Using both honeypot and captcha [closed]

We have some very simple contact forms on our website which are currently using both honeypot and captcha to protect against spam. Is using both of these on each form overkill? I can’t recall the last time we’ve received a submission from a bot.

1 Answer

No, it’s not overkill to use a honeypot and a captcha together for the same form. Why?

They both use a different approach:

  • Honeypots are targeted towards bots falling for common rules.

  • Captchas are targeted towards humans passing rules.

Why have Honeypots:

  1. When set up correctly, they’ll protect you against wholesale spam bots. It means it’ll automatically detect the most common & known forms of spam bot attacks that are designed to spam random (not targeted) sites. This will save server resources from captcha generation.

  2. If for some reason (e.g. advancement in OCR technology) your captcha fails (even partially, say 40% failure rate for a limited amount of time), honeypot will still be there to protect you from random bot attacks. Since it’s a cat & mouse game, captcha technology will probably catch up in a while, but for that temporary period honeypots will save you from nightmares.

  3. There are spam farms that do a combination of random bot + human spam attack. So basically, thousands of poor people from low-income countries hired by these spam farms are using specialized spamming software that’ll fill out all the forms automatically following common spam rules & then serve only the captchas to the person sitting at the desk. These people will then only fill in the captchas (will probably make only a few cents per thousand captchas) and the bot will do the rest. These spam farms don’t do any targeted attacks (unless you are very, very popular), since there are millions of sites that fall victim to common spam rules. Honeypots will save you from these spam farms.

Why have Captchas:

  1. Captchas will protect you from targeted bot attacks. So if someone targets your site and writes automated bots targeting your site specifically, those bots will not fall into the traps set by honeypots.

  2. Captchas will make sure spammers targeting your site will not be able to attack you at the rate of computer speed. Even if they manually target your site (human spamming), it’ll be at the rate of human speed.

“I can’t recall the last time we’ve received a submission from a bot”

  • Excellent! That means the combination is working for you. So why bother changing it?

  • You are lucky; it also means spammers are not manually spamming your site. Even the combination of Captcha + Honeypot cannot save you from human spammers spamming manually. If & when it happens to you, you’ll have to use a service like Akismet & even then you’ll have to do some manual moderation. But don’t worry, if your site becomes that popular, you’ll most likely have the money to hire people to do that for you, unless of course you have a site like StackExchange where the community does that for you 😉

So depending on the situation, even having all of the following may not be overkill to protect your site against spamming:

  1. Honeypot

  2. Captcha

  3. Akismet-like service.

  4. Real people hired for spam moderation.

All the best.
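
As an added example (not part of the original answer, and not code from any particular form plugin), this is one way the layering described in the answer could look on the server: the honeypot is checked first so no captcha work is spent on generic bots, and whatever passes both still goes on to moderation. The field names, the `CountingVerifier` stand-in for a captcha service and the sample submissions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Mapping

HONEYPOT_FIELD = "website"        # hypothetical hidden input; humans never see or fill it
CAPTCHA_FIELD = "captcha_token"   # hypothetical field carrying the captcha response

@dataclass(frozen=True)
class Verdict:
    accepted: bool
    layer: str  # layer that decided: "honeypot", "captcha" or "moderation"

def screen_submission(form: Mapping[str, str],
                      verify_captcha: Callable[[str], bool]) -> Verdict:
    # Layer 1, honeypot: a browser submits the hidden text input empty, so a
    # missing or non-empty value marks a script. No captcha work is spent here.
    if HONEYPOT_FIELD not in form or form[HONEYPOT_FIELD].strip():
        return Verdict(False, "honeypot")
    # Layer 2, captcha: only reached by clients that avoided the trap.
    if not verify_captcha(form.get(CAPTCHA_FIELD, "")):
        return Verdict(False, "captcha")
    # Layer 3: automated checks passed; content filtering / human moderation
    # is still needed for manual spam.
    return Verdict(True, "moderation")

class CountingVerifier:
    """Stand-in for a real captcha service that counts verification calls."""
    def __init__(self, valid_tokens):
        self.valid, self.calls = set(valid_tokens), 0
    def __call__(self, token: str) -> bool:
        self.calls += 1
        return token in self.valid

# Constructed sample submissions, one per sender type discussed in the answer.
SAMPLES = {
    "wholesale_bot": {"message": "buy now", "website": "http://spam.example", "captcha_token": ""},
    "spam_farm":     {"message": "buy now", "website": "http://spam.example", "captcha_token": "solved"},
    "targeted_bot":  {"message": "buy now", "website": "", "captcha_token": "guess"},
    "human":         {"message": "hello", "website": "", "captcha_token": "solved"},
}

def run_samples():
    verifier = CountingVerifier({"solved"})
    results = {name: screen_submission(form, verifier) for name, form in SAMPLES.items()}
    return results, verifier.calls

if __name__ == "__main__":
    results, calls = run_samples()
    for name, verdict in results.items():
        print(f"{name:14} accepted={verdict.accepted} decided_by={verdict.layer}")
    print("captcha verifications performed:", calls)
```

Logging which layer rejected each submission shows whether either control has stopped catching anything, which is the evidence needed before removing one.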
