Effective Spam Prevention – CAPTCHA, Honeypot, or Both?
CAPTCHA tests have been in use since the early 2000s; the best-known implementation, reCAPTCHA, launched in 2007 and has been offered by Google as a free service since Google acquired it in 2009, to help protect websites from spam and abuse. The system tries to distinguish a human visitor from a bot by requiring an action that is meant to be easy for a person but hard for software, such as typing distorted text, adding up some numbers, or selecting matching images. For visually impaired users the challenge can also be issued in audible form.
By adding a CAPTCHA to the email and contact forms on your website, for example, you can block automated software from submitting them while still letting legitimate users send you information, because humans pass such tests easily while bots and other malicious software are supposed to find them hard to solve.
The original CAPTCHA systems had some drawbacks. Requiring users to solve a problem prior to completing a desired action during their website experience can lead to frustration and abandonment. Frequent failures at entering the correct CAPTCHA solution have been shown to result in a negative impact on conversions and therefore on revenue.
While newer versions of CAPTCHA that use images instead of text are easier for most humans to solve, they can still be difficult for individuals with disabilities. Furthermore, several studies have reported an abandonment rate of roughly 15% when users are faced with a CAPTCHA challenge. To address these issues Google introduced reCAPTCHA v3, which shows no puzzle at all: it observes the visitor's interaction with the page in the background and returns a risk score (0.0 for a likely bot up to 1.0 for a likely human) that the site owner decides how to act on. But that’s not the end of the story…
Hacker Bypass Solutions
Bypass scripts and services that can overcome every version of CAPTCHA are now readily available to bot operators, ranging from machine-learning solvers to services that relay the challenge to low-paid human solvers. Even the most advanced version, reCAPTCHA v3, which is designed to identify and stop bots from their activity rather than by challenging them with puzzles, can be bypassed: a bot that drives a real browser and mimics enough human-like behaviour can earn a score that passes. Some researchers have demonstrated bypass success rates of over 97%.
With the effectiveness of CAPTCHA diminishing as hackers create bots that circumvent the system, website owners are turning to other techniques to replace and/or augment CAPTCHA. One of these techniques is known as the “honeypot”.
Honeypot to the Rescue
The idea behind the honeypot is simple: bots are dumb and they will fill out anything they find. While some spam is manually-typed, possibly to reach a specific target, the vast majority is submitted by bots scripted to reach the largest number of online forms. When they encounter a form, they blindly fill in the fields, regardless of whether a particular field should be filled in or not.
The honeypot takes advantage of this behavior by adding an extra field to the form that a human would never fill in. The field is hidden from human view with CSS (for example, positioned off-screen) rather than with a hidden input type, because many bots already know to skip hidden inputs; it should also be excluded from keyboard tab order, browser autofill and screen readers so that a real user does not fill it by accident. When the form is submitted, the server-side validation rejects any submission in which the honeypot field is non-empty, so the message is never sent. Bots parsing the raw HTML see an ordinary text field and fill it in; humans never see it, so for them it stays empty.
The Double-Barreled Approach
The honeypot gives website operators an effective alternative for fighting spam, particularly if the operator considers CAPTCHA ugly, burdensome for users, or not effective enough. Its limitation is the flip side of its strength: it only catches indiscriminate bots, so a bot written specifically against your form can simply leave the field blank. If the problems with CAPTCHA are not seen as very significant, both CAPTCHA and a honeypot can be used together quite effectively to achieve double-barreled spam protection: the honeypot cheaply discards the bulk of automated submissions without a network round trip, and the CAPTCHA verdict is applied to whatever gets through.
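The following is an added example, not code from the article or from Google, showing how the honeypot described above and the double-barreled combination with a reCAPTCHA v3 score fit together on the server side. The field names, the honeypot field name `website_url`, the CSS class `hp-wrap`, the action name `contact`, the hostname `example.com` and the 0.5 score threshold are all assumptions made for this example; the shape of the reCAPTCHA `siteverify` JSON response (`success`, `score`, `action`, `hostname`) is Google's documented format, but the responses below are constructed inline so the code runs offline.

```python
"""Honeypot field plus reCAPTCHA v3 score check for a contact form.

Added example (not from the article).  Field names, the honeypot name,
the CSS class, the expected action/hostname and the score threshold are
illustrative assumptions.
"""
import json
from html import escape
from typing import Optional

HONEYPOT_FIELD = "website_url"   # assumed name: looks like a real field to a bot
SCORE_THRESHOLD = 0.5            # assumed; v3 scores run from 0.0 (bot) to 1.0 (human)


def render_form(action: str = "/contact") -> str:
    """Return HTML for a contact form with a CSS-hidden honeypot field.

    The honeypot is hidden by moving it off-screen with CSS, not with
    type="hidden": many bots skip hidden inputs but fill visible text
    inputs.  tabindex="-1" keeps it out of keyboard tab order,
    autocomplete="off" stops browser autofill, and aria-hidden keeps
    screen readers from announcing it, so a human submission leaves it empty.
    """
    return f"""
<style>.hp-wrap {{ position:absolute; left:-10000px; width:1px; height:1px; overflow:hidden; }}</style>
<form method="post" action="{escape(action)}">
  <label>Name <input name="name" required></label>
  <label>Email <input name="email" type="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <div class="hp-wrap" aria-hidden="true">
    <label>Leave this field empty
      <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>
"""


def honeypot_tripped(form: dict) -> bool:
    """True when the honeypot field arrived with any non-blank value.

    A missing field counts as empty: a human's browser always sends the
    (empty) field, but being lenient here never lets a bot through, since
    a bot that fills fields blindly sends it filled.
    """
    return form.get(HONEYPOT_FIELD, "").strip() != ""


def recaptcha_v3_passed(siteverify_json: str, expected_action: str,
                        expected_hostname: str,
                        threshold: float = SCORE_THRESHOLD) -> bool:
    """Interpret the JSON body returned by the reCAPTCHA siteverify endpoint.

    The caller POSTs the client token and the site secret to
    https://www.google.com/recaptcha/api/siteverify and passes the response
    body here.  Checking only `success` is a common mistake: the `action`
    and `hostname` must also match what this page expects, otherwise a
    token minted on another page or site could be replayed against this form.
    """
    try:
        data = json.loads(siteverify_json)
    except ValueError:
        return False
    score = data.get("score")
    return (
        data.get("success") is True
        and data.get("action") == expected_action
        and data.get("hostname") == expected_hostname
        and isinstance(score, (int, float))
        and score >= threshold
    )


def classify_submission(form: dict, siteverify_json: Optional[str],
                        expected_hostname: str = "example.com") -> str:
    """Double-barreled decision for one form submission.

    The honeypot check runs first because it is free (no network call) and
    rejects most indiscriminate bots; the CAPTCHA verdict is applied only to
    submissions that pass it.  Returns 'accept', 'reject:honeypot' or
    'reject:captcha'.
    """
    if honeypot_tripped(form):
        return "reject:honeypot"
    if siteverify_json is None or not recaptcha_v3_passed(
            siteverify_json, "contact", expected_hostname):
        return "reject:captcha"
    return "accept"
```

Rejected submissions are best answered with a generic success page rather than an error, so a bot operator gets no signal that the honeypot exists; logging the honeypot value and the v3 score per submission is the easiest way to tune the threshold against your own traffic.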
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.