If you operate a website that contains a contact form, at some point you will likely receive web form spam.
What is Web Form Spam?
Web form spam is the submission of unwanted and/or nefarious content by “spammers” through a website’s forms (e.g. contact form, sign-up form, etc.). Web form spam can be generated in one of two ways. The first is a “spambot”: a program that automatically searches for web forms, fills them out and submits them. These spambots not only attempt to send you spam, they may also try to exploit your contact form as a means to spam others. Web form spam can also be submitted manually by people whose job is to find web forms, complete them and submit them. Human-generated submissions are particularly difficult to prevent because a person can defeat CAPTCHA and other anti-spam measures.
Why do Website Forms get Spammed?
The short answer: it’s how spammers make money. What may look to you like useless gibberish or strange links can be a way for spammers to make money if they can somehow infiltrate your server and secretly install malicious software on it. Alternatively, web form spam may contain advertisements, links to malicious websites, etc. Once the form spam is received, if the links within it are clicked, the spammer is able to generate traffic or ad revenue, or to redirect the visitor to malicious or phishing websites that steal personal information.
How to Prevent Web Form Spam
If you have a WordPress website, you can use popular contact form plugins such as Gravity Forms or Contact Form 7. These web form plugins let you implement CAPTCHA functionality.
Allowing links in submissions is an inherent spamming vulnerability when used with web forms; simply disable it to mitigate this risk. To prevent spammers from further exploiting your web forms, disable the ability to include links in form submissions.
Implement a Hidden Field (Honeypot)
By implementing a “hidden” field (hidden from human eyes by CSS, but present in the HTML) that is designed to remain blank, a spambot that automatically fills it in gives itself away, and the form will not be submitted. Unfortunately, this anti-spam measure will not prevent human-generated web form spam.
Spambots can also be stopped in their tracks by requiring that a question, a simple math equation (simple math CAPTCHA), or a traditional CAPTCHA be added to the contact form. In such cases, the user has to answer correctly in order to prove they are human. Unfortunately, this anti-spam measure will not prevent human-generated web form spam either.
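As an added example (not code from the page or from any of the plugins it names), the following Python handler applies the three automated-spam checks described above on the server side: the honeypot field, the “no links” rule, and a simple math CAPTCHA. The field names, the server secret and the sample submissions are assumptions constructed for this example.

```python
import re
import hmac
import hashlib

# Field names are assumptions for this example; the honeypot input is hidden with
# CSS so a human never sees it, while a spambot filling every field will populate it.
HONEYPOT_FIELD = "website_url"
LINK_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
SECRET = b"constructed-server-secret"  # constructed; load from config in real use


def make_challenge(a, b, nonce):
    """Build a simple math CAPTCHA. The expected answer is never sent to the client;
    only an HMAC over (nonce, answer) is, so the server can verify statelessly.
    A real deployment should also expire nonces to limit replay of a solved tag."""
    tag = hmac.new(SECRET, f"{nonce}:{a + b}".encode(), hashlib.sha256).hexdigest()
    return f"What is {a} + {b}?", nonce, tag


def check_submission(form):
    """Return (accepted, reason) for a dict of POSTed field -> value."""
    # 1. Honeypot: anything in the hidden field marks an automated submission.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    # 2. No links: reject messages carrying URLs (the "disable links" advice).
    if LINK_RE.search(form.get("message", "")):
        return False, "links not allowed"
    # 3. Math challenge: recompute the HMAC from the user's answer and compare
    #    in constant time against the tag issued with the form.
    answer = form.get("captcha_answer", "").strip()
    nonce = form.get("captcha_nonce", "")
    got = hmac.new(SECRET, f"{nonce}:{answer}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(got, form.get("captcha_tag", "")):
        return False, "captcha failed"
    return True, "ok"


def run_samples():
    """Constructed submissions: one human, one bot, one link spam, one wrong answer."""
    _, nonce, tag = make_challenge(3, 4, "nonce-1")
    base = {"captcha_nonce": nonce, "captcha_tag": tag, "captcha_answer": "7"}
    samples = [
        dict(base, message="Hello, I have a question about pricing."),
        dict(base, message="Hello", website_url="http://spam.invalid"),
        dict(base, message="Great deals at www.spam.invalid today"),
        dict(base, message="Hello", captcha_answer="8"),
    ]
    return [check_submission(s)[1] for s in samples]
```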
Prevent Manual Spammers for WordPress Websites
Use a powerful anti-spam WordPress plugin called Akismet. Akismet enables you to mark incoming form submissions as spam as soon as they are submitted.