Filter By:

Understanding Form Spam

How to Reduce Form Spam

Even if you have never heard of the term “spam” before in relation to websites and email communication, you have most likely still experienced it more than once. According to research done by, 96.8% of people have received spam messaging in some form. Spam is everywhere, in fact that same research shows that out of the approximately 333 billion emails sent daily, 162 billion are considered spam, which is just under half (49%) of the total emails sent a day. 

162 billion spam emails

When it comes to your business’ website, this titlewave of spam can have a drastically negative impact on your business’s productivity, brand trust, and security. However, this is not a lost cause, as there are meaningful tools that can be utilized to hold back the flood of spam out there on the internet.

What is form spam?

The primary way that spam interacts with your business’ site is through form spam. Simply put, form spam is any unwanted and contextual meaningless messaging submitted through a user form submission or comment box. Much like a public messaging board online or even a cork board at your local corner store, anyone can fill out the form, or write a comment, and submit their response to your site. As a business owner, you love the idea of allowing your current and potential customers to have ready access to reach out and connect with you, but like all good things, there are those who will take advantage and misuse it. Because anything can be submitted, spammers and spam bots can fill out the form and comments with messaging that is unwanted, and does not relate in any way to the stated, or contextually unstated, purpose of that form or comment section. For example, a contact us form on your site, which is intended for potential customers to reach out and ask questions about your services, can be used by spammers to advertise their own services to you or maliciously get you too click a link that has malicious software attached to it that could compromise other areas of your business.

Why does this type of spam exist?

There are a number of reasons why form spam exists:

  1. The spammer has malicious intent and is attempting to compromise your site or business in some way. Often this kind of spam will include links inside the messages that they submit that when clicked could infect your site with malware. The malware could potentially steal customer information, allow for the spammer to insert code onto the site to display unwanted content or ads, or even change links on your site to direct traffic away from your site to other malicious sites.
  2. Similar to the first but not quite as malicious, spammers may try to use form spam to boost their own traffic to their site. This is essentially common if your site allows for user submitted comments, as the spammer can include a link to their site over and over again in hopes that anyone will simply click the link and land on their site.
  3. Form spam can also be a way for spammers to attempt to sell their own product either directly to you as the owner or the users though a comment section. This can be seen as a way to get free advertising and they are attempting to use your brand awareness and customer base to elevate their product.

These are only a few examples of why form spam exists, but in more simple terms, form spam exists because it works. As we will see, spamming vulnerable sites is relatively easy and quick, and even if the spammer only gets a small percentage of a result back from their attack, it is most often worth it as the investment on their end is very minimal.

How Does Form Spam Work?

There are two main avenues in which spam is created and is submitted to your site:

  1. Manual spam. This spam is generated by a real person who is taking the time to access your site, like anyone else, to fill out a form or comment on a post or video. Often you can see an example of this kind of spam when the submitted content is more personable and actually may even reference specifics of your site or company, but it is still not related to the context of the form or content that it is being commented on. A very common example of this kind of spam is when a so-called “SEO expert” reaches out to you through your “contact us” form informing you that your site’s SEO can be improved and that they would love to talk to you about improving it. They may reference one or two SEO related aspects of your site, but ultimately, they are just using your form as a way to advertise their services to you.
  2. Bot spam. This spam is the most common form of spam and allots for nearly half of all emails sent daily. It is pretty self explanatory, spam bots are created by programers to crawl your site, identify vulnerable forms or comment sections, and then fill out the input fields with a predetermined set of inputs and messages.This allows the spammers to hit potentially hundreds of thousands of sites a day all without having to manually input any information themselves. This is why some cases of spam hitting your inbox can be so high.
Manual spam

How to Defend Against Form Spam?

With so much spam and so much seemingly stacked against your business it may be tempting to just remove all forms from your site and go back to offering a mailing address for people to reach out to you through. But before you do that, there are proven methods to implement first that can help you drastically reduce the amount of spam that you receive. We use many of these steps for our clients at Sanctuary.

