How to Prevent Form Spam

What is form spam?

Form spam is when mass messages are sent through website forms, such as contact forms on websites. These are often designed to trick people into ordering questionable products or contain links that, when clicked, install malware or viruses. Sifting through spam messages not only wastes your time, but can cause serious damage. Not to mention, it wastes your time and effort for those who really want to contact you.

Basically, all forms on a website can be misused to send spam. In addition to contact forms, all forms that are used to send a text message are also affected. Spammers rarely make a distinction. The more forms that can be flooded with spam, the higher the probability that the sending will be successful.

How does form spamming work?

As a rule, spam is not sent directly by people. This may happen, but since it is very time-consuming, spam senders write simple computer programs (spambots) that search websites for forms. The forms found are automatically filled out with the fraudulent content and sent.

This type of automated spam is relatively easy to combat because the bots are not human and just stubbornly follow a fixed pattern. However, that doesn't make them any less harmful. Some spam bots try to inject scripts into the website in order to hijack the website or to leave hidden links in order to gain an SEO advantage.

The spammers who use spambots don't care if they can stop them. These bots are so powerful that they can access millions of websites every day. Eventually, they will find a vulnerability that they can exploit.

How do I protect myself from this spam? We have put together an overview of protective measures that you can use to quickly and easily secure your online forms.

Methods for avoiding spam

If you want to combat form spam, you need to make it difficult, if not impossible, for automated bots to fill out your forms. But at the same time, you don't want to make it unnecessarily difficult for real website visitors to use them.

Let us now look at the methods available for avoiding spam and what advantages and disadvantages they bring.

The tricky CAPTCHAs

You are probably familiar with these cryptic boxes with hard-to-read letters or other visual tasks. The form can only be submitted once the required task has been solved correctly, for example by entering the correct letters. These little puzzles are called CAPTCHAs and are intended to be easy for the form users to solve, but represent an almost insurmountable hurdle for spam bots.

The functionality of the CAPTCHA is usually provided by an external provider. To do this, you must register with such a provider and receive a script that can be integrated into your own website. This script then brings the display and function of the CAPTCHA into the website and communicates with the provider when the form is filled out in order to check that the input is correct.

The best known service is certainly Google's. Google calls this service reCAPTCHA and offers different versions. Version 3 does not even display a puzzle at all and carries out the check invisibly for the user. The description and instructions for installation can be found on the reCAPTCHA page at Google.

Other providers are hCapture or Friendly Captcha, which are characterized by a focus on data protection (GDPR compliant).

Experience shows that CAPTCHAs provide good protection against spam abuse. However, it should be noted that CAPTCHAs are not perfect and can occasionally be overcome by more advanced automated systems. Furthermore, CAPTCHAs can be difficult for some users, especially those with visual impairments, to solve. Furthermore, when using a CAPTCHA provider, you should be aware that on a technical level they will have access to the form entries and the activities on your website. This can be viewed critically in terms of data protection and requires a certain level of trust in the service provider.

• Good detection of spam mail
• Some site visitors have difficulties using
• Installation requires basic technical knowledge
• Third party receives access to website activities

Using the Honeypot Method

If you are not a fan of CAPTCHAs, you can also use the honeypot method instead.

The honeypot is basically a trap for spam bots. When the trap is triggered, the form cannot be sent.

But how does this trap work? It's actually quite simple. An additional input field with an inconspicuous name is added to the form. This field acts as the honeypot. If it is determined when the form is submitted that content has been entered in the honeypot field, the trap snaps shut and further transmission is prevented.

To prevent real users from filling out this field, the honeypot field is hidden in the display. It is hidden from the website visitor with a simple CSS instruction (display: none). This makes it invisible to the website visitor on the frontend - so they don't write anything in it.

Why is the field filled in by a spam bot?
Spam bots usually work by automatically reading the source code of a website and the form and inserting content into all input fields found in order to fill in any mandatory fields.

For the technical implementation, a query must be built into the website system that checks whether the honeypot field has been filled in and if the form transmission is aborted. This is integrated into the server-side program that takes care of receiving the form submissions. With the appropriate programming expertise, you can easily implement this yourself. Or you can use a service that already has the honey method.

If you use our in-house form backend for your form, all you need to do is enable the honeypot feature in the settings area and set the name of the field so that it can be recognized as the honeypot field during transmission. For more information, see our documentation.

In an online form, a honeypot is very effective at preventing spam bots from submitting forms - without any concerns about data protection or accessibility. The nice thing about this method is that the user is not aware of this protection and only sees the normal input fields on the form.

• good detection of spam mail
• easy integration into the website
• no obstacle for users
• harmless in terms of data protection & accessibility

Answering a task

Another technique you can use to prevent form spam is to create a form field that asks site visitors a question that they must answer correctly. You could ask a text question or a math question that visitors must complete before they can submit your form. The important thing is to make the question so that people can actually answer it.

Similar to the honeypot method, a check must be built into the sending process or programmed accordingly so that the response input is also checked.

• good detection of spam mail
• Programming knowledge required for installation
• harmless in terms of data protection & accessibility
• additional effort and hurdle for users

Advanced protective measures

Advanced defense methods can help provide reliable protection against spam and contain particularly high levels of spam. Below we will show you which techniques are available and how you can use them in your web form.

Validation of the sender address

Almost every form has a field where the user enters their email address. This protection method checks the entered address for several aspects and only allows the form submission to go through if it is a valid email address.

The address is checked for technical validity, among other things. Whether the email server behind the address is reachable and does not return any errors. It is also checked whether the address is on various lists of known spam addresses.

Spam filter

A spam filter is probably the most powerful tool against spam mailings. The filter analyses the submitted form entries and calculates the similarity to content in the stored database. If a mailing has a high similarity to known spam content based on the text content, this mailing is recognised as spam. The spam filter's content database is continuously fed with additional content from mailings manually marked as spam. This makes detection increasingly reliable and all users of the spam filter benefit from shared use.

Domain releases

By allowing certain domains, the form is checked during the sending process to see whether it was sent from a website with an approved domain. If it is a different domain, the submission is classified as spam. This is to prevent you from receiving form submissions from a copied website.

Use on your website

In contrast to simple protection methods, these advanced techniques are more complex and require considerable effort to operate. Therefore, these methods are usually only viable on a large scale.

However, if you would like to use these in your forms without having to put in a lot of effort, we have a simple solution for you with our professional form backend. Our backend service takes care of the transmission of your form submissions and offers all of the methods described for spam prevention. And all of this is completely free of charge in the basic version.