What to do with form spam

If you have a form on your website, you’ve almost certainly received meaningless form submissions that contain links to sites that sell medication, cheap stocks, pyramid schemes, and other unwanted material. This “form spam” is usually generated automatically by software that can fill out thousands of forms in a short time. Sometimes real people fill them out quickly with copy and paste.

There are various ways to discourage form spam, but the question we want to address is what to do when it is detected. Should you respond to the spammer? Should you display a warning message? Should you ignore them?

Unless your form is getting so many spam submissions that your server is getting bogged down, the answer is to simply ignore the submission: return the same response you would for a real one, but don’t send the email or perform the database actions that a real submission would trigger. The reason is simple: the spammers can’t tell whether your form is working, so they keep expending resources for no benefit. The cumulative result of many sites doing this is to reduce the effectiveness of spamming techniques. Warning messages won’t typically deter motivated spammers; they simply adjust their tactics until your spam filters no longer catch them. Without that feedback they don’t know there’s a problem and may continue to waste their own time. Even when the spamming is automated, there are still limits to what is feasible and profitable.

In the very rare case that your form is receiving so much spam that the requests themselves are slowing the server, it’s time for more drastic measures. Often the offender uses a single IP address or a small set of them, which can be blocked before the form is even served. If that is not the case, you are dealing with a denial-of-service problem rather than a spam problem, and it’s time to consult your ISP or hosting provider about detecting and mitigating the flood.

One technique used by form spammers that is often overlooked by those securing their forms is that the spammer sends the GET or POST directly to the form handler without ever loading the form page. This requires less processing on their end. Checking that the HTTP Referer header points at your own form page will catch the laziest of these submissions, but be aware of its limits: the Referer is set by the client, so a spammer can forge it trivially, and many legitimate browsers omit it under a restrictive referrer policy, so a missing Referer alone should not be treated as spam. A more reliable check is to include a server-signed, time-limited token in the form when it is served and to drop submissions that don’t carry a valid one, since a bot that never fetched the form never received a token.
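The two points above, silently dropping detected spam and detecting submissions that bypass the form page, are combined in the following added example. It is not code from the original post; it assumes a hypothetical contact form handler, a hypothetical pair of allowed hosts (example.com), and a constructed per-process secret in place of a persistent server secret. The Referer check from the post is kept as a weak signal; an HMAC-signed token minted when the form is served does the real work.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed for this example: a real deployment loads a persistent secret
# from configuration so tokens issued before a restart still validate.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600                                   # seconds a served form stays submittable
ALLOWED_HOSTS = {"www.example.com", "example.com"}  # hypothetical hosts that serve the form
THANKS = (200, "Thanks, your message has been received.")


def issue_form_token(secret=SECRET_KEY, now=None):
    """Mint the value for a hidden form field when the form page is served by GET.
    A bot that POSTs straight to the handler never received one."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    mac = hmac.new(secret, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{nonce}.{mac}"


def verify_form_token(token, secret=SECRET_KEY, now=None, ttl=TOKEN_TTL):
    """True only if the token was minted by this server and is not stale."""
    try:
        ts_str, nonce, mac = token.split(".")
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(secret, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    current = time.time() if now is None else now
    return 0 <= current - ts <= ttl


def referer_is_foreign(headers, allowed_hosts=ALLOWED_HOSTS):
    """The Referer check from the post. A Referer from another host is a spam
    signal; an absent Referer is not, because privacy settings and a strict
    Referrer-Policy strip it from legitimate browsers."""
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlsplit(ref).hostname not in allowed_hosts


def classify_submission(form, headers, now=None):
    """Return the reason a submission is spam, or None if it looks real."""
    if referer_is_foreign(headers):
        return "foreign referer"
    if not verify_form_token(form.get("form_token", ""), now=now):
        return "missing or invalid form token"
    return None


def handle_submission(form, headers, deliver, now=None):
    """Process a POST. The response is identical for spam and real submissions;
    only the side effect (deliver, e.g. sending the email) is skipped for spam,
    so the sender learns nothing from the reply. The reason is returned for
    internal logging only and must not reach the response body."""
    reason = classify_submission(form, headers, now=now)
    if reason is None:
        deliver(form)
    return THANKS


if __name__ == "__main__":
    outbox = []
    served_token = issue_form_token()                       # embedded in the rendered form
    real = {"form_token": served_token, "message": "Hello"}
    bot = {"message": "cheap pills http://spam.invalid/"}  # never fetched the form page
    print(handle_submission(real, {"Referer": "https://www.example.com/contact"}, outbox.append))
    print(handle_submission(bot, {}, outbox.append))
    print("delivered:", len(outbox))                        # 1: the bot's post was dropped silently
```

The handler never tells the client which check failed; log `classify_submission`'s reason server-side if you want to tune the filters, but keep the HTTP response identical for spam and real submissions.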

Happy spam-killing.