This trick is simple, stupid, and should not work, but somehow the simple spam bots have not improved.
This does not work for sophisticated bots (never met one) or the ones programmed specifically for your site (happens very rarely).
My team at Microsoft recently open sourced a tool called Accessibility Insights (https://accessibilityinsights.io). The web version is a Chromium extension that includes both automated scans and a guided assessment option that leads you through how to test for and fix the stuff that has to be found manually. This is the tool Microsoft pushes its own teams to use as part of their release processes.
* WAVE (Chrome or FF plugin, https://wave.webaim.org/extension/)
* AXE (https://www.deque.com/axe/)
* AChecker (https://achecker.us/checker/index.php)
* Funkify (Chrome plugin, tries to emulate various disabilities)
* Lighthouse in Chrome Dev Tools also checks some accessibility rules
The full list of things that you need to take care of: https://www.w3.org/TR/WCAG21/ (it's huge I know, it takes 5-7 days to test everything from this list)
First, can you navigate your entire site without using a mouse (including any widgets, forms, embedded stuff)? You should also have a "Skip to main content" button that is the first element you hit when you tab into your page.
Next, download the NVDA screen reader, which is free, turn off your monitor (or close your eyes), and navigate your site using it. I recommend using Firefox for this.
Finally, use a color contrast analyzer plugin for your browser to ensure you have enough contrast between all of your elements.
From there, you can review the WCAG 2.0 spec to get into the fine details. If you have the budget, hire a consultant/contractor. What I described above doesn't make your site pleasant to use for a disabled person, just usable.
just google relevant keywords
and if you want the full experience: just enable the screen reader and try to use your website with it.
/edit: and I almost forgot: Chrome's built-in Audit tool in the Developer Panel includes some Accessibility tests as well
Screen readers often cost significant amounts of money, and are not trivial to "just turn on".
I also always place this field after the Submit button with the idea that a user with a screen reader would never make it that far. Bots still see it and add it to the post request since I don't think they care about the order of the form fields.
An element that is not displayed should not be 'displayed' by screen-readers either.
It works surprisingly well.
The basic prerogative of a sophisticated bot is to ensure you believe that.
Having written a variety of sophisticated bots - some from pre-existing libraries, others from scratch; for specific websites and for general purpose - I'm reasonably confident most people who think they've never seen a sophisticated bot are mistaken.
I agree with you that anything more sophisticated or bespoke than a mass-spam bot is rare. But rare things happen often to most websites with nontrivial traffic. The types of bots with the most funding and skill behind them are the ones which don't try to spam anything on a website at all.
So if you have a contact form, this simple method may reduce the spam content to a low enough level that the effort to implement some type of third-party service is not necessary. There is not enough incentive for someone to target the form directly.
In addition, the captcha service may actually deter real submissions, whereas this is completely invisible to non-bots.
If you have a form that has a greater incentive for bots to abuse, then you need something more sophisticated.
To be illegal the website must be run by a business which employs 15 or more full-time employees. Or the business is some form of public accommodation like a hotel. From what I have read.
Of course it would be better to make sure the website is accessible, but I'm mostly commenting on the statement that it is illegal.
They even have a compliance tester.
That said, we encounter many sophisticated bots and also a decent number of what I'm pretty sure are real people in low-wage countries pasting data into forms. That last one is tough.
It's not a definitive solution, but it's an easy and practically free first line of defense for a young project, and depending on the project, can stand for years.
Overall, it depends on the sophistication of the bots your project attracts.
To be sure, you could add aria-hidden="true", which I'd guess most bots don't recognize.
If it doesn't, it's a bug in the screen reader.
Disclaimer: I don't know how a screenreader would present this, example only
"Form entry. Input name. Input email. Ignore this field it's for spambots. Input url. Submit" -- In this case does the message more naturally apply to email or url? I'd imagine there'd be a pause after input email (to wait for the input)? I need to set up a screen reader :)
Admittedly, I am not familiar with screen reader standards, but my gut feeling is that they are doing their users a disservice if they are not representing what browser users are seeing as similarly as possible.
Do you anticipate any problems with form auto-filling tools?
Depending on where it is the name= would be surname (where the form submission has a name field rather than a first name surname split), website, url, etc
Ideally it would have a varying id / name and a varying ARIA attribute for blind users, saying something like "human users, please ignore this".
It would not stop a really sophisticated bot that runs an actual browser and uses machine vision to detect page elements. But unless your site is very high-profile, running such a sophisticated bot to defeat its protections likely won't be profitable.
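The honeypot field discussed in this thread (not displayed, placed after the Submit button, marked aria-hidden="true", with a varying name) can be sketched as follows. This is an added example, not code from any commenter; the `SECRET`, `MAX_AGE`, the `website_` prefix, the `ts` field and the `/contact` action are assumptions made for illustration.

```python
import hashlib
import hmac
import html

SECRET = b"constructed-demo-secret"  # assumption: per-site secret kept server-side
MAX_AGE = 3600                       # assumption: a rendered form is valid for one hour


def honeypot_name(ts: int, secret: bytes = SECRET) -> str:
    """Derive a per-render field name so a bot cannot hard-code it."""
    tag = hmac.new(secret, str(ts).encode(), hashlib.sha256).hexdigest()[:8]
    return f"website_{tag}"  # bot-enticing prefix plus a varying suffix


def render_form(now: int, secret: bytes = SECRET) -> str:
    """Contact form with the trap field placed after the submit button."""
    trap = html.escape(honeypot_name(now, secret))
    return (
        '<form method="post" action="/contact">\n'
        '  <input name="email" type="email">\n'
        '  <textarea name="message"></textarea>\n'
        f'  <input name="ts" type="hidden" value="{now}">\n'
        '  <button type="submit">Send</button>\n'
        # Not displayed, hidden from assistive tech, unreachable by Tab,
        # and opted out of browser autofill.
        '  <div style="display:none" aria-hidden="true">\n'
        f'    <input name="{trap}" type="text" tabindex="-1" autocomplete="off">\n'
        '  </div>\n'
        '</form>'
    )


def is_spam(post: dict, now: int, secret: bytes = SECRET) -> bool:
    """Return True when the submission should be dropped."""
    try:
        ts = int(post.get("ts", ""))
    except (TypeError, ValueError):
        return True  # timestamp missing or tampered with
    if not 0 <= now - ts <= MAX_AGE:
        return True  # stale or future-dated form
    trap = honeypot_name(ts, secret)
    # A browser submits the undisplayed field with an empty value;
    # a missing or filled-in trap field indicates an automated client.
    return post.get(trap) != ""
```

Dropping flagged submissions silently, with the same response a successful post receives, avoids telling a bot which field gave it away.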