A few days ago Phil Haack wrote about Honeypot Captcha:

At the same time, spam bots tend to ignore CSS. For example, if you use CSS to hide a form field (especially via CSS in a separate file), they have a really hard time knowing that the field is not supposed to be visible.

To exploit this, you can create a honeypot form field that should be left blank and then use CSS to hide it from human users, but not bots. When the form is submitted, you check to make sure the value of that form field is blank.

A great idea, which didn’t occur to me before. And Phil wasn’t even the first one with that idea.

I added a “regular” captcha control to my site some time ago, but removed it again after a couple of days. Why burden the innocent commenter? He’s not the problem. The comment spammers are.

So I took the idea of the honeypot and leveraged Community Server’s spam filtering capabilities.

First, I replaced Community Server’s original WeblogPostCommentForm with my own version by simply copying it to my own assembly. (If you build CS from the SDK, you can also just edit the existing one.)

  1. Added the private member

    private TextBox HoneyPot;

  2. Added the property HoneyPotTextBoxId, which references the actual TextBox in the form:

    public string HoneyPotTextBoxId
    {
        get { return ((string)ViewState["HoneyPotTextBoxId"]) ?? string.Empty; }
        set { ViewState["HoneyPotTextBoxId"] = value; }
    }

  3. Added the following lines to the method AttachChildControls:

    // Look up the honeypot TextBox declared in the form by its configured id.
    HoneyPot = WeblogControlUtility.Instance().FindControl(this, HoneyPotTextBoxId) as TextBox;
    // Emit a startup script that hides the field once the page has loaded.
    StringBuilder sb = new StringBuilder();
    sb.AppendLine("\n<script type=\"text/javascript\">");
    sb.AppendLine("document.getElementById(\"" + HoneyPot.ClientID + "\").style.display = \"none\";");
    sb.AppendLine("</script>");
    CSControlUtility.Instance().RegisterStartupScript(HoneyPot, typeof (TextBox), "honeypot", sb.ToString(), false);

    You see that the honeypot field is hidden dynamically via JavaScript. No CSS is giving a hint to the spammer that the control will not be visible. Instead, as soon as the page is loaded, the textbox will be hidden programmatically.

  4. Added the following lines in Submit_Click right before WeblogPosts.Add is called:

    // A non-empty honeypot value marks the comment; the spam rule scores it later.
    if (!string.IsNullOrEmpty(HoneyPot.Text)) {
        EventLogs.Info("Spammer entered \"" + HoneyPot.Text + "\" in the honey pot", "Spam Rules", 0);
        c.SetExtendedAttribute("GotchaInMyHoneyPot", "trapped");
    }

    So whenever the honeypot textbox is filled in, the comment gets an extended attribute named GotchaInMyHoneyPot.

Now this new form must be used on the actual page. Only one page per theme allows visitors to leave comments: post.aspx. Unfortunately, the change must be made for every theme.

So open post.aspx and replace the original WeblogPostCommentForm with our new one, add the HoneyPotTextBoxId attribute to the form, and add the textbox. Don’t forget to use the same id for the textbox (this example uses tbBody, which shouldn’t ring a bell for the spammer.) Here’s the modified form declaration from the PaperClip theme:

<tfr:HoneyPotWeblogPostCommentForm runat="server" ValidationGroup="CreateCommentForm" 
        <CSControl:GoToModifiedUrlAction runat="server" QueryStringModification="CommentPosted=true" TargetLocationModification="commentmessage" /> 
        <fieldset id="commentform"> 
        <legend><CSControl:ResourceControl runat="server" ResourceName="Weblog_CommentForm_WhatDoYouThink" id="rc_think"/></legend> 
            <p /> 
            <div><CSControl:FormLabel runat="server" ResourceName="Title" LabelForId="tbTitle" /> <em>(<CSControl:ResourceControl runat="server" ResourceName="Required"/>)</em><asp:RequiredFieldValidator runat="server" ErrorMessage="*" ControlToValidate="tbTitle" ValidationGroup="CreateCommentForm" /></div> 
            <div><asp:TextBox id="tbTitle" runat="server" CssClass="smallbox" ValidationGroup="CreateCommentForm" /></div> 
            <p /> 
            <div id="NameTitle" runat="server"><CSControl:FormLabel LabelForId="tbName" runat="server" ResourceName="Weblog_CommentForm_Name" /> <em>(<CSControl:ResourceControl runat="server" ResourceName="Required" />)</em><asp:RequiredFieldValidator runat="server" ErrorMessage="*" ControlToValidate="tbName" ValidationGroup="CreateCommentForm" /></div> 
            <div id="NameDesc" runat="server"><asp:TextBox id="tbName" runat="server" CssClass="smallbox" ValidationGroup="CreateCommentForm" /></div> 
            <p /> 
            <div><CSControl:FormLabel runat="server" LabelForId="tbUrl" ResourceName="Weblog_CommentForm_YourUrl" /> <em>(<CSControl:ResourceControl runat="server" ResourceName="Optional" /></em>)</div> 
            <div><asp:TextBox id="tbUrl" runat="server" CssClass="smallbox" ValidationGroup="CreateCommentForm" /></div> 
            <%-- the honeypot textbox --%> 
            <asp:TextBox id="tbBody" runat="server" CssClass="smallbox" ValidationGroup="CreateCommentForm" /> 
            <p /> 
            <div><CSControl:FormLabel LabelForId="tbComment" runat="server" ResourceName="Weblog_CommentForm_Comments" /> <em>(<CSControl:ResourceControl runat="server" ResourceName="Required" />)</em><asp:RequiredFieldValidator runat="server" ErrorMessage="*" ControlToValidate="tbComment" ValidationGroup="CreateCommentForm" /></div> 
            <div><asp:TextBox id="tbComment" runat="server" Rows="5" Columns="25" TextMode="MultiLine" ValidationGroup="CreateCommentForm" /></div> 
            <asp:PlaceHolder runat="server" id="RememberWrapper"> 
                <p /> 
                <div><asp:CheckBox id="chkRemember" runat="server" Text="Remember Me?" ValidationGroup="CreateCommentForm"></asp:CheckBox></div> 
            <p /> 
            <asp:Button id="btnSubmit" runat="server" Text="Submit" ValidationGroup="CreateCommentForm"></asp:Button> 

But that’s only the first half. Now whenever the honeypot field is filled with some text the comment will have an extended attribute GotchaInMyHoneyPot.

The second step is to give the comment “spam points”, which is done by a CS spam rule. Keyvan Nayyeri published a complete tutorial on how to write your own spam rules, so I won’t go into details. Here’s the complete code for the new rule:

using System;
using System.Collections;

public class HoneyPotRule : BlogSpamRule {
    private static readonly Guid _ruleId = new Guid("57E216D4-D100-468d-BB37-1B7A0A103CEF");
    private const int _defaultPoints = 10;

    // Expose the number of points as a configurable rule setting.
    public override ArrayList GetAvailableSettings() {
        ArrayList list = new ArrayList();
        list.Add(new RuleSetting(_ruleId, "points", "Points", _defaultPoints.ToString()));
        return list;
    }

    // Award the configured points to comments flagged by the form.
    public override int CalculateSpamScore(WeblogPost weblogPost, CSPostEventArgs e) {
        if (weblogPost.BlogPostType == BlogPostType.Comment) {
            if (!String.IsNullOrEmpty(weblogPost.GetExtendedAttribute("GotchaInMyHoneyPot"))) {
                EventLogs.Info("A spammer fell for the honey pot", "Spam Rules", 0);
                return Globals.SafeInt(GetSettingValue("points"), _defaultPoints);
            }
        }

        return base.CalculateSpamScore(weblogPost, e);
    }

    public override string Name {
        get { return "HoneyPot"; }
    }

    public override string Description {
        get { return "HoneyPot description"; }
    }

    public override Guid RuleID {
        get { return _ruleId; }
    }
}
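The two halves above (the form sets a flag, a rule turns the flag into points) as a stand-alone console program. This is an added example, not Community Server code: the Comment class, the threshold of 10 and the link-count rule are assumptions made for illustration, and the submissions are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in for a Community Server comment (hypothetical type, not the CS API).
class Comment {
    public string Body = "";
    public Dictionary<string, string> Extended = new Dictionary<string, string>();
}

static class HoneypotDemo {
    const string Flag = "GotchaInMyHoneyPot"; // attribute name used on the page
    const int HoneypotPoints = 10;            // the rule's default on the page
    const int SpamThreshold = 10;             // assumed moderation threshold

    // Step 1, form handler: flag the comment when the hidden field comes back filled.
    static Comment Submit(IDictionary<string, string> form) {
        string body, trap;
        var c = new Comment { Body = form.TryGetValue("tbComment", out body) ? body : "" };
        if (form.TryGetValue("tbBody", out trap) && !string.IsNullOrEmpty(trap))
            c.Extended[Flag] = "trapped";
        return c;
    }

    // Step 2, spam rules: each rule adds points; the honeypot rule only reads the flag.
    static readonly Func<Comment, int>[] Rules = {
        c => c.Extended.ContainsKey(Flag) ? HoneypotPoints : 0,
        // Constructed second rule: three or more links add 5 points.
        c => c.Body.Split(new[] { "http://" }, StringSplitOptions.None).Length > 3 ? 5 : 0,
    };

    static int Score(Comment c) { return Rules.Sum(rule => rule(c)); }

    static void Main() {
        // Constructed submissions: field name -> posted value.
        var samples = new Dictionary<string, Dictionary<string, string>> {
            { "human, honeypot left empty", new Dictionary<string, string> {
                { "tbComment", "Nice post!" }, { "tbBody", "" } } },
            { "client that fills every textbox", new Dictionary<string, string> {
                { "tbComment", "cheap pills" }, { "tbBody", "cheap pills" } } },
            { "client that never posts tbBody", new Dictionary<string, string> {
                { "tbComment", "cheap pills" } } },
        };
        foreach (var s in samples) {
            int score = Score(Submit(s.Value));
            string verdict = score >= SpamThreshold ? "held as spam" : "published";
            Console.WriteLine("{0}: {1} points, {2}", s.Key, score, verdict);
        }
    }
}
```

The third sample shows where this rule contributes nothing: a submission without the honeypot field scores zero here, so the honeypot works alongside the other spam rules rather than replacing them.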

I’ve been running this solution on my site for a couple of days now, and it works pretty well. It’s amazing how many spam bots fill each and every textbox they can find. But I admit that a lot of steps are involved in my solution, and there’s a lot of programming required. However, I decided against publishing an all-inclusive package, because I’d like to add this solution to the next release of either the CSMVP CSModules or Community Server Stuff. So either follow my instructions above, wait for an official release, or leverage Phil’s honeypot control, which is part of the Subkismet project (not released yet either, but you can already get the sources).




Very cool! Regarding using CSS to hide the field, we’re going to update the Subkismet control to use a Web Resource handler so that the CSS is in a different file.

That way the control itself doesn’t give any clue that it is invisible.

The reason I want to use CSS for the honeypot is that I’m using Javascript for the Invisible Captcha. http://haacked.com/archive/…

It’s sort of my two-prong approach against spam bots. So far, Invisible Captcha catches all comment spam on my blog. It just doesn’t deal with trackbacks/pingbacks for obvious reasons.
