Every marketer with a form fill on their website can tell you they have at one time or another been plagued by spam form submissions.
What are spam form submissions?
Spam form submissions are any form submission that contains unwanted or harmful information. While sometimes human users will also attempt to flood forms with undesired results, these submissions are more often the result of a bot crawling known websites and automatically submitting your forms.
Spam can contain seemingly innocuous information such as false user data, but also SEO-damaging backlink injections, user-deceiving injected redirects, and even severe SQL injections designed to take down your site or steal your user data.
How to deal with human-generated spammy form fills
First in regards to malicious human users, these submissions are less spam and more direct attack. Unfortunately, you can’t necessarily deter a user with less than honorable intentions from filling out your form on your site. The silver lining is that you are less likely to be inundated with a slew of these types of submission because a human user typically fills out these forms as a means of direct targeting your site. These attacks are rare and usually target larger organizations with highly valuable data.
How to stop bots from submitting forms
When it comes to preventing bots from filling out forms, there is good news and there is bad news. The good news is that there are tools available to you as a user that can assist in mitigating spam form submissions.
Honeypots and captchas are the two widely used methods to stop bots from submitting forms.
Solution 1: Honeypots
Honeypots prevent bots from submitting forms by adding a hidden form field that users can’t see. This method is the least intrusive to the user experience since users can’t see the forms. But automated bots can detect these hidden forms and will fill out all fields by default in an effort to complete all required fields.
Honeypots can be effective in many cases in preventing spam form submissions, but this method is no silver bullet. The bad news is that actors creating these bots will often write code to try and determine what fields may or may not be a honeypot based on information like naming conventions, commonly used tools to create the honeypot (I’m looking at you Contact Form 7 Honeypot), or more creative methods – after all, beating a honeypot can be a proud moment for a bot creator.
Solution 2: Captchas
Captchas are the most popular method for preventing bots from submitting your forms.
The downside to captchas is that they require a user action to complete their submission. While some forms require simple text input, these forms can get complicated or annoying for many users. Often times the best defense is a complicated captcha asking users to do math, type a phrase or sequence that is partially obscured or difficult to read, type the one item in a list that doesn’t belong, or select every box in a grid that contains a sign.
When it comes to the use of captchas, you’re really sacrificing some user experience for security. The good news is that in the modern web, users have come to expect captchas on many of the forms they fill out.
Regardless of whether you choose to use a honeypot and/or a captcha for your forms, you are never completely impervious to spam form submissions. The good guys will continue to develop new and inventive ways to prevent spam form submission, while the bad guys will continue to be just as inventive in beating them. This is the lifecycle of spam, and while you will never prevent spam form submissions, you can use the latest tools to help mitigate the amount you receive.