> Maybe they should change the button to say, "I am a robot"?
A long time ago I saw a post where someone running a blog was having trouble keeping spam out of their comments, and eventually had this same idea. The spambots just filled out every form field they could, so he added a checkbox, hid the checkbox with CSS, and rejected any submission that included it. At least at the time it worked far better than anything else they'd tried.
This was a common approach called a "honeypot". As I recall, bots eventually overcame this approach by evaluating visibility of elements and only filling out visible elements. We then started ensuring the element was technically visible (i.e. not `display: none` or `visibility: hidden`) and instead absolutely positioning elements to be off screen. Then the bots started evaluating for that as well. They also got better at reading the text for each input.
Yeah, this is a classic honeypot trick and very easy to do with pure HTML/CSS. I used a hidden "Name" text field which I figured would be appealing to bots.
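The hidden-field check described in the comments above, as an added example that is not part of the original thread. The decoy names `name` and `confirm`, the form markup and the sample POST bodies are constructed for illustration; the point it adds is that a text decoy is always submitted (empty) by a real browser, so the server has to test its value, not its presence.

```python
from urllib.parse import parse_qs

# Hypothetical decoy fields: a text input and a checkbox (assumed names).
HONEYPOT_FIELDS = ("name", "confirm")

# Constructed markup: decoys sit off screen instead of display:none, and are
# kept out of tab order and autofill so people and form fillers skip them.
FORM_HTML = """
<form method="post" action="/comment">
  <div style="position:absolute; left:-9999px" aria-hidden="true">
    <input type="text" name="name" tabindex="-1" autocomplete="off">
    <input type="checkbox" name="confirm" value="1" tabindex="-1">
  </div>
  <input type="text" name="author">
  <textarea name="comment"></textarea>
  <button type="submit">Post</button>
</form>
"""

def included_decoys(body: str) -> list[str]:
    """Decoys whose key appears in the POST body at all (the naive test)."""
    fields = parse_qs(body, keep_blank_values=True)
    return [f for f in HONEYPOT_FIELDS if f in fields]

def tripped_honeypots(body: str) -> list[str]:
    """Decoys that carry a non-blank value, which a human never supplies."""
    fields = parse_qs(body, keep_blank_values=True)
    return [f for f in HONEYPOT_FIELDS
            if any(v.strip() for v in fields.get(f, []))]

def accept_submission(body: str) -> bool:
    """Accept only when no decoy field was filled in."""
    return not tripped_honeypots(body)

# Constructed sample bodies.
HUMAN = "name=&author=Ann&comment=Nice+post"               # empty text decoy, unchecked box absent
FILL_ALL_BOT = "name=Bob&confirm=1&author=Bob&comment=hi"  # fills every field it finds
VISIBLE_ONLY_BOT = "author=Bob&comment=hi"                 # skips off-screen inputs

if __name__ == "__main__":
    for label, body in [("human", HUMAN), ("fill-all bot", FILL_ALL_BOT),
                        ("visible-only bot", VISIBLE_ONLY_BOT)]:
        print(f"{label:17} included={included_decoys(body)} "
              f"tripped={tripped_honeypots(body)} accept={accept_submission(body)}")
```

The third sample passes the check, which is the limitation raised earlier in the thread: a client that only fills inputs it judges visible never touches the decoys.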
That's more or less how Project Honey Pot [0] worked for forums, blogs, and elsewhere. Cloudflare spawned from this project, as I remember, and Matthew Prince was the founder.
I know people who did this decades ago and it worked.
I did something almost identical. I think I added a bogus "BCC:" field (many moons ago).
It worked almost 100% of the time. No need for a CAPTCHA.
Would not work in this case, because it is actually rendering the page in a browser.
Something like this is used in some Discord servers. You can make a honeypot channel that bans anyone who posts in it, so if you do happen to get a spam bot that posts in every channel it effectively bans itself.