This will not take a lot of time for spambots to figure out. Would it?

Are there any web-application-firewall level spambot filtering that would ensure that the bot traffic can be continually monitored and the rules to block spambots can be continually updated?




In my previous job an honeypot field with a random name in the form of email__($randomString of 3 to 6 chars) was enough to block 100% of the spam.

Simplicity is the ultimate sophistication.


Agreed. A honeypot worked 100% for me for a long time. I had a bot start to slip through, somehow, so I added an additional layer of protection. I began checking server side for the time between initial request for the page to submit. If less than five seconds, the submission fails. Still a simple idea, but the execution is a little more complex.


I'm sure you probably tested this with your particular needs, but just in case you haven't: five seconds is a long time and there are many forms that can be filled out by humans in less than that. I stepped on my own toes once setting what I considered to be reasonable minimums until I tried to use my own site and found myself getting blocked because I was submitting requests too fast.


Thank you. Yes. Excellent point. The particular form I needed this for is moderately involved, so I erred on the longer side. I suspect a spambot wouldn't want to intentionally throttle itself, but they may introduce a one- or two-second delay if this becomes common enough. Definitely have to tailor it to the form.
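A minimal server-side version of the two checks discussed in this sub-thread (a randomly named honeypot field, plus a minimum time between the page being served and the form being submitted), written as an added example rather than any commenter's code. The HMAC-signed token, the `_ft` field name, the five-second default and the secret are assumptions of this example; a real deployment would keep the secret out of source and tune the threshold per form, as the replies above note.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed for this example only: the server-side key that signs form tokens.
SERVER_SECRET = b"example-secret-do-not-use"
MIN_SECONDS = 5          # minimum render-to-submit time (tune per form)
MAX_SECONDS = 24 * 3600  # reject stale tokens so an old one cannot be replayed forever
TOKEN_FIELD = "_ft"      # hypothetical name of the hidden signed-token field
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def _sign(secret: bytes, issued: str, honeypot: str) -> str:
    """HMAC over (timestamp, honeypot name) so a client cannot forge either."""
    msg = f"{issued}.{honeypot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_form_fields(secret: bytes, now: Optional[float] = None) -> Dict[str, str]:
    """Return what the page renderer embeds: a honeypot field with a random
    name of the form email__<3-6 chars> (hidden via CSS, left empty by humans)
    and a signed token carrying the render time and that honeypot name."""
    issued = str(int(now if now is not None else time.time()))
    length = secrets.choice(range(3, 7))
    honeypot = "email__" + "".join(secrets.choice(ALPHABET) for _ in range(length))
    token = f"{issued}.{honeypot}.{_sign(secret, issued, honeypot)}"
    html = (
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">\n'
        f'<input type="text" name="{honeypot}" value="" style="display:none" '
        f'tabindex="-1" autocomplete="off">'
    )
    return {"honeypot_name": honeypot, "token": token, "html": html}


def validate_submission(form: Dict[str, str], secret: bytes,
                        now: Optional[float] = None,
                        min_seconds: int = MIN_SECONDS,
                        max_seconds: int = MAX_SECONDS) -> Tuple[bool, str]:
    """Run the honeypot and timing checks against a submitted form.
    Returns (accepted, reason); the reason is meant for server logs only."""
    parts = form.get(TOKEN_FIELD, "").split(".")
    if len(parts) != 3:
        return False, "missing or malformed token"
    issued_s, honeypot, sig = parts
    # Verify the signature before trusting the timestamp or the honeypot name.
    if not hmac.compare_digest(sig, _sign(secret, issued_s, honeypot)):
        return False, "bad token signature"
    # Honeypot: humans never see the field, so any value in it marks a bot.
    if form.get(honeypot):
        return False, "honeypot field was filled"
    # Timing: too fast looks automated; too old looks like a replayed token.
    current = now if now is not None else time.time()
    elapsed = current - int(issued_s)
    if elapsed < min_seconds:
        return False, f"submitted after {elapsed:.0f}s (minimum {min_seconds}s)"
    if elapsed > max_seconds:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: render, then simulate a human and a bot.
    fields = make_form_fields(SERVER_SECRET, now=1000)
    human = {TOKEN_FIELD: fields["token"], fields["honeypot_name"]: "", "email": "a@example.com"}
    bot = dict(human, **{fields["honeypot_name"]: "http://spam.example"})
    print(validate_submission(human, SERVER_SECRET, now=1012))  # accepted
    print(validate_submission(human, SERVER_SECRET, now=1001))  # too fast
    print(validate_submission(bot, SERVER_SECRET, now=1012))    # honeypot filled
```

The token is signed rather than stored, so the check needs no session state; the trade-off is that the secret must be kept server-side, and rotating it invalidates forms already rendered.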


I am sure that worked for you and I do not want to undermine the importance of simplicity. However my question was drawn from my previous experience where it was one hell of a task to keep the spam bots out.

Therefore, just to offer a counterpoint, I would like to register my experience here. A random name surely did not do the trick for us. Simple tricks like creating a random hidden field would be broken by spambots in less than 48 hours. It took a great deal of expensive WAFs like Barracuda and a lot of Lua scripting combined with cookie analysis (and overall request header analysis) to detect spambots with only a 90%-95% accuracy and keep them out.


If a spambot targets you specifically, that's another story of course.

Most of the spambots just search for forms to fill on the internet.


As far as I know the reverse captcha (that's what the honeypot is) is still not seen by bots and they just fill out the field as per usual.
