
How do I add a honeypot field to my form?

Updated: 2023-01-26 14:18:51

The basic idea behind honeypot captchas is that you have a hidden (via CSS) field named something like "form" or "email" or "content" that (to a bot just reading the field name) looks like it should be filled in. Then, when the server looks at the submission, you make sure these hidden fields are blank. If they aren't, then you flag the post as a bot.

Here is a well-explained example (in ASP), and here is a Rails Gem that provides honeypot captchas.

That Rails Gem I linked looks like it's very easy to use once installed:

  <% form_tag comments_path, :honeypot => true do -%>
  ...
  <% end -%>

Although if you're interested in learning about the approach rather than just having it implemented, I'd recommend you roll your own. If you're rolling your own, it's important to make sure that the field is hidden by CSS (or some other style/positioning trick) and not input type="hidden" - as otherwise the bot might not fill out the field.

As Michael Mior pointed out in the comments, it's important to have a message next to the hidden field telling the user to leave it blank - otherwise users with screen readers might erroneously fill it in. This feature is missing from the gem I linked to - so if you're making an accessible website (which you almost certainly should be) you may need to modify it or roll your own.

Keep in mind that this trick isn't foolproof - there's nothing stopping a bot from rendering the page and determining which fields are actually visible to the user before filling any in - but that kind of bot would be considerably more complex than one that just looked at the form html. A honeypot captcha is likely to be very effective at stopping simple bots.
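
A roll-your-own version of the approach described above, as an added example that is not part of the original answer or the linked gem: it builds a CSS-hidden decoy field with a "leave blank" label and checks a form-encoded POST body on the server side. The field name `email_confirm`, the helper names and the sample submissions are assumptions made for this example.

```ruby
require "uri"

# Hypothetical field name chosen for this example; pick one a naive bot
# would want to fill in.
HONEYPOT_FIELD = "email_confirm"

# Markup for the decoy. It is hidden by CSS positioning, not by
# type="hidden", and the label tells screen-reader users to leave it blank.
# autocomplete="off" reduces the chance of browser autofill tripping it.
def honeypot_markup(field = HONEYPOT_FIELD)
  <<~HTML
    <div style="position:absolute; left:-9999px;">
      <label for="#{field}">Leave this field blank</label>
      <input type="text" id="#{field}" name="#{field}" value=""
             tabindex="-1" autocomplete="off">
    </div>
  HTML
end

# True when a form-encoded POST body carries a non-blank decoy value.
# Every occurrence of the field is checked, so a repeated parameter
# cannot hide a filled-in value behind an empty one.
def bot_submission?(raw_body, field = HONEYPOT_FIELD)
  URI.decode_www_form(raw_body)
     .select { |name, _| name == field }
     .any? { |_, value| !value.strip.empty? }
end

# Constructed sample submissions.
HUMAN_POST = "name=Ann&comment=Nice+post&email_confirm="
BOT_POST   = "name=x&comment=spam&email_confirm=bot%40example.com"
DUP_POST   = "email_confirm=&comment=spam&email_confirm=filled"

if __FILE__ == $PROGRAM_NAME
  puts honeypot_markup
  { "human" => HUMAN_POST, "bot" => BOT_POST, "dup" => DUP_POST }.each do |who, body|
    puts "#{who}: #{bot_submission?(body) ? 'flag as bot' : 'accept'}"
  end
end
```
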