How to avoid form spam using marketing automation

by | Last Updated: Aug 24, 2023 | Business issues, Data management, Email marketing, Featured, HubSpot, Pardot | MC Account Engagement, Solutions

Why is invalid web traffic bad?

Research has shown that nearly 40% of web traffic is “invalid”, meaning it is from bots or human spammers or people with ill intent.

Accurate marketing data is a necessity for making wise business decisions. But website, form, lead funnel and click analytics are heavily skewed by these bad actors.

Form spam is not only very annoying and a huge problem for marketers due to time-consuming false leads, but arguably more important than the inconvenience is the fact of skewed analytics from invalid web traffic which can misguide on where to spend marketing budget and allocate resources.

If you don’t catch spammers or invalid emails on the front end (before or during form submission), or filter them out of your database on the backend, then you run the risk of damaging your email sending reputation once your outbound emails start bouncing.

And you certainly don’t want spammers or people with malicious intent receiving or replying to any of your emails (which could lead to someone in your organization inadvertently installing malware on your network if they open a malicious attachment or click a malicious link).

There is also the possibility of fraud taking place through your web forms, ecommerce, and other methods which could lead to a breach of sensitive data or cause monetary damage.

Spam bots and human spammers

Bad actors

Form spam comes in two main flavors: spam bots and human spammers.

Spam bots and human spammers typically originate from “bad actors”. These are people with ill intent, nefarious organizations or even governments trying to cause trouble, gain information and possibly bring down your website.

Whatever the reasoning of these bad actors and whatever the originators of form spam think they might gain by attacking your website, they are working hard at it. We’ll discuss several methods on how to defeat form spam.

Spam bots

Spam bots are automated web crawlers that work against and attack your website 24/7 but can usually be defeated with one or more of the methods outlined below.

Good web bots

Not all web crawlers are bad; spam bots are outright bad since they are harvesting information to be used with ill intent.

Human spammers

Human spammers on the other hand are much harder to defeat since they can pose as authentic users. These spammers are often from spam farms made up from groups of people, often located in problematic countries. They can defeat many of the methods outlined below, so we will try to show which methods are more effective against human spammers.

Best methods to defeat form spam


This is arguably the most popular solution and is best for defeating spam bots rather than humans. reCAPTCHA is a CAPTCHA system owned by Google. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

There are different versions of reCAPTCHA:

– v2, which is based on more intrusive set of visible challenges

– v3, which offers a less intrusive invisible validation managed by Google where they only show a visible challenge if Google is suspicious of the IP address

Pro tip: reCAPTCHA v3 currently does not work with Pardot or HubSpot.

reCAPTCHA is fairly effective at stopping spambots. Since it typically uses image challenges to verify the authenticity of users before form submissions, it can seem a poor user experience. Plus the fact that humans can simply defeat reCAPTCHA makes it only somewhat useful.


The aesthetically unpleasing v2 reCAPTCHA

You can implement reCAPTCHA either through your form by adding a reCAPTCHA field that most form builders provide, or there is a method of adding special reCAPTCHA code from Google to your website or to your form template to apply to your forms more en masse.

Turnstile from Cloudflare

A newcomer to form challenges is a new product from Cloudflare called Turnstile. Recently out of beta (spring 2023), Turnstile looks to be a good alternative to reCAPTCHA.

Cloudflare Turnstile

It allows websites to combat form spam without spoiling the user experience of their human users, since it does not require a visible challenge.

Block bad actors by IP address

Blocking by IP address or IP range is supported by some marketing automation platforms like Pardot and HubSpot.

If you are hosting your web forms outside of your marketing automation landing pages—not using HubSpot CMS or Pardot landing pages or similar—then you have options for blocking some form spam based on IP address using your web host. This method should work well against spam bots and human spammers.

With Cloudflare or some web hosts like WP Engine you can set rules to block problematic countries and/or IP ranges known for spam bots or even spam humans filling forms from accessing your website (i.e., Russia, North Korea, etc.).

Cloudflare WAF

You can also try using a blacklist of bad domains. This list would be in the hundreds and require constant updating, so maybe it is not a great option. Blacklisted domains is a subject unto itself, but here are a couple of resources if you are interested:

Pro tip: Tool to check periodically to make sure your domain is not blacklisted!

