Comment by Izkata
3 days ago
> Maybe they should change the button to say, "I am a robot"?
Long time ago I saw a post where someone running a blog was having trouble keeping spam out of their comments, and eventually had this same idea. The spambots just filled out every form field they could, so he added a checkbox, hid the checkbox with CSS, and rejected any submission that included it. At least at the time it worked far better than anything else they'd tried.
Something like this is used in some Discord servers. You can make a honeypot channel that bans anyone who posts in it, so if you do happen to get a spam bot that posts in every channel it effectively bans itself.
Most web forums I used to visit had something like that back in the day. Worked against primitive pre-LLM bots and presumably also against non-English-reading human spammers.
There is a new method with the 'server onboarding' where if you select a role when joining it auto bans you.
This was a common approach called a "honeypot". As I recall, bots eventually overcame this approach by evaluating visibility of elements and only filling out visible elements. We then started ensuring the element was technically visible (i.e. not `display: none` or `visibility: hidden`) and instead absolutely positioning elements to be off screen. Then the bots started evaluating for that as well. They also got better at reading the text for each input.
Each step in that chain is harder to do and more computationally expensive.
Yeah, this is a classic honeypot trick and very easy to do with pure HTML/CSS. I used a hidden "Name" text field which I figured would be appealing to bots.
That's more or less how Project Honey Pot [0] worked for forums, blogs, and elsewhere. Cloudflare spawned from this project, as I remember, and Matthew Prince was the founder.
[0]: https://en.wikipedia.org/wiki/Project_Honey_Pot
I did something almost identical. I think I added a bogus "BCC:" field (many moons ago).
It worked almost 100% of the time. No need for a CAPTCHA.
I know people who did this decades ago and it worked.
Would not work in this case, because it is actually rendering the page in a browser.
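
The hidden-field honeypot described in the comments above, as an added example that is not part of the thread or any commenter's code. The field names `name` and `subscribe`, the `/comment` action and the sample request bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Hypothetical field names: two decoys mirroring the thread's hidden checkbox
# and hidden "Name" text field, next to the one real field ("comment").
HONEYPOT_CHECKBOX = "subscribe"   # decoy checkbox; browsers omit unchecked boxes
HONEYPOT_TEXT = "name"            # decoy text input; browsers send it empty

# Decoys are positioned off screen rather than display:none, and kept out of the
# tab order and the accessibility tree so real users do not interact with them.
FORM_HTML = """\
<form method="post" action="/comment">
  <label>Comment <textarea name="comment"></textarea></label>
  <div style="position:absolute; left:-9999px" aria-hidden="true">
    <input type="text" name="name" tabindex="-1" autocomplete="off">
    <input type="checkbox" name="subscribe" tabindex="-1">
  </div>
  <button type="submit">Post</button>
</form>
"""

def check_submission(body: str) -> tuple[bool, str]:
    """Return (accepted, reason) for an application/x-www-form-urlencoded body."""
    # keep_blank_values=True so an empty decoy text field still shows up here.
    fields = parse_qs(body, keep_blank_values=True)
    # A checkbox is only transmitted when ticked, so its mere presence is a hit.
    if HONEYPOT_CHECKBOX in fields:
        return False, "honeypot checkbox submitted"
    # A text input is always transmitted; only a non-empty value is a hit.
    if any(v.strip() for v in fields.get(HONEYPOT_TEXT, [])):
        return False, "honeypot text field filled"
    if not any(v.strip() for v in fields.get("comment", [])):
        return False, "empty comment"
    return True, "ok"

# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "human": "comment=Nice+post&name=",
    "fill_everything_bot": "comment=buy+pills&name=Bob&subscribe=on",
    "checkbox_only_bot": "comment=buy+pills&name=&subscribe=on",
    "visible_fields_only_bot": "comment=buy+pills&name=",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, check_submission(body))
```

The `visible_fields_only_bot` sample is accepted: a client that fills only visible inputs sends the same body as a human, which is the limitation the later comments point out.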