nliautaud / p01contact

Create contact forms by writing simple tags. Also a plugin for GetSimple and Pico CMS.
MIT License

Honeypot issues #60

Open VIPStephan opened 3 years ago

VIPStephan commented 3 years ago

I’m getting spam emails despite having the honeypot setting checked, so I was going to see what I can do. Is the honeypot field that hidden checkbox with name “p01-contact_fields[totally_legit]”? I have no idea how spam bots work but isn’t a plain checkbox a little too simple to get around?

Also, I tried to uncheck the setting to use a honeypot field out of curiosity, but apparently this isn’t working, i.e. after saving the settings it will still/again be checked.

ohnonot commented 3 years ago

I'm also getting spam every now and then. If it's created by a human actually sitting at a browser, no hidden checkbox will help. But I suspect that some bots also get around the honeypot. With PicoCMS gaining popularity, this is likely to happen more often. Looking at my access logs, I think renaming your contact page link from /contact to something less obvious should help already. The pesky ones - I tell my firewall to block their IPs. Thankfully this plugin sends emails that include the sender's IP address.

nliautaud commented 3 years ago

The honeypot is indeed a very basic protection that probably most of the bots nowadays are able to bypass. I included it at the time because... why not.

The only fireproof solution that I knew of was advanced captchas, and without enabling that, the sum of the default mechanisms that I implemented seemed to filter most of the spam.

I didn't study the subject for a while, but feel free to give insights about possible improvements.

VIPStephan commented 3 years ago

I think honeypots are still a good basic protection. But I also think that a text field would be better than a plain checkbox. My gut feeling tells me that bots are trained to fill out text fields but don’t care too much about checkboxes. So, perhaps let’s try to change the current checkbox for a text field (or even have both?) and see whether that helps?
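To make the thread's suggestion concrete, here is an added example of the server-side check a combined honeypot would need (a hidden text field that must stay empty alongside the existing hidden checkbox that must stay unchecked). It is illustrative code written for this thread, not code from p01contact or Pico CMS. The checkbox name `p01-contact_fields[totally_legit]` is the one quoted in the issue; the text-field name `p01-contact_fields[website_url]` and the logging format are assumptions. Note that a real browser omits an unchecked checkbox from the POST body entirely, so its mere presence is the signal, while the hidden text field is submitted with an empty value by a browser and should be rejected when it is missing or filled.

```python
"""Server-side honeypot validation for a contact form (illustrative, not p01contact code).

Two traps are checked on the parsed POST body:
  * a hidden checkbox: browsers never send an unchecked checkbox, so any
    presence of the key means a bot set it;
  * a hidden text field: browsers submit it with an empty value, so a
    non-empty value (bot "filled out" the field) or a missing key (the
    request did not come from the rendered form) is rejected.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Name quoted in the issue for the existing checkbox honeypot.
HONEYPOT_CHECKBOX = "p01-contact_fields[totally_legit]"
# Assumed name for an additional hidden text honeypot (not from the project).
HONEYPOT_TEXT = "p01-contact_fields[website_url]"


@dataclass
class HoneypotResult:
    is_spam: bool
    reasons: List[str] = field(default_factory=list)


def check_honeypot(form: Dict[str, str],
                   checkbox_field: str = HONEYPOT_CHECKBOX,
                   text_field: str = HONEYPOT_TEXT,
                   require_text_field: bool = True) -> HoneypotResult:
    """Classify a submitted form body. `form` is the decoded POST data."""
    reasons: List[str] = []

    # Checkbox trap: the key only exists in the body when it was checked.
    if checkbox_field in form:
        reasons.append("hidden checkbox was checked")

    # Text trap: must be present (rendered form) and empty (untouched).
    if text_field in form:
        if form[text_field].strip():
            reasons.append("hidden text field was filled")
    elif require_text_field:
        # A submission without the field was not produced by our markup.
        reasons.append("hidden text field missing from submission")

    return HoneypotResult(is_spam=bool(reasons), reasons=reasons)


def spam_log_line(result: HoneypotResult, remote_addr: Optional[str]) -> str:
    """Build a log line that keeps the sender IP, as the e-mails in the
    thread do, so blocked submissions can still be reviewed or firewalled."""
    status = "SPAM" if result.is_spam else "OK"
    detail = "; ".join(result.reasons) if result.reasons else "-"
    return f"honeypot={status} ip={remote_addr or 'unknown'} reasons={detail}"


if __name__ == "__main__":
    # Constructed sample submissions (not real traffic).
    human = {"p01-contact_fields[name]": "Ada",
             "p01-contact_fields[message]": "Hello!",
             HONEYPOT_TEXT: ""}
    bot = {"p01-contact_fields[name]": "x",
           "p01-contact_fields[message]": "buy now",
           HONEYPOT_TEXT: "http://example.invalid",
           HONEYPOT_CHECKBOX: "on"}
    for body, ip in ((human, "198.51.100.7"), (bot, "203.0.113.9")):
        print(spam_log_line(check_honeypot(body), ip))
```

Usage: call `check_honeypot()` on the decoded POST body before sending the e-mail and drop the message when `is_spam` is true. Setting `autocomplete="off"` on the hidden text input reduces the chance of a browser autofill feature populating it for a real visitor, which is the main false-positive risk of a text honeypot.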