ianlandsman
commented
12 years ago Hard to say, if the bot is going to wait for the css then it might let the JS render also. JS def isn't a definitive solution, though it will slightly raise the bar. I think we should keep it like this for now and see how it goes. I am going to make the time element harder to bypass by encrypting it here shortly. Then they'll be no way around waiting the time.
I'm not really sure if using inline css to hide the honeypot is the best way to hide it to human users.
Might spambots parse the css, discover it's hidden from users, and leave it empty on purpose?
I think JS is less likely to be executed by spambots, so the solution might be more bulletproof.
What's your say?