Increased Volume of Spam w/ Honeypot Enabled

Has anyone else noticed an uptick in spam on forms that have honeypot enabled? I’ve seen this on at least three of my contact forms in the past couple weeks. Any solutions for better mediating these w/o the necessity of a visual captcha? It’d be great to see recaptcha v3 support.

4 Likes

We’ve been seeing a lot more spam coming through forms even when using the honeypot field. Seems like the spammers are getting smarter. We’re looking at ways to improve the effectiveness of the honeypot. Thank you.

3 Likes

Good to know I’m not alone and this will be given some attention. I figured it might be that those bots are simply learning.

I’d be happy to hear some suggestions for this.

I work at a Dutch webhosting company and we’ve seen loads of messages from users that are getting spammed. Not just through their email accounts, but lots sent through comment-forms & form plugins.

With spam it’s just this annoying circle we’re stuck in. Filters get better, spammers find a way to get past them, filters get better & other solutions are integrated (i.e. SPF for spoofing) and spammers find a way to get past them.

So I’d say it appears to be a more general uptake in spammers. We usually recommend integrating reCAPTCHA in all forms and personally I always install Antispam Bee as well (for the comment forms anyway).

1 Like

There’s not any single method that can catch all spammers. Best practice is always to combine different methods at once. In Gravity Forms you can enable the Honeypot + reCAPTCHA + Akismet integration.

Honeypot and reCAPTCHA will take care of spammers in the browser side of things, and Akismet after form submission. So if the spammer was able to sort out both Honeypot and reCAPTCHA, the submission will still have to pass the Akismet database filter.

Bear in mind spam is not always done by dummy bots; there are also low-paid humans doing spam, so things like the Honeypot field that are intended for bots will be useless for these kinds of spammers.

There are also some third-party services like https://www.cloudflare.com and https://www.incapsula.com/ that could help to prevent the spammers from reaching your site.

3 Likes

Unfortunately we cannot use Akismet in the E.U. Can you offer an integration for AntispamBee too? Also, will you let us know if you improve Honeypot so we can give it a try then? My clients are not so happy with the increased number of spam messages. It was one of the features why I recommended GravityForms. Thanks.

Just to bring this thread back to life. Wanted to chime in that during the past month, the amount of spam on all of the sites I use GF has shot up. I’m already using the honeypot, but started to implement reCAPTCHA for just about everything.
Not sure if there is something else the team at GF can do?

There’s not much the Gravity Forms team can do. It’s a problem lately, across all sorts of submitted content in forms, not just Gravity Forms. This support response was written by @sacom at Gravity Forms support:

Fighting against spam is not always easy; spammers are evolving and learning constantly to bypass known anti-spam methods. And also, many times these spam attacks are performed by large teams of humans, not bots, so automated methods are not effective to stop them. Because of that, Gravity Forms provides you some different anti-spam solutions, but we can’t guarantee that any of them will be the all-encompassing solution to eliminate the spam in your forms.

For better results we recommend combining more than one spam technique at once (e.g. Akismet + Honeypot + reCAPTCHA); that will protect your forms from different types of spammers.

If none of the anti-spam methods available in Gravity Forms are helping to stop the spammers, there are also some third-party services like https://www.cloudflare.com that could help to prevent the spammers from reaching your site. They already know a large number of IPs associated with spammers and bad behavior, and they block these IPs automatically; in addition to that, you can create your own firewall rules to block even entire countries. E.g., if you receive a lot of spam from any specific country, and you don’t expect any legit visitors from that country, you can block the entire country with CloudFlare firewall. This way you would be not only blocking spammers but also not wasting precious server data transfer on unwanted visitors.

Feel free to contact CloudFlare support if you want more details about their services.

You can also check User IP in entries submitted by the spammers and ask your host to block access to your site to these IPs or a range of them.

There must be something you can do to make the built-in honeypot perform better. “There’s not much we can do” is not a good enough answer. I use GF extensively and also on new websites. As soon as GF is installed on a new website bang there comes the - mostly Russian - spam. The website is barely discovered and the spam starts! I also use a competing WP form builder and I hardly get any spam from their forms. I think I pay good money to use GF, I think you could improve your honeypot. I don’t like using reCAPTCHA, nor do I like the added work. I prefer honeypot. I like GF but the spam is annoying and if I don’t need too complex of a form I prefer to use a competing product because I know the spam will arrive using GF as soon as I hit publish.

6 Likes

One thing we’ve done is use conditional logic on our contact forms, hiding the Submit button if the message contains “http”. However, we’ve learned that if someone copies/pastes the URL, the conditional logic doesn’t catch it. It’s slowed the tide somewhat, but not nearly as much as we had hoped. And of course there’s the issue of the Russian spam.

So, hiding the submit button helps, anyway. But it would be great to see an improvement on the honeypot or other improvements without resorting to Akismet or something else we’ll need to bill our client for.

3 Likes

That’s a great idea - I’m testing it out on one of the affected sites! Form settings and then:

1 Like

I’ve set my forms to hide the submit button if “.ru” or “http” is included, for example. But, these forms of spam are still making it through. I know it’s not a character swap issue, because when I copy and paste the messages directly into the form - the button gets hidden! What the heck is happening? How are the spambots getting around the fact there is no submit button?

I recommend opening a support ticket so we can get further information from you:

https://www.gravityforms.com/open-support-ticket/

I have been battling that as well. I can’t seem to stop them from getting through. Site is hardened, honeypot turned on, I tried implementing Akismet and still I’m getting them daily through our Gravity Forms contact us forms… Sucuri says site is clean etc… Feeling very defeated with it right now.

It would be nice if there was an option to block any HTML on the message field or the ability to block out entire character sets.

1 Like
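
A server-side version of the content rules discussed in this thread (links, “.ru”, HTML, a character set), as an added example that is not from any poster or from Gravity Forms. It hooks the plugin's `gform_entry_is_spam` filter; the function names, the rule set and the 30% Cyrillic threshold are assumptions for illustration.

```php
<?php
// Added example (not Gravity Forms' own code). Rules and threshold are assumptions.

/** Return the reasons a message matches the spam patterns described in the thread. */
function example_spam_reasons( string $text ): array {
    $reasons = array();

    // Links with or without a scheme: "http://x", "www.x", "something.ru".
    if ( preg_match( '~(?:https?://|www\.)|\b[a-z0-9-]+\.ru\b~i', $text ) ) {
        $reasons[] = 'link';
    }
    // HTML tags or BBCode-style link tags such as [url=...].
    if ( preg_match( '~<\s*/?\s*[a-z][^>]*>|\[(?:url|link)[=\]]~i', $text ) ) {
        $reasons[] = 'markup';
    }
    // Share of letters that are Cyrillic (one "character set" rule).
    // preg_match_all returns false on invalid UTF-8, hence the int casts.
    $letters  = (int) preg_match_all( '~\p{L}~u', $text );
    $cyrillic = (int) preg_match_all( '~\p{Cyrillic}~u', $text );
    if ( $letters > 0 && ( $cyrillic / $letters ) > 0.3 ) {
        $reasons[] = 'cyrillic';
    }
    return $reasons;
}

/** Filter callback: mark the entry as spam if any paragraph-text field matches. */
function example_gf_flag_spam( $is_spam, $form, $entry ) {
    if ( $is_spam ) {
        return true; // Already flagged by another check (honeypot, Akismet, ...).
    }
    foreach ( $form['fields'] as $field ) {
        if ( 'textarea' !== $field->type ) {
            continue; // Only inspect free-text message fields.
        }
        $value = (string) ( $entry[ (string) $field->id ] ?? '' );
        if ( example_spam_reasons( $value ) ) {
            return true;
        }
    }
    return false;
}

// Register only when running inside WordPress.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'gform_entry_is_spam', 'example_gf_flag_spam', 10, 3 );
}
```

Because the filter runs on the server when the submission is processed, the result does not depend on what the browser rendered or whether a submit button was visible.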

It would be helpful to add language detection so we can prevent submission of content based on language.

4 Likes

I went to the extreme a couple days ago. Most of the spam content has been pretty benign, but one we received on Monday sent me over the edge (porn links and a lingerie photo were included).

Here’s what I did:

Created a quiz that only shows if any of the conditional logic below is true:
If email contains .ru
If company equals google
If comments contains http

Quiz that displays: What is 2+3?
The difference maker - The answer to the quiz is not 5 :wink:

My hope is that after they enter “5” a few times and continue to receive the same “please check your math” error, they will give up and move on to another form.

I went back and checked legit submissions and found that no one has added http in the comments, we don’t get any clients from Russia, and Google will more than likely not be looking for our product.

This is pretty extreme and there’s a chance we may block a legitimate lead here and there, but I don’t think it will happen. Plus, we have other forms on the site that don’t have a comments field that the spam submitters (can’t even call them bots any more) ignore. They sure do have a lot to say!

3 Likes

Hi all!

Just wanted to suggest installing our Zero Spam plugin. It works in combination with the existing honeypot field, Akismet, etc.

It’s very lightweight and addresses bot traffic really well.

3 Likes

I have been using your plugin on quite a few sites and it is doing a great job.

3 Likes