Reduce Spam Signups on website forms


In the world of messaging and email marketing, a “honeypot” is a tool used to discover if automated bots are trying to add subscribers to your client list or subscribe for your product. It’s a way to help ensure only and interested customers subscribe to receive your messages, protecting customers’ solitude and your organization ’s reputation.

The expression derives from the world of cybersecurity. A “rdquo & honeypot; is a computer security mechanism. It’s a decoy that looks and operates like the target system you’re trying to protect but has been set up purely to attract and detect potential attackers. By tracking the decoy, the owner of the machine can detect if they’re being targeted by cyber threats.

A honeypot is an easy and effective way to make certain you only send messages to real subscribers.

In this tutorial, we will show you how you can use HTML forms and sections in Vero to set up a honeypot that prevents spam signups and bad actors from subscribing to your mailing list.

In this example, we’ll use a blog subscription form but you can use this approach for many online forms, including trial signup forms or surveys.

The most common way to allow users to subscribe to your messages is to provide a form on your site. Utilizing our Vero HTML forms, you can add subscribers directly to your accounts.

To create a form in Vero, select Types > New Form and insert the fields for the information you want to collect. In Vero, we call these fields ‘User attributes ’. The value entered for every user property is stored on the customer profile in Vero.

In this case, we keep things simple and simply ask our new subscribers for their ‘First name’.

honeypots tutorial gif 1

Notice: if you have previously created a user property in Vero, you may simply pick the property on the left-hand side to add it to the form.

When a user submits a form, their information will be automatically added to your Vero account. The form will also activate an ‘occasion ’, describing the action the user just took. In the case above, we named our event “Subscribed to blog”.

‘Events’ are a powerful way of tracking user behaviour. Vero’s forms and APIs use events to enable you to track important customer action. These events can be used to automate workflows and the messages your customers see.

Learn more about event tracking.

Before you pick ‘Create Form’, you need to add a ‘concealed area ’ to discover bad actors.

Now that you’ve configured your form, it’s time to add an extra field to detect if a subscriber is a genuine person or an automated bot.

To do this, we rely on the premise that an automated bot or script will finish every field in our form. We can, therefore, assume that when that area is finished, the user created in Vero is a terrible actor, fake or spam accounts.

Attackers are constantly improving their strategy so to help increase the effectiveness of your honeypot, we recommend choosing a name for your decoy area that is realistic — but not a data field you intend to monitor anywhere else. Some examples you might use:

  • fax_number
  • second_name
  • pets_name
  • first_school

Add this field to your Vero form and select ‘Generate form’.

 Honeypots tutorial gif 3

Now you’re ready to add the form to your website.


When adding the HTML form to your site, you will need to make a final adjustment to the code created by Vero.

By making your hidden field a checkbox, instead of a normal text field — the value will either be set to “1” if completed by a bot (instead of random values set by automated bots in text fields) or will not exist on the user at all (i.e. it will be blank).

Ensure the checkbox is |0b6bbc237fd994b818ae2682e63769e0| so that |4e25a0ff0580a03879b9b820e73bd047| can’t see it, and for that reason not able to complete it. This way, only attackers using automated tools can finish this field.To do so, you need to alter the HTML generated by Vero (example below).

You need to edit this HTML so that your decoy field is a “checkbox” (see below). Learn more about HTML checkboxes.

Next, add the CSS style "display: none! Important" to produce the area is hidden, followed by tabindex="-1" autocomplete="false" — this ensures that the field is empty by default and cannot be tabbed to, by the user (see below).

Pro tip. If you would like to put the CSS style on your main CSS style file that will work good also. There is not any particular reason to add the style right on the element.

At this point, you can add the HTML to your website. For most people, this means adding the HTML to your blog template in WordPress, Squarespace or a similar platform, or using a popular form manager that accepts HTML forms.

Once your form is set up, the simplest way to test it is to complete the form with your details and hit ‘Submit’. This will include a test user to your Vero account and enable you to check that the hidden decoy area you’ve added isn’t being recorded (this value should only be present if the checkbox is ticked).

In your Vero account, navigate to Clients and search for the email address of the test user. By viewing their client profile in Vero, you can check that the field isn’t set.

To test more thoroughly, eliminate the "display: none! Important" in the checkbox in the form HTML. Then, tick the checkbox and submit the form using a test user. View the test user in Vero, and confirm that the honeypot value is set to “1”.

Honeypots tutorial

If so, everything is functioning as expected. Don’forget to re-add "display: none! Important" into the decoy field in your HTML form.

Now that you’re able to detect attackers using your concealed, decoy field, it is vital to make sure you only message or email valid subscribers.

To do so create a new segment in Vero and include a state ‘has property [decoy field] does not exist’.

Vero Segments allow you to create custom groups of clients with similar properties so that you can provide a more relevant and personalized customer experience.

Honeypots tutorial gif 4

In this segment, we’ve included just those users who have this property not set. Any person with this field set must, by nature of our honeypot, be an automatic bot or invalid signup.

The final step is to include this condition in your Newsletter sections and Workflow filters to make sure you deliver messages to valid subscribers.

Get started today — Try Vero for free.

The article Reduce Spam Signups on website forms appeared initially on Vero.