How to Stop (Most) Online Form Spam in its Tracks


Join our newsletter!

Receive the latest data collection news in your inbox.

The word “spam” refers to the numerous kinds of internet communication that are unsolicited and unwanted. Though many people think of email when they hear the term spam, online spamming started even before email use was common. Use of the term “spam” to describe unwanted online communication reportedly originated as a reference to a segment on Monty Python’s Flying Circus regarding the pervasive nature of the food Spam. 

Early spamming occurred when online users would post the word “spam” repeatedly on Internet forums or chat rooms in order to flood the screen. Since space was limited in early online user interfaces, repeated posting of the term would remove another user’s post from the visible portion of the discussion thread.

In this blog, we’ll explore the different types of online form spam and discuss a number of actions you can take to lessen the negative effects.

Web Form Spam

While FormAssembly takes every precaution to guard our users against spam and offers multiple tools to help lessen its effects, web form spam is an inescapable issue. Most spam prevention methods have to continually adjust their strategies to stay ahead of increasingly sophisticated techniques used by spammers. 

Spammers will often search for vulnerable aspects of online forms in order to exploit them and distribute spam messages through emails to other people.

Varieties of Form Spam

While there are a ton of spam varieties out there in the online world, web form spam is performed in two distinct ways, which are covered below.

Manual Web Form Spamming

Manual spamming occurs when people hired by companies manually enter spam messages into web forms. This kind of web form spam is very difficult to combat since human spammers have the ability to get past most anti-spam measures.


The other type of form spam occurs when programs (spambots) are built to locate web forms across the internet and complete them, mainly with the hope that the message will appear somewhere on the website. This variety of web form spam is easier to fight because spambots don’t have human intelligence and they have trouble getting past advanced anti-spam measures. 

The people behind these spambots can program them to leave links and junk text in form web submissions and comments. They can also be programmed to perform more malicious activities, such as spreading malware, gathering personal information, or gaining control of websites.

How to Combat Spam

Is spam preventable? Unfortunately, it isn’t. Spam is an unavoidable aspect of the modern, digital world. Since most spammers use spoofing to hide their real identity from targets and ISPs, it’s hard to keep them accountable for their actions. Some advertisers and marketers with fewer scruples are even attracted by the low risks and costs of spam. 

If you want to reduce the amount of spam that comes through your online forms, you’ll have to try multiple techniques. Even still, spammers are tricky and won’t go down easily. 

Next, we’ll talk about some of the methods you can use to make your web forms harder for bots to fill out. While it is simply not possible to stop all spam permanently, the best approach is to prevent as much of it as possible. 

Google reCAPTCHA

Google reCAPTCHA prevents spam by requiring users to confirm that they are human with a click. The latest version of reCAPTCHA requires a very small time-commitment, while original CAPTCHA required users to retype random strings of letters. ReCAPTCHA is effective at blocking most spam submissions, but some spambots are sophisticated enough to even get past this method. 

If you’re building forms with FormAssembly, you can add Google reCAPTCHA to any form. This method has the added benefit of enforcing JavaScript in browsers. However, while FormAssembly allows users to add reCAPTCHA to forms, we do not own reCAPTCHA. This means the spam prevention afforded by reCAPTCHA is only as strong as Google can make it. 

We recently upgraded our reCAPTCHA to the reCAPTCHA Enterprise level, the latest version offered by Google, in an effort to improve spam prevention efforts. 

Honeypot Method

In most websites, honeypots refer to snippets of code that can attract spambots by showing a hidden form field to spambots only. These bits of code will stop submission of the form and flag it if the hidden field has a value in it. They will also remain invisible to humans.

You can put this method to work in your FormAssembly forms with a hidden field. You can add regex validation to inhibit form submission if the hidden field is completed, use skip-if formulas to skip past all connector steps if the field is not blank, or both. 

This method works on spambots most of the time, but manual, human spammers can easily get past it. There are even some spambots that have evolved to get past a defense like this as well. The honeypot method is helpful in some cases, but like most methods, it has its limits. 

Human Test Fields

Spambots are designed to gravitate toward the text fields in your web forms. This fact can be used to prevent spam!

Simply add a text field to your form that asks a very easy question—something like, “What is 2+2?” would suffice. Then, make the field required and add some validation to prevent spam responses from submitting. The validation could require numbers, numbers in a range, or could be as specific as using regex validation. 

No Links, Please

If a user is getting spam submissions that contain links, try preventing those links with regex! You can add custom validation that states that the text “https://” is not allowed to prevent a number of spam submissions. You could do this for “https://” as well, but the majority of spam submissions seem to link to websites that are not secure. 

Respondent Authentication

FormAssembly’s Enterprise Cloud and above plans offer respondent authentication options, which allow users to require that respondents log in to fill out a form. This method would obviously only work for people on our Enterprise and above plans, but it’s a surefire way of preventing spam—likely the only surefire way that there is. 

Removing Web Forms From Google’s Index

Google indexes every web page unless you specify a “noindex” meta tag. Manually removing your site or form from Google’s index could help make it harder for spambots to find it to begin with. 

You can use this method on your site by inserting this code in the <head>:

<meta name=”robots” content=”noindex” />

Spam Evolves. So Do We. 

Spam will continue to exist. Period. People have been getting spammed in the form of letters, emails, and more for years—even before the internet existed. Web form spam is simply the latest evolution. Even though spam is inevitable, you can try out the tools and methods that we presented today to help prevent it! 

In addition, it’s smart to watch your response data. If you continue to get spam responses, look closer at exactly what the spam consists of and adjust your methods to account for that particular spammer. You can also ask our Support Team for help if you get stuck.

Spam is a fact of life, and it continues to get smarter with each passing year. Our only option is to continue to evolve our prevention methods along with it.

[et_pb_divider _builder_version=”4.9.1″ _module_preset=”default”][/et_pb_divider]

Learn more about how FormAssembly works to safeguard FormAssembly users and their data on our Security Page

Don’t just collect data
— leverage it