  1. Use Google Recaptcha on Your Forms – Google reCAPTCHA is the largest anti-spam tool used across the web. From the outside, this tool appears to just be another checkbox on a form that should be easy enough for a spam bot to detect and check. However, google has been training this tool through very specific and sophisticated methods to identify the behavior differences between when a human is filling out a form and when a bot does. If the reCAPTCHA fails and it determines the form filler to be a bot, the form will not be submitted. There are a few different versions of this tool available and we would always recommend using the most recent version for best result, currently version 3. However, even version 2 is better than not having it. The best part is that this tool is completely free. It only requires you to register your domain and it then allows you to hook it up to your site how you wish. Our recommendation is that you utilize a reputable form creation plugin that integrates natively with reCAPTCHA, such as Gravity Forms or WP Forms.
  2. Implement The Honey Pot Method – The name of this method is not initially very self-explanatory, however when explained it does make sense. Essentially, this method is similar to recaptcha as it attempts to determine human behavior versus automated bot behavior when filling out a form. It does this by adding an additional hidden (invisible) field on your form. To a human filling out the form, the field is invisible, and they won’t be able to fill it out seeing as how humans cannot see invisible objects. However, the way that a spam bot views a page is different from how a human does. A spam bot is crawling through the HTML code of the page (the code that is needed to create all the elements of a webpage) and when it comes to a form it will be able to see the added field and it will fill it out. Essentially this method is attempting to catch the spam bot with its hand in the forbidden cookie jar. If the added form field is filled out when the form is submitted, then the submission will either be marked as spam or will not be allowed to be submitted. This functionality can be built pretty simply with the help of a developer, however it is also built into the options for every form created with the Gravity Forms plugin. We enable this feature on all of the forms we create at Sanctuary.
  3. Create your own filtering methods – Honey pot is a great filtering method for spam, but not all filtering methods need to be invisible. there are other ways to try to determine the difference between a spam bot and a human being. For example you can ask for the form user to answer a very basic and specific question that has an absolute answer, such as 1 + 1. You can then enable conditions on if the form is submitted based on if the answer provided to that question is correct or not (i.e. the input in that field is 2). This works because spam bots are not actually dynamically reading each label for each input so it knows the best way to input its preassigned input data. In most cases, the bot is only looking for fields that are labeled ‘name’, ‘email’, ‘comments’, ‘questions’ and any other required fields on a form the bot will just enter either duplicate data or a random string of text. This means when it comes to your custom filtering input field it will get the answer wrong, thus indicating it is a bot. Other suggestions for this field could be asking “Which letter comes before the other; A or B”?, or “In what month is Christmas?”
  4. Block IP Addresses or Entire Regions –  In some cases, spam can be coming from a singular source over and over again. if this is the case you could isolate the ip address that the submission is coming from and block it from being able to continue accessing your site. There are many plugins that offer IP blocking, and even your website host may offer this functionality. This method is not perfect, as a persistent spammer can simply change their IP address or utilize a VPN to spoof their IP, but it could offer some level of respite from the spam. If you are experiencing a high level of spam from a specific region well outside your business’ service area, then you could also block specific regions from accessing your site. This would be a more reliable way of defending against spam as a region is a much larger area to block then a single IP address, however VPN’s could still be just as easily used to bypass this restriction and allow spammers to continue accessing your site.
  5. Don’t Allow For User Submitted Content if Possible – This does not mean don’t include forms on your site, as forms are indispensable tools for you as a business owner. This primarily is targeted towards user comment sections. WordPress was and still is a great place to build a blog, and with a blog there is often a place for comments to allow interaction between you and your readers: however, in most cases this functionality is not actually necessary when it comes to your business. Out of the box, WordPress allows for comments to be submitted on every page on your site depending on your theme: it is vitally important that you disable this feature on your site. A comment section is potentially at an even higher risk of spam than a form submission because of the relatively low bar there is for a submission to be posted, if there is even a bar at all. Comments are also client-facing, so as a spam form fill will only be submitted to you and your business team, a spam comment and all its content, including any malicious links, can be accessed by your valued potential and current customers. This can greatly hurt the trust your customers have with you and your site, as well as open potential security risks to them. There is nothing inherently wrong with having comments enabled on your site: in some cases it is unavoidable, especially if your business primarily revolves around posting content and interacting with your community. If this is your case, then there are ways you can mitigate the spam that appears in your comments. First, disallow immediate submission until the comment is reviewed by you or someone else at your business. This will allow you to monitor what is being posted and filter out spam. Second, only allow customers or logged-in users to submit comments. This will act as a barrier of entry that spam bots will not know how to navigate, as a bot will not purchase a product or create an account before attempting to fill out and submit a comment. Third, you can implement some of the same methods listed above for forms for your comment sections. Implement recaptcha before a user can submit the comment, add a hidden field that checks if it gets filled out or not, or ask a simple question to authenticate a human is actually writing the comment.
How to defend against form spam

Utilizing Methods to Reduce Spam

Spam is not only annoying but potentially dangerous to your company, and unfortunately, it is not going anywhere soon, but by understanding spam more and utilizing the methods, discussed you can have a website that is protected against the titlewave of spam that washes over the internet every single day. Spam will always be present, and although having a goal to have absolutely no spam is great, a more realistic expectation is to keep spam as low as possible in the context of your business situation and environment. Spam comes with the territory, some more than others, but there are many tools that can be used to protect your business and customers. 

Share this:
About Luke Wagner:

As Sanctuary’s Website Developer, Luke Wagner works behind the scenes on our websites to ensure that they are functioning as they should. But if they aren’t, rest assured that he’s up for the challenge to find a quick solution. He is extremely motivated to keep developing his skills and growing in the world of web design and development.

Related Articles:

Articles, News, Videos, Podcasts and more! Subscribe for our Academy newsletter for updates and future benefits.

Security Icon

Your privacy is a priority. View our Privacy Policy.

The Academy is a service of Logo