Preventing form spam and bot submissions

Home / Everything About / Everything About Forms / Preventing form spam and bot submissions

Check the submissions to any unprotected form and you will find the same thing: dozens of spam entries, fake leads, malicious links, and nonsense. This is not from people manually filling out your form. It is automated scripts controlled by attackers and spammers. Preventing form spam and bot submissions stops these attacks before they waste your time or harm your data.

Spam is more than an annoyance. It clutters your database, skews your analytics, fills your email inbox, and can mask real security threats. Effective bot prevention protects your form and keeps your data clean.

What you'll learn: How automated bots attack forms, why simple protections are not enough, which bot prevention methods work best, and how to implement them without annoying legitimate visitors.

How bot attacks on forms work

A bot (short for robot) is an automated program that performs repetitive tasks. Bots that attack forms do things like:

  • Automatically fill every field with random text
  • Submit the form thousands of times per day
  • Inject links or advertisements into form fields
  • Test for security vulnerabilities by probing the form
  • Harvest email addresses to add to spam mailing lists

Unlike a hacker who might target one specific form, bots attack thousands of forms at scale. They scan the internet looking for forms, and when they find one, they automatically submit spam. You could wake up with 10,000 fake submissions in your inbox.

Why forms are vulnerable to bots

Forms accept input from anyone

By design, forms are open to the internet. Anyone can find your form and submit it. There is no initial verification that the person submitting it is a real human.

Forms are predictable

If a bot can see your form in the HTML of a web page, it can extract the form structure and understand what fields need to be filled. This makes forms easy targets for automation.

Most forms have no protection

Many websites publish forms without any bot detection. Bots quickly learn to exploit these undefended targets.

Why basic protections do not work

Obfuscating form field names

Some people think hiding the form field names will confuse bots. But bots can reverse-engineer field names from the HTML or by analyzing the form submission. This does not work.

Honeypot fields (fake fields)

A honeypot field is a hidden form field that legitimate visitors never see. Bots, which do not understand CSS or hidden attributes, fill it in anyway. You can reject submissions where the honeypot is filled.

This works against very simple bots, but sophisticated bots have learned about honeypot fields and know not to fill them in. It is now a weak defense on its own.

Simple math problems or questions

"What is 2 + 2?" seems like a bot cannot answer this. But modern AI and OCR (optical character recognition) tools can read and solve simple math problems. This defense is outdated.

Effective bot prevention methods

CAPTCHA

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is the most common bot prevention method. There are several types:

Text-based CAPTCHA: Users solve a distorted text puzzle. Older and less effective now because AI can read distorted text.

Image-based CAPTCHA (reCAPTCHA v2): Users click checkboxes or identify objects in images. More reliable than text-based but still not perfect. This is what you see on many websites.

Invisible CAPTCHA (reCAPTCHA v3): The user does not see anything. The system analyzes their behavior (how they move their mouse, how fast they fill out the form) to determine if they are human. No friction for real users, but requires more sophisticated backend.

Rate limiting

Rate limiting restricts how many times the same IP address or user account can submit a form in a specific time period. If an attacker tries to submit 1,000 forms in 10 minutes from the same IP, rate limiting blocks them after the first 5 submissions in 10 minutes.

Rate limiting is invisible to real users (most people do not submit the same form 20 times in an hour) but effective against bots (which submit repeatedly and at superhuman speed).

Email verification

Require visitors to verify their email address by clicking a link in a confirmation email. Bots usually cannot access email inboxes (or use fake email addresses that are not real). This eliminates many bot submissions.

Downside: it creates extra friction for legitimate visitors. Use this for high-value forms (signups, account creation) where you are willing to add an extra step.

Behavioral analysis

Analyze how visitors interact with the form:

  • Did they fill out the form at superhuman speed (all fields in 0.5 seconds)? Probably a bot.
  • Did they never focus on any field (just tabbed through without typing)? Probably a bot.
  • Did they fill out a field, delete it, fill it again, delete it again? Probably a human.

This requires JavaScript on the form to track user interactions. It is invisible to real users and effective against simple bots.

Device fingerprinting

Analyze characteristics of the device submitting the form (browser type, operating system, screen resolution, timezone, etc.). Bots often have unusual or inconsistent device fingerprints. Legitimate devices have patterns that look human.

This is sophisticated and requires third-party services, but it is very effective.

When to use each method

For a basic contact form

Use rate limiting (invisible) plus a CAPTCHA if you get a lot of spam. Email verification is optional.

For a newsletter signup form

Use rate limiting plus email verification. This confirms the email is real and prevents bulk signups of fake addresses.

For a high-value form (account creation, payment, etc.)

Use multiple layers: rate limiting, CAPTCHA, email verification. Consider behavioral analysis for extra confidence.

For an API endpoint or programmatic access

Use API authentication (tokens or API keys) instead of CAPTCHA. CAPTCHA does not work for APIs. Rate limiting is essential.

The user experience impact of bot prevention

Strong bot prevention can create friction for real users. Balance security with usability:

CAPTCHA: Adds a few seconds and one extra step. Visible and slightly annoying, but widely accepted by users. Many people expect it.

Email verification: Requires the user to check their email and click a link. Higher friction, but necessary for high-value actions.

Behavioral analysis or rate limiting: Invisible. No friction for real users at all.

Best practice: Use invisible methods first (rate limiting, behavioral analysis). Only show a CAPTCHA if the form submission looks suspicious. This way, 95% of real users never see a CAPTCHA, but bots almost always do.

Monitoring form submissions for spam

Even with bot prevention in place, some spam may slip through. Monitor your submissions:

  • Review new submissions regularly for obvious spam patterns
  • Look for submissions with gibberish text or links
  • Track the submission rate (if it suddenly spikes, you might be under attack)
  • Check which countries submissions are coming from (if you only serve the US, submissions from certain countries might be suspicious)

Most forms allow you to mark submissions as spam. Use this to train any machine learning models that may help prevent future spam.

What WEMASY does for spam prevention

WEMASY forms include bot prevention by default. Every form includes rate limiting (multiple submissions from the same IP are throttled) and optional CAPTCHA protection (reCAPTCHA v3). You can enable email verification for forms that require it. WEMASY also monitors submissions for spam patterns and flags suspicious entries.

All forms come with spam protection. More advanced protections are available in higher plans. See your plan details on the pricing page.

Frequently asked questions

Will CAPTCHA prevent all spam?

With WEMASY's <a href="/website-builder" target="_blank">website builder</a>, you can set this up directly on your website.

Is reCAPTCHA v3 better than v2?

Can I use honeypot fields instead of CAPTCHA?

What if legitimate users cannot solve the CAPTCHA?

How do I know if my form is under spam attack?