Why is invalid web traffic bad?
Research has shown that nearly 40% of web traffic is “invalid”, meaning it is from bots or human spammers or people with ill intent.
Accurate marketing data is a necessity for making wise business decisions. But website, form, lead funnel and click analytics are heavily skewed by these bad actors.
Form spam is very annoying, and the time-consuming false leads it generates are a huge problem for marketers. Arguably more important than the inconvenience, though, is that invalid web traffic skews analytics, which can misguide decisions on where to spend marketing budget and allocate resources.
If you don’t catch spammers or invalid emails on the front end (before or during form submission), or filter them out of your database on the backend, then you run the risk of damaging your email sending reputation once your outbound emails start bouncing.
And you certainly don’t want spammers or people with malicious intent receiving or replying to any of your emails (which could lead to someone in your organization inadvertently installing malware on your network if they open a malicious attachment or click a malicious link).
There is also the possibility of fraud taking place through your web forms, ecommerce, and other methods which could lead to a breach of sensitive data or cause monetary damage.
Spam bots and human spammers
Form spam comes in two main flavors: spam bots and human spammers.
Spam bots and human spammers typically originate from “bad actors”. These are people with ill intent, nefarious organizations or even governments trying to cause trouble, gain information and possibly bring down your website.
Whatever the reasoning of these bad actors and whatever the originators of form spam think they might gain by attacking your website, they are working hard at it. We’ll discuss several methods on how to defeat form spam.
Spam bots are automated web crawlers that work against and attack your website 24/7 but can usually be defeated with one or more of the methods outlined below.
Not all web crawlers are bad; spam bots are outright bad since they are harvesting information to be used with ill intent.
Human spammers, on the other hand, are much harder to defeat since they can pose as authentic users. These spammers are often from spam farms made up of groups of people, often located in problematic countries. They can defeat many of the methods outlined below, so we will try to show which methods are more effective against human spammers.
Best methods to defeat form spam
reCAPTCHA, a CAPTCHA system owned by Google, is arguably the most popular solution and works best against spam bots rather than humans. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
There are different versions of reCAPTCHA:
– v2, which is based on a more intrusive set of visible challenges
– v3, which offers a less intrusive, invisible validation managed by Google, where a visible challenge is shown only if Google is suspicious of the IP address
Pro tip: reCAPTCHA v3 currently does not work with Pardot or HubSpot.
reCAPTCHA is fairly effective at stopping spam bots. Because it typically uses image challenges to verify the authenticity of users before form submission, it can make for a poor user experience. And because humans can simply solve the challenges, it is only somewhat useful.
You can implement reCAPTCHA either by adding the reCAPTCHA field that most form builders provide, or by adding Google’s reCAPTCHA code to your website or form template so that it applies to many forms at once.
Turnstile from Cloudflare
A newcomer to form challenges is a new product from Cloudflare called Turnstile. Recently out of beta (spring 2023), Turnstile looks to be a good alternative to reCAPTCHA.
It allows websites to combat form spam without spoiling the user experience of their human users, since it does not require a visible challenge.
Block bad actors by IP address
Blocking by IP address or IP range is supported by some marketing automation platforms like Pardot and HubSpot.
If you are hosting your web forms outside of your marketing automation landing pages—not using HubSpot CMS or Pardot landing pages or similar—then you have options for blocking some form spam based on IP address using your web host. This method should work well against spam bots and human spammers.
With Cloudflare or some web hosts like WP Engine, you can set rules that block problematic countries (e.g., Russia, North Korea) and/or IP ranges known for spam bots, or even human spammers filling forms, from accessing your website.
You can also try using a blacklist of bad domains. This list would be in the hundreds and require constant updating, so maybe it is not a great option. Blacklisted domains are a subject unto themselves, but here are a couple of resources if you are interested:
- The AbuseIPDB has a community generated database of malicious IPs and domains and you can filter it for items of interest based on the kind of malicious activity associated with it.
- Wikipedia comparison of DNS blacklists
- Zeltser malicious IP blocklists
Pro tip: Periodically check that your own domain is not blacklisted with this tool: https://mxtoolbox.com/problem/blacklist
Use a form honeypot
A honeypot is the technique of using a hidden field (usually a checkbox), unseen by users, that is added to forms to defeat spam bots. If a value has been entered in the field when the form is submitted, this indicates that the form was completed by a spam bot. The submission can be blocked or filtered out. You could also use a form that has built-in support for a honeypot so you don’t need to manage that part yourself.
Pro tip: Pardot forms have honeypot features built-in; HubSpot forms do not.
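A minimal server-side honeypot check, added here as an illustration (not code from this article or from Pardot, HubSpot or any form plugin). The field name `contact_me_by_fax`, the `/lead` action and the sample request bodies are assumptions.

```python
from urllib.parse import parse_qs

HONEYPOT_FIELD = "contact_me_by_fax"  # hypothetical field name, not from the article

# Constructed markup: the honeypot checkbox is moved off-screen, taken out of the
# tab order and excluded from autofill, so a real visitor never ticks it.
FORM_HTML = """
<form method="post" action="/lead">
  <input type="email" name="email" required>
  <div style="position:absolute; left:-9999px" aria-hidden="true">
    <input type="checkbox" name="contact_me_by_fax" value="1"
           tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Send</button>
</form>
"""


def handle_submission(raw_body):
    """Classify a urlencoded POST body; return (verdict, lead_fields)."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    # Browsers omit an unchecked checkbox from the body entirely, so any
    # non-empty value for the hidden field means a script filled it in.
    trap_values = fields.pop(HONEYPOT_FIELD, [])
    verdict = "spam" if any(v.strip() for v in trap_values) else "accept"
    # Keep the first value of each real field; the trap never reaches the CRM.
    lead = {name: values[0] for name, values in fields.items()}
    return verdict, lead


# Constructed request bodies: a normal browser post and a bot that fills every input.
HUMAN_BODY = "email=dana%40example.org"
BOT_BODY = "email=promo%40example.com&contact_me_by_fax=1"
```

The check has to run on the server, because a bot that posts directly to the form endpoint never evaluates the CSS that hides the field.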
Honeypot options for WordPress
Several WordPress forms have honeypot features built-in:
Gravity Forms are our preferred choice.
Alternatively, or additionally, you can consider using third-party WordPress plugins such as Akismet (recommended in combination with other methods), WordPress Zero Spam or Spam protection, AntiSpam, FireWall by CleanTalk which work out of the box to protect your forms against spam.
Use email address validation
To block some form spam before it can be submitted, some web forms, like HubSpot forms, support built-in email address validation. This can help prevent form submissions from invalid email addresses.
Pro tip: HubSpot forms have built-in email address validation; Pardot forms do not.
If you are not using HubSpot and need in-form real-time email validation you might be able to find an email validation service that works with your form, or you may even want to consider switching to a form builder that has built-in real-time email validation like FormStack.
(Validating email addresses after form submission is discussed further below in the ‘Addressing form spam after form submission’ section.)
Use a paid form spam and anti-fraud service
You might want to consider using a paid service that provides some level of form bot suppression. This can also help reduce fraud if you are doing ecommerce. One known such service is Anura. Anura looks for bad actors and, once identified, will disable the ability to submit on forms. It’s been said to be great for filtering out bot traffic.
Their claims of “eliminating bots, malware and human fraud” seem to fall short based on experience, so I recommend that such a service shouldn’t be your only solution since they don’t seem to restrict “bad actor” human form submissions. Anura offers a 15-day free trial. You’ll need to contact sales for pricing after the trial since all pricing is custom based on usage.
Another fraud prevention service is CHEQ. CHEQ claims to protect go-to-market efforts with accurate, real-time IVT (invalid traffic) detection. This detection is powered by an intelligence engine that examines every site visit with 2000+ cybersecurity tests.
Pro tip: For blocking fake advertising click traffic try lunio.ai.
More desperate measures you can take to stop form spam…
Visible radio field with “I’m a spambot” option
As a last resort, I sometimes even add a visible radio field with the first option ‘I’m just a spambot’ or ‘Do not select unless you are a bot’. I then filter those out if the first option is selected (most bots and even people will select the first option).
Conditionally hide the submit button
Some third-party form builders (e.g., Gravity Forms for WordPress) support using conditional logic to hide the submit button until a specified checkbox field or similar is selected. I’ve done this in the past. It may cause confusion for some users if the submit button is not visible, so I wouldn’t use this method unless you really need to.
The method or methods you choose to implement depend on how you want to approach the problem. You may wish to experiment with the method that is least intrusive to the customer experience, and if you are still having problems, try implementing additional methods.
Addressing form spam after form submission
Use CRM formulas to identify spam
If you are using Salesforce or a similar CRM you can also add a formula field to identify bad contacts that made their way to your CRM. The formula could check for things like:
- First name and last name are the same
- Phone contains 1111 or 1234
- Email contains test
Perform proper list hygiene
Make sure you use good hygiene to keep lists clean. If your lists are ‘dirty’ you risk receiving a ton of spam form submissions due to a spam bot email address in your database that may forward to a bunch of other bots that could then fill out your forms.
There are several third party email address validation services that can validate email addresses, whether those email addresses originated from a form submission or other sources. Though maybe not ideal since this method doesn’t block spammers but cleanses data after form submission, third party email address validation services can be used as a backup method to screen out spammers or to validate your email list if you are getting emails from sources other than web forms.
Pro tip: Ask us about our proprietary Form Journey which can prevent form autoresponders from being sent to any identified bad actors or competitors.
Your final defense: manual intervention
Your last line of defense is manual intervention. Add a ‘spam’ checkbox to the contact record so that you can review each form submission and check this for any spam form submissions, then filter these contacts out. That may be your final option for form spam from any bad actors willing to waste everyone’s time submitting form spam that has defeated all of your other spam avoidance measures.
Filter out all spam contacts from your databases
We’ve saved what are arguably the most important steps to take to defeat form spam for last. These steps are not to be overlooked.
Pro tip: Set up suppression lists and automations to mark specific records as spam and suppress them from any outbound marketing or sales efforts.
Once you’ve identified any spam contacts that have made their way into your database, set up suppression lists and automations to mark these records as spam and to suppress them from any outbound marketing or sales efforts.
Master your master suppression list
I recommend using a “master suppression” list that can catch and suppress some form spam, like phone contains 1111 or 1234, and maybe some keyword filtering on email address and form comments and that sort of thing. Apply the master suppression list to all journeys and outbound email campaigns so you aren’t sending emails or even autoresponders to known spammers.
Pro tip: I recommend also adding known competitors to your master suppression list.
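The CRM formula checks listed earlier and the master suppression rules above, combined into one flagging routine. This is an added example, not the author’s automation or any CRM’s formula syntax; the record field names, the competitor domain and the sample contacts are assumptions.

```python
import re

# Patterns taken from the article; the competitor domain is a constructed placeholder.
PHONE_PATTERNS = ("1111", "1234")
EMAIL_KEYWORDS = ("test",)
COMPETITOR_DOMAINS = {"competitor.example"}


def spam_reasons(record):
    """Return the list of rules a contact record trips (empty list = clean)."""
    reasons = []
    first = (record.get("first_name") or "").strip().casefold()
    last = (record.get("last_name") or "").strip().casefold()
    if first and first == last:
        reasons.append("first_name equals last_name")

    # Compare on digits only so dashes, spaces or brackets cannot hide a pattern.
    digits = re.sub(r"\D", "", record.get("phone") or "")
    for pattern in PHONE_PATTERNS:
        if pattern in digits:
            reasons.append(f"phone contains {pattern}")

    email = (record.get("email") or "").strip().casefold()
    for keyword in EMAIL_KEYWORDS:
        if keyword in email:
            reasons.append(f"email contains {keyword}")
    if email.rpartition("@")[2] in COMPETITOR_DOMAINS:
        reasons.append("competitor domain")
    return reasons


def build_suppression(records):
    """Map email -> reasons for every flagged record; nothing is deleted."""
    return {r["email"]: why for r in records if (why := spam_reasons(r))}


# Constructed sample contacts.
CONTACTS = [
    {"first_name": "asdf", "last_name": "ASDF", "phone": "555-123-4000", "email": "a@example.com"},
    {"first_name": "Dana", "last_name": "Reyes", "phone": "(212) 555-0187", "email": "dana@example.org"},
    {"first_name": "Lee", "last_name": "Park", "phone": "212-555-0142", "email": "contest.desk@example.net"},
    {"first_name": "Sam", "last_name": "Ortiz", "phone": "212-555-0199", "email": "sam@competitor.example"},
]
```

The third constructed contact trips the “email contains test” rule only because of the word “contest”, which is why flagged records are marked with their reasons for review instead of being removed.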
You might even want to set up an automation to mark these contacts as Do Not Email and maybe Lifecycle Stage or similar as “ignore”. Confirm with other stakeholders before taking this action since it has the potential to affect records unintentionally.
The point here is you want to filter out all spam records from any marketing efforts, operational automations, reporting, and sales follow-up processes.
I generally don’t recommend deleting these spam contacts unless necessary. You might want to keep them in the system so you can identify them in case the same contact submits another form. Just be sure they are filtered out from any outbound efforts and from any usable lists and custom views.
Depending on how afflicted you are by spam, you may need multiple levels of spam protection. Some form spam methods like honeypots and reCAPTCHA are decent bot protection but useless against human spammers. So try to understand what type of battle you are fighting (bots, humans, or both), then use the methods most effective against those types (this article mentions a few methods that are more effective against human spammers).
I would start with the least intrusive spam protection methods and incrementally add more measures only if needed so you don’t harm the user experience.
What struggles have you encountered? Let us know in the comments if this article helped you, and what worked and what didn’t work. If you’ve found another good solution we may update this article so everyone can benefit. Who doesn’t want to help defeat spammers? Let us know if you need some help setting up your web forms.