How to Combat Web Form Spam

If you have a web form on your website, then it’s likely you have come across spam and junk responses – unfortunately it is inevitable. Not only is it frustrating, but web form spam can also affect your ranking in SERPs. 

Before we dive into the main cause of web form spam, let’s first understand that this spam is not caused by your site’s functionality, or your online marketing campaigns. 

What is web form spam? 

It is the practice of flooding a website's submission form with unwanted content, such as links to an offer, advertisements and phishing.  

A form spammer's primary goal is to hijack the form, for example through comments and guestbooks, and use it to their advantage. They either use it to promote their own business or use it for malicious purposes.  

Form spam typically arrives in one of these ways: 

  • Automated bot programs, created by hackers, that find web forms, fill them out with text, spam links and promotional content, and submit them.  
  • Human spammers who manually abuse web forms. They are even more difficult to block, as they are able to get past security measures. 

What can you do to prevent web form spam? 

The best way to protect against web form spam is to make it difficult for automated bots to fill in the form. Here are three techniques we think could help keep spammers out without hindering your genuine human users.

1. CAPTCHA and reCAPTCHA 

Remember the time when you had to type in distorted letters and numbers before hitting the submit button? Yes, that was once among the most popular ways of blocking spam. Fun fact – the full form of CAPTCHA is ‘Completely Automated Public Turing test to tell Computers and Humans Apart’. It is built for the purpose of telling humans and bots apart. Over time, bots have become better at deciphering the distorted words, and so CAPTCHAs have been made even harder to read. However, this added difficulty can hinder your user experience. reCAPTCHA from Google is a simplified solution, which has a minimal negative impact on user experience whilst guarding your form against bots.  

2. Ask Random Questions 

Ask a question that only a human can answer. This way a bot won’t have any idea what to fill in, making it easy for you to filter out submissions with an incorrect answer.  “What is 2+2?” is an easy question for humans, but not for these bots. This is an efficient way to block bot access to your web form.  

3. Honey Pot – It’s a Trap  

Honey Pot is a method that adds an extra field to your form that is invisible to customers and seen only by spam bots, as they read the HTML code. Bots fill in the fields they find in the HTML, including the hidden one, while real users only complete the visible form. A value in the hidden field tells the form that the submitter is not human, and the submission will be blocked.  

Honey Pot provides the following security mechanisms:  

  • If a value has been entered in the hidden field when the form is submitted, then this indicates that the form was completed by a spambot and the submission is blocked.  
  • If the form is submitted before a specified time has elapsed (five seconds by default), it is assumed that this is too short a time for a human to have completed the form, and the submission is blocked. You can specify the time length.  
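
A server-side version of the two honeypot checks listed above, added here as an illustration (it is not code from the original article or from any particular plugin). The field names `website` and `form_token`, the secret key and the one-hour expiry are assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"change-me"      # assumption: random secret known only to the server
HONEYPOT_FIELD = "website"     # hypothetical name of the hidden honeypot input
TOKEN_FIELD = "form_token"     # hypothetical hidden input carrying the render time
MIN_SECONDS = 5                # the five-second default described above
MAX_SECONDS = 3600             # assumption: tokens older than an hour are rejected


def _sign(issued_at):
    return hmac.new(SECRET_KEY, str(issued_at).encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value to place in the TOKEN_FIELD input when the form is rendered."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_sign(issued_at)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of submitted field values."""
    now = time.time() if now is None else now
    # Check 1: humans never see the honeypot field, so any value marks a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    # Check 2: the render time is HMAC-signed, so a client cannot backdate it.
    ts, _, sig = form.get(TOKEN_FIELD, "").partition(".")
    if not (ts.isdecimal() and len(ts) <= 12):
        return False, "missing or forged token"
    if not hmac.compare_digest(sig.encode(), _sign(int(ts)).encode()):
        return False, "missing or forged token"
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return False, "submitted too quickly"
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    token = issue_token(now=1_700_000_000)
    human = {"email": "ann@example.com", HONEYPOT_FIELD: "", TOKEN_FIELD: token}
    bot = {"email": "x@example.com", HONEYPOT_FIELD: "http://spam.example", TOKEN_FIELD: token}
    print(check_submission(human, now=1_700_000_030))  # human took 30 seconds
    print(check_submission(bot, now=1_700_000_001))    # bot filled the trap field
```

A signed token can be reused until it expires, so these checks filter simple bots only; rejecting reuse would need server-side state.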

Goodbye Spam! 

Besides these techniques, there are several other plugins and tools you can use to help combat nasty spam bots. If you have any other recommendations or advice of your own, then please share in the comments. (Not you, spammers!) 


One comment

    Hi Dhwani,

    Another alternative for the developers is to use OOPSpam API (I’m not adding a link since it would be spam 🙂 ). As you know, spam bots are getting smarter and smarter. Hence, the honeypot and random-question techniques are almost obsolete. Google’s reCaptcha is a good solution but it also has an accessibility problem.

    Thanks for the article.
