Form spam, also known as comment spam or submissions spam, is malicious content created by automated bots that use forms on sites or blogs. Comment, contact or registration forms are especially vulnerable. It is often used to send out phishing emails or malware links. Submissions spam can also be used for advertising or other scams. In addition, it can annoy website owners and visitors and lead to security vulnerabilities and other issues.
Spammers design advanced bots to look for any online form, such as contact forms, sign-up forms, comment forms, and even search boxes. Once the bot finds the form, it will fill out the form with various types of spam submissions. Of course, bots always try to pretend to behave like real human visitors.
Spam form submissions target websites with open forms that do not need user authentication or verification. This allows them to submit their spam without making an account or waiting for a website administrator's response. The bots also can change existing forms to bypass security measures. Some popular spam submissions use cases are:
Don't forget human spammers, either. They're incentivized to post contact form submissions and advertise their services.
Form spam has many downsides. Some examples are:
To protect your site from spam form submissions, there are several different measures you can take:
Handling spam is annoying and time-consuming. It also requires engineering time to add and implement IP-limiting, captchas, and anti-spam features. That's why the friendlier and more cost-effective approach is to use a form backend solution that does all this for you. Here's how HeroTofu helps to ensure your form has a minimal amount of spam.
Akismet is a leading solution for detecting suspicious and spammy comments, and it has more than 7 million users. With its help and some custom checks, HeroTofu can efficiently identify form spam.
HeroTofu also implements proprietary rate limiting. It helps to protect your site from suspicious visitors trying to post spammy content over and over again.
To make sure that only genuine visitors are submitting forms, HeroTofu adds captcha verification to your forms. CAPTCHAs are a type of challenge-response test used to determine whether a user is human or not.
This will help you avoid malicious bots and ensure only real people submit forms. You can decide whether you want to perform a captcha challenge on all form submissions or only on the suspicious ones.
If you're worried about the form conversion rate dropping, you can install Google's reCAPTCHA right into your form. Then, send the result to HeroTofu for the backend validation. This results in one less perceived step for the user.
The honeypot method uses a hidden field to detect malicious bots. The idea is to hide a field from humans; if someone fills it in, we can be sure that there's an automated bot behind it. This is also something that HeroTofu implements for your forms. All you need to do is name your field '_honey', '_gotcha' or '_busted'. HeroTofu will automatically discard that form submission if the field is present.
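For a self-hosted form handler, the honeypot check and the per-visitor rate limiting described above can be sketched as follows. This is an added example, not HeroTofu's code: only the three honeypot field names come from this article, while the function names, the one-minute window, the limit of three submissions and the choice to treat only a non-empty honeypot value as a hit are assumptions.

```javascript
// Added example. Only the honeypot field names come from the article;
// every other name and threshold here is hypothetical.
const HONEYPOT_FIELDS = ['_honey', '_gotcha', '_busted'];
const WINDOW_MS = 60000;   // assumed sliding window: one minute
const MAX_PER_WINDOW = 3;  // assumed accepted submissions per IP per window

const recentByIp = new Map(); // ip -> timestamps (ms) of accepted submissions

// True when any honeypot field carries a non-empty value. Browsers submit
// CSS-hidden inputs with an empty value, so this sketch does not treat
// mere presence of the field as a hit (assumption).
function honeypotTripped(params) {
  return HONEYPOT_FIELDS.some((name) =>
    params.getAll(name).some((value) => value.trim() !== ''));
}

// Sliding window: drop timestamps older than WINDOW_MS, then count the rest.
function overLimit(ip, now) {
  const recent = (recentByIp.get(ip) || []).filter((t) => now - t < WINDOW_MS);
  recentByIp.set(ip, recent);
  return recent.length >= MAX_PER_WINDOW;
}

// body: raw application/x-www-form-urlencoded string from the POST request.
// ip: client address as seen by the server. now: timestamp in milliseconds.
function screenSubmission(body, ip, now = Date.now()) {
  const params = new URLSearchParams(body);
  if (honeypotTripped(params)) {
    return { action: 'discard', reason: 'honeypot' };
  }
  if (overLimit(ip, now)) {
    return { action: 'reject', reason: 'rate_limit' };
  }
  recentByIp.get(ip).push(now);
  // Remove honeypot fields so they never reach email or storage.
  HONEYPOT_FIELDS.forEach((name) => params.delete(name));
  return { action: 'accept', fields: Object.fromEntries(params) };
}
```

Answering a discarded submission with the same response as an accepted one gives an automated sender no signal about which check it failed.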
Finally, there is advanced form routing to place the submissions into different buckets. For example, you could rank submissions by specific country and forward those to your email, while all the other submissions would be dequeued and checked once a week or so. Country/OS/Browser information can be attached to the submission as an extra way to focus on specific leads.
Q: How can I tell if my website is receiving form spam?
A: If you are receiving an unusually high volume of form submissions, many of which are irrelevant or inappropriate, you may be receiving form spam.
Q: Will implementing Captcha negatively affect the user experience on my website?
A: Captcha can be a bit annoying for users, but it is a necessary security measure to prevent form spam. You can install Captcha in a way that minimizes the impact on the user experience.
Q: Can form spam be harmful to my website?
A: Yes, comment form spam in particular can harm your website in a variety of ways. It can impact your website’s SEO rankings and reduce the effectiveness of your website’s forms. This applies only if submissions are displayed on your website.
Q: Can bots get around Captcha?
A: While it is possible for bots to get around Captcha, implementing Captcha can still significantly reduce the amount of spam.
Q: Is there a way to cut form spam completely?
A: Unfortunately, it is impossible to eliminate form spam completely. Furthermore, manual spammers (human users and bad actors, not bots) can evade specific barriers. However, by implementing one or more of the methods outlined above, you can reduce the amount of form spam your website receives.
Form spam is a growing issue that can have a range of negative impacts on websites. Whether you'll try to create a custom solution or trust HeroTofu to do the heavy lifting is up to you.
If you'd like to learn more about how HeroTofu can help protect your website from form spam, there's a 14-day free trial with a generous free tier. No risk, no commitment, so why not try it?