How we stopped spam messages on our site

We've recently launched, and within a few days we were inundated with contact-us messages from spam bots. This wouldn't have bothered us too much on its own, but we were wasting precious CPU cycles, emails to our admins, and our time emptying our inbox. We even missed a message from one of our real users.

We realised we had to do something, and thought about using off-the-shelf products such as reCAPTCHA and hCaptcha, but they either collected too much personal information (in Google's case) or added too much friction to the contact flow. We did, however, find something genius on Stack Overflow: the honeypot field.

The honeypot field is a hidden form field with an innocuous name (like "phone") that should never be filled in by autocomplete or by a real user. On the server we check whether this parameter is present and, if it is, ignore the message. This works because bots like the ones spamming us simply fill in every field on the forms they download, which makes the honeypot field highly effective at stopping spam.

Our implementation (a Ruby on Rails app) looks like this. First, the form field:

  <!-- Must be hidden from real users by your stylesheet; tabindex="-1" keeps it out of the tab order
       and autocomplete="off" stops browsers filling it. A browser never submits an unchecked checkbox,
       so a real user's request carries no "phone" parameter at all. -->
  <input type="checkbox" name="phone" value="1" tabindex="-1" autocomplete="off">

We then check on the server if the parameter is present:

  def create
    contact_message = ContactMessage.new(contact_message_params)

    # Honeypot check: only a bot that fills every field sends "phone", so a present
    # (non-blank) value means the submission is spam.
    if params[:phone].present?
      contact_message.spam = true
    end

    if contact_message.save
      flash[:notice] = "Support request received."
    else
      flash[:alert] = "We're sorry. We couldn't do that right now. Please try again later."
    end
    redirect_to contact_us_path
  end

Here we're marking the message as spam rather than dropping it. Feel free to just disregard the message altogether. We personally wanted analytics on how useful this measure was, so we mark it as spam and auto-delete it after 14 days. So far, this has prevented 100% of our spam messages.

We also took this a step further with Rack::Attack and added a rule that listens for the "phone" parameter: if someone sends it, we block them from the site for a day. This stops known bots from wasting further CPU cycles on our servers. Be cautious, however, that the name of your honeypot field does not match the name of any other field on your site, or you risk banning regular users. We plan to change our "phone" field to something more unique, like "hp_phone".
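The ban rule above, as an added illustration rather than the post's own code: it mirrors the Rack::Attack blocklist plus Fail2Ban semantics in plain Ruby (standard library only, so it runs without the gem), scopes the check to the contact-form POST so a legitimate "phone" field elsewhere cannot ban a user, and uses the field name hp_phone and path /contact_us as assumptions.

```ruby
# Added example, not the post's code. The Rack::Attack initializer this models would be:
#
#   Rack::Attack.blocklist('honeypot') do |req|
#     Rack::Attack::Fail2Ban.filter("honeypot-#{req.ip}", maxretry: 1, findtime: 1.day, bantime: 1.day) do
#       req.post? && req.path == '/contact_us' && req.params['hp_phone'].present?
#     end
#   end

HONEYPOT_FIELD = 'hp_phone'     # assumed field name (the post plans to rename "phone" to this)
CONTACT_PATH   = '/contact_us'  # assumed route of the contact form
ONE_DAY        = 24 * 60 * 60

# Minimal stand-in for Rack::Request: only what the rule needs.
Request = Struct.new(:ip, :request_method, :path, :params) do
  def post?
    request_method == 'POST'
  end
end

# True only for a POST to the contact form carrying a non-blank honeypot value.
# Scoping to the path is what keeps a real "phone" field on another form from banning users.
def honeypot_hit?(req)
  return false unless req.post? && req.path == CONTACT_PATH
  value = req.params[HONEYPOT_FIELD]
  !(value.nil? || value.to_s.strip.empty?)
end

# In-memory ban list with Fail2Ban-like semantics: the first hit (maxretry: 1)
# bans the client IP for `bantime` seconds; after that the ban expires silently.
class HoneypotBanList
  def initialize(bantime: ONE_DAY)
    @bantime = bantime
    @banned_until = {}   # ip => Time the ban ends
  end

  # Returns true when the request must be blocked, recording a new ban if the honeypot fired.
  def block?(req, now: Time.now)
    ban = @banned_until[req.ip]
    return true if ban && now < ban          # still inside the ban window
    @banned_until.delete(req.ip) if ban      # ban expired: forget it
    return false unless honeypot_hit?(req)
    @banned_until[req.ip] = now + @bantime   # first hit is enough to ban
    true
  end
end
```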

This one small change meant we could prevent spam without integrating a third-party solution or adding any friction to our forms. We count this as a major success and hope to roll it out across the site.

Don't forget to check out what we offer: a comprehensive husbandry management platform for reptile keepers, by reptile keepers. Sign up today and see how we can make your husbandry better with less hassle.


© 2026 The Reptile Keeper. All rights reserved.