How effective is the honeypot technique against spam?

With the technique below, I block 100% of spam.

  1. Honeypot with display:none. If it fails, run an extra script to collect the IP address and write it to the .htaccess file on a deny from line.
  2. Count the number of URLs in the comment field. If it fails, warn only, because this can be a human.
  3. Measure the time to post. If it is less than 5 sec, show an error message and let them try again, because a human can write pretty fast with an auto-filling plugin.
  4. Trim the .htaccess file daily with crontab so the deny lines won't go over 30 lines (adjust accordingly).

Denying access by IP address is very effective because bots keep trying to sneak in with the same IPs (if they change IP, then I put that new IP in .htaccess, so no problem). I trim the .htaccess file daily with crontab automatically so the file won't get too big. I adjust the number of IPs to block so the same bot with the same IP will be blocked for about a week or so. I noticed that the same IP is used by a bot for 3 days, attacking several times.

The #1 trick blocks about 99% and #2 blocks about 1%, and the bots won't get through those 2, so #3 might not be necessary.


Old question, but I thought I'd chime in, as I've been maintaining a module for Drupal (Honeypot), which uses the Honeypot spam prevention method alongside a time-based protection (users can't submit a form in less than X seconds, and X increases exponentially with each consecutive failed submission). Using these two methods, I have heard of many, many sites (examples) that have eliminated almost all automated spam.

I have had better success with Honeypot + timestamp than I have with any CAPTCHA-based solution, because not only am I blocking most spammers, I'm also not punishing my users.
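
A sketch of the honeypot-plus-timestamp check the answers above describe, added here as an example; it is not the Drupal Honeypot module's code nor either poster's. The hidden field name `url`, the HMAC-signed render token, the doubling rule with its cap, and the in-memory failure counter are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, placeholder value
BASE_LIMIT = 5                    # seconds, the threshold the first answer mentions
MAX_LIMIT = 3600                  # assumption: cap so the delay stays bounded
HONEYPOT_FIELD = "url"            # hypothetical hidden field, styled display:none
failures = {}                     # client id -> consecutive failed submissions

def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def issue_token(now=None):
    """Signed render time, embedded in the form as a hidden 'token' field."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"

def required_delay(client):
    """Minimum seconds between render and submit; doubles per failure (assumed rule)."""
    n = min(failures.get(client, 0), 10)
    return min(BASE_LIMIT * 2 ** n, MAX_LIMIT)

def check_submission(client, form, now=None):
    """Return (accepted, reason) and update the client's failure count."""
    now = time.time() if now is None else now
    ts, _, sig = form.get("token", "").partition(".")
    if form.get(HONEYPOT_FIELD, "").strip():
        reason = "honeypot_filled"   # humans never see this field, so it stays empty
    elif not (ts.isascii() and ts.isdigit()) or not hmac.compare_digest(
            sig.encode(), _sign(ts).encode()):
        reason = "bad_token"         # timestamp missing or altered by the client
    elif now - int(ts) < required_delay(client):
        reason = "too_fast"
    else:
        failures.pop(client, None)   # success resets the backoff
        return True, "ok"
    failures[client] = failures.get(client, 0) + 1
    return False, reason
```

Signing the render time keeps a client from backdating the hidden timestamp to get past the delay; a production version would persist the failure counter outside process memory.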