Home » Blog » Web Form Spam Protection

Web Form Spam Protection

The Fight Against Web Form Spam

In the early days of Advice, one of the most common trouble tickets we would receive went something like this: “Hi Support, I’m receiving hundreds of spam emails a day from our web forms – isn’t there anything we can do to stop this?”

For a developer, there are some seemingly easy answers to this, but I’ve found it’s more complicated than it seems. Today, I want to take some time to address my personal experience with web form spam protection, and share what I have found to be the most effective deterrent.

But first – what hasn’t worked:


Captcha- Web Form Spam ProtectionThis is a common ‘go to’ for web form spam protection. From making users decipher garbled text to making them solve math problems, it’s not exactly the most user friendly of solutions. In fact, users (and clients) typically hate it. It makes sense on say, a password recovery form, but when you’re trying to remove as many obstacles as possible to get a form submission, it’s just not ideal.

To compound this, designs that I have been given to build have not always allowed for sufficient space for a captcha to appear. And all of this ignores entirely the fact that spammers have created things like ‘captcha farms’ to help solve these ‘human tests’ in bulk.

Our mileage varied with captchas. It would sometimes dramatically reduce spam in the short term but it did not seem to be a total solution.

Which leads us to our next ‘fix’….


The theory behind honeypots is that bots ignore javascript (and sometimes even CSS) and therefore can be tricked into filling out form fields that are invisible to human visitors.

The implementation is simple: add a plausible field to your form (labeled something like ‘Country’ or some other common field you don’t intend to collect) and then hide it with CSS or javascript. If the field is filled out, you know that a bot that was ignoring these technologies filled out the form, and you can exit your form submission without firing off an email to the client.

Once again, honeypots sometimes exhibited some improvement for web form spam protection, but I think spam bots (and the people who write them) are getting savvy to this, and even this didn’t stop spam at the level we would have liked.

The Real Solution: IP Logging

A couple years ago, we moved to Wufoo for our forms. Wufoo offers powerful WYSIWYG tools to help non-technical staff build forms, but it also dramatically reduces the time we spend on validation routines and multi-page form building.

But beyond all this, Wufoo has proven to be very spam resistant, provided that we enable an option on our forms that only allows one submission per IP. If we don’t check this, the spam flows in as usual.

This of course doesn’t stop spam entirely, but it does stop it dramatically. Since moving to Wufoo, I almost never receive complaints about form spam. And as much as I love Wufoo, I know from experience that it is the IP logging that makes it so robust.

If you don’t want to pay for forms, you can always build a simple solution using a database table and the web programming language of your choice. It is, in my experience, preferable to honey potting and captchas (and even those two solutions combined!).


Like I said – at the end of the day, it’s dang near impossible to guarantee that your clients won’t get some offers for cheap Louis Vuitton or Cialis, but you can make sure it doesn’t take over their email.

Have a method for web form spam protection that you’ve found? Join the conversation below!