Doesn't Chrome honor the HTML5 'autocomplete="off"' attribute on those form inputs?

Thomas Dowling
[email protected]

On 10/26/2011 10:18 AM, Ken Irwin wrote:
> That's a great point, Sam. Thanks.
> The spam-bots have been falling for the "confirm_email" and filling it in
> with the "correct" value, but I think I'll try switching it to something
> obtuse that the auto-fillin isn't likely to have a value for.
> "what_would_you_do_for_a_klondike_bar" comes to mind...
>
> Ken
>
> -----Original Message-----
> From: Code for Libraries [mailto:[email protected]] On Behalf Of Sam
> McDonald
> Sent: Tuesday, October 25, 2011 11:26 AM
> To: [email protected]
> Subject: Re: [CODE4LIB] web spam block less awful than Captcha?
>
> Hi all,
>
> Long time reader, 2nd time poster?! (since 2000?).
> Regarding honey-pot field labels...in some recent Chrome versions (and
> probably in current versions) Chrome helpfully auto-populates fields based
> upon the field label. (Under default config, can be changed via Options,
> Personal stuff, autofill).
> If a field label has been used before (presumably on any previously filled
> out form using that browser, but perhaps only to forms served from that
> domain), it will auto-populate it. So, if your trap presumes that a field
> should be null, since you "hid" it from the spam bots, AND Chrome helpfully
> (& invisibly) auto-populates it (without the user knowing about it at all),
> the form will be trapped, and fail, and the user will have nearly no way to
> figure this out... the clever users will try a different browser and then meet
> success.
>
> I don't believe that the mass-attack spam bots look for labels that are
> needed to be filled in.
> That being said, perhaps a label needs to look tempting, but unlikely to be
> used by a developer, maybe something like
> First__Name_ the caps, double underscore and trailing underscore are
> unlikely to be used on purpose elsewhere, but not quite as obvious as
> "spam_trap" or "asdhgashdvasbmvf"
>
> Ah, here's some other people noting the problem
> http://www.electrictoolbox.com/html-form-honeypots-autofill/
> http://www.alexanderinteractive.com/blog/2011/02/chrome%E2%80%99s-autofill-and-honeypot-fields/
> http://www.sitepoint.com/forums/showthread.php?727720-Trouble-with-Chrome-filling-in-honeypot
> ...more can be found via Google using "chrome autofill honeypot"
>
> PS I originally discovered the Chrome form thing the hard way.
>
> -Sam
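
The false positive described in the thread, and the idea of a trap name that autofill holds no value for, as an added example that is not code from anyone in the thread. It goes one step beyond the fixed obscure name suggested above by deriving a fresh trap name on every page load; `SECRET`, `form_token`, the function names, and the autofill and bot models are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept on the server

def honeypot_name(token):
    # The name is derived from the per-render token, so it changes on every
    # page load and a browser's autofill store has nothing saved under it.
    mac = hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()
    return "f_" + mac[:12]

def new_form():
    """Return (token, trap_field_name) for one rendering of the form."""
    token = secrets.token_hex(8)
    return token, honeypot_name(token)

def is_spam(post, trap_field):
    """A submission is trapped when the hidden field arrives non-empty."""
    return bool(post.get(trap_field, "").strip())

def is_spam_rotating(post):
    token = post.get("form_token", "")
    if not token:
        return True  # the form was not rendered by this server
    return is_spam(post, honeypot_name(token))

def browser_autofill(field_names, saved):
    """Constructed model of autofill: fill fields whose name was used before."""
    return {name: saved.get(name, "") for name in field_names}

def bot_fill(field_names):
    """Constructed model of a spam bot: put a value in every field it finds."""
    return {name: "spam@example.com" for name in field_names}

# Constructed autofill store of a returning human visitor.
SAVED = {"email": "pat@example.org", "confirm_email": "pat@example.org"}

def demo():
    token, trap = new_form()
    human_static = browser_autofill(["email", "confirm_email"], SAVED)
    human_rotating = dict(browser_autofill(["email", trap], SAVED), form_token=token)
    bot_rotating = dict(bot_fill(["email", trap]), form_token=token)
    return (is_spam(human_static, "confirm_email"),  # human wrongly trapped
            is_spam_rotating(human_rotating),         # human passes
            is_spam_rotating(bot_rotating))           # bot trapped
```

The token travels in an ordinary hidden input next to the trap field, and the server recomputes the trap name from it instead of storing per-visitor state.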
