Add a Honeypot to Website Forms to Reduce Spam Signups


In the world of messaging and email marketing, a “honeypot” is a tool used to detect if automated bots are working to add subscribers to your client list or subscribe for your product. It’s a way to help ensure only real and interested customers subscribe to receive your messages, protecting clients ’ solitude and your company’s reputation.

The term derives from the area of cybersecurity. A “rdquo & honeypot; is a computer safety mechanism. It is a decoy that works and looks like the target system you’re trying to protect but has been set up purely to attract and detect potential attackers. By monitoring the decoy, the owner of the system can detect if they are being targeted by cyber threats.

A honeypot is a simple and efficient method to make certain you only send messages to genuine subscribers.

In this tutorial, we will show you how you can use HTML forms and sections in Vero to set up a honeypot that prevents spam signups and bad actors from subscribing to your mailing list.

In this instance, we’ll use a blog subscription type but you can use this approach for many online forms, such as trial signup forms or surveys.

The most common method to permit users to subscribe to your messages is to provide a form on your site. Utilizing our Vero HTML forms, you can add subscribers directly to your account.

To create a form in Vero, pick Types > New Form and add the fields for the information you want to collect. In Vero, we call these fields ‘User attributes ’. The value entered for each user property is stored on the client profile in Vero.

In this example, we keep things simple and just ask our new subscribers for their ‘First name’.

honeypots tutorial gif 1

Notice: if you’ve previously created a user property in Vero, you may simply pick the property on the left-hand to add it to the form.

When a form is submitted by a user, their information will be added to your Vero account. The form will also trigger an ‘event’, describing the action that the user just took. In the case above, we named our event “Subscribed to blog”.

‘Events’ are a highly effective method of tracking user behavior. Vero’s forms and APIs use events to enable you to track important customer action. These events can be used to automate workflows and the messages your customers see.

Learn more about event tracking.

Before you pick ‘Generate Form’, you need to add a ‘hidden field’ to discover bad actors.

Now that you’ve configured your form, it’s time to add an additional field to detect if a subscriber is a genuine person or an automated bot.

To do so, we rely on the premise that an automated bot or script will complete every field in our form. We can, therefore, assume that when that field is finished, the user created in Vero is a bad actor, fake or spam account.

Attackers are always improving their approach so to help increase the effectiveness of your honeypot, we recommend picking a name for your decoy field that’s sensible — but not a data field you would like to track anywhere else. Some examples you may use:

  • fax_number
  • second_name
  • pets_name
  • first_school

Add this field to your Vero form and choose ‘Create form’.

 Honeypots tutorial gif 3

Now you’re ready to add the form to your website.


When adding the HTML form to your site, you will need to make a final adjustment to the code created by Vero.

By making your hidden field a checkbox, instead of a standard text area — the value will either be set to “1” if completed by a bot (rather than random values set by automated bots in text fields) or will not exist on the user whatsoever (i.e. it will be blank).

Ensure the checkbox is |ac462a5de587a8169f86f53eb5ba93b8| so that |4e25a0ff0580a03879b9b820e73bd047| cannot see it, and for that reason unable to complete it. This way, only attackers using automated tools can finish this field.To do so, you need to alter the HTML generated by Vero (example below).

You want to edit this HTML so that your decoy field is a “checkbox” (see below). Learn more about HTML checkboxes.

Next, add the CSS style "display: none! Important" to make the area is hidden, followed by tabindex="-1" autocomplete="false" — this ensures the field is empty by default and can’t be tabbed to, by the user (see below).

Pro tip. If you want to place the CSS style on your main CSS style file which will work fine too. There’s no particular reason to bring the style right on the element.

At this point, you can add the HTML to your website. For most people, this means adding the HTML to your blog template in WordPress, Squarespace or a similar platform, or using a popular type manager that accepts HTML forms.

Once your form is installed, the easiest way to check it is to complete the form with your details and hit ‘Submit’. This will include a test user to your Vero account and enable you to check the hidden decoy area you’ve added is not being recorded (this value should only be present if the checkbox is ticked).

In your Vero account, browse to Clients and look for the email address of the test user. By viewing their customer profile in Vero, you can check that the field is not set.

To test more thoroughly, remove the "display: none! Important" in the checkbox in the form HTML. Then, tick the checkbox and submit the form using a test user. View the test user in Vero, and affirm that the honeypot value is set to “1”.

Honeypots tutorial

If so, everything is working as expected. Don’t forget to re-add "display: none! Important" into the decoy area in your HTML form.

Now that you’re able to detect attackers using your concealed, decoy field, it’s vital to ensure you only message or email valid subscribers.

To do so create a new section in Vero and include a state ‘has property [decoy field] does not exist’.

Vero Segments let you create custom groups of clients with similar properties so that you can deliver a more relevant and personalized customer experience.

Honeypots tutorial gif 4

In this segment, we’ve included only those users who have this property not put . Any user with this field set must, by nature of our honeypot, be an automatic bot or invalid signup.

The final step is to include this condition in your Newsletter segments and Workflow filters to ensure you deliver messages to valid subscribers.

Get started now — Attempt Vero for free.

The article Add a Honeypot to Website Types to Reduce Spam Signups appeared first on Vero.