Using honeypots to fight comment spam

The guys at rustylime describe how they are using honey pot form fields to detect spam bots.

This method is interesting, since the false positive rate will be close to zero – any decent browser will not show the ‘honey pot’ fields, so a human won’t be able to enter information there accidentally. The false negative rate will also be low, since most spam bots will fill in those fields. The problem, of course, is that spam bots can be adjusted specifically for rustylime (now that they have outlined their spam comment fighting technique), either by looking for these specific field names or by calibrating the bots to render the page and filter out invisible parts (the latter would be a serious technical challenge for the spammers).

Of course, a post on SecuriTeam blogs, a web site that is probably frequently read by spammers, is not going to help them keep a low profile against spammers – so my apologies to the rustylime people. Let’s hope their comment spam queue remains clean, and maybe someone can pick this up and find a more generic way to fight comment spam using browser-invisible fields.
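To make the technique concrete, here is an added example (my own code, not rustylime’s) of a comment form with one CSS-hidden honey pot field and the server-side check that rejects submissions which fill it. The field name, the off-screen CSS trick, the accessibility attributes and the policy of also rejecting posts that omit the field entirely are my assumptions, not something the original post specifies.

```python
import html
from urllib.parse import parse_qs

# Assumption: a name that browser autofill will not recognise. A honey pot
# named "email" or "url" could be auto-filled by a real browser, which would
# turn a legitimate visitor into a false positive.
HONEYPOT_FIELD = "contact_url_extra"


def render_comment_form(action="/comment"):
    """HTML for a comment form with one honey pot field.

    The field is hidden with CSS (moved off-screen), not with type="hidden",
    so a bot that fills every text input it finds will fill it, while a
    browser never displays it. tabindex/aria-hidden keep keyboard and
    screen-reader users away from it as well (assumed accessibility measure).
    """
    return f"""<style>.hp-wrap {{ position: absolute; left: -9999px; }}</style>
<form method="post" action="{html.escape(action)}">
  <label>Name <input type="text" name="author"></label>
  <label>Comment <textarea name="body"></textarea></label>
  <div class="hp-wrap" aria-hidden="true">
    <label>Leave this field empty
      <input type="text" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Post comment</button>
</form>"""


def classify_submission(raw_body):
    """Classify an application/x-www-form-urlencoded POST body.

    Returns (verdict, reason) with verdict "accept" or "reject".
    """
    fields = parse_qs(raw_body, keep_blank_values=True)
    if HONEYPOT_FIELD not in fields:
        # The real form always submits the field, with an empty value.
        # Assumption: a POST without it was not produced from our form
        # (for instance a bot that stripped the invisible part), so reject.
        return "reject", "honeypot field missing"
    if fields[HONEYPOT_FIELD][0] != "":
        # Nobody can type into an off-screen field; content here means a
        # bot filled in every input it found.
        return "reject", "honeypot field filled"
    if not fields.get("body", [""])[0].strip():
        return "reject", "empty comment"
    return "accept", "honeypot empty"


# Constructed sample POST bodies: a human submission, a bot that filled
# everything, and a client that dropped the field altogether.
SAMPLE_HUMAN = "author=Mike&body=Nice+post&contact_url_extra="
SAMPLE_BOT = "author=x&body=buy+now&contact_url_extra=http%3A%2F%2Fexample.invalid"
SAMPLE_STRIPPED = "author=x&body=hello"
```

A real deployment would also log rejected submissions with the reason, so that the false positive rate the post talks about can actually be measured rather than assumed.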

  • http://www.securitybrigade.com Yash Kadakia

    I recently wrote a paper on Automated attack prevention techniques, that covers about 6 – 7 different methods to detect and block attack bots such as web scanners, site rippers, spammers etc.

    Take a look and let me know what you think ;)

  • http://www.thespanner.co.uk Gareth Heyes

    Yawn, they aren’t invisible, are they?

    This method can never work against spammers. All they need to do is use a regular expression against your css code and html code. It bugs me that anyone is considering using such methods because they are a waste of time.

  • http://www.whiteacid.org/ Sid

    I’ve seen things like this used before, iirc Chris Shiflett uses this. I’m pretty sure he knows it’s not a good method, but that he’s hoping he’ll simply fly under the radar.

  • Chris

    I don’t think Gareth is being fair – did he read the original? It is currently working, and has been working with 100% effectiveness, so how is that a waste of time? The guy does not claim to be a security expert, or even make any claim that this will always work. Clearly there are ways to get around it (and other counter measures that can be taken) but this does not invalidate it, if no-one is actually posting spam to his site.

  • http://www.rustylime.com Michael Ott

    Howdy. I can indeed verify that since the implementation (over 6 months ago) we have not had a single instance of comment spam (except for some jokers posting manual spam), whereas previously I would be manually removing up to a hundred a day.

    We are currently working on a version 2 honey pot with some improvements, which should satisfy accessibility concerns as well.

    Thanks for the positive feedback.

    Mike.
    http://www.rustylime.com

  • http://www.thespanner.co.uk Gareth Heyes

    Chris I am being fair, yes it might work in the short term but soon spammers will wise up and then write a 1 line regular expression to submit comment spam.

  • http://www.securitybrigade.com Yash Kadakia

    Gareth,

    What you are pointing towards is that it is not foolproof and can be defeated very easily.

    That’s true, but then again when you receive a few 100 spam comments a day and this will stop about 95 of them, it’s good enough.

  • http://www.rustylime.com Michael Ott

    It seems that, perhaps because of the exposure on this site, we are getting hit by spam bots again :-(

    I think it might be time to force registrations now, although that is not something I wanted to do.

    My only other option is to do what Youtube does – and simply not allow any comments to be posted that contain a URL.

    Man I hate fighting spam.

    Mike.
    http://www.rustylime.com

  • Gareth G

    Rustylime’s “version 2” approach, combined with filtering out any comments/etc containing “http”, “www”, “url” etc seems to be effective. I like the tarpit idea too – which should result in having your IP taken off a spambot’s list.

    Yes it’s a bit of a drag but not as much as having to delete spam comments on a daily basis :(

    Keep fighting the fight..

  • http://www.rustylime.com Michael Ott

    Gareth is correct. No spam since.

    Rusty Lime 1:
    Spammers: 0

    Mike.
    http://www.rustylime.com

    PS: I like this blog.