How effective is the honeypot technique against spam?

Strae · Sep 1, 2010 · Viewed 19.3k times

By "honeypot", I mean more or less this practice:

<!-- Register form -->
<style>
    .hideme{
        display:none;
        visibility: hidden;
    }
</style>
<form action="register.php" method="post">
    Your email: <input type="text" name="u-email" />
    Choose a password: <input type="password" name="passwd" />
    <div class="hideme">
        <!-- the instruction text is for text-browser users -->
        Please, leave this field blank: <input type="text" name="email" autocomplete="off" />
    </div>
    <input type="submit" value="Register" />
</form>

<?php
// register.php
// The honeypot field must come back empty; a missing key counts as empty.
if (isset($_POST['email']) && $_POST['email'] !== '') {
    die("You spammer!");
}
// otherwise, do the form validation and go on.
?>

More info here.

Obviously, the real fields are named with random hashes, and the honeypot fields can have different names (email, user, website, homepage, etc.) that a spambot usually fills in.

I love this technique because it doesn't cause the user to be annoyed by CAPTCHA.

Do any of you have some experience with this technique? Is it effective?

Answer

geerlingguy · Nov 13, 2013

Old question, but I thought I'd chime in, as I've been maintaining a module for Drupal (Honeypot), which uses the Honeypot spam prevention method alongside a time-based protection (users can't submit a form in less than X seconds, and X increases exponentially with each consecutive failed submission). Using these two methods, I have heard of many, many sites (examples) that have eliminated almost all automated spam.

I have had better success with Honeypot + timestamp than I have with any CAPTCHA-based solution, because not only am I blocking most spammers, I'm also not punishing my users.
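
The honeypot plus time-based check described in this answer, sketched in PHP as an added example (not code from the answer or from the Drupal Honeypot module). The function names, the `hp_token` hidden field, the 5-second base and the doubling per consecutive failure are assumptions, and the failure count is assumed to be tracked server-side per client.

```php
<?php
// Added example; every name here is hypothetical, not the Drupal module's API.
const HP_SECRET = 'replace-with-random-server-side-secret'; // placeholder value
const HP_BASE_SECONDS = 5;  // assumption: minimum fill time X on a first attempt
const HP_FIELD = 'email';   // honeypot field name from the question's form

// Rendered into a hidden "hp_token" field with the form: "<issued_at>.<hmac>".
function hp_issue_token(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, HP_SECRET);
}

// Minimum fill time doubles per consecutive failure (assumed rate), capped at 1 h.
function hp_required_delay(int $failures): int {
    return min(HP_BASE_SECONDS * (2 ** min($failures, 10)), 3600);
}

// Returns null when the submission passes, or the reason it was rejected.
function hp_check(array $post, int $failures, int $now): ?string {
    if (isset($post[HP_FIELD]) && $post[HP_FIELD] !== '') {
        return 'honeypot field filled';
    }
    $raw = $post['hp_token'] ?? '';
    $parts = is_string($raw) ? explode('.', $raw, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'missing or malformed timestamp token';
    }
    [$issued, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $issued, HP_SECRET), $mac)) {
        return 'timestamp token was tampered with';
    }
    if ($now - (int) $issued < hp_required_delay($failures)) {
        return 'form submitted too quickly';
    }
    return null;
}

// Constructed sample submissions, checked against a fixed clock for stable output.
$t0 = 1700000000;
$token = hp_issue_token($t0);
$cases = [
    'human, 12 s, no failures'  => [['hp_token' => $token, HP_FIELD => ''], 0, $t0 + 12],
    'bot fills hidden field'    => [['hp_token' => $token, HP_FIELD => 'a@b.example'], 0, $t0 + 12],
    'instant submit'            => [['hp_token' => $token, HP_FIELD => ''], 0, $t0 + 1],
    '12 s but 2 prior failures' => [['hp_token' => $token, HP_FIELD => ''], 2, $t0 + 12],
    'forged timestamp'          => [['hp_token' => ($t0 - 999) . '.' . substr($token, 11), HP_FIELD => ''], 0, $t0 + 12],
];
foreach ($cases as $label => [$post, $failures, $now]) {
    echo str_pad($label, 28), hp_check($post, $failures, $now) ?? 'accepted', "\n";
}
```

Signing the timestamp keeps a client from back-dating it, but a valid token can still be replayed, so a real deployment would also enforce a maximum token age or single use.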