Skip to main content
Newspaper illustration

What to Do When Spam Bots Are Filling Out Your Forms

What Are Spam Bots?

Spam bots are machine-run services that perform unwanted, automated data-mining actions on the web or that send or post unwelcome, unsolicited, inappropriate, or malicious messages – all with minimal to no human intervention. Spam bots filling out your forms can be a pain, and they can inject those forms with product advertisements, irrelevant links to website content, scams, links to malware, or other things you just don’t want hitting your Salesforce fields. Sometimes these come in all at once and at volume, maxing out your API calls on your integrations, confusing your sales team, and drowning your marketing and marketing ops teams in bad data, but sometimes spam just trickles in. In both cases, they make your marketing less trustworthy to sales and take up valuable real estate in your MAP and CRM.

Understanding the Impact of Spam Bots Filling Out Forms

Marketers know all too well the impact that spam bots can have on their organization. These include things like:

  • Reducing the accuracy of website and funnel analytics
  • Decreasing website performance for real users, leading to increased bounce rates and fewer conversions
  • Making publicly available organizational contact information for malicious purposes or unwanted marketing
  • Increasing the cost of web tech that is billed by session or usage
  • Adding unwanted data and overhead to martech and other information systems
  • Reducing sales efficiency and effectiveness by adding noise to the funnel and reducing visibility or accessibility to real tasks and leads

While all of these impacts alone can be bad enough for an organization’s faith in the leads marketing is passing over to sales, there are further justifications for taking even spam that trickles in over time very seriously.

  • Web Activity Analysis – Analyze your web traffic for indications of sessions opened by bots such as those with pages views but no time on site. In addition, some analytics tools such as Google 360 Suite allow the creation of views that filter suspected spam bot traffic to allow for easier analysis. Note originating IP addresses and domains of suspected bots if available and employ them when implementing mitigation tactics.
  • Data Analysis – Review conversion data for suspected spam bot patterns such as invalid data invalidated fields or unrelated/lengthy data that does not appear to be human-generated (e.g. Marketing copy such as “Click this link to win a trip to Bermuda” or website links back to unrelated content). Note any common data attributes and patterns that can be used to profile and quarantine such “contacts” before conversion or before allowing them to pass beyond the point of entry marketing systems. Yes, unfortunately, this means digging into those spam leads and actually reading them. We’re sorry about that.
  • Networking Activity – Work with IT, tech vendors, and internet service providers to determine whether they have been able to identify spam bots and if they can share their watch list so that you can employ tactics against the same.

Mitigating the Impact of Spam Bots Filling Out Forms

If you are going to tackle this problem, the first thing to understand is that there is no silver bullet for spam bots, and ensure your teams understand that as well. In addition, it is unreasonable to expect the complete elimination of spam. This is because spam elimination tactics come with the risk of negatively impacting real users with real intent on doing business with you. Further, because spammers are getting better at thwarting defensive tactics every day, marketers are in a digital arms race to combat them. Therefore, rather than expecting the complete elimination of spam, teams must have an ongoing program for continuously monitoring spam activity and adjusting their defensive tactics to match changing behavior. If you’re serious about spam then you should make an ongoing investment commensurate with the level of importance you place on it.

Different organizations are going to have differing tolerances for how difficult or onerous filling out a form should be, but reducing the impact of spam can generally be managed by taking a look at the following tactics.

Protect your web analytics

Web analytics are a critical component of campaign performance measurement and of attribution reporting. Talk to your web intelligence team about the tactics they have employed to deal with spam-generated activity. Listen for or suggest things like creating filtered views that remove known spam bots and IPs and whether they have configured settings for ” Automatic Bot Filtering”. Be diligent about annotating when filters and configuration changes are made to help inform future analysis.

Protect your website

Work with website administrators to ensure that your .htaccess file is configured to prevent known spam bots from loading your website. If you can edit it yourself, be careful and study up since incorrect configuration can prevent legitimate people from connecting to your website. Work with your website service provider and IT department to implement application firewalls that detect spammy activity and can automatically quarantine connections to minimize the impact on your website. Consider subscribing to services that allow you to identify spam bots and botnets in near real-time such as or

Protect your Martech

Your Martech stack needs to be protected from any data being gathered and from spam activity.

  • Ignore spam bots on your website – Any marketing technology that you place on your website via tag manager that is used for analytics or that is billed by session needs to be protected from spam. Use a service such as to determine a connecting client’s public IP and use the results to prevent martech from initializing on your site when spam bots are identified.
  • Quarantine spammy data captured – Configure your collection points to quarantine spammy data submissions before data is synched to downstream systems by using any filtering, processing, or configuration methods native to each system. For example, in Marketo, you can create a smart campaign that quarantines leads that look like spam by placing them in an ignore list or even deleting them outright.

Protect your conversion points

The following tactics are the ones we see most often deployed by marketers. Keep in mind that, again, spam will not be completely eliminated by using them. If you are serious about addressing spam you’ll need to use multiple tactics together for best results. The tactics below work best when employed consistently throughout all conversion points such as in e-commerce, review systems, comment collectors, and content or contact forms. As a final word of caution, some of these tactics may impact the accessibility of your conversion points to people with disabilities, and you may wish to test any tactics you use against best practices of accessibility.

