Eliminate Spam Bots Using the Honeypot Method

By jseevers · PUBLISHED May 26, 2017 · UPDATED May 26, 2017

Today we're highlighting a unique approach to eliminating spam bots provided by community member Joan Nin (Slack: @ninjoan).

Are you afraid that your email marketing efforts using Mautic will be affected by spam bots? Wish that there was another alternative that didn't involve CAPTCHAs? Research shows that CAPTCHAs are having a negative impact on conversions.

The short story is that CAPTCHAs kill conversions. (source)

The pain is even bigger if you have a high traffic website and use external email services like Amazon SES, Sendgrid and Sparkpost. If you don’t control these spam bots, you won't be in compliance with their spam rules.

You know what? You aren’t alone.

Honeypot Method

There is a way to get past this struggle, even if you are not a developer. The solution is to implement an approach called the Honeypot method, in your Mautic forms.

First, login to your Mautic instance. Go to Settings (cog icon), then Custom Fields. In the Custom Field window, add a new field.


In the Label field lets call this honey, click Save & Close, and continue to the next step.


The Setup

Now, let's go to the forms we need to protect using the honeypot method. I would suggest going to the forms that are more prone to attack.

Add a new email field in the forms and select call it email2 and map that field to the honey field we created.


Now in Mautic v2.8+ we have a new field type called HTML Area, we're going to use this field and add the follow code in the HTML area;


#mauticform_label_formname_honeypot { display:none; } 
#mauticform_input_formname_fieldlabel { display:none; } 
#mauticform_label_formname_fieldlabel { display:none; } 

This code will make the email2 field invisible to the human eye, but not for the spam bots.

NOTE: You have to replace the formname and fieldlabel with the form name without space and the field label in your honeypot filed you put in your Mautic.

Another approach to hiding the field would be to specify the Field Container Attribute of the email2 field you want to hide as:


Now let's start eliminating spam bots.

Eliminate the Spam

Go to all the campaigns you have attached to a Campaign form;


Now adding this condition at the first step of the campaign will check to see if the person that submits the form has information in the field "honey". If the field is empty it is likely a real person. If it's not empty, it is a spam-bot and we are going to delete it.

NOTE: If you use a Standalone Form and you have the action to send email to user you MUST disable this and create a campaign associate with this Standalone Form and replicate the step above.

Using the honeypot method will help you stop spam bots and the negative effect they have on your email marketing activities.

Mautic's Rod Martin developed a short video tutorial to walk through this approach step-by-step;

Because of Mautic's robust workflow, there are a number of different ways to accomplish any given task. This is simply one approach. Comment below if you know of others.

The Mautic community is filled with incredible individuals with a variety of backgrounds and experiences. We believe that each perspective represents unique value to the broader community. If you're interested in becoming a contributor to our blog, please contact us.



Great idea! However, I use standalone forms which indeed send out an email immediately, so as stated at the end of this article, that won't really work. I have a solution, which could help others too: Make your website/optinform so, that if the honeypot-field is filled out, the optin doesn't even happen. You can do this for example with jQuery like "if honeypot-field is not empty, than replace form-action-url with http://mywebsite.com/thisdoesnothing.php " (before submitting the form). Or even ""if honeypot-field is getting filled out, redirect him to page http://mywebsite.com/blankpage.php plus block the IP immediately" (before submitting the form). Hope this helps a few people :)
Ricardo Martins

In reply to by Imre


That's nice Imre. However, I'm afraid these robots sometimes doesn't render javascript the way we expect. An invisible reCaptcha feature would be nice.
Ricardo Martins

In addition to Imre comment, I've implemented the idea by adding the following code to my submit button "input attribute" propeerty: https://pastebin.com/xzTuc6Zx This will change the form url if email2 field (honeypot) is filled. I'll follow and see if it works.
Ricardo Martins

In reply to by Ricardo Martins


Update: as expected even after implementing the javascript trick, I still receive subscriptions filling the email2 field (which will be removed later). But the problem still persists on forms that send emails straightforward before the campaign delete them.