by Greg Dunlap

Module Monday: Honeypot

Fighting spam is an ongoing cat and mouse game as site owners come up with protections against spam, and spammers come up with increasingly impressive ways to bypass those protections. Solutions like Mollom have been popular in recent years; however, Mollom is tied to an external service and only works while that service is running smoothly. Additionally, it costs money if your site has a lot of traffic. CAPTCHA challenges are also a popular solution, but they have accessibility problems -- and automated tools are getting increasingly successful at bypassing them.

The Honeypot module takes a different tack towards spam prevention by using spammers' technology against them. Spambots will typically hit a form like the user registration page, fill in all the fields, and submit the form. Honeypot adds a hidden field to the form that users won't see but spambots will. If that field is filled in, you know you've found a bot and the submission is discarded.

Additionally, you can configure a required amount of time a form must be displayed before it is submitted. Spambots will blaze through a form and submit it instantly, but humans take a little longer.

This combination of tricks ends up blocking most automated attempts to fill out forms with absolutely no impact on usability for human visitors.
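The two checks described above can be sketched as server-side validation. This is an added example, not the Honeypot module's own code: the field names, secret and five-second limit are assumptions, and the HMAC over the render time is an addition so that a client cannot simply backdate the timestamp.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, never sent to clients
HONEYPOT_FIELD = "url"            # assumption: decoy input, hidden from humans with CSS
MIN_SECONDS = 5                   # assumption: minimum time a human needs on the form


def _sign(ts):
    """MAC over the render time so the hidden token cannot be forged."""
    return hmac.new(SECRET, str(ts).encode(), hashlib.sha256).hexdigest()


def render_token(now=None):
    """Value for a hidden form input: '<render time>:<mac>'."""
    ts = int(time.time() if now is None else now)
    return f"{ts}:{_sign(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a submitted form given as a dict."""
    now = time.time() if now is None else now
    # 1. Decoy field: humans never see it, so any value means an automated fill.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    # 2. Time restriction: the token must be authentic and old enough.
    ts_text, _, mac = form.get("render_token", "").partition(":")
    if not (ts_text.isascii() and ts_text.isdigit()):
        return False, "missing or forged render token"
    if not hmac.compare_digest(mac.encode(), _sign(int(ts_text)).encode()):
        return False, "missing or forged render token"
    if now - int(ts_text) < MIN_SECONDS:
        return False, "submitted too quickly"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed render time
    token = render_token(now=t0)
    print(check_submission({"name": "alice", "url": "", "render_token": token}, now=t0 + 30))
    print(check_submission({"name": "bot", "url": "http://spam.example", "render_token": token}, now=t0 + 30))
    print(check_submission({"name": "bot", "url": "", "render_token": token}, now=t0 + 1))
```

Because the token is computed per page view, a page carrying it cannot be served from a shared cache.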

Honeypot configuration form

Configuring Honeypot is pretty simple. After installing the module, you choose whether to protect all forms or only specific ones, and configure the time limit if you wish to use one. Honeypot also offers a 'Bypass Honeypot form submission' permission, allowing certain roles to use these forms unhindered. Finally, an API is offered to modify these configurations on the fly, or to add Honeypot protection to your own custom forms.

The module does have a couple of caveats. The most notable one is that using the time limit causes page caching to be disabled for any page containing a protected form. This can be devastating to site performance if you are protecting a form like user login, which can appear on every page.

Additionally, Honeypot is only useful against automated spam attempts. These days, spam is increasingly created by humans being paid per message left. This is where a tool like Mollom with its text analysis comes more into play. The combination of both tools can be a powerful weapon in the fight against spam on sites of all sizes.

You can also watch the (non-free) Drupalize.Me Honeypot video tutorial.