We've all dealt with web form spam. Website owners that use forms to collect information have inevitably received some spam submissions. Comment sections get stuffed with shabby-looking reactions. Mailboxes get flooded with bad emails. Though it's impossible to prevent all spam, but here are some helpful DIY tips to protect your web forms better.
Webform spammers usually intend to promote their websites - by adding backlinks to a comment - or use the form for malicious events like phishing. When you're offering a free whitepaper, for instance, the spammer gets the opportunity to send a phishing link to your mailbox(es). As these links can be harmful to your company, you'd like your webforms protected from these activities.
Generally speaking, there are two types of web form spam.
Manual spamming mostly happens when companies hire people to fill out (all) web forms they can find on the web. They get paid to leave comments or submit contact forms containing backlinks. The goal is to increase traffic to their website, gain ad revenue, or create fake leads for a competitor's sales team.
Automatically filled in forms (spambots) do the same thing, without the effort of manually looking for forms. Setting up a spambot enables a spammer to spam more in less time, supposedly making them more efficient. The thing with spambots, though, is that they are detected quickly.
Spam activities on your website can lead to:
Again, human spammers are much harder to detect than spambots. You'll always have to check the submissions or incoming emails, and judge whether they are spam or not.
Because spambots usually carry large messages, limiting characters reduces spam risk. On the other hand, it requires your other, real-life customers to shorten their comments, which can be annoying. Be aware that some forms need to have longer input sections, and some can live with a shorter one - it's about balance. In the example below, we’re limiting the characters in the phone number field.
Let’s say we’re creating this simple form with a first and last name field, followed by an email address and phone number.
A simplified version of the form HTML would look like this:
Now, this code only sets names and input types per form field. That means spam submissions can contain a somewhat endless amount of characters. You can limit characters like this:
The maxlength="9" limits the amount of characters in the phone number field to 9, but it of course depends on your situation what that number should be.
Though we're not promoting pictures or fun details (for serious businesses), a web form can contain quiz-like fields. As spambots recognize the "email" field as the field where they can leave an email address, it's much harder to recognize and answer a question. The thing to consider here is how hard your question should be. Sure, you don't want spambots to solve it easily, but your visitors should understand it still.
A common practice for spammers (manually and automatically) is the spreading of links. By disabling links in your form, you're preventing your website from malicious backlinks or phishing links. It does, however, also prevent clean links from being placed.
Another method used to detect and deter spambots is the infamous cookie. With cookies, website owners track their visitors across their website. Spambots, however, do not set cookies. Requiring cookies to fill in a web form thus protects it from these spambots.
A simplified version of the CSS & HTML of a hidden "email address" field would look like this:
<input class="dispnon" name="emailaddress2" type="text">
In addition to all the techniques already named, there are some .php-methods you can use to stop your web forms from getting spammed:
Another trusted tool to prevent web form spam is reCaptcha. After the original Captcha-project, Google rebuilt the tool to a more sophisticated technique. It automatically detects abusive traffic on your website but does not invade your user experience (like Captcha did).
For European businesses, however, reCaptcha is under review for GDPR compliance, as the tool sends your visitors's data to the USA,
On the Wordpress marketplace, there are numerous tools available to capture spambots and prevent their attempt to spam your web forms. If your website runs on WordPress, you can quickly implement tools like Akismet and Project Honeypot.
There are multiple ways to defend your web forms from spam, use them as you wish. However, as effective as they can be, you should always be cautious. Making your forms too difficult for your visitors will result in user churn, losing your customers. It's always a matter of balancing between the effort spammers are willing to make versus the effort your visitors want to put in filling in your web forms.
With years of experience in the email (marketing) industry, Tom currently manages the marketing department at Flowmailer. In this role, he mainly writes about transactional email, email deliverability, and the API-first economy.