  • Interactive forms – Interactive forms with actions like click to reveal, sliders, checkboxes, multiple steps, or more complex interactions like uploading a file could help make it more difficult for spam bots to make submissions. Checkboxes with a simple question “I am not a spam bot” or form fields with a prompt to solve a simple math question such as “what is 1 more than 2 + 2” can be more effective than you might assume. For some great examples, check out this post by Jenny Lewis.
  • Time-triggered submission – Instantaneous form submission is another clear indicator of bot activity. Even with auto-complete features enabled, humans take a few seconds or more to submit a form, whereas spam bot form submissions are almost instantaneous. This is evidenced by the zero value of the “Time on Site” metric in Google Analytics that is often seen in acute spam bot attacks. Adding functionality to a form that prevents it from being submitted in less than 3 seconds or monitoring the time duration between form load and form submission and quarantining or deleting contacts that meet that criteria can help reduce spammy submissions and contact records.
  • Honeypot fields – A honeypot is a hidden or invisible field placed on a form. The concept assumes that spam bots will complete all fields on forms, even hidden ones. This assumption means that you can prevent form submission if the hidden field ever has a value or allow form submission but quarantine any records that have a non-empty value in the honeypot field. This is a very simple method and should be the first employed to help reduce spam bot impact through forms. When employing this method, name your hidden field something that seems real like “today’s date”, “timestamp”, “last four of phone number” or “your favorite color.” Spam bots are smart and can easily detect things like “spam catcher” or “trap.” Hide the field using the CSS “display: none” attribute or, better still, using height and color attributes to hide the field from legitimate users but give the impression to spam bots that the field is visible. We advise you not to prevent form submission if the honeypot field is filled. Rather allow submission and analyze afterward. This is because auto-form fillers could populate the honeypot field, ensnaring legitimate people in the process. You’ll want to refine your handling procedure before committing to drastic actions like preventing form submissions. Consider creating a score for the probability of being spam and using that to understand how to proceed with captured leads.
  • CAPTCHA – An acronym for Completely Automated Public Turing test to tell Computers and Humans Apart is a method of validating that a human is interacting with a website. If you’ve ever been challenged by the tic tac toe box asking you to identify all of the buses or the “type the word you see” challenge then you’ve interacted with CAPTCHA. ReCAPTCHA is a free and paid CAPTCHA service offered by Google. ReCaptcha works by challenging a user to do something that is easy for humans and difficult for machines. This activity generates an assessment of the user and the id of the assessment is then stored in a field on the form. After submission, the assessment is requested and returns a score that represents the likelihood that that submission was made by a person or a bot. Based on the assessment, the contact record can be deleted or quarantined based on your organizational choice. Notably, ReCaptcha works best for users of Google Chrome who tend to have verified Google accounts. In addition, Google has introduced invisible ReCaptcha methods which attempt to eliminate the intrusive 3×3 picture challenge. ReCaptcha is last on this list because it can be difficult for non-technical people to implement and is also not perfect since spam bots that can successfully pass the challenge already exist. That said, it is an essential tool that should be used as one tactic among many to combat spammy form activity.

Validate Contact Data

As previously discussed spam prevention tactics are not fool-proof and spam contacts will likely still appear in your marketing systems even with other tactics employed. Data validation is another tactic that can be used to identify spam data. Here are two methods of performing this validation:

  • 3rd Party Email Validation – 3rd party enrichment services have become a staple of most martech portfolios. These services can help to verify working email addresses and some even flag spam traps and known spam accounts. 3rd Party email validation is a critical pillar of any mitigation strategy and should be employed to prevent spam from negatively impacting your organization’s email reputation as well as to improve the overall quality of your contact database.
  • Confirmed Opt-in – Another check that can be used to identify unwanted contacts is the Confirmed Opt-in (COI) or Double Opt-in (DOI) approach. This means requiring new contacts to be verified by clicking a link in an email you send immediately after the form submission. Conservative use of this tactic entails only sending confirmation emails to contacts that appear suspicious or whose email cannot be verified by other means (e.g. 3rd party email validation). The link leads to a page that triggers the validation. This works well for sign-ups and subscription services. Spam bots typically use fake emails and are less likely to respond to confirmation emails. In either case, even if some legitimate contacts don’t confirm their opt-in your database will still be healthier given that you’ll be communicating with users who value a relationship with your organization so much so that they opted in, not once but twice. As an extra bonus, this tactic also improves your regulatory compliance for laws like GDPR.

Protect your outbound and inbound communications

Be sure to keep a database of identified spam emails and contacts and use it to check records across all of your systems. Spam bots try and try again, and creating your own spam blocklist database means that even if you delete these contacts from your systems, it will still be easier to re-identify similar records in the future. In addition, while marginally defensive you may wish to reduce the impact of spam on email communications to employees. This can help to minimize phishing and reduce the risk of malware on your systems. Creating a spam trap inbox and placing the address for this email on every page on your website but in a way that is not visible to normal site visitors can help create a list of spam senders. Any emails received in that email box can be considered spam and are candidates for filtering for security reasons.

Spam bots filling out forms is not an easily solvable problem, but it is one that you can mitigate if you understand how all of these solutions can work together to make it harder and less attractive for bots to go after your properties.

Need more help with spam bots filling out forms?


We can help – contact us today.

Get in Touch with Us

At Etumos, we love what we do and we love to share what we know. Call us, email us, or set up a meeting and let's chat!

Contact Us