Written by: Tom Blijleven Published: March 29, 2021 Latest update: March 29, 2021
What is web form spam?
Webform spammers usually intend to promote their websites - by adding backlinks to a comment - or use the form for malicious events like phishing. When you're offering a free whitepaper, for instance, the spammer gets the opportunity to send a phishing link to your mailbox(es). As these links can be harmful to your company, you'd like your webforms protected from these activities.
Generally speaking, there are two types of web form spam.
1. Manual spam
Manual spamming mostly happens when companies hire people to fill out (all) web forms they can find on the web. They get paid to leave comments or submit contact forms containing backlinks. The goal is to increase traffic to their website, gain ad revenue, or create fake leads for a competitor's sales team.
2. Automated spam
Automatically filled in forms (spambots) do the same thing, without the effort of manually looking for forms. Setting up a spambot enables a spammer to spam more in less time, supposedly making them more efficient. The thing with spambots, though, is that they are detected quickly.
The risks of web form spam
Spam activities on your website can lead to:
- Spoiled comment sections;
- Forced login forms (brute force attacks);
- Exposed vulnerabilities in your forms, allowing bots to send malware or spam to other people.
6 Do-It-Yourself Tips to prevent automated web form spam
These are our tips:
- Set maximum lengths;
- Add a quiz element;
- Disallow links;
- Let web forms require cookies;
- Creating invisible fields;
- Pro tip: PHP methods to stop web form spam.
Again, human spammers are much harder to detect than spambots. You'll always have to check the submissions or incoming emails, and judge whether they are spam or not.
(#1) Set maximum lengths
Because spambots usually carry large messages, limiting characters reduces spam risk. On the other hand, it requires your other, real-life customers to shorten their comments, which can be annoying. Be aware that some forms need to have longer input sections, and some can live with a shorter one - it's about balance. In the example below, we’re limiting the characters in the phone number field.
Let’s say we’re creating this simple form with a first and last name field, followed by an email address and phone number.
A simplified version of the form HTML would look like this:
Now, this code only sets names and input types per form field. That means spam submissions can contain a somewhat endless amount of characters. You can limit characters like this:
The maxlength="9" limits the amount of characters in the phone number field to 9, but it of course depends on your situation what that number should be.
(#2) Add a quiz element
Though we're not promoting pictures or fun details (for serious businesses), a web form can contain quiz-like fields. As spambots recognize the "email" field as the field where they can leave an email address, it's much harder to recognize and answer a question. The thing to consider here is how hard your question should be. Sure, you don't want spambots to solve it easily, but your visitors should understand it still.
(#3) Disallow links
A common practice for spammers (manually and automatically) is the spreading of links. By disabling links in your form, you're preventing your website from malicious backlinks or phishing links. It does, however, also prevent clean links from being placed.
(#4) Let web forms require cookies
Another method used to detect and deter spambots is the infamous cookie. With cookies, website owners track their visitors across their website. Spambots, however, do not set cookies. Requiring cookies to fill in a web form thus protects it from these spambots.
(#5) Creating invisible fields
A simplified version of the CSS & HTML of a hidden "email address" field would look like this:
<input class="dispnon" name="emailaddress2" type="text">
(#6) Pro tip: PHP methods to stop web form spam
In addition to all the techniques already named, there are some .php-methods you can use to stop your web forms from getting spammed:
- Record data from submissions, allowing you to block notorious IP addresses. Some spambots fire multiple submissions in a short period of time, from the same IP address. Blocking that address makes sure that won't happen again;
- Change the name of your comments.php. Spambots detect these as being the comment section, even if they're not live on your website anymore. Changing the name reduces this risk.
- Some management platforms, like Shopware, allow you to build your own Captcha in PHP, so you can use it in i.e. your webshop.
Helpful tools to detect spambots in web forms
Another trusted tool to prevent web form spam is reCaptcha. After the original Captcha-project, Google rebuilt the tool to a more sophisticated technique. It automatically detects abusive traffic on your website but does not invade your user experience (like Captcha did).
For European businesses, however, reCaptcha is under review for GDPR compliance, as the tool sends your visitors's data to the USA,
On the Wordpress marketplace, there are numerous tools available to capture spambots and prevent their attempt to spam your web forms. If your website runs on WordPress, you can quickly implement tools like Akismet and Project Honeypot.
- Akismet decides whether someone's input to your web form is considered spam.
- Project Honeypot uses invisible fields (honeypots) to lure spambots. When a form submission contains filled hidden elements, you'll know it's a spam submission.
There are multiple ways to defend your web forms from spam, use them as you wish. However, as effective as they can be, you should always be cautious. Making your forms too difficult for your visitors will result in user churn, losing your customers. It's always a matter of balancing between the effort spammers are willing to make versus the effort your visitors want to put in filling in your web forms.