How to Handle Web Form Spam

Bots clogging up your lead funnel? Use these tips to filter out bogus inquiries.

So you have a shiny new or shiny old industrial B2B website that is poised for greatness. It is SEO friendly, fast loading, stuffed with great content, and has all the necessary features. Once the site reaches a certain level of popularity, or enough time has passed since it was published, the inevitable spam bots will find it and begin their campaigns, assaulting you with endless amounts of web form spam.

Unless you’re really interested in Viagra, cheap mortgages, miracle diets, Nigerian princes, and the like, you’ll need to slog through all the incoming cruft to find the legitimate contact requests that are potential leads.

How do you protect your site, as well as overcome this annoyance (and inefficiency)? Let’s begin by establishing why web form spam exists in the first place.

Why Does Web Form Spam Exist?

Everyone is familiar with typical email spam. Fortunately, most email providers have gotten a good handle on email spam with filters and systems designed to block messages. Web form spam is a different problem. Web form spam results in a large volume of unwanted form submissions containing “junk” text and often irrelevant web links.

Since these junk submissions usually only wind up in admin interfaces and admin inboxes, you might wonder, “Why are they doing this? What are they trying to achieve? How do they think I’m ever going to fall for these spam offers?”

Lead form spammers have two primary goals. First, they are looking for vulnerabilities that will allow them to hijack your form and use it to relay email spam messages. Next, they are hoping to get their message published on your website through comments, guestbooks, or other means. If the message gets published with their hyperlinks, it can theoretically lead to an SEO boost for the spammer or the spammer’s clients.

To better understand, consider spam at a large scale. These spammers have “bots” (automated systems that crawl the web). These bots look for web forms, fill them out with spammy text and links, and finally submit the form.

No doubt your site software is up to date so these bots won’t find any vulnerabilities in your web form to exploit. And you’re probably also using moderation or another way to prevent comments from automatically being published on your site.

But spammers know this — they know that the vast majority of sites have protections in place to keep their spammy links from being published in comment feeds, etc., and that most sites won’t have a form that they can exploit to send their own email. However, they don’t care, because they target millions of sites on the Internet. It’s a statistics game for them and getting their spam to work on just one site is a success.

What Can You Do?

There are a few methods you can use to combat web form spam. Some are easy, having little effect on users, and some are more difficult and intrusive. We’ll cover three popular techniques, all of which will likely require a web developer to implement, but site updates like this should not break the bank.


A popular non-intrusive method known as a “honeypot” should be the first line of defense against web form spam. It is an easy technique and does not interfere with the user experience.

A honeypot works by including a decoy hidden field in a form. Spam bots usually fill out all fields carte blanche when encountering a web form. Since humans don’t see the hidden honeypot field, they leave it blank. Thus you can assume all submissions that have filled out the honeypot field are automated and consider them spam.

To implement the honeypot technique, all that’s required is adding a hidden form field to your form. The form field can have any name, but make sure to hide it from users with CSS or another method.

Here’s an example that creates a hidden form field for an email address:

[Image: honeypot form field]

The field “name” and “type” do not matter.
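As an added example (not from the original article), here is a honeypot field in a form together with the server-side check that acts on it, written in JavaScript for Node.js. The field name `email_confirm`, the form layout and `classifySubmission` are assumptions chosen for illustration; treating a request that omits the decoy entirely as spam goes slightly beyond the rule described above.

```javascript
// Added example: names and markup are illustrative, not from the article.
const HONEYPOT_FIELD = 'email_confirm'; // decoy field; any name works

// Form markup: the decoy is hidden with CSS (not type="hidden"), taken out of
// the tab order and hidden from assistive technology so people never fill it.
const FORM_HTML = `
<form method="post" action="/contact">
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <div style="position:absolute; left:-9999px" aria-hidden="true">
    <label>Confirm email
      <input type="email" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Send</button>
</form>`;

// Server-side check on the raw application/x-www-form-urlencoded body.
function classifySubmission(rawBody) {
  const fields = new URLSearchParams(rawBody);
  // A browser submits the decoy as an empty string, so a request without it
  // was not produced by the rendered form.
  if (!fields.has(HONEYPOT_FIELD)) {
    return { verdict: 'spam', reason: 'honeypot field missing' };
  }
  if (fields.get(HONEYPOT_FIELD) !== '') {
    return { verdict: 'spam', reason: 'honeypot field filled' };
  }
  return { verdict: 'ok', reason: 'honeypot empty' };
}

// Constructed sample request bodies.
const SAMPLES = {
  human: 'email=buyer%40example.com&message=Need+a+quote&email_confirm=',
  bot: 'email=x%40spam.example&message=cheap+pills&email_confirm=x%40spam.example',
  directPost: 'email=x%40spam.example&message=cheap+pills',
};

for (const [who, body] of Object.entries(SAMPLES)) {
  console.log(who, classifySubmission(body));
}
```

Flagged submissions are better quarantined or silently dropped than rejected with an error message, so the bot gets no signal about which field gave it away.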

Random Questions

Another technique for deterring web form spam bots involves including a question in your form that would be difficult for bots to answer. If this question is not answered correctly, the site will bar the form submission.

For this technique to be effective, the question must change each time the form is displayed. The questions should be easily answered by any human that can read the language.

Here’s an example:

[Image: random trivia question]

Other example questions include:

  • What comes first, C or Y?
  • What is the capital letter of “y?”
  • What is the first letter of the word “cat?”
  • Which is larger, a dog or a speck of dust?
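One way to rotate the question on every form display without keeping server-side session state, as an added example in JavaScript for Node.js (not code from the original article). The questions are the article's; the expected answers, the secret placeholder, the ten-minute lifetime and the function names are assumptions.

```javascript
const { createHmac, randomInt, timingSafeEqual } = require('node:crypto');

// Questions are the article's; answers and all names below are assumptions.
const QUESTIONS = [
  { q: 'What comes first, C or Y?', a: 'c' },
  { q: 'What is the first letter of the word "cat"?', a: 'c' },
  { q: 'Which is larger, a dog or a speck of dust?', a: 'dog' },
];
const SECRET = 'replace-with-a-random-server-side-secret'; // placeholder
const TTL_MS = 10 * 60 * 1000; // a rendered form stays valid for 10 minutes

const sign = (payload) =>
  createHmac('sha256', SECRET).update(payload).digest('hex');

// Called on every form render: picks a question at random and returns it with
// a token for a hidden field. The token names the question, never the answer.
function issueChallenge(now = Date.now()) {
  const index = randomInt(QUESTIONS.length);
  const payload = `${index}.${now + TTL_MS}`;
  return { question: QUESTIONS[index].q, token: `${payload}.${sign(payload)}` };
}

// Called on submit: rejects malformed, forged or expired tokens, then
// compares the normalized answer.
function verifyChallenge(token, answer, now = Date.now()) {
  if (!/^\d+\.\d+\.[0-9a-f]{64}$/.test(String(token))) return false;
  const [index, expires, mac] = String(token).split('.');
  const expected = Buffer.from(sign(`${index}.${expires}`));
  if (!timingSafeEqual(Buffer.from(mac), expected)) return false;
  if (now > Number(expires)) return false;
  // Accept "C", " c " or "a dog" as well as the bare answer.
  const normalized = String(answer).trim().toLowerCase().replace(/^an? /, '');
  return normalized === QUESTIONS[Number(index)].a;
}

// Demo: render one challenge.
console.log(issueChallenge());
```

A solved token can be replayed until it expires, and a small fixed question pool can be learned by a bot aimed at one site, so keep the lifetime short and the pool large and changing.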


The nuclear option in the war on web form spam is the dreaded captcha. CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.” Captchas are usually a visual test that humans can decipher easily but that is difficult for machines to understand. Some offer audio or other alternatives as well. They all require more work from legitimate users to submit the form they are attached to.


You’ve no doubt encountered a captcha on the web and the ensuing frustration that comes along with it. Sometimes they are so effective that neither humans nor machines can answer them correctly.

At any rate, captchas are a negative when it comes to user experience. Bots are also getting smarter, using A.I., machine learning, and other computing advances to solve captchas more and more often. Fortunately, Google has a free “No CAPTCHA reCAPTCHA” solution that works quite well and in most cases has a minimal impact on UX.


The Google reCAPTCHA starts with a single checkbox that, when checked, is enough for most human visitors. If suspicious activity is detected when checking the box, reCAPTCHA will escalate to a typical captcha task that asks users to identify elements from visual puzzles.

This hybrid approach delivers the best of both worlds: a nice user experience unless a higher spam risk is detected and then added verifications if spam seems likely. Obviously, Google will not divulge exactly how the technology works for fear of tipping off spammers, but users’ mouse movements, scrolling, cookies, logged-in status for Google services, and more likely come into play. Learn more about implementing a reCAPTCHA on the official site.

Why Web Form Spam Matters

The contact form on your site may be its most critical feature. Web form spam bots will find it soon after your site goes live, making it a chore to sift through all their garbage submissions to find true leads and genuine customer inquiries.

You can protect your site, make the task of identifying leads easier, and improve your response time by using the techniques outlined here. It’s well worth the relatively small investment to combat web form spam and free up your time to respond to leads quicker and make more sales.

