Web Form Spam

Apr 9, 2021 | Resources

Long overdue in our series of resource articles is the topic of web form spam.  Commonly known as contact forms, web forms are ripe for abuse by spammers & hackers.  In the early days, combating form spam was as easy as adding CAPTCHA.  However, this is no longer enough to slow these abusers.  Even with CAPTCHA, forms can be spammed using advanced and sometimes very simple techniques.

Why do they spam my form?

Spammers are looking to add a link to their website to your website in order to increase their search engine rank.  They aren’t targeting you specifically. They’ve automated the process (see below) which enables the technique to work, even with a 99% fail rate.

Are they trying to hack me?

Most form abusers are just spammers, looking to get their link on a website with minimal effort.  They use simple software that “blasts” out their link repeatedly, no special hacker skills required.   Hackers trying to break into your website or computer won’t tip you off so easily 😉

Why isn’t CAPTCHA enough?

CAPTCHA and its newer cousin reCAPTCHA are techniques to allow a user to “prove” they are human by identifying characters, or images.  Spammers have not only developed software to “read” the more simple character recognition techniques, they’ve also developed ingenious systems to allow low-paid workers to complete the puzzles.  This works by showing a worker (typically in a country where wages are very low) a grid on their computer screen with 50 or more CAPTCHA puzzles.  As spammers use their software, these humans complete the CAPTCHA challenges by hand, all day, day after day.  This “hybrid” approach, combining software automation with low-wage workers (called Turks) is the new front in online fraud.

Make it stop! What can I do?

If CAPTCHA no longer works, what’s a website owner to do?  Short of removing your web form (which is a viable option) integration of more advanced techniques is warranted.  One technique we’ve demonstrated to be effective is adding a custom question to the form, which needs to be answered correctly in order for the form submission button to be activated.  These questions must be easy to answer, and open-ended (no dropdown) to prevent the bot from simply trying every choice. Examples:

  1. What is the last town on Cape Cod?  Answer: Provincetown
  2. Is Cape Cod located in Massachusetts?  Answer: Yes
  3. What is the color of grass? Answer: Green

The trick is to make a question with an obvious answer to prevent tripping up real users.  Yes it’s annoying. Yes it’s a little ridiculous. But this is the position we’re in until new technology is developed to stop the latest abuse tactics.

Other options include paid, 3rd party hosted web forms (examples: JotForm, Wufoo, FormKeep).  Similar to dedicated email providers like Gmail, these form providers promise better spam filtration than is available to a single website owner, given they oversee a network of many forms which allow them to spot and block common abusers.

White Papers


Recent Posts