Increased Volume of Spam w/ Honeypot Enabled

Has anyone else noticed an uptick in spam on forms that have honeypot enabled? I’ve seen this on at least three of my contact forms in the past couple weeks. Any solutions for better mediating these w/o the necessity of a visual captcha? It’d be great to see recaptcha v3 support.

4 Likes

We’ve been seeing a lot more spam coming through forms even when using the honeypot field. Seems like the spammers are getting smarter. We’re looking at ways to improve the effectiveness of the honeypot. Thank you.

3 Likes

Good to know I’m not alone and this will be given some attention. I figured it might be that those bots are simply learning.

I’d be happy to hear some suggestions for this.

I work at a Dutch webhosting company and we’ve seen loads of messages from users that are getting spammed. Not just through their email accounts, but lots sent through comment-forms & form plugins.

With spam its just this annoying circle we’re stuck in. Filters get better, spammers find a way to get past them, filters get better & other solutions are integrated (ie. SPF for spoofing) and spammers find a way to get past them.

So I’d say it appears to be a more general uptake in spammers. We usually recommend integrating reCAPTCHA in all forms and personally I always install Antispam Bee as well (for the comment forms anyway).

1 Like

There’s not any single method that can catch all spammers. Best practice is always to combine different methods at once. In Gravity Forms you can enable the Honeypot + reCAPTCHA + Akismet integration.

Honeypot and reCAPTCHA will take care of spammers in the browser side of things, and Akismet after form submission. So if the spammer was able to sort out both Honeypot and reCAPTCHA, the submission will still have to pass the Akismet database filter.

Bear in mind spam is not always done by dummy bots, there are also low paid humans doing spam, so things like the Honeypot field that are intended for bots, will be useless for this kind of spammers.

There are also some third-party services like https://www.cloudflare.com and https://www.incapsula.com/ that could help to prevent the spammers to reach your site.

3 Likes

Unfortunately we can not use Akismet in the E.U. Can you offer a integration for AntispamBee too? Also, will you let us know if you improve Honeypot so we can give it a try then? My clients are not so happy with the increased number of spam messages. It was one of the features why I recommended GravityForms. Thanks.

Just to bring this thread back to life. Wanted to chime in that during the past month, the amount of spam on all of the sites I use GF has shot up. I’m already using the honeypot, but started to implement reCAPTCHA for just about everything.
Not sure if there is something else the team at GF can do?

There’s not much the Gravity Forms team can do. It’s a problem lately, across all sorts of submitted content in forms, not just Gravity Forms. This support response was written by @sacom at Gravity Forms support:

Fighting against spam is not always easy, spammers are evolving and learning constantly to bypass known anti-spam methods. And also many times these spam attacks are performed by large teams of humans not bots, so automated methods are not effective to stop them. Because of that Gravity Forms provides you some different anti-spam solutions but we can’t guarantee that any of them will be the all encompassing solution to eliminate the spam in your forms.

For better results we recommend combining more than one spam technique at once (e.g. Akismet + Honeypot + reCAPTCHA), that will protect your forms from different spammers type.

If none of the anti-spam methods available in Gravity Forms are helping to stop the spammers. There are also some third-party services like https://www.cloudflare.com that could help to prevent the spammers to reach your site. They already know a large number of IP’s associated to spammers and bad behavior, and they block these IP’s automatically, also in addition to that you can create your own firewall rules to block even entire countries. e.g. If you receive a lot of spam from any specific country, and you don’t expect any legit visitors from that country, you can block the entire country with CloudFlare firewall. This way you would be not only blocking spammers but also not wasting precious server data transfer in unwanted visitors.

Feel free to contact with CloudFlare support if you want more details about their services.

You can also check User IP in entries submitted by the spammers and ask your host to block access to your site to these IP’s or a range of them.

There must be something you can do to make the build-in honeypot perform better. “There’s not much we can do” is not a good enough answer. I use GF extensively and also on new websites. As soon as GF is installed on a new website bang there comes the - mostly Russian - spam. The website is barely discovered and the spam starts! I also use a competing WP form builder and I hardly get any spam from their forms. I think I pay good money to use GF, I think you could improve your honeypot. I don’t like using recaptcha, nor do I like the added work. I prefer honeypot. I like GF but the spam is annoying and if I don’t need too complex of a form I prefer to use a competing product because I know the spam will arrive using GF as soon as I hit publish.

3 Likes

One thing we’ve done is use conditional logic on our contact forms, hiding the Submit button if the message contains “http”. However, we’ve learned that if someone copies/pastes the URL, the conditional logic doesn’t catch it. It’s slowed the tide somewhat, but not nearly as much as we had hoped. And of course there’s the issue of the Russian spam.

So, hiding the submit button helps, anyway. But it would be great to see an improvement on the honeypot or other improvements without resorting to Akismet or something else we’ll need to bill our client for.

2 Likes

That’s a great idea - I’m testing it out on one of the affected sites! Form settings and then:
37%20PM

1 Like

I’ve set my forms to hide the submit button if “.ru” or “http” is included, for example. But, these forms of spam are still making it through. I know its not a character swap issue, because when I copy and paste the messages directly into the form - the button gets hidden! What the heck is happening? How are the spambots getting around the fact there is no submit button?

I recommend opening a support ticket so we can get further information from you:

https://www.gravityforms.com/open-support-ticket/

© 2008 - 2019. Gravity Forms is a project by Rocketgenius Inc.