Form Spam 101: What You Need To Know

(and how to prevent it)

Capturing the form spam

What is form spam?

Form spam, also known as comment spam or submissions spam, is malicious content created by automated bots that use forms on sites or blogs. Comment, contact or registration forms are especially vulnerable. It is often used to send out phishing emails or malware links. Submissions spam can also be used for advertising or other scams. In addition, it can annoy website owners and visitors and lead to security vulnerabilities and other issues.

How Does Form Spam Work?

Spammers design advanced bots to look for any online form, such as contact forms, sign-up forms, comment forms, and even search boxes. Once the bot finds the form, it will fill out the form with various types of spam submissions. Of course, bots always try to pretend to behave like real human visitors.

Spam form submissions target websites with open forms that do not need user authentication or verification. This allows them to submit their spam without making an account or waiting for a website administrator's response. The bots also can change existing forms to bypass security measures. Some popular spam submissions use cases are:

  • Spam campaigns: Some spammers use automated bots to send large volumes of spam to as many websites as possible.
  • Malware distribution: Other spammers use comments spam to distribute malware. That malware steals sensitive information or gains access to a website's backend.
  • SEO spamming: Some spammers use spam messages to generate backlinks to their websites. They're hoping to improve their search engine rankings.

It would be best if you didn't forget human spammers, too. They're incentivized to post contact form submissions and advertise their services.

The negative impact of form spam

There are a lot of downsides of the form spam. Some examples are:

  • Wasted time dealing with contact form spam emails instead of legitimate customer emails.
  • Spam submissions can lead to a decrease in the morale of employees who must deal with spam emails.
  • Spam comments can have a negative impact on customer experience, as real customer emails may get lost in the mix.

Tips to reduce spam bot submissions

To protect your site from spam form submissions, there are several different measures you can take:

  • Implementing filters that detect and block unwanted posts.
  • Limiting the number of times an IP address makes submissions over a certain period.
  • Enabling a captcha solution in your forms.
  • Validating all input fields so only authenticated visitors may submit posts.
  • Setting up honeypots (invisible fields).
  • Regular reviews/monitoring of your contact forms/pages so you stay informed about any suspicious entries.

How HeroTofu saves your time

Handling spam is annoying and time consuming. It also requires engineering time to add and implement IP-limiting, captchas, and anti-spam features. That's why the friendlier and more cost-effective approach would be to use form backend solutions that are doing all this for you. Here's how HeroTofu helps to ensure your form has a minimal amount of spam.

1. Akismet and custom checks

Akismet is a leading solution for detecting suspicious and spammy comments, and it has more than 7 million users. With its help and some custom checks, HeroTofu can efficiently identify form spam.

Spam protection

2. Rate limiting

HeroTofu also implements proprietary rate limiting. It helps to protect your site from suspicious visitors trying to post spammy content over and over again.

3. Captcha verification

To make sure that only genuine visitors are submitting forms, HeroTofu adds captcha verification to your forms. CAPTCHAs are a type of challenge-response test used to determine whether a user is human or not.

This will help you avoid malicious bots and ensure only real people submit forms. You can decide whether you want to perform a captcha challenge on all form submissions or only on the suspicious ones.

If you're worried about the form conversion rate dropping, you can install Google's reCaptcha right into your form. Then, send the result to HeroTofu for the backend validation. It will result to a one less perceived step for the user.

Spam protection

4. Honeypot field

The honeypot method is a hidden field that detects malicious bots. The idea is to hide a field for humans, and if someone fills it, then we can be sure that there's an automated bot behind it. This is also something that HeroTofu implements for your forms. All you need to do is to name your field as '_honey', '_gotcha' or '_busted'. HeroTofu will automatically discard that form submission if the field is present.

HeroTofu Honeypot

5. Advanced routing

Finally, there is an advanced form routing to place the submissions into different buckets. For example, you could rank submission by specific country and forward it to your email. While all the other submissions would be dequeued and checked once a week or so. Country/OS/Browser information can be attached to the submission as an extra way to focus on specific leads.

Spam routing


Q: How can I tell if my website is receiving form spam?

A: If you are receiving an unusually high volume of form submissions. Plus, many of which are irrelevant or inappropriate, you may be receiving form spam.

Q: Will implementing Captcha negatively affect the user experience on my website?

A: Captcha can be a bit annoying for users, but it is a necessary security measure to prevent form spam. You can install Captcha in a way that minimizes the impact on the user experience.

Q: Can form spam be harmful to my website?

A: Yes, especially comment form spam can harm your website in a variety of ways. It can impact your website’s SEO rankings and reduce the effectiveness of your website’s forms. Of course, only if submissions are displayed in your website.

Q: Can bots get around Captcha?

A: While it is possible for bots to get around Captcha, implementing Captcha can still significantly reduce the amount of spam.

Q: Is there a way to cut form spam completely?

A: Unfortunately, it is impossible to eliminate form spam completely. Furthermore, manual spammers (human users and bad actors, not bots) can evade specific barriers. However, by implementing one or more of the methods outlined above, you can reduce the amount of form spam your website receives.

Your next steps

Form spam is a growing issue that can have a range of negative impacts on websites. Whether you'll try to create a custom solution or trust HeroTofu to do the heavy lifting is up to you.

If you'd like to learn more about how HeroTofu can help protect your website from form spam, there's a 14 days free trial with a generous free tier. No risk, no commitment, why don't you try?