Hi all,
Long time reader, 2nd time poster?! (since 2000?).
Regarding honey-pot field labels...in some recent Chrome versions (and probably in current versions) Chrome helpfully auto-populates fields based upon the field label.(under default config, can be changed via Options, Personal stuff, autofill).
If a field label has been used before (presumably on any previously filled out form using that browser, but perhaps only to forms served from that domain), it will auto-populate it. So, if your trap presumes that a field should be null, since you "hid" it from the spam bots, AND Chrome helpfully (& invisibly) auto-populates it (without the user knowing about it at all), the form will be trapped, and fail, and the user will have nearly no way to figure this out..the clever users will try a different browser and then meet success.
I don't believe that the mass-attack spam bots look for labels that are needed to be filled in.
That being said, perhaps a label needs to look tempting, but unlikely to be used by a developer, maybe something like
First__Name_ the caps, double underscore and trailing underscore are unlikely to be used on purpose elsewhere, but not quite as obvious as "spam_trap" or "asdhgashdvasbmvf"
Ah, here's some other people noting the problem
http://www.electrictoolbox.com/html-form-honeypots-autofill/
http://www.alexanderinteractive.com/blog/2011/02/chrome%E2%80%99s-autofill-and-honeypot-fields/
http://www.sitepoint.com/forums/showthread.php?727720-Trouble-with-Chrome-filling-in-honeypot
...more can be found via Google using "chrome autofill honeypot"
PS I originally discovered the Chrome form thing the hard way.
-Sam
----- Original Message -----
From: "Thomas Dowling" <[log in to unmask]>
To: [log in to unmask]
Sent: Monday, October 24, 2011 2:35:42 PM
Subject: Re: [CODE4LIB] web spam block less awful than Captcha?
On 10/24/2011 01:48 PM, Jonathan Rochkind wrote:
>
> Or perhaps the fact that my web form has a 'name' and 'email' form makes
> the spambots decide it just _must_ be a blog comment form. I suppose
> taking away the 'name' and 'email' labels might help, although it might
> mess up our workflow too. Hmm, now I'm thinking about just telling them to
> include their email in one big comment box, and having my own software
> regex out things that look like email to fill out the field in our
> internal system.
I've had some luck making "<input name='email'>" my
invisibible-to-normal-users honeypot, and using "<input name='value_1">
(etc.) as actual form inputs.
Thomas Dowling
[log in to unmask]
|