Use a form honeypot

A honeypot is the technique of using a hidden field (usually a checkbox), unseen by users, that is added to forms to defeat spam bots. If a value has been entered in the field when the form is submitted, this indicates that the form was completed by a spam bot. The submission can be blocked or filtered out. You could also use a form that has built-in support for a honeypot so you don’t need to manage that part yourself.

Pro tip: Pardot forms have honeypot features built-in; HubSpot forms do not.

Honeypot options for WordPress

Several WordPress forms have honeypot features built-in:

Gravity Forms are our preferred choice.

Alternatively, or additionally, you can consider using third-party WordPress plugins such as Akismet (recommended in combination with other methods), WordPress Zero Spam or Spam protection, AntiSpam, FireWall by CleanTalk which work out of the box to protect your forms against spam.

Use email address validation

To block some form spam before it can be submitted, some web forms like HubSpot forms, support built-in email address validation. This can help prevent form submissions from invalid email addresses.

Pro tip: HubSpot forms have built-in email address validation, Pardot forms do not.

Don’t have HubSpot yet? Sign up for a free trial on the HubSpot website.

Free HubSpot CRM trial

If you are not using HubSpot and need in-form real-time email validation you might be able to find an email validation service that works with your form, or you may even want to consider switching to a form builder that has built-in real-time email validation like FormStack.

(Validating email addresses after form submission is discussed further below in the ‘Addressing form spam after form submission’ section.)

Use a paid form spam and anti-fraud service

You might want to consider using a paid service that provides some level of form bot suppression. This can also help reduce fraud if you are doing ecommerce. One known such service is Anura. Anura looks for bad actors and, once identified, will disable the ability to submit on forms. It’s been said to be great for filtering out bot traffic.

Their claims of “eliminating bots, malware and human fraud” seem to fall short based on experience, so I recommend that such a service shouldn’t be your only solution since they don’t seem to restrict “bad actor” human form submissions. Anura offers a 15 day free trial. You’ll need to contact sales for pricing after the trial since all pricing is custom based on usage.

Another fraud prevention service is CHEQ. CHEQ claims to protect go-to-market efforts with accurate, real-time IVT (invalid traffic) detection. This detection is powered by an intelligence engine that examines every site visit with 2000+ cybersecurity tests.

Pro tip: For blocking fake advertising click traffic try

More desperate measures you can take to stop form spam…

Visible radio field with “I’m a spambot” option

As a last resort, I sometimes even add a visible radio field with the first option ‘I’m just a spambot’ or ‘Do not select unless you are a bot’. I then filter those out if the first option is selected (most bots and even people will select the first option).

Spam bot blocking

Conditionally hide the submit button

Some third party form builders (i.e., Gravity Forms for WordPress) support using conditional logic to hide the submit button until a specified checkbox field or similar is selected. I’ve done this in the past. It may cause confusion for some users if the submit button is not visible, so I wouldn’t use this method unless you really need to.

The method or methods you choose to implement depend on how you want to approach the problem. You may wish to experiment with a method that is the least intrusive to affecting the customer experience, and if you are still having problems then try implementing additional methods.

Addressing form spam after form submission

Use CRM formulas to identify spam

If you are using Salesforce or a similar CRM you can also add a formula field to identify bad contacts that made their way to your CRM. The formula could check for things like:

  • First name and last name are the same
  • Phone contains 1111 or 1234
  • Email contains test

Perform proper list hygiene

Make sure you use good hygiene to keep lists clean. If your lists are ‘dirty’ you risk receiving a ton of spam form submissions due to a spam bot email address in your database that may forward to a bunch of other bots that could then fill out your forms.

There are several third party email address validation services that can validate email addresses, whether those email addresses originated from a form submission or other sources. Though maybe not ideal since this method doesn’t block spammers but cleanses data after form submission, third party email address validation services can be used as a backup method to screen out spammers or to validate your email list if you are getting emails from sources other than web forms.

Pro tip: Ask us about our proprietary Form Journey which can prevent form autoresponders from being sent to any identified bad actors or competitors.

Your final defense: manual intervention

Your last line of defense is manual intervention. Add a ‘spam’ checkbox to the contact record so that you can review each form submission and check this for any spam form submissions, then filter these contacts out. That may be your final option for form spam from any bad actors willing to waste everyone’s time submitting form spam that has defeated all of your other spam avoidance measures.

Filter out all spam contacts from your databases

We’ve saved what are arguably the most important steps to take to defeat form spam for last. These steps are not to be overlooked.

