On one of the forms, I politely ask that the sender include today's date somewhere in the text, which I then validate to be within +/- 25 hours of the server time. In other places, I've not even done that and..
I'm not getting spams, I'm not getting robot messages or massive abuse..
Did the scammers and spammers realize that stuffing every input field on the web with commercial links and javascript exploits doesn't actually work?
Back in the day, I remember having to jump through several hoops to avoid automated spams and angry teenagers trying to flood my inboxes..
How's your experience today versus the past ?
It sounds like you made your own CAPTCHA-lite. If it's not a very attractive form to spammers, sounds like that's fine, but for bigger sites it may not be enough. CAPTCHAs don't have to always be squiggly letters... there are many picture-based puzzles these days, along with human-like interaction checks, audio puzzles, logic puzzles, video advertisement puzzles, etc.
I manage a forum at work and after a few years of no spam, suddenly someone found us and made hundreds of spam accounts and posts over one weekend. And Discourse doesn't have good bulk spam moderation in the UI, so it was a pain going through them afterward =/ I really wish we had a CAPTCHA!
> $.post($(this).attr('action') + '?nospam=1'
(skipping processing but returning a success response when nospam is absent, so I guess it counts as an honeypot)
I also blacklisted the words cialis and viagra.
What remained were serial submissions from pen-testers who then sent emails begging for money, so I implemented a one-click removal of all submissions from an ip range.
That's after Cloudflare's regular WAF.
Not much effort, so I guess it's only an issue if it gets exponentially worse with increased traffic (which it probably does).
I would never use a CAPTCHA though, not my philosophy to outsource effort to the user.
If we are talking about the account creation form of Facebook, you bet you will need some CAPTCHA. If it's a random form with no obvious benefit of spamming then I'm not sure how many "attempts" will be done to begin with regardless of the protection mechanisms.
In those cases you may be encountering bots that "blast spam", and usually the slightest form of barrier stops them because they tend to be made for the common denominator, for example by targeting popular blog/forum software that has a predictable form structure the bot can be programmed for.
I have seen some basic anti-spam features that are "home-made captcha".
For example it says something like "Pandas are black and:" and you have to enter "white".
Those can sometimes be made in a way that is more user-friendly compared to a "real captcha".
However it takes some careful consideration and knowing your audience to make sure that they understand what to do. Some users may not understand it due to language or cultural differences or due to people being used to the traditional captcha.
You may want to remove the protection mechanism to see if you get any spam at all or not (or at least log and measure success vs failure cases).
Without knowing anything about your use case, personally I'd remove the CAPTCHA and see how many spams come through. Then I'd put a very basic and gentle barrier just enough to remove those spams and gradually increase the barrier if required.
Another thing to consider is that if your users have to login you can have some kind of basic reputation metric so that "known good" users are not subject to the same restrictions.
I fail reCAPTCHA at least 50% of the time so it would be hard to be worse.
Lots of spam bots did not run JS back then and tried posting values in fields that were supposed to be empty.
And then there were many many bots that could not properly form an empty multi part upload request, because that was not implemented in the most popular web request libraries (like curl). It is probably not as effective anymore since it's way easier to run the headless browser these days, but I used that approach for many years. :)
My log files were full of spam that was caught this way.
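Added example (not code from any commenter in this thread): a minimal server-side check that combines the two home-made barriers described above, the "include today's date, validated to within +/- 25 hours" rule from the first post and the "hidden field that must stay empty" honeypot from this one. The field names `today`, `website` and `fax`, the 25-hour window constant and the sample submissions are all constructed for the illustration; the rejection is silent (a 200 is returned either way) so a bot gets no signal about which check it tripped.

```python
from datetime import datetime, timedelta, timezone

# Assumed form layout (constructed for this example):
#   - "today": visible field where the sender types today's date (ISO format)
#   - "website", "fax": hidden fields that a human never sees or fills
HONEYPOT_FIELDS = ("website", "fax")
DATE_FIELD = "today"
MAX_SKEW = timedelta(hours=25)   # the +/- 25h window from the first post


def classify_submission(form, now=None):
    """Return (accepted, reason) for one form submission.

    form: dict of field name -> submitted string (already decoded).
    now:  server time as an aware datetime; defaults to the real clock.
    """
    now = now or datetime.now(timezone.utc)

    # Honeypot: any content in a hidden field means a bot filled every input.
    for field in HONEYPOT_FIELDS:
        if form.get(field, "").strip():
            return False, f"honeypot field '{field}' was filled"

    # Date check: the value must parse and sit within the allowed skew.
    raw = form.get(DATE_FIELD, "").strip()
    try:
        submitted = datetime.fromisoformat(raw)
    except ValueError:
        return False, "date missing or unparseable"
    if submitted.tzinfo is None:
        # A bare date/time is treated as UTC; assumption for this example.
        submitted = submitted.replace(tzinfo=timezone.utc)
    if abs(now - submitted) > MAX_SKEW:
        return False, "date outside the +/-25h window"

    return True, "ok"


def handle_post(form, now=None):
    """Return (http_status, stored). Rejected submissions are dropped but
    still answered with 200 so the sender cannot tell it was filtered;
    the reason is kept only for the server log."""
    accepted, reason = classify_submission(form, now)
    if not accepted:
        print(f"dropped submission: {reason}")   # server-side log line
        return 200, False
    return 200, True


if __name__ == "__main__":
    # Constructed sample submissions, evaluated against a fixed server time.
    server_now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    samples = [
        {"today": "2024-05-01", "message": "Hi, question about pricing"},
        {"today": "2024-05-01", "website": "http://example.invalid", "message": "buy now"},
        {"today": "2024-04-20", "message": "stale replayed form"},
        {"message": "no date at all"},
    ]
    for sample in samples:
        print(handle_post(sample, server_now))
```

The date window tolerates users in any timezone plus a day of clock drift, which is why 25 hours rather than 24; anything tighter starts rejecting legitimate senders near the date boundary.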
I use a mix of honeypots and Cloudflare Turnstile to avoid the spam.
So a homemade solution like the one in your post works fine for many sites. The bots written for forms without captchas can't solve it, and their developers won't waste the time changing the script to fix that, because it's not worth the effort.
If your site/service becomes extremely popular on the other hand... you'll need a more robust anti spam solution. And given how thoroughly things like Recaptcha have been cracked, those won't cut it there either.
[1] https://rishikeshs.com
How sure are you about this?