What is Contact Form Spam?
Contact Form Spam: Unsolicited messages sent through website contact forms, ranging from advertisements to malicious attacks.
If you’ve had a contact form on your website for any amount of time, you’re probably already familiar with the cycle of excitement and frustration that comes with thinking you may have a new lead only to realize you’ve just received junk mail.
Spam comes in many different flavors with different intentions. In this post, we’ll explain some of the most common types of spam, how to recognize them and what you can do to protect your contact form from spam.
Common Types of Spam Messages
Product/Service Pitches
These are unsolicited advertisements for various products or services, often vaguely related (or completely unrelated) to your website’s content. Think offers for SEO services, web design, marketing agencies, or software solutions. The most common goal is to promote products or services to a potentially relevant audience (even if poorly targeted).
Malware/Phishing Attempts
Malware spam messages contain links or attachments that, if clicked, can install viruses or other malicious software on your computer.
Phishing messages aim to steal sensitive information like login credentials, financial details, or personal data. They might impersonate legitimate companies or warn of fake security issues.
- Fake Support Requests: These might pretend to be customers with urgent issues, but their underlying goal could be to inject malicious code or gather information.
- Legal Threats/Demands: While less common, some spam can take the form of fake legal notices or demands for payment related to non-existent infringements.
- “Get Rich Quick” Schemes: These promise unrealistic financial gains through dubious methods like pyramid schemes, cryptocurrency scams, or fake investment opportunities. “Get rich quick” schemes and similar scams aim to trick recipients into sending money or providing financial information.
SEO Link Building Spam
These messages often request reciprocal link exchanges or offer to write guest posts with the sole intention of getting backlinks to their own (often low-quality) websites.
Even if the spam doesn’t have a malicious intent, it wastes your time and resources in reviewing and deleting it.
How to Recognize Spam
Spam tactics are continuously evolving and becoming more sophisticated. However, there are some telltale signs to help you identify them.
Misuse of Contact Form
If you receive a message you’re unsure of, the first question to ask yourself is: “Does it make sense to send me this message via my contact form?”
If the answer is “No,” then you’re probably looking at spam.
Suspicious Addresses
Suspicious Links
There are many ways to disguise malicious links but here are a few rules of thumb to help keep yourself safe.
- Unknown Sender = Don’t Click: If you’ve received a link from someone you don’t know, it’s best not to click.
- Confirm with Known Sender: Even if you know the sender, the link might still be dangerous. Spammers sometimes impersonate people you know. If you receive a link you weren’t expecting from someone you know, contact that person via phone or another email address you know they’re using and make sure they intended to send you that link before opening it.
- Hover Over: Many browsers will allow you to see where the link is actually going before you click on it. Without clicking, hover your cursor over the link and an address will appear, usually in the bottom left corner of your browser window. If that address doesn’t look right to you, don’t click on the link.
- Manually Navigate: If the link is supposedly for a known website (like your bank), open a new browser tab and type the website address directly into the address bar.
- Use a Link Checker: There are online tools (like VirusTotal, URLVoid, Sucuri SiteCheck) where you can paste a link to have it scanned for known threats.
Pro tip:
The most important part of a URL is the part right before the “.com”, “.net”, “.org”, etc.
Be wary if a link has a subdomain that doesn’t seem to fit (e.g., chase.login.malicioussite.com – the core domain is malicioussite.com, not chase.com).
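As an added example (not code from the original post), a small Python helper that applies the rule above: it pulls the hostname out of a link and reports the core domain, so chase.login.malicioussite.com resolves to malicioussite.com, and it flags a link whose hostname contains a brand name but whose core domain is not that brand's. The short list of multi-label suffixes is an assumption standing in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption for this example: a deliberately short stand-in for the Public
# Suffix List so that "bank.co.uk" is not misread as the suffix "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def _hostname(url: str) -> str:
    """Lowercased hostname of a URL; bare hostnames without a scheme are accepted."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def core_domain(url: str) -> str:
    """Return the registrable ("core") domain: the last two labels, or three
    when the last two are a known multi-label suffix."""
    labels = _hostname(url).split(".")
    if len(labels) < 2:
        return ".".join(labels)
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_impersonation(url: str, expected_domain: str) -> bool:
    """True when the brand name appears in the hostname (e.g. as a subdomain or
    in the user-info part before '@') but the core domain is not the brand's."""
    host = _hostname(url)
    brand = expected_domain.lower().split(".")[0]
    return core_domain(url) != expected_domain.lower() and brand in host
```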
Suspicious Email Address: These days, it’s easy to generate alias emails to hide the true email address of the sender. Be wary of email addresses made up of random numbers and letters, generic sounding names and misspelling of well known domains.
Examples
[email protected] (random letters & numbers)
[email protected] (generic name)
[email protected] (misspelling of familiar domain: Amazon.com)
Too Good to Be True
- Overly Enthusiastic Claims: “Cutting-edge,” “guarantee,” “amazing” are often red flags.
- Get Rich Quick Schemes: These promise unrealistic financial gains through dubious methods like pyramid schemes, cryptocurrency scams, or fake investment opportunities.
Overly Vague
- Generic Greeting: “Dear website owner” instead of a personalized greeting.
- Lacking Relevance: Doesn’t mention anything specific about your website or business.
Example: “Hi there, I came across your website and think your business could really benefit from our cutting-edge social media marketing services. We guarantee to increase your engagement and drive more traffic to your site. Visit our website at https://www.google.com/search?q=amazingmarketing.com for a free consultation!”
Pushy
- Pushy Call to Action: “Act Before It’s Too Late!” is a common tactic.
Nonsensical Content
While it might not seem effective to send a message that’s largely unreadable gibberish, this tactic is used by spammers specifically to bypass spam detection systems.
In this kind of message, you’ll often see a few coherent phrases that seem either very praising of your business or alarming and urgent.
Example:
URGENT! Discover the secret to making $10,000 per week working just a few hours from home. No experience needed. Click here to learn more before it’s too late [suspicious link]
- Random Characters and Letters: Strings of seemingly meaningless text.
- Incoherent Sentences: Lack grammatical structure or logical flow.
- Sometimes Mixed with Generic Praise: A short, positive comment followed by nonsense.
Something Just Doesn’t Seem Right
Sophisticated spammers are good at sending messages that seem plausible. Some spammers will actually cull data from LinkedIn profiles to identify people you may work with and pose as one of those individuals when they message you.
Example:
“Hi Mica,
I’m locked out of the ____ account. Can you email me the login and password?”
Red Flags Recap
- Why The Contact Form? Professionals you already work with shouldn’t need your contact form to reach you. They have more reliable ways to contact you, so using the form is a misuse of it.
- Right Person, Unfamiliar Email Address: If you recognize the name of the sender but you don’t recognize the email address, there’s a good chance it’s spam.
- Suspicious links: If you weren’t expecting a link or the link looks suspicious, don’t click it.
- Too Good to Be True: Never trust a get-rich-quick scheme.
- Overly Vague: They want to collaborate but don’t seem to know who you are and what your business is.
- Pushy: “Act Before It’s Too Late!” is often another way of saying “Act Before You Have Time to Recognize This As A Scam!”. Good actors want you to take action after careful consideration, not on impulse.
- Inappropriate Requests: Even if the sender is who they claim to be, email is not a secure way to share your passwords or sensitive information. These messages can be intercepted by third parties or your email could eventually be hacked.
- Unusual Behavior: You may receive a message from someone you know but something about the writing style or tone of the message seems out-of-character for the sender. Trust your gut when this happens. A spammer may be impersonating someone you know.
How to Respond
Ignore
Sometimes you’ll receive a message that just doesn’t seem right, even if you can’t put your finger on any specific reason why. It’s completely valid to trust your gut in these situations and ignore the message.
Validate & Advise
Use an email or phone number you know is valid to try and reach the sender of the email and confirm it’s really from them.
If they did send the message, advise them to contact you directly at your email address instead of the contact form. If they asked for sensitive information via email, advise them of the preferred method to share that information.
How Not to Respond
Don’t Engage
Any interaction will only encourage more messages and additional risk of downloading malware or exposing your data. The best response is no response.
Unless Certain, Don’t Mark As Spam
If you can’t quite pinpoint what’s making you unsure about the message, don’t mark it as spam. Doing so will block any further communication from that sender and, if it turns out to not be spam after all, you may miss important messages.
Only use “mark as spam” if you’re 100% sure that the message is spam.
How to Protect Your Contact Form from Spam
Protecting your contact forms from spam is an ongoing effort, but there are several effective strategies you can implement. Here’s a breakdown of common and useful techniques:
Protection Via Your Contact Form
1. CAPTCHA or reCAPTCHA:
- How it works: These tools require users to prove they are human before submitting the form. Traditional CAPTCHA presents distorted text or images that users must decipher. reCAPTCHA (especially v3) often works invisibly in the background, analyzing user behavior to determine if they are likely human or a bot.
- Pros: Highly effective at blocking many types of automated spam bots. reCAPTCHA v3 offers a less intrusive user experience.
- Cons: Traditional CAPTCHA can be frustrating for users. Even advanced CAPTCHAs can sometimes be bypassed by sophisticated bots or human click farms.
2. Honeypot:
- How it works: A honeypot field is a form field that is hidden from regular users (using CSS). Bots, however, may still fill it out. If this hidden field has a value upon submission, it’s highly likely to be a bot.
- Pros: Invisible to users, providing a seamless experience. Can be very effective against simpler bots.
- Cons: More sophisticated bots might be programmed to ignore hidden fields. Requires careful implementation.
3. Form Validation:
- How it works: Implement server-side and client-side validation to check if the submitted data meets certain criteria (e.g., valid email format, minimum/maximum field lengths). You can also block submissions with suspicious keywords or patterns common in spam.
- Pros: Helps filter out poorly formed or obviously spammy submissions. Improves data quality.
- Cons: Can be bypassed by bots that are programmed to fill out forms correctly. Requires ongoing maintenance to update blocked keywords.
4. Disable or Limit File Uploads:
- How it works: If your contact form allows file uploads and you don’t strictly need them, consider disabling this feature. If necessary, implement strict file type and size restrictions, as malicious files can sometimes be submitted through forms.
- Pros: Reduces a potential avenue for malware or malicious content.
- Cons: Limits functionality if file uploads are a legitimate requirement.
Protection Via Your Hosting
5. Rate Limiting:
- How it works: Limit the number of submissions that can be made from a specific IP address within a certain timeframe.
- Pros: Can prevent bots from flooding your form with a large number of spam messages in a short period.
- Cons: May temporarily block legitimate users who try to submit the form multiple times due to errors or technical issues. Requires careful configuration of limits.
6. Block Known Spammer IPs and Domains:
- How it works: Maintain a blacklist of IP addresses and email domains known for sending spam. You can manually add these or use third-party services that maintain such lists.
- Pros: Can block persistent spammers.
- Cons: Spammers can easily change their IP addresses and use new domains, so this requires constant updating.
7. Use a Web Application Firewall (WAF):
- How it works: A WAF sits between your website and incoming traffic, analyzing requests and blocking malicious ones, including those trying to exploit vulnerabilities in your contact form or submit spam.
- Pros: Provides a broader layer of security against various threats, including spam.
- Cons: Can be more complex to set up and may require ongoing management.
Combining Strategies is Key:
Often, the most effective approach involves using a combination of these techniques. For example, implementing reCAPTCHA along with a honeypot field and server-side validation can significantly reduce the amount of spam you receive.
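As an added example, not code from the original post, here is a Python server-side check that combines the honeypot, validation and rate-limiting steps from this section into one function. The field names, length limits, spam patterns and per-IP limits are constructed assumptions to tune for a real form.

```python
import re
import time
from collections import defaultdict, deque

# Constructed settings for this example; tune them for the real form.
HONEYPOT_FIELD = "website_url"   # hidden with CSS, so humans never fill it in
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SPAM_PATTERNS = [re.compile(p, re.I | re.S) for p in (
    r"\bguarantee(d)?\b.*\b(traffic|ranking|engagement)\b",
    r"\bget rich quick\b",
    r"\bact (now|before it.s too late)\b",
    r"https?://\S+.*https?://\S+",          # two or more links in one message
)]


class RateLimiter:
    """Sliding-window count of submissions per client IP."""
    def __init__(self, limit=3, window=600):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)       # ip -> timestamps inside the window

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        q = self.hits[ip]
        while q and now - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def check_submission(form, client_ip, limiter, now=None):
    """Return the reasons to reject a POSTed form dict; [] means accept.
    Every attempt counts against the IP's quota, even one the honeypot caught."""
    reasons = []
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot filled")
    if not EMAIL_RE.match(form.get("email", "")):
        reasons.append("invalid email")
    message = form.get("message", "")
    if not 20 <= len(message) <= 2000:
        reasons.append("message length out of range")
    if any(p.search(message) for p in SPAM_PATTERNS):
        reasons.append("matches spam pattern")
    if not limiter.allow(client_ip, now):
        reasons.append("rate limit exceeded")
    return reasons
```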