- What is a honeypot?
- How to add a honeypot to your site form
What is a honeypot?
In the world of messaging and email marketing, a “honeypot” is a tool used to discover if automated bots are trying to add subscribers to your client list or sign up for your product. It’s a way to help ensure only interested customers subscribe to receive your messages, protecting customers’ privacy and your organization’s reputation.
The term derives from the world of cybersecurity. A “honeypot” is a computer security mechanism. It’s a decoy that looks and operates like the target system you’re trying to protect but has been set up purely to attract and detect potential attackers. By tracking the decoy, the owner of the machine can detect if they’re being targeted by cyber threats.
A honeypot is an easy and effective way to make certain you only send messages to real subscribers.
How to add a honeypot to your site form
In this tutorial, we will show you how you can use HTML forms and segments in Vero to set up a honeypot that prevents spam signups and bad actors from subscribing to your mailing list.
In this example, we’ll use a blog subscription form but you can use this approach for many online forms, including trial signup forms or surveys.
Step 1: Create a form so users can subscribe to your messages
The most common way to allow users to subscribe to your messages is to provide a form on your site. Using our Vero HTML forms, you can add subscribers directly to your account.
To create a form in Vero, select Types > New Form and insert the fields for the information you want to collect. In Vero, we call these fields ‘User attributes’. The value entered for every user property is stored on the customer profile in Vero.
In this case, we keep things simple and only ask our new subscribers for their ‘First name’.
Note: if you have previously created a user property in Vero, you may simply pick the property on the left-hand side to add it to the form.
When a user submits a form, their information will be automatically added to your Vero account. The form will also trigger an ‘event’, describing the action the user just took. In the case above, we named our event “Subscribed to blog”.
‘Events’ are a powerful way of tracking user behaviour. Vero’s forms and APIs use events to enable you to track important customer actions. These events can be used to automate workflows and the messages your customers see.
Learn more about event tracking.
Before you pick ‘Create Form’, you need to add a ‘hidden field’ to detect bad actors.
Step 2: Add a hidden field to your form as a decoy for bad actors
Now that you’ve configured your form, it’s time to add an extra field to detect if a subscriber is a genuine person or an automated bot.
To do this, we rely on the premise that an automated bot or script will complete every field in our form. We can, therefore, assume that when that field is completed, the user created in Vero is a bad actor, or a fake or spam account.
Attackers are constantly improving their strategy, so to help increase the effectiveness of your honeypot, we recommend choosing a name for your decoy field that is realistic but is not a data field you intend to monitor anywhere else. Some examples you might use:
Add this field to your Vero form and select ‘Generate form’.
Now you’re ready to add the form to your website.
When adding the HTML form to your site, you will need to make a final adjustment to the code created by Vero.
By making your hidden field a checkbox instead of a normal text field, the value will either be set to “1” if completed by a bot (instead of the random values automated bots set in text fields) or will not exist on the user at all (i.e. it will be blank).
Ensure the checkbox is hidden so that real users can’t see it, and are therefore not able to complete it. This way, only attackers using automated tools can complete this field. To do so, you need to alter the HTML generated by Vero (example below).
You need to edit this HTML so that your decoy field is a “checkbox” (see below). Learn more about HTML checkboxes.
Next, add the CSS style "display: none !important" to make sure the field is hidden, followed by tabindex="-1" autocomplete="false". This ensures that the field is empty by default and cannot be tabbed to by the user (see below).
At this point, you can add the HTML to your website. For most people, this means adding the HTML to your blog template in WordPress, Squarespace or a similar platform, or using a popular form manager that accepts HTML forms.
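The edited decoy field described in the steps above, as an added example that is not the markup Vero generates: the form action, the `email` and `first_name` field names and the decoy name `company_website` are placeholders chosen for illustration.

```html
<!-- Added example; constructed markup, not the HTML Vero generates.
     The action URL and all field names are placeholders. -->
<form action="https://example.com/subscribe" method="post">
  <label for="email">Email</label>
  <input type="email" id="email" name="email" required>

  <label for="first_name">First name</label>
  <input type="text" id="first_name" name="first_name">

  <!-- Before: the decoy as a plain text field. A bot can put any
       string here, so the stored value is unpredictable.
  <input type="text" name="company_website">
  -->

  <!-- After: the decoy as a hidden checkbox.
       * value="1": a ticked box always submits exactly "1".
       * An unticked checkbox is left out of the submission entirely,
         so the property is never created for a real subscriber.
       * display: none !important keeps it out of the rendered page.
       * tabindex="-1" keeps keyboard users from tabbing into it.
       * autocomplete="false" is the value this tutorial uses so the
         browser does not pre-fill the field. -->
  <input type="checkbox" name="company_website" value="1"
         style="display: none !important"
         tabindex="-1" autocomplete="false">

  <button type="submit">Subscribe</button>
</form>
```

Because an unticked checkbox sends nothing, a real subscriber's profile has no `company_website` property at all, which is what the "does not exist" condition in Step 5 relies on.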
Step 4: Capture and view the form field
Once your form is set up, the simplest way to test it is to complete the form with your details and hit ‘Submit’. This will add a test user to your Vero account and enable you to check that the hidden decoy field you’ve added isn’t being recorded (this value should only be present if the checkbox is ticked).
In your Vero account, navigate to Clients and search for the email address of the test user. By viewing their client profile in Vero, you can check that the field isn’t set.
To test more thoroughly, remove the "display: none !important" from the checkbox in the form HTML. Then, tick the checkbox and submit the form using a test user. View the test user in Vero, and confirm that the honeypot value is set to “1”.
If so, everything is functioning as expected. Don’t forget to re-add "display: none !important" to the decoy field in your HTML form.
Step 5: Use segments to filter out junk users
Now that you’re able to detect attackers using your hidden decoy field, it is vital to make sure you only message or email valid subscribers.
To do so, create a new segment in Vero and include a condition ‘has property [decoy field] does not exist’.
In this segment, we’ve included just those users who have this property not set. Any person with this field set must, by nature of our honeypot, be an automated bot or invalid signup.
The final step is to include this condition in your Newsletter segments and Workflow filters to make sure you deliver messages to valid subscribers.