How to Prevent Web Form SPAM


Identifying the SPAM Source

Need Help with Form SPAM?

We’ve all gotten SPAM, but the first step in preventing it is knowing the source because these 3 types are all handled differently — whether it’s email SPAM, blog comment SPAM, or web form SPAM (i.e. contact forms, etc). Web form spam includes any form on your website that you are receiving notifications from (via email). If you are interested in how to prevent other kinds of spam issues, see our SPAM category of related posts that I linked to below for you:

How to Prevent WordPress Blog Comment Spam
Prevent Your Newsletters From Being Marked As SPAM & Improve Email Deliverability
How To Whitelist And Make Sure You Receive Your Website’s Contact Form Emails!

Understanding How Form SPAM Works

First of all, there are two types of form spammers and you should know that these spammers get paid very well for what they do or they wouldn’t be doing it, so the best you can do is prevent them from abusing your forms in any way possible.

  • “spambots” — programs that find any and all web forms to abuse indiscriminately but their main targets appears to be pages that allow them to post comments touting products and spreading links. Contact forms are caught in the cross fire.
  • manual spammers — people hired by companies to manually find web forms to abuse, sometimes more targeted to specific websites, but these are difficult to prevent because they typically can make it through all honeypots and captchas mentioned below.

How they work is by setting up a group email to place in the Email field of your form as well as advertisement text/links via the comment/message field. Since most default forms have an auto-responder setup it allows them to send their message to the group email address thereby abusing your servers to send out their spam emails. Some bots will even try inject scripts into your site by submitting HTML and Javascript.

Get a Good Contact Form!

We recommend and use Gravity Forms for our WordPress sites which has all of the options mentioned below! If you use Contact Form 7, there are two plugins that add on the honeypots and recaptcha functionality.

Hide your Forms from Search Engines

Hide your forms from search engines via Webmaster Tools (Google Index > Remove URLs), a robots.txt file, or sitemap/SEO WordPress plugin.

To Prevent Spambots:

Disable Auto-responders

Because most default settings of forms offer an auto-responder that sends an email to the person who filled it out saying “We will get back to you” or restating what they sent in the comments field, this ends up being the perfect “crime” for those spammers who want to spread their message through your form. Don’t fall prey to this easy doorway in, just disable it and instead place a thank you message on the page itself when the form is submitted. Then manually reply to each and every contact message personally.

Disallow Links

Because most form spam is aimed at spreading links, an easy way to get rid of it is to disallow all links in messages. Check your form/plugin settings for this option.

Enable Honeypots

To prevent robot spammers: Some forms allow placement of a honeypot (hidden field) that is designed to be blank but automated submission robots don’t know this and will often try to fill it out anyways. When they submit the form with this “bot trap” field filled in, it will prevent submission.

Use Conditional Logic to Display the Submit Button

Adding a conditional logic field to dynamically display or hide the submit button based on values from another field will add another layer that the spammers will have to get through. If using Gravity Forms follow the instructions in this post.

Add Anti-Spam Fields or Captchas

To prevent robot spammers: Because spam bots are written to work with a large number of sites across the internet, they are relatively easy to fool by simply adding an extra question, simple math equation, or a reCAPTCHA to the contact form that the user has to answer in order to prove they are human. If setting up with Gravity Forms read their instruction post here. Also here is a great article that gives you other CAPTCHA options: 10 Best CAPTCHA Versions to keep out the Bots.

Prevent Manual Spammers:

Use Akismet to Mark your SPAM Entries

To prevent manual spammers: Use Akismet plugin to mark incoming entries as spam as soon as they are submitted. Akismet will work with any contact form plugin and is free for personal sites but $5/mo for commercial ones (pricing).

For Other Types of Forms

For specific forms like user registration forms, sign-up forms, social networking sites, etc. you may have to do some research on what works best for that specific type of form. If you need help with that, hire Evolv to help you do the research.

Request Help with Form SPAM

back to top