How to Prevent Spam Submissions with your Contact Form

You’ve created an intake form, and now you’re getting encouraging numbers of responses. It’s an exciting time for any small business, except…

Many of the form submissions in your inbox are spam entries, completed by bots in an attempt to circumvent your security measures. These messages come from companies who somehow believe this is a viable strategy for selling their services! The phenomenon is both frustrating and concerning.

And it’s commoner than you’d think. A 2022 report from Imperva revealed that 27% of online traffic consists of malicious bots. Most website traffic consists of around 20% bot-created messaging.

Here are some more statistics:

  • In December 2021, 45.37% of ALL emails were spam. [source: Statista]
  • In July 2021, 283 billion (out of 336 billion emails sent) were spam. [source: Statista]
  • A single spam message has a carbon footprint of 0.03g of CO2e, which means that in 2021, spam accounted for around 4.5 tons of CO2e. [source: Profile Books]

Spam is an evil, not just for small businesses, but for the environment at large, it seems. Anything we can do to discourage or minimize it, therefore, is worthwhile.

Why are Bots so Irritating?

Spambots waste everyone’s time. They pose security threats and make it harder to operate small businesses. Dealing with spam messages is annoying for a range of reasons:

  • Identifying spam slows down your processing of real potential customers.
  • The URLS in spam messages can expose you to malware or other malicious code.
  • If you don’t have good anti-spam measures in place, spam can require manual filtering.
  • You can waste a lot of time dealing with poor leads who will never convert.

Spam is not not an especially new problem. Bots have been around in one form or another since 1988, with the invention of IRC (internet relay chat). Before the internet, there were spam faxes, believe it or not! Before faxes, people received a huge volume of junk mail (and sometimes still do). As long as there have been technologies for public communication, there have been scammers and spammers.

How do Bots Work?

Bots are simple programs targeted with a list of potential URLs and desirable keywords. They then locate web pages containing these keywords, which also contain online forms. Bots check for security measures and then automatically begin filling out mandatory fields, inserting their own sales content where possible and hitting submit.

Because they operate blind, unmediated by human operators, bots can quickly fill inboxes with near-identical and pointless messages. It’s almost impossible to trace them back to source, which makes it difficult for online security firms and governmental agencies to tackle the problem. Usually, no crime has been committed when someone sends you a spam message, so legal measures cannot be taken.

So how can you combat these unwanted intrusions? Fortunately, there are two security measures you can take, and several handy form design tips which will make your page less appealing to those pesky bots. Let’s look at the technology first.

These are just three of the most significant reasons to use an online form to secure first-party data. Now let’s turn to the many uses to which you can put such a form.

Two Ways to Protect form Spambot Attack


You’ve probably completed these features yourself. They require a click input, or a text input, and usually take one of three forms:

  • A tick-box users must complete to prove they are human.
  • A squiggly piece of text visitors must interpret and retype.
  • A selection of images form fillers must identify and select.

The latter has become the most common ReCAPTCHA tool, since bots have been invented which can identify and tick boxes, or even identify complex strings of hand-drawn letters. Identifying the squares containing traffic lights in a segmented image is still a challenge for them, however.

[Side note: when users complete ReCAPTCHA image frames, they are actually helping train Google’s own AI, by showing it images and then identifying what they are. Google’s AI can then use machine learning to aggregate and store this information for future use. You have been warned!]

By incorporating Google’s ReCAPTCHA into your site, you can make this process mandatory before a form can be submitted. This should thwart all but the most cutting-edge bots.

The only downside is that some users can find these irritating and site visitors with visual impairments like dyslexia (for instance) may have trouble completing them.

2: Honeypot Fields

This may sound like a children’s book about industrious bees – it’s not. In truth, honeypots are a clever technique for fooling bots. Honeypots don’t stop spam form submissions; they do allow them to be reliably flagged and then quarantined.

A honeypot is a tiny form field (often no larger than a few pixels in size) which is invisible to the human viewer, but which traps the bot, which can’t differentiate this field from normal ones. The bot auto-fills this field, which will be left blank by all human visitors.

This means you can simply red flag all submissions which have a honeypot field completed. Measures exist in most form collation tools (including Headlessforms) to quarantine these spam submissions.

Honeypots don’t slow down human user submissions, and don’t disadvantage visitors with visual impairments. There may come a day when bots know how to circumvent them but, for now, they are a very useful feature to implement in your form design.

Design Measures for Combatting Spam Submissions

There are other ways to prevent bot submissions, or at least quarantine non-human ones. Here are a few tips and tricks you might employ:

  • Email Validation. It can be a little irksome, but we’re all used to being asked to validate email addresses. The user can’t fully subscribe or join up until they have received a URL link or button in an email, then clicked on it and travelled to the submission completion page. Submissions which have been through this process are pretty much guaranteed to be from human recipients.
  • Data Validation. You can minimize incorrectly completed or bot-completed forms by making sure that your form fields are validated. In other words, specify a format for a date (MM/DD/YYYY) and reject submissions which don’t fit that format, or ask for a minimum or maximum number of words. If you want a user to set a password, set out the rules in writing, then set the validation accordingly. Most good form builders allow for this kind of validation, and it’s highly effective at preventing spam.
  • Link Prevention. If possible, disallow URLs to be included in text fields. Since this is often the whole point of spam messages, it should limit the bot submissions you receive.
  • Blocking or Blacklisting IP addresses. If many submissions issue from the same IP address in a short space of time, then they likely come from automated bots. If your site allows you to blacklist IP addresses, then this could be a useful additional measure for identifying malicious submissions.
  • Test Questions. You can create your own variation on a ReCAPTCHA by asking a question which requires a numerical answer. You could ask “how many letters are in the capital of France?” or “what is 2 plus 3?” A bot will not usually be able to interpret and answer such a prompt. You’ll need to clarify that this question is for spam-prevention, of course, or it will just confuse your site visitors!
  • WordPress Plugins. If your site is built with WordPress, there are specific plugins you can add to build greater security measures. Here are three of the most popular:
  • Askimet Spam Protection. You’ll need to purchase an API key for business use, but this plugin, from the people behind WordPress, is very popular. It checks form submissions against an established and ever-changing spam database.
  • CleanTalk’s Antispam and Firewall. This plugin runs a linguistic analysis of submissions and quarantines those likely to be suspicious. This could be a useful way of filtering out bot submissions which sneak through your other site security measures.
  • Titan Antispam & Security. This is an all-in-one security suite including malware scanning, spam protection, site accessibility analysis and threat auditing. There’s a basic free version and a more sophisticated paid subscription.

Use a Reliable Form-Builder with Anti-Spam Measures

It’s best to design your online form using a form builder that has built-in spam protection measures.

If you’re considering using Headlessforms’ form builder for your intake form design, then you’ll be reassured by our sophisticated anti-spam functionality. We support both honeypot and ReCAPTCHA measures for spambot blocking, as well as the range of other form design options described above.

In addition, we have our own proprietary anti-spam detection measures which quarantine any suspicious responses that get through. You’ll still have access to every form submission, but you can assign low priority to the quarantined responses and only check them from time to time, as you would a “junk items” folder in your email inbox.

If you want to know more about Headlessforms’ anti-spam measures, check out our product here.

Alternatively, check out some of our other blog articles on related topics including lead collection and evaluation forms.