Hi,

This is more about feedback for Honeypot.
Up until recently Honeypot has been our number one effective measure against bot-spam. It really was shutting down a ton of spam attempts.
Recently (3 months or so) we've noticed spambots are breaching Honeypot much more frequently to a degree that we have to consider another technique or even the ghastly CAPTCHA. Could they have figured out how to detect Honeypot?

I am wondering if any other Honeypot users have noticed this, and if it's a general trend is there something that can be done within the Honeypot anti-spam method to get it back ahead of the bots?

I'm aware there are other modules that do a similar method to Honeypot, but not sure if they are any more effective. Honeypot has always worked best up until recently.

Thanks.

Attached file: Honeypot-spam leak.png (53.34 KB), added in comment #5 by justAChris

Comments

Bensbury created an issue.

geerlingguy commented:

Title: Recently Honeypot getting regularly breached » More spam getting through Honeypot lately
Version: 7.x-1.21 » 7.x-1.x-dev

Updating the title to reflect the trend a little more clearly.

I've noticed this as well—but I've noticed that more spam is getting through on _all_ my sites, including the ones (most now) where I have Mollom in addition to Honeypot, and even the site where I'm using reCaptcha.

I've heard similar rumblings from a lot of others who are involved in spam fighting, so I'm wondering if there's a large human spam initiative that's been clogging up sites lately. I, too, would like to hear from others who are seeing an uptick in spam, as there may be some ways we can continue to keep the bots at bay—though if it's human-based spam, as I suspect, more drastic measures might be necessary.

goldenfire commented:

I have seen the same. I tried increasing the time limit and changing the empty form ID without any luck. I had to re-add Captcha to the forms to prevent the bots. Waiting for a solution.

justAChris commented (attachment: Honeypot-spam leak.png, 53.34 KB):

Maybe unrelated, but noticing similar on 8.x-1.x.
Oddly, looking at logs, comment posts are being flagged (blocked), then allowed. Updated to the latest Honeypot release since I was a few commits behind, hopefully that will help. Haven't had a chance to look at cause otherwise.

Not sure if others are seeing similar in their message log.

From the logs:
[Screenshot: Drupal logs, Honeypot block add]

EDIT:
Looking at the access logs on my server, I see that it is, in fact, multiple submissions with a delay. Perhaps built into a bot or just random timing?

IP.xxx.xxx.xxx - - [24/Jan/2016:12:32:15 -0600] "GET /blog/looking-into-past HTTP/1.0" 200 SIZE "http://www.chrispanza.com/blog/looking-into-past" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.99 Safari/537.36"

IP.xxx.xxx.xxx - - [24/Jan/2016:12:32:16 -0600] "POST /comment/reply/node/12/comment HTTP/1.0" 200 SIZE "http://www.chrispanza.com/blog/looking-into-past" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.99 Safari/537.36"

IP.xxx.xxx.xxx - - [24/Jan/2016:12:32:34 -0600] "POST /comment/reply/node/12/comment HTTP/1.0" 303 SIZE "http://www.chrispanza.com/blog/looking-into-past" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.99 Safari/537.36"

IP.xxx.xxx.xxx - - [24/Jan/2016:12:32:34 -0600] "GET /blog/looking-into-past HTTP/1.0" 200 SIZE "http://www.chrispanza.com/blog/looking-into-past#comment-486" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.99 Safari/537.36"

IP address redacted, not sure why I did that. Spammers deserve privacy?
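
A detection sketch for the pattern in the access-log excerpt above, added here as an example and not part of the original comment or of the Honeypot module. It assumes that a POST answered with 200 is the form being re-displayed after a rejection and that a 303 is an accepted submission; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from datetime import datetime

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample modelled on the excerpt above (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2016:12:32:15 -0600] "GET /blog/looking-into-past HTTP/1.0" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2016:12:32:16 -0600] "POST /comment/reply/node/12/comment HTTP/1.0" 200 9011 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2016:12:32:34 -0600] "POST /comment/reply/node/12/comment HTTP/1.0" 303 512 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jan/2016:12:40:02 -0600] "GET /blog/looking-into-past HTTP/1.0" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jan/2016:12:41:30 -0600] "POST /comment/reply/node/12/comment HTTP/1.0" 303 512 "-" "Mozilla/5.0"
"""

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_retry_after_block(log_text, fast_secs=5, retry_window=120):
    """Flag clients whose POST came < fast_secs after their page GET, was
    answered with 200 (assumed rejection), then got a 303 on a retry."""
    last_get = {}   # ip -> time of that client's latest GET
    blocked = {}    # (ip, path) -> time of the fast POST answered with 200
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "GET":
            last_get[ip] = ts
        elif method == "POST" and status == 200:
            seen = last_get.get(ip)
            if seen and (ts - seen).total_seconds() < fast_secs:
                blocked[(ip, path)] = ts
        elif method == "POST" and status == 303 and (ip, path) in blocked:
            gap = (ts - blocked.pop((ip, path))).total_seconds()
            if gap <= retry_window:
                hits.append((ip, path, int(gap)))
    return hits
```

Run against the constructed sample, only the first client is reported: its comment was accepted 18 seconds after the too-fast attempt, while the second client posted once after a normal delay.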

geerlingguy commented:

I do think some of the standard bot scripts are picking up on Honeypot now—I've noticed that even on other sites that aren't built with Drupal but have had Honeypot-like timestamp behavior built-in, more spam is starting to leak in.

Interestingly, this seems to vary site-to-site, as my personal blog gets around 1,000 posts per day, and about 995 are spam—and only 2-4 get through. So it seems only some spammers are targeting Honeypot sites directly—could also be humans involved, if they get blocked, then wait and post it later.

I've been thinking about building some sort of 'honeypot_analytics' module lately, to do some deeper inspection into each form request through more logging... it would be a performance killer, but if turned on for a few minutes at a time, it could help get more helpful data as to how exactly the bots and/or real spammers are getting through.

> IP address redacted, not sure why I did that. Spammers deserve privacy?

Haha!

geerlingguy commented:

Version: 7.x-1.x-dev » 8.x-1.x-dev
Status: Active » Postponed (maintainer needs more info)

Things seem to have died down lately; maybe there was some massive spam network that was recently shut down, or maybe all my sites just had a bad spot of a few weeks and it's over? Anyone else still noticing this large influx of spam?

I'm going to roll a new release with a few small fixes/tweaks, maybe one of them will help deter spammers even better :)

bunthorne commented:

In the last 24 hours I got hundreds of human-like registrations and content postings. The honeypot field was filled in with appropriate (although occasionally misspelled) content. One of the new users was able to get 3500 pages of content uploaded (about 12 per minute, it seems) before I was able to shut things down.

I am turning on account verification required for now until I figure out a better filter on my generally-quiet site.

geerlingguy commented:

> The honeypot field was filled in with appropriate (although occasionally misspelled) content.

@bunthorne - Do you mean spammers entered text into that field, but the form was not rejected as spam? If so, either Honeypot is not functioning correctly on your site, or the honeypot field wasn't added by this module...

bunthorne commented:

My mistake. I was getting confused about my fields ... I have a field that asks for an intelligent human answer, and these spammers are filling it in with intelligent answers unlike the last few years when the bots would just enter a two-letter acronym or repeat their user name. It was the easiest way I had to pick out the ones that got through Mollom and Honeypot.

geerlingguy commented:

@bunthorne - I see; it looks like your site is one of the lucky ones to have been targeted by actual human spammers... and unfortunately, not even Mollom/Akismet/Honeypot/other passive systems will be able to handle that well :(

Perignon commented:

I came to see if others are having issues this year. I have ridden waves of spam. The last attack of spam I had I used Honeypot to stop it, and it worked for around a good year or a little more. Now in the last 30 days, I see a slow escalation of spam. It seems to be increasing every day (maybe they are testing).

I am getting spam user registration and spam email subscriptions into my ESP. I am getting A LOT of email registrations that are all being inputted at the same time, so it appears to be coming from multiple IP addresses. I haven't got into web logs yet because it's an AWS ELB and it's a pain. I am getting around 30 to 50 spam user registrations, and they are slowly inputted (about one every 15 minutes). The registrations and the email spam are all perfectly periodic too, so it has to be scripted. The email registrations come at the top of the hour, and the user registrations are spaced exactly 15 minutes apart (most of the time).

reCAPTCHA isn't a possibility for email subscriptions because these are marketing landing pages. I don't want reCAPTCHA on those.

About to spend more time investigating this problem this afternoon. Glad to see I am not the only one.

inversed commented:

I was researching this recently and came across an article that could shed some light on this: http://www.smartfile.com/blog/captchas-dont-work-how-to-trick-spam-bots-...

To sum it up, the spambot authors could be adapting their scripts to work around honeypot. For example, if the hidden field is always named the same thing or is in the same position, then it's possible to build a workaround.

I wonder if a new version of Honeypot could integrate some features to make it more dynamic, even potentially altering the valid form fields (to make them look like honeypots) and making the hidden fields look valid, then shuffling everything back to normal before submit. Certainly, it's a lofty goal, but it might have to be the future.
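
One way to make the hidden field less predictable, as suggested in the comment above, combined with the time-limit check mentioned earlier in the thread. This is an added example in Python, not code from the Honeypot module (which is PHP); `render_fields`, `validate`, the `hp_token` field, the secret and the 5-second limit are all hypothetical.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: per-site secret kept server-side
MIN_SECONDS = 5                     # assumption: minimum plausible fill-in time

def _mac(*parts):
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def _trap_name(form_id, session_id, issued):
    # Name depends on form, session and render time, so a script cannot
    # hard-code which field has to stay empty.
    return "f_" + _mac("name", form_id, session_id, issued)[:12]

def render_fields(form_id, session_id, now):
    """Return (hidden field name, signed timestamp token) for one render."""
    token = f"{now}:{_mac('time', form_id, session_id, now)}"
    return _trap_name(form_id, session_id, now), token

def validate(form_id, session_id, posted, now):
    """Return 'ok' or the reason the submission is rejected."""
    try:
        issued_s, sig = posted.get("hp_token", "").split(":", 1)
        issued = int(issued_s)
    except ValueError:
        return "bad-token"
    expected = _mac("time", form_id, session_id, issued)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad-token"          # forged or altered timestamp
    if now - issued < MIN_SECONDS:
        return "too-fast"
    name = _trap_name(form_id, session_id, issued)
    if name not in posted:
        return "trap-missing"       # field stripped instead of left empty
    if posted[name] != "":
        return "trap-filled"
    return "ok"
```

Because the timestamp is signed, a client cannot backdate it to pass the time limit, and the field name differs per session and per render. Neither check stops a human who fills in the visible fields by hand, which matches what the thread reports.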

Perignon commented:

Interesting read. Some of those things could be easily implemented. I may see about writing code for a couple of those and submit a patch back here.

geerlingguy commented:

Status: Postponed (maintainer needs more info) » Closed (outdated)

Closing out some old issues; some good suggestions in the thread above, but unless someone takes the time to write them into a patch I don't know if I'll have time to tinker and get them in place. As it is, there are also a few other small fixes in the issue queue which may help improve the spam prevention at least marginally.