Honeypot Setback: Unexpected Issues in Countering Spam Submissions

Hello everyone,

I’m attempting to use a honeypot to block spam emails. I’ve set up a label and input field with the class name “.noaithrough.” I’ve hidden the field by setting the opacity of the “.noaithrough” class to 0, as opposed to the conventional Webflow hidden method.
(My setup is based on the response provided in this post: Issues with Honeypot in Contact Form

The prevention of abnormal submission behavior is achieved by checking whether the input field with the “.noaithrough” class name has been filled in.

On other PHP websites (non-Webflow sites), this setup works well, effectively blocking unwanted submissions as shown in the images:

However, on my Webflow site, it seems that bots are deceiving the system by populating the input field with the “.noaithrough” class name. I find it challenging to understand why the bots can still successfully submit.(The Honeypot field is marked with a yellow background.) Is there any possibility of something going wrong?

A large portion of the attacks on Webflow are gateway-based, not form-based, which means your form and JS aren’t run at all.

You could even delete that form from your site and you’d still be getting those spam submissions.

I haven’t looked into the mechanism, but the only solution I found that worked thoroughly was to switch away from Webflow’s form handler and use a 3rd party one like Basin.

Thank you for your assistance and advice.
May I inquire if this implies that, in order to entirely prevent robot submissions,
it is necessary to comprehensively replace all forms on the website with third-party processing services (such as Basin) and discontinue the current Zapier Webhook integration with Webflow?

It’s unfortunately the only effective solution I’ve found.

For automation I generally go directly from the form to the automation webhook. I don’t go through Webflow’s form handler there, but it doesn’t add value, and because I’ll sometimes have spam issues.

In rare cases I add a spam checking step using a 3rd party service directly into the automation as well, if spam is a problem for that automation.

hey, "memetican’
can you please answer my question too