👊 Countering the fake bot registration with the honeypot method

Registration bots crawl the web in search of input forms, pick up the names of the inputs within each form, and then substitute or create values to submit into them. They do that to find websites where they can inject adverts.
It's important to block them, or else you may end up with hundreds of fake registration email notifications, which may eat up your credit of free operations or reads with providers like Sendgrid, Make, Xano, Firestore, etc.

Basic honeypot:

    1. Add an input field next to or below your email input field (or the first name field, or whatever input field you use for user registration) and hide it. Your registration form still looks the same.
    1. Create a text pageVar (mine is called bait) and bind it to the input field's value.
    1. In the component tap of your sign-up/registration button, attach a condition with a formula like:
      !IS_EMPTY(pageVars.bait) || LENGTH(pageVars.bait)>0
    1. If a bot fills out the hidden input field automatically, the field will no longer be empty (text length greater than 0), so the first (true) output will fire and leave the process idle. You can attach a hide spinner, for example, to the first output (if you've added a spinner at the beginning).
    1. Attach the rest of your registration process to the second (false) output.

But bots can be smart and learn from patterns and consistency, so let's blur the pattern and break the consistency.

Coded honeypot

  • Add a second hidden input next to the first hidden field.

  • Create 2 pageVars. I called mine uid_gen and uid_input.

  • Attach the uid_gen pageVar to the page focused event of your registration page. Assign GENERATE_UUID() to its value (or use RANDOM if you prefer). What matters here is that the generated value is different each time the page is focused, so it is never the same twice.

  • Attach the uid_input pageVar to the uid_gen var and assign the value of uid_gen to uid_input's value.

  • Bind the second hidden input field to the uid_input value.

  • Adjust the condition you've already set up for the basic honeypot so the formula now looks like: (!IS_EMPTY(pageVars.bait) || LENGTH(pageVars.bait)>0) || !IS_EQUAL(pageVars.uid_gen, pageVars.uid_input)

The bots will end up filling in the second hidden input field and changing its value, which will then no longer match the value generated into the uid_gen pageVar, therefore triggering the first (true) output of the condition and stopping the process.

This double method can reduce your fake bot registration by 50 to 80%.

If someone can tell us how we could log the bots' IP addresses so we can ban them, that would be great, as I've noticed that bots use the same IP a few times for each registration.
Otherwise, maybe I'll go with banning their email addresses.
