Question

I have heard of honeypot-style captcha systems that either load the form with JavaScript, which might load after the page has rendered, or check if a hidden field is filled in, which could possibly be mitigated.

Is there a foolproof way to achieve this functionality without compromising user experience?

Solution

The basic idea is to have the form contain honeypot fields that will get the request rejected or silently dropped if they are filled out, and which are made invisible to the user through CSS or JavaScript DOM manipulation.

Here's a blog post that describes a fairly complex way of making it nearly impossible for bots to distinguish between regular and honeypot fields. I've used it with 100% success so far, but it only helps if the bots rely on field names. I suspect that most generic spam bots don't even try to fill out fields selectively, so you wouldn't need it, and targeted spam bots would easily defeat the scheme by identifying fields via their position in the HTML rather than the name.
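The check described in the answer above, as an added example that is not code from the post or from the linked blog: a form with CSS-hidden honeypot inputs and a server-side validator that silently drops any submission that fills one. The logical field names, the `hp` class and the HMAC-derived per-form input names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs

SECRET = secrets.token_bytes(32)      # server-side key (assumption: never sent to clients)
REAL_FIELDS = ("email", "message")    # hypothetical real inputs
TRAP_FIELDS = ("website", "phone")    # hypothetical honeypot inputs


def field_name(token: str, logical: str) -> str:
    """Opaque per-form input name, so real and honeypot inputs look alike by name."""
    mac = hmac.new(SECRET, f"{token}:{logical}".encode(), hashlib.sha256)
    return "f" + mac.hexdigest()[:16]


def render_form(token: str) -> str:
    """Build the form; honeypots are hidden by a CSS class, not type="hidden"."""
    rows = [f'<input type="hidden" name="token" value="{escape(token)}">']
    for logical in REAL_FIELDS:
        rows.append(f'<label>{logical} <input name="{field_name(token, logical)}"></label>')
    for logical in TRAP_FIELDS:
        # aria-hidden/tabindex keep screen-reader and keyboard users out of the trap;
        # autocomplete=off reduces false positives from browser autofill.
        rows.append(f'<div class="hp" aria-hidden="true"><input '
                    f'name="{field_name(token, logical)}" tabindex="-1" autocomplete="off"></div>')
    style = "<style>.hp{position:absolute;left:-9999px}</style>"
    return style + '\n<form method="post">\n' + "\n".join(rows) + "\n</form>"


def check_submission(body: str):
    """Return the real field values, or None when the post should be dropped."""
    data = parse_qs(body, keep_blank_values=True)
    token = data.get("token", [""])[0]
    if not token:
        return None
    for logical in TRAP_FIELDS:
        if any(v.strip() for v in data.get(field_name(token, logical), [])):
            return None               # a honeypot was filled in
    return {name: data.get(field_name(token, name), [""])[0] for name in REAL_FIELDS}


if __name__ == "__main__":
    tok = secrets.token_hex(8)
    print(render_form(tok))
    # Constructed sample: a client that fills every input, honeypots included.
    names = [field_name(tok, n) for n in REAL_FIELDS + TRAP_FIELDS]
    print(check_submission(f"token={tok}&" + "&".join(f"{n}=x" for n in names)))
```

As the answer notes, opaque names only help against clients that pick fields by name; one that selects inputs by position in the HTML is not stopped by this.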

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow