Protect your forms from spambots and maintain the quality of your contact lists. Here are some methods for preventing bots from spamming your forms or registering with false email addresses.

Unfortunately, if you send or receive emails, collect email addresses, or work with email in any way, you are familiar with spam. Spam is a constant source of irritation, especially for business owners and email marketers.

Most likely, you want to build your business by getting more subscribers or connections on a regular basis. A signup form on your website is one excellent approach to do this. If you don’t already have one, you should create one to collect information about people who are interested in your product or service. However, you must anticipate that you will receive fraudulent or spam signups. There could be a lot of them, which can make your marketing campaigns a lot more difficult.

Part of the challenge is to keep your forms secure without making them too confusing. As a result, typical users can continue to enter data with considerable simplicity. Here are several strategies to keep your forms running properly for new contacts while preventing bots or other spam sign-ups..

What is a spambot?

A spambot is a malicious program designed to gather email addresses and information from online sources like forms, chat rooms and websites. This information is usually collected in order to build lists for sending an unsolicited email – spam. Since emails have a distinctive format, it’s easy to create such a bot. Sadly, it’s much harder to avoid them. Some use address munging to confuse the bot by providing email in different formats, but it does have its downsides. That’s why we got some fool-proof ways to prevent bots from spamming your forms!

How to stop bots from filling out forms? Best ways


A CAPTCHA is almost definitely something you’ve seen before. You’ve completed a CAPTCHA if you’ve had to try to decipher some jumbled letters or numbers and submit them. Some forms still ask for this information. Fortunately, this procedure has been greatly simplified to make it more user-friendly. Essentially, you’re putting sophisticated programming in place to let users to check a box confirming that they are a living breathing human. Humans find this simple, while algorithms find it challenging. Because reCAPTCHA provides this service for free, you can use it to protect yourself. reCAPTCHA.

Use a double opt-in form

You should use a double opt-in approach to validate sign-ups in order to protect your form. This means that when someone fills out your form and gives you their email address, you’ll automatically send them a confirmation link. To use the link, the user must go to their inbox, open the email, and click it. It will confirm that both their email and they are genuine. This stage is highly unlikely to be completed by a bot. Any signups who do not finish this step should be removed from your list.

Add a test question to your form

Elastic Email is a double opt-in web form that you can quickly integrate into your website or landing pages to collect new sign-ups. You can change the look and feel of this form in a number of ways. This entails adding new HTML to your website page, which you’ll copy and paste.

You may add a basic question to the form that all people will know the answer to, but bots will have a hard time answering. Here’s an illustration:

Email address: <input id=email><br>
A panda is black and <input id=white><br>
<input type=submit>

This way you know it’s a bot if the input is not the word “white” and can delete the submission. Of course, you need to consider carefully the question you use. It needs to be something everyone will know in order to avoid any frustration for your potential subscribers.

Add an unseen extra field or honey-pot

When it comes to form submissions, a honey-pot means you’re adding an extra field that bots will see and fill out, but not your real human users. It’s essentially a filtering step that safeguards your forms behind the scenes. It doesn’t add any more steps for genuine people who want to join your mailing lists.

This can be done by adding HTML to the page and then styling it with CSS. Some sophisticated bots can now read CSS and Javascript, which is true. However, if you have some basic programming skills, this is still a viable technique to explore. Here’s an easy example:

.dispnon{display: none}

<input class=”dispnon” name=”field_name” type=”text”>

This gives you the basic idea. You’ll want to make sure whatever field you’ve implemented as a honey-pot is not displayed on your actual form. If you get data that includes hidden information, you know it’s a bot sign up. There are a variety of ways to do this and the code can be simple or more complex. An internet search can provide more examples if it’s something you want to explore further.

Block Comment Spam

There are a few ways to specifically block comment spam and they can include changing the file names of standard URLs or moving your form pages from time to time. Another easy service to implement is Akismet. This service is designed to filter out comment spam and is implemented by using an API to activate their plugin.

Implement time-analysis

When creating a form, keep in mind that it takes an average of 3-5 seconds for someone to fill it out. They must provide their email address, name, and any other information you have requested, then confirm their subscription by clicking the button. The same principle may be used to any additional forms you use on your page. The upshot is that it takes a human a long time to enter all of this information. Bots, on the other hand, are not bound by the passage of time. They immediately fill out the form.

It can be a great way to initially verify all the registered email addresses by monitoring the passage of time since a person clicked on a specific section or accessed the page with the form. You can also adjust the time depending on your personal needs. If you have more forms, how many fields are there to fill out. All this should be considered while setting up the time cut-off. There is a downside that you should take into consideration – the autocomplete option.

Many people use this option to automatically recognize and fill out the fields in a contact form without typing their details over and over again. Spending a long time to figure out the optimal amount of seconds to differentiate bots from a human can be a lot of work. It’s worth measuring the time from the moment users will click on the field up until they click “send”. You will be able to verify which ones are bots (that are instantly filling out the forms) and which ones are users with the autocomplete option. (Where it will still take around 2 seconds between clicking on the fields and clicking on the button.) Additionally, you can put a captcha that will require more time for a human to fill out the form.

Hide target request

One way of securing your contact forms from attacks is to not give the spammers the option to do it. Sensitive data like list IDs, account ID or form ID shouldn’t be available from the browser. Instead could be added from the backend side of it. The only thing your contact form will do is collect the information that the customer typed in and send it to your server. Then, you are able to fill out the actual sensitive data. It will trigger adding a contact to the list or sending a specific message.

Anybody can attack from the customer’s browser angle, but not from your server since they have no access to it.

Another way to secure yourself from spambots is to block the form once it’s filled out. Instead of allowing a person to sign up over and over again, allow them to sign up only once from a specific IP. Then, every time they access the page, instead of empty fields to fill out, they’ll receive a “you already signed up” message. This should only be used with newsletter signups though, as disabling the “contact us” form will just make it more difficult for you to maintain a good relationship with the customer. If they are blocked from asking questions, they will quickly move on to a different company.

Form validation after geolocation of the IP address

Similar to various sites blocking their content based on your location, you can disable the forms for certain locations with increased spambot activity. By monitoring their activity, you should be able to pinpoint the area that has the highest risk and block it. However, this can have a major negative side to it. If you block a certain location, you could ultimately stop the real users from the same location. Implement this solution only if you are sure that a certain area is generating significantly more problems than benefits.

Use Web Application Firewall

Web Application Firewall is a useful tool that can help you with XSS attacks and SQL injections. Now, this sounds foreign and scary but in reality, the concepts are pretty easy to understand. An XSS attack can inject malicious javascript or any other scripting code into a targeted browser and launch it. This can result in replacing the website content to make customers give up their data running a keylogger or stealing cookies.

An SQL Injection is very similar, although it injects an application in an SQL query instead. Then it can avoid authentication mechanisms, get unauthorized access to the whole database, read, create and launch files on the operating system it runs on and so on. The threat is very serious, and that’s why using WAF is so important. Usually, with free hosting or a shared server, this firewall will already be configured, but if you bought the hosting yourself, it’s your responsibility to set it up.

Blacklist IPs

If upon verification, you see suspicious activity coming from one IP address, you can blacklist it to ensure it will not send any more spam. Due to the nature of this method, it is kind of trial and error, where you first need to spot the spammer and then mark it.

Limit IP addresses

Set up a limit, for example, 10 forms, before blacklisting an IP address. With this, you can filter through the IP addresses and automatically block the ones that exceed the limit of available forms that can be sent during a specific timeframe.

Beware of Cross-Site Request Forgery

Simply put, Cross-Site Request Forgery forces the affected browser to launch an unauthorized action. In this case, it’s an HTTP request that’s being forged or modified. This crafty attack damages the customer’s browser, not the server-side of the app. However, the server can see such requests as a perfectly legitimate communication with the browser. That’s why it is so important to protect yourself from it. Luckily, the solution is easier than you think. What you need to do is embed additional authentication data into the request, so the web application will be able to detect the unauthorized requests. There are a few ways to approach this.

A way of protecting yourself from this might be using Double Submit Cookies. It is done by sending a random value that is equally the same in an HTTP request and in a cookie. The server then checks if these values are equal. If they are not, it is recognized as a CSRF attempt.

Another option is using Anti-forgery tokens. They are typically random numbers that are stored in a cookie or on a server. What will happen is the server will compare the token attached to the incoming requests with the value stored in the cookie or the server. If the values are identical, the server will approve the request. Similarly, it will reject the request if the token is missing or is incorrect.

Finally, you can set up additional authentication for sensitive actions. This is a simple extra step when users perform such action. It prevents the attacks in case the user logs into a publicly accessible computer and forgets to log in as well as greatly minimizes the chances for a CSRF attack.

Spam signups can mess up your lists

If you’re not currently convinced that it’s important to prevent spambot signups or you’re worried that adding an extra step to your form will stop people from adding their email to your contact lists, let’s consider the alternative.

Not preventing (at least the majority) of spam signups can compromise the integrity of your entire email marketing program. When your list is comprised of a mix of legitimate and invalid email addresses, you’re setting yourself up for a frustrating outcome the next time you send an email campaign.

Not only will you potentially damage your sender reputation by racking up a high invalid email count, but you’ll make it harder for mail to reach the real people who actually wanted to get your messages. Recipient servers start to filter or reject mail from domains that send too many emails to bad addresses.

Protect your forms

Spam isn’t going away anytime soon, unfortunately. Take the time to put one or more of these suggestions into action, and you’ll save time and work in the long term. The most effective solution is a combination of several strategies, but even a simple reCAPTACHA option can help you prevent spambots without complicating your sign-up process.

If you have any questions, please contact our helpful Customer Success team.