Building a honeypot

I decided the other day that I had had enough of spambots raiding this site and sending me spam through my contact form. The immediate solution was, of course, to install a captcha as part of my contact form as a way of blocking them. But there are problems with captchas, not the least of which is legibility and accessibility. I think I have fairly decent eyes (even though I wear glasses), and I have a hard time reading some of the captchas. Plus, it flies in the face of anyone with accessibility issues. Surely, I thought, there must be a better way around this.

As it turns out, there is - build a honeypot to collect the IP addresses of the spambots and store them, then look the IP up when someone submits a contact form. I started off with the instructions here, but decided that I wanted something MySQL-based rather than text-file-based, for both speed and flexibility. I can also, if I decide to later, get statistics on how often banned IPs/user agents show up on the site, something I can't do as easily with a simple text file.

I changed the example given to the following:

So far so good; the script grabs the IP address and User Agent of anything that comes across it. It'll fire it into the database, and send me an email any time something gets caught. The next step is to set the trap, as described in the page I linked to earlier.

I peppered the link throughout my site after adding the honeypot folder to robots.txt, and put rel="nofollow" on the link. This does two things: first, it prevents legitimate crawlers, like GoogleBot, from getting stuck in the honeypot; second, the rel="nofollow" should also stop browsers from prefetching the honeypot (I wouldn't want normal people to be barred from using the contact form).

Next, I edited my contact submission form to check whether the current site visitor is listed in the banned IP address database. If so, it raises an error when the contact page is loaded; if not, it loads the contact page as normal. The code looks something like this:

Finally, I needed a way to add an IP address manually without too much trouble. I added a line to the email I receive from the contact form, linking to an IP submission page. This page takes the IP address and adds it to the database:
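The three pieces described above (the trap page that logs IP and user agent, the contact-form check, and the manual-add page) as one added example; this is not the post's own code. It uses an in-memory SQLite table standing in for the MySQL table, and the column names are assumptions, since the post does not show its schema.

```python
import ipaddress
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for the MySQL table in the post: an in-memory SQLite
# database so the example runs offline. Connect to MySQL instead for real use;
# the SQL below is plain enough to work on both.
SCHEMA = """
CREATE TABLE IF NOT EXISTS banned (
    ip         TEXT PRIMARY KEY,
    user_agent TEXT,
    first_seen TEXT NOT NULL,
    hits       INTEGER NOT NULL DEFAULT 1,
    source     TEXT NOT NULL            -- 'honeypot' or 'manual'
)
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def record_hit(db, ip, user_agent, source="honeypot"):
    """Called by the trap page. Returns True on a first sighting (the moment
    to send the notification email), False for a repeat visit, which is only
    counted so the per-IP statistics stay meaningful."""
    now = datetime.now(timezone.utc).isoformat()
    if db.execute("SELECT 1 FROM banned WHERE ip = ?", (ip,)).fetchone():
        db.execute("UPDATE banned SET hits = hits + 1 WHERE ip = ?", (ip,))
        db.commit()
        return False
    db.execute("INSERT INTO banned (ip, user_agent, first_seen, source) "
               "VALUES (?, ?, ?, ?)", (ip, user_agent, now, source))
    db.commit()
    return True

def is_banned(db, ip):
    """Checked by the contact page before it renders. The IP comes from the
    request, so it is bound as a parameter, never pasted into the SQL."""
    return db.execute("SELECT 1 FROM banned WHERE ip = ?", (ip,)).fetchone() is not None

def ban_manually(db, ip):
    """The hand-entry page linked from the notification email. Rejects
    anything that is not a syntactically valid IP before it reaches the DB."""
    ipaddress.ip_address(ip)          # raises ValueError on junk input
    return record_hit(db, ip, user_agent=None, source="manual")

def honeypot_stats(db):
    """Hits per banned IP: the kind of figure a flat text file can't give."""
    return dict(db.execute("SELECT ip, hits FROM banned ORDER BY hits DESC"))
```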

The original example had been created to ban spambots from crawling a site to gather email addresses. I wanted to take the safer way out and only applied it to my contact form. I have already caught a half-dozen spambots with it, and my contact form spam is already less than it was. Time will tell how effective it will be in the end, but for now I'm very happy with it.