Spam Bots

It has long been known that the default Magento CAPTCHA is not effective. Some people have even taken to breaking CAPTCHAs as a sort of sport.

With that in mind, Nucleus Support has been installing a honeypot module to cover customer sign-up, newsletter sign-ups and any additional contact forms. Recently, however, a more nefarious hole has been found in the wishlist feature available on many eCommerce sites.

Many of our clients give legitimate users the ability to send their wish lists to friends and family. These messages go out through the email server the website runs on. Using this functionality, some of the clever spambot creators have found a way to essentially turn the website's server into a spam delivery tool. To address these bots, Nucleus Support has started adding a honeypot to these areas as well.

It is a constant battle between the nefarious ne'er-do-wells of the internet and the legitimate eCommerce companies.

In these conversations with our clients, we usually get asked what the best practice is, or what we suggest. Typically there are two approaches to handling these malicious spam submissions: CAPTCHA and honeypot fields. We recommend the honeypot solution over CAPTCHA in almost all cases.

What is CAPTCHA exactly?

Everyone is familiar with CAPTCHAs. If you are not, Google has a good write-up on the technical details of how they work.

What is a honeypot?

A honeypot is an extra field added to a form that a human user never sees. Since bots fill in every field available in the form before submitting, a value in that hidden field means the submission did not come from a human.
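
The check described above, as an added example (not Nucleus Support's module or any Magento code). It renders the trap field off-screen and validates the POSTed form server-side before anything, such as a wishlist email, is sent; the field name `website_url` is an assumption, and the log line gives a detection hook for counting rejected submissions.

```python
import html
import logging

log = logging.getLogger("form_guard")

# Assumed field names: pick something a bot expects to fill, and avoid
# putting "honeypot" in the name. A real user never sees this input.
HONEYPOT_FIELD = "website_url"
REQUIRED_FIELDS = ("email",)


def honeypot_markup(field: str = HONEYPOT_FIELD) -> str:
    """HTML for the trap field. It is moved off-screen rather than made
    type=hidden, because bots commonly skip hidden inputs (they usually
    carry tokens) but fill every text input they find. tabindex and
    autocomplete keep keyboard users and browser autofill off it."""
    name = html.escape(field, quote=True)
    return (
        '<div style="position:absolute;left:-10000px" aria-hidden="true">'
        f'<label for="{name}">Leave this field empty</label>'
        f'<input type="text" id="{name}" name="{name}" value="" '
        'tabindex="-1" autocomplete="off">'
        "</div>"
    )


def validate_submission(form: dict) -> tuple[bool, str]:
    """Server-side gate run before any email is sent. Returns
    (accepted, reason) so the caller can log rejections for detection."""
    if HONEYPOT_FIELD not in form:
        # Our page always posts the field (empty). A POST without it was
        # built by something that never rendered our form.
        return False, "honeypot field missing"
    if form[HONEYPOT_FIELD].strip() != "":
        # A human never sees the field, so any value means a bot filled it.
        return False, "honeypot field filled"
    missing = [f for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
    if missing:
        return False, "missing required field(s): " + ", ".join(missing)
    return True, "ok"


def handle_post(form: dict, remote_addr: str) -> bool:
    """Drop-in gate for a form handler; logs why a submission was rejected."""
    accepted, reason = validate_submission(form)
    if not accepted:
        log.warning("rejected form from %s: %s", remote_addr, reason)
    return accepted
```

Rejected submissions should be dropped silently with a normal-looking response, so the bot gets no signal that it was caught.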

Summary

If you or a client are seeing an influx of spam customers on a Magento site, or any eCommerce platform, give the spam close attention and treat it as an early warning: if not properly addressed, bots will use the site to stage broader social engineering attacks.

Nucleus Support has seen a large influx of these sorts of attacks and exploits against our Magento merchants in the last few weeks. Vigilance on the part of a business's IT team will reduce them, but even a small compromise can damage the company brand.

Nucleus Support suggests a honeypot in most cases, as it is becoming apparent that a CAPTCHA alone will not solve spambot issues.