Pro tip: Set up suppression lists and automations to mark specific records as spam and suppress them from any outbound marketing or sales efforts.

Once you’ve identified any spam contacts that have made their way into your database, set up suppression lists and automations to mark these records as spam and to suppress them from any outbound marketing or sales efforts.

Master your master suppression list

I recommend using a “master suppression” list that can catch and suppress some form spam, like phone contains 1111 or 1234, and maybe some keyword filtering on email address and form comments and that sort of thing. Apply the master suppression list to all journeys and outbound email campaigns so you aren’t sending emails or even autoresponders to known spammers.

Pro tip: I recommend also adding known competitors to your master suppression list.

You might even want to set up an automation to mark these contacts as Do Not Email and maybe Lifecycle Stage or similar as “ignore”. Confirm with other stakeholders before taking this action since it has the potential to incidentally affect records unintentionally.

The point here is you want to filter out all spam records from any marketing efforts, operational automations, reporting, and sales follow-up processes.

I generally don’t recommend deleting these spam contacts unless necessary. You might want to keep them in the system so you can identify them in case the same contact submits another form. Just be sure they are filtered out from any outbound efforts and from any usable lists and custom views.


Depending on how inflicted you are with spam, you may need multiple levels of spam protection. Some form spam methods like honeypots and ReCaptcha are decent bot protection but useless against human spammers. So try to understand what type of battle you are fighting, bots or human or both, then use the methods most effective against those types (i.e., this article mentions a few methods that are more effective against human spammers).

I would start with the least intrusive spam protection methods and incrementally add more measures only if needed so you don’t harm the user experience.

What struggles have you encountered? Let us know in the comments if this article helped you, and what worked and what didn’t work. If you’ve found another good solution we may update this article so everyone can benefit. Who doesn’t want to help defeat spammers? Let us know if you need some help setting up your web forms.


Certified Consultant/Owner | Jeff Kemp

Marketing Automation & CRM Consultant

hire Jeff Kemp | Marketing Automation & CRM Consultant

I help select your tech stack and optimize your processes for improved marketing & sales effectiveness, operations, and ROI.

My superpowers are Operational Efficiency, Knowledge, Experience, Business Acumen, Versatility, and Perseverance. I enjoy the intersection of working with people, processes, and technology where I can provide leadership and add value.

With over 30 years of marketing and sales experience I've been laser targeted on Marketing Automation for over 10 years, seven of those as a Salesforce Certified Marketing Cloud Account Engagement (Pardot) Consultant, and also as a Certified Salesforce Administrator and HubSpot Expert. Prior to that I have over 15 years of WordPress development experience and additional high profile roles in sales and marketing management.

Since I've led over 50 client consulting engagements in various industries I've seen several of the same struggles that are common to almost all organizations (as outlined in this article). With each organization and project that I'm involved with I work hard to solve many of those typical problems, plus identifying and solving sometimes unique and complex issues which often involve cleaning up technical debt from legacy systems, and architecting processes and solutions to help organizations set up effective lead management systems and operational efficiencies using best practices and proven methodologies.

I also love dogs :0)

Optimal Business Consulting (OBC) is proud to be a Salesforce Partner since 2018 and also became a HubSpot Solution Partner in 2023. -->More about Jeff & OBC

Content Satisfaction Survey

We value your feedback. You may remain anonymous if you like.

Subscribe to our Blog

Follow Us

Latest Posts

Does migrating marketing automation or CRM platforms actually pay off?

Are you thinking about migrating Marketing Automation or CRM platforms and wondering if it’s worth it? Will your company/organization be better off in the long run if you migrate MAP and/or CRM platforms? Download our ‘Marketing Automation & CRM Platform Migration Checklist‘ Google Sheet as a valuable resource to give you some things to consider before making the jump.

Quick Tip: Syncing HubSpot with Salesforce Do Not Email

If you are connecting HubSpot with Salesforce and setting up HubSpot to sync with Salesforce, you don’t want to map the ‘Marketing contact status’ field directly to Salesforce’s ‘Do Not Email’ (DNE) field; those fields will not sync the proper values based on how they are intended to work.

Trending Posts

Subscribe to our articles

Like this article? Comment with your feedback below, and subscribe for all the latest helpful information.

Apply to be a Guest Poster if you are interested in writing one or more articles for our blog. To qualify you must be a subject matter expert that aligns with one of our current blog categories.

Related articles…