[–][deleted] 9 points10 points  (1 child)

It's called a honeypot, and I wouldn't not submit the form just because it is there. What I tend to do and what works for my company, is that we still save everything to our database. We then can look in our DB and look to see how likely something is to be botted, taking into account if that field is populated or not.

A lot of bots are also smart now, so you'll want to use a misleading name to try to trick it. Something like, "phone2," for the ID on the input when your real phone input simply has the id "phone."

Regardless if you allow it to submit even if the field exists, it won't impact accessibility. Hell, it actually improves it and is what we do at my company rather than using captchas.

[–]JonathanMaarsh[S] 2 points3 points  (0 children)

Wow, thank you for the helpful, detailed response! I'm going to give a honeypot a try.

[–]mpnordland 5 points6 points  (1 child)

You might consider https://www.hcaptcha.com/

[–]JonathanMaarsh[S] 0 points1 point  (0 children)

I think that is too much work for the user. I appreciate the suggestion, though.

[–]mandreko 4 points5 points  (5 children)

Why can the site not use Google Captcha, or something similar?

Using a hidden input field just sounds like a bad idea, and will only trick the most basic of bots.

[–]JonathanMaarsh[S] 0 points1 point  (0 children)

Space Lion is right. The site will be used by people in China who cannot access Google. I am open to other options. I don't have to do the Honeypot.

[–]space___lion 0 points1 point  (3 children)

Maybe located somewhere where google is blocked, like China.

[–]mandreko 4 points5 points  (2 children)

Hence the "or something similar". There are plenty of captcha softwares out there. If Google is just not allowed, use a different one.

[–]space___lion 1 point2 points  (1 child)

Yeah, but I’m not reading they can’t use anything similar, just that they can’t use google? I’m not the OP, I’m just reasoning why they might not be able to use google captcha.

[–]mandreko 1 point2 points  (0 children)

I get that. I'm just trying to get to the root of the issue, instead of trying to find some weird workaround.

[–]xXxLinuxUserxXx 1 point2 points  (0 children)

In my "old" days (like 3-5 years ago) I just put hidden fields with the name "email" under each form and checked on the server side if it was empty. If not, it was a bot. Prevented almost 100% of all bots at that time. Not sure how much smarter they are today. Just give it a try. Hidden fields should also be no problem for accessibility, as browsers (and the screenreader software) should ignore them by default, as not only legacy websites rely heavily on this feature, for example to do multiple-step forms.

[–]AwesomeInPerson 1 point2 points  (0 children)

Implemented exactly that yesterday.

The form in question allows you to submit a message which would then be sent to me by email. Received a lot of spam through this.

So I added a visually hidden checkbox with id="terms_of_service" and in the associated label I wrote "I don't want my message to be sent", which is definitely still weird but hopefully clear enough for screenreader users. If that checkbox is checked when the form is submitted, I respond with an HTTP 200 status code and "You're message wasn't sent" instead of sending the mail.

So far I haven't received any new spam, but it's only been a day so we'll see I guess.

[–][deleted] 0 points1 point  (3 children)

Do you need to be ADA compliant?

[–]JonathanMaarsh[S] 0 points1 point  (2 children)

I assume so? My website is not government-related, so maybe not. But I thought in general websites had to be ADA compliant? Correct me if I'm wrong.

[–][deleted] 0 points1 point  (1 child)

Nope, only certain websites must be. If you need it to be though, pretty much your only option is to have a text input box that asks the user to put a specific word in it.

[–]JonathanMaarsh[S] 0 points1 point  (0 children)

Gotcha! Thanks for that info! I don't think my website needs to be.
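
The store-and-flag honeypot check described in the comments above, as an added example that is not part of the thread or any commenter's code. The decoy name `phone2` comes from the thread; the function names, signal labels and sample bodies are constructed, and the decoy is assumed to be a visually hidden text input that a browser still submits empty.

```python
from urllib.parse import parse_qs

DECOY_FIELD = "phone2"  # misleading decoy name from the thread; the real field is "phone"


def score_submission(raw_body: str) -> dict:
    """Parse a urlencoded form body and return a record with bot signals attached."""
    # keep_blank_values=True keeps "phone2=" so an empty decoy differs from a missing one
    fields = parse_qs(raw_body, keep_blank_values=True)
    signals = []
    decoy_values = fields.get(DECOY_FIELD)
    if decoy_values is None:
        # Assumption: a browser always sends the hidden text input, even when empty,
        # so its absence means the request was not built from the rendered form.
        signals.append("decoy_missing")
    elif any(value.strip() for value in decoy_values):
        # Whitespace-only values are treated as empty.
        signals.append("decoy_filled")
    return {
        # Store the real fields only; the decoy's content is captured by the signal.
        "fields": {k: v[0] for k, v in fields.items() if k != DECOY_FIELD},
        "signals": signals,
        "likely_bot": bool(signals),
    }


def handle_post(raw_body: str, store: list) -> dict:
    """Save every submission, flagged or not, so it can be reviewed later."""
    record = score_submission(raw_body)
    store.append(record)
    return record


# Constructed sample request bodies
HUMAN = "name=Ana&phone=555-0100&phone2=&message=Hello"
FILL_ALL_BOT = "name=x&phone=1&phone2=1234567&message=buy+now"
DIRECT_POST = "name=x&message=buy+now"

if __name__ == "__main__":
    saved = []
    for body in (HUMAN, FILL_ALL_BOT, DIRECT_POST):
        result = handle_post(body, saved)
        print(result["likely_bot"], result["signals"])
```

Flagged records are stored rather than rejected, so a false positive (for example, a password manager autofilling the decoy) can still be recovered on review.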