
Honeypot

A honeypot is a hidden form field that real users never see and never fill. Bots scrape the DOM, see an <input>, and dutifully type something into it. When the submission lands with that field populated, Formspring marks it as spam.

It costs nothing to add and catches a surprising amount of automated junk. Every form has it on by default.

Default field name

The default field name is _gotcha. If you're using your own HTML form, just include it as a hidden input:

<form action="https://formspring.io/f/your-form-id" method="POST">
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>

  <!-- Honeypot: hidden from users, irresistible to bots -->
  <input type="text" name="_gotcha" class="gotcha" tabindex="-1" autocomplete="off" aria-hidden="true">

  <button type="submit">Send</button>
</form>

Style it off-screen, not with display: none (some bots skip those). A standard pattern:

.gotcha {
  position: absolute;
  left: -9999px;
  width: 1px;
  height: 1px;
  opacity: 0;
}

Custom field name

Bots that target Formspring specifically learn the default name eventually. On the form's edit page, set Honeypot field to anything you like — website_url, confirm_email, nickname. Pick something plausible-looking so naive bots are more likely to fill it.

If you change the field name, update your HTML to match.

Why it preserves accessibility

A well-built honeypot is invisible to screen readers and keyboard users:

  • aria-hidden="true" removes it from the accessibility tree.
  • tabindex="-1" keeps keyboard navigation from landing on it.
  • autocomplete="off" stops password managers from auto-filling it (which would falsely flag real users).
  • Off-screen positioning keeps it out of view without display: none, which some bots use as a signal to skip.

Real humans never see, hear, or tab into it. Bots — which usually run a headless browser and parse the DOM — happily fill every field they find.
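
A lint for the attributes listed above, as an added example (not Formspring code): it parses form markup with Python's standard html.parser and reports what would break the honeypot. The check_honeypot name, the message strings and the BROKEN sample are constructed for illustration; the prefilled-value and required checks go beyond the page's list.

```python
from html.parser import HTMLParser

# Attributes the page lists for an accessible honeypot input.
REQUIRED = {"tabindex": "-1", "autocomplete": "off", "aria-hidden": "true"}


class _Inputs(HTMLParser):
    """Collect the attributes of every <input> in the markup."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # Valueless attributes (e.g. `required`) arrive as None.
            self.inputs.append({k: (v or "") for k, v in attrs})


def check_honeypot(html, field_name="_gotcha"):
    """Return a list of problems with the honeypot input; empty means OK."""
    parser = _Inputs()
    parser.feed(html)
    matches = [i for i in parser.inputs if i.get("name") == field_name]
    if len(matches) != 1:
        return [f"expected one input named {field_name!r}, found {len(matches)}"]
    field, problems = matches[0], []
    for attr, want in REQUIRED.items():
        if field.get(attr, "").strip().lower() != want:
            problems.append(f"{attr} should be {want!r}")
    # Only inline style is visible here; external CSS needs a separate check.
    style = field.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "hidden" in field:
        problems.append("hidden via display: none; position it off-screen")
    if field.get("value", "").strip():
        problems.append("prefilled value flags every submission as spam")
    if "required" in field:
        problems.append("required blocks real users, who cannot see the field")
    return problems


# Constructed sample: custom field name with several mistakes.
BROKEN = """<form method="POST">
  <input type="email" name="email" required>
  <input type="text" name="website_url" style="display: none"
         value="https://" required aria-hidden="true">
</form>"""

if __name__ == "__main__":
    print("\n".join(check_honeypot(BROKEN, "website_url")))
```

Pass the custom field name as the second argument if you changed it in the form settings; an empty list means the markup matches the pattern described here.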

What gets flagged

When a submission arrives with the honeypot field populated, it's stored in the spam folder with a reason of honeypot_filled. Nothing is dropped silently. You can review and recover any submission that was flagged.

Limitations

The honeypot stops naive scrapers and form-spam scripts. It doesn't stop:

  • Targeted human spam (someone manually typing junk into your form)
  • Sophisticated bots that detect off-screen positioning and skip those fields
  • Bots that only fill fields with name attributes matching common patterns (email, name, message)

For those, layer in rate limits, captcha, or AI moderation.

Recovering false positives

The honeypot has a near-zero false-positive rate, but if a user with a particularly aggressive password manager fills the honeypot anyway, the submission is still in the spam folder — just open the spam tab on the form and click Mark as not spam. The submission moves to the inbox and downstream actions (notification email, autoresponder, webhooks) fire as if it had landed there originally.

If you see honeypot false positives clustered around one user agent, give the field a more obscure name in form settings — _gotcha is the well-known default and password managers occasionally take an interest in it.
