
The article states that Animoto use "honeypot fields and timestamp analysis" instead of CAPTCHAs, which they claim has been effective to date. What do you think of this?


I use honeypot fields myself and they stop a ton of spam submissions. I'm sure timestamp analysis can be very effective too. I'm totally a fan. But are there bots smart enough to defeat it? You bet!

Some of my forms also have a CAPTCHA. I think it's got to be case-by-case. Do you have something desirable to bad guys (like the signup for a new Yahoo account, or a high-ranking blog about pharmaceuticals)? Do you have tools in place to deal with spam submissions effectively when they do occur? Will a bunch of bots signing up for accounts degrade service for legitimate visitors?

For example, the Contact our Sales team form definitely does not have a CAPTCHA. The sales team will gladly sort through a pile of junk if it means one more inbound lead. But the Post a Comment form would be an absolute disaster without a strong CAPTCHA. A surprising amount of junk gets through anyway, in fact. (As far as I can tell, it's actual humans in developing countries copy/pasting into comments by hand. Blocking referrers from Google that have the phrase "post a comment below" made a dent.)


"Blocking referrers from Google that have the phrase 'post a comment below' made a dent"

Can you elaborate? I haven't heard this technique (I don't personally have a lot of need for spam fighting), and I'm very curious as to what you mean.


Think he probably means spammers are searching for the phrase 'post a comment below' on Google looking for forms they can spam. You'll see this search term in the HTTP referrer header.

Edit: obviously you could just avoid using this phrase on your site instead.


Ah, that makes sense, and is rather clever.

Thanks


Warning on honeypots: some mobile devices like BlackBerry seem to trigger them on our service.


Interesting. I found problems with certain crappy browser toolbars that helpfully try to autocomplete forms they encounter, including hidden fields.


If timestamp analysis is effective now, it won't be forever. It would be trivially easy to program an autofiller to leave pseudo-random pauses between filling individual fields. If this becomes a much more common technique, the spammers will adapt.


This will greatly reduce the rate at which they are able to send the spam though, even if the delay is tiny. Similar to how bcrypt works.


No it won't, not if their spambot is multi-threaded. (Which all the good ones are.)

All it will do is increase the latency, the overall throughput will be pretty much unaffected.


Good point. Though keep in mind there are spam botnets with thousands and thousands of members.


If the attack is specifically against your site these won't help.



