Form spam refers to unsolicited, automated submissions sent through web forms by bots, typically containing advertisements, phishing links, or gibberish text.
Form spam is one of the most persistent problems for any website with a publicly accessible form. Spam bots crawl the internet searching for form elements, then submit junk data — SEO backlink requests, pharmaceutical ads, phishing URLs, or randomly generated text.
The volume can be significant. An unprotected contact form on a moderately trafficked website can receive dozens to hundreds of spam submissions per day. This buries legitimate submissions, wastes time on manual review, and can pollute analytics data.
Spam prevention works in layers. The first layer is client-side deterrence: honeypot fields catch basic bots, and CAPTCHAs challenge suspicious users. The second layer is server-side filtering: rate limiting prevents rapid-fire submissions, and content analysis flags messages containing known spam patterns (certain URLs, excessive links, specific keywords). The third layer is AI-based scoring: machine learning models evaluate submission content, sender behavior, and metadata to assign a spam probability score.
FormsList implements all three layers. Every submission passes through honeypot detection, optional CAPTCHA verification, and AI-powered spam scoring. Suspected spam is quarantined but accessible in case of false positives.
Bots submit forms with messages containing dozens of URLs to gambling or pharmaceutical sites, hoping the form data will be published somewhere and create backlinks.
Automated submissions containing links to fake login pages, trying to trick form reviewers into clicking malicious URLs.
A bot submits the same form hundreds of times per hour, overwhelming the inbox and potentially causing the email server to rate-limit legitimate notifications.
Set up your form backend in under a minute. No server required, no complex configuration — just a simple endpoint for your forms.