elsewhere, but not quite as obvious as "spam_trap" or "asdhgashdvasbmvf".
Ah, here's some other people noting the problem: http://www.electrictoolbox.com/html-form-honeypots-autofill/
...more can be found via Google using "chrome autofill honeypot"
PS I originally discovered the Chrome form thing the hard way.
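An added example, not part of the thread: a small audit that flags honeypot fields whose name or label contains words a browser's autofill is likely to recognise, which is the failure mode described above. The `data-honeypot` marker, the token list and the sample form are assumptions made for illustration; the token list is a rough heuristic, not Chrome's actual matching rules.

```python
import re
from html.parser import HTMLParser

# Assumed, illustrative list of words autofill tends to key on.
AUTOFILL_TOKENS = {"name", "email", "mail", "phone", "tel", "address", "city",
                   "state", "zip", "postal", "country", "company", "url"}

def autofill_tokens(text):
    """Return the autofill-like words found in a field name or label."""
    # Splits on separators and camelCase boundaries, e.g. confirmEmail.
    words = re.findall(r"[A-Z]?[a-z]+|[A-Z]+", text)
    return sorted({w.lower() for w in words} & AUTOFILL_TOKENS)

class HoneypotAudit(HTMLParser):
    """Collect honeypot inputs (marked data-honeypot) and label text."""
    def __init__(self):
        super().__init__()
        self.traps = {}    # input id (or name if no id) -> field name
        self.labels = {}   # value of label's "for" attribute -> label text
        self._for = None   # id the currently open <label> points at

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and "data-honeypot" in a:
            self.traps[a.get("id", a.get("name", ""))] = a.get("name", "")
        elif tag == "label":
            self._for = a.get("for")

    def handle_data(self, data):
        if self._for is not None:
            self.labels[self._for] = self.labels.get(self._for, "") + data

    def handle_endtag(self, tag):
        if tag == "label":
            self._for = None

def audit(html):
    """Map each honeypot field name to the risky words in its name/label."""
    p = HoneypotAudit()
    p.feed(html)
    p.close()
    return {name: autofill_tokens(name + " " + p.labels.get(key, ""))
            for key, name in p.traps.items()}

# Constructed sample form: one trap from the thread that autofill is likely
# to fill, and the replacement name proposed in the reply.
SAMPLE_FORM = """<form method="post">
  <label for="t1">Confirm e-mail</label>
  <input id="t1" name="confirm_email" data-honeypot>
  <label for="t2">Leave this blank</label>
  <input id="t2" name="what_would_you_do_for_a_klondike_bar" data-honeypot>
</form>"""
```

A non-empty list for a trap field means a legitimate user's browser may fill it silently, so the submission would be rejected as spam.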