• Dan

How to effectively filter forms spam?

Website form spam is a real problem. If you have a website with a contact form, or any other type of form, you have most likely received submissions such as this one:

In some cases you may get more submissions like this one than real submissions from your customers and prospects. So blocking spammers is important for your productivity.

If you have a form where visitors can post comments or content that other visitors can read, blocking spammers is also important for keeping the website content clean and relevant.

So, what can you do to protect your webforms from spammers?

There are a few options, and you can use a combination of them for maximum protection.

1. Use a CAPTCHA tool like Google reCAPTCHA

This is a small JavaScript file that tries to tell humans from bots. It does that either by looking at things like mouse movements, typing patterns, scrolling patterns, etc., or by asking the visitor to analyze an image that would be challenging for a simple bot. This method is fairly effective, but it has the downside of making it harder for humans to fill in your form, thus potentially reducing your conversion rate.

2. Add a field that only a bot can see.

This technique is also known as a honeypot.

You can add a field to your form that only a bot would see. If the visitor has filled it you know it's a bot and you can filter it out.

To achieve this effect you can use CSS and/or JavaScript to hide one of the fields, for example:

The important thing to note in the above form is the field "xx_password", which is hidden using CSS. From our experience, even a simple style trick like that is not detectable by most bots. You can be more sophisticated if you want, and use JavaScript to add the style to the field after the form has loaded.

This method is very effective and has no impact on the user experience of your website visitors.
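The honeypot described above only works if the server checks the hidden field on every submission. The following is an added example, not the form or code from the original post: only the field name "xx_password" comes from the post, while the markup, the `/contact` route and the function name `classifySubmission` are assumptions. It goes slightly beyond the text by also flagging requests where the decoy field is missing entirely.

```javascript
// Added example. Only the field name "xx_password" comes from the post;
// the markup, route and function names are assumptions.
const HONEYPOT_FIELD = "xx_password";

// Form markup with the decoy field. It is moved off-screen with CSS, removed
// from the tab order and hidden from screen readers, so a person never
// reaches it, while a bot that fills every input it parses will.
const FORM_HTML = `
<style>.xx-hp { position: absolute; left: -9999px; }</style>
<form method="post" action="/contact">
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  <div class="xx-hp" aria-hidden="true">
    <input type="text" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Send</button>
</form>`;

// Classify one application/x-www-form-urlencoded request body.
function classifySubmission(rawBody) {
  const values = new URLSearchParams(rawBody).getAll(HONEYPOT_FIELD);
  if (values.length === 0) {
    // A browser always sends the decoy (empty), so its absence means the
    // POST was not produced by the rendered form. Flag it, do not drop it.
    return { verdict: "suspect", reason: "honeypot field missing" };
  }
  if (values.some((v) => v.length > 0)) {
    // Any content, even whitespace, was written by something ignoring the CSS.
    return { verdict: "spam", reason: "honeypot field filled" };
  }
  return { verdict: "ok", reason: "honeypot field empty" };
}

// Constructed sample bodies, not real traffic.
const SAMPLES = [
  "email=ann%40example.com&message=Pricing+question&xx_password=",
  "email=bot%40example.net&message=Buy+now&xx_password=hunter2",
  "email=raw%40example.org&message=direct+post",
];

for (const body of SAMPLES) {
  console.log(classifySubmission(body).verdict, "<-", body);
}
```

Run the check before any other processing of the submission, and log rejected requests rather than returning a distinctive error, so the filter's behaviour is not advertised to the sender.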

3. Use CleanTalk to tell who's a bot and who isn't

At Form-Data we send all form submissions to CleanTalk. Form-Data provides the IP address of the visitor and the email address that they have filled in. CleanTalk compares them to an up-to-date database with hundreds of thousands of records of confirmed bots' IP addresses and email addresses.

We have found this method to be super effective - we have never received a single complaint of a false positive (meaning a legit submission that was blocked), and we have never seen a missed-detect (meaning a bot submission that wasn't detected).

Here's an example response from CleanTalk:

As you can see, in this case the IP address has a spam rate of 1 and the email address itself appears in their database. This means this request came without a doubt from a bot.

The statistics of form spam are quite overwhelming. We have seen the numbers go from a 30% spam rate to as high as an 80% spam rate on some days.

The advantage of using CleanTalk is that it has no effect on the visitor, since it is done completely on the server side, and that it has proven to be (at least for us) the most accurate method.


With Form-Data you have the freedom to choose if you want to use Google reCAPTCHA, honeypot, both or none of them. Either way, all submissions are protected by CleanTalk with all plans, so you can enjoy spam-free form data.

