9 Best Methods to Stop Bots From Submitting Forms to Prevent Spam, Fake Users

Bots can cause all sorts of headaches targeting registration forms and contact forms. Let's explore the best ways to prevent bots from submitting form spam with fake user data and invalid email addresses.

Form spam submitted by bots is at an all-time high, and solutions like captchas are unable to keep up with the latest threats. Bots are everywhere online in 2021, with over 40% of web traffic originating from an automated bot request and an estimated $7 billion of damages caused by bots to companies each year. While it can be an everyday challenge for most companies to prevent bot traffic, many solutions do exist to stop bots from submitting forms and only accept real human data. Let's explore the best methods for mitigating form spam.

Why Are Bots Attacking My Forms?

It's always good to understand your enemy, so let's first understand why bots would target an online form while submitting fake user data and invalid email addresses. Most bots submitting contact form spam are looking to advertise a company and will typically submit a promotional message and the company's URL. Other types of bot spam may submit lead generation forms or registration forms. This could be to gain free accounts, access trials, or even to gain affiliate program incentives such as cost per lead performance marketing. And some attacks are just completely malicious in nature and could originate from competitors or frustrated users.

How to stop spam bots on my website? Deploying a real-time bot detection API to check form submissions or creating your own quality filters can stop bots from filling out forms.

You may not be 100% sure if bots are submitting contact forms on your website. We recommend checking the IP address against our IP bot detection tool to quickly analyze if the contact form was submitted by a bot.

Can Bots Be Prevented From Submitting Forms?

Yes, absolutely. While bots continue to evolve and become more human-like in their behavior, many methods do exist to automatically prevent bots. As a fraud detection company, IPQS gains great insight by working with the internet's top companies to best mitigate bots and other forms of abuse. The following strategies are the best methods working in 2021 for detecting bots that we expect to be effective well into 2021 and beyond.

9 Quick Ways to Stop Bots From Submitting Forms

Are you wondering how to stop bots from submitting forms? These are the best techniques for stopping bots on your website:

  • Filter Proxies and VPNs. Scoring the IP address can tell a lot about the user. Bots, for example, will typically not use residential IPs but will favor data centers and hosting providers such as Amazon and Digital Ocean servers. Using an IP Reputation API, it is incredibly easy to integrate real-time blocking of proxies, VPNs, and Tor addresses. High risk IP addresses in these categories would indicate a bot or fraudulent activity.
  • Enforce Geolocation and Filter By Country. If you are only concerned with clients in the US or Canada, then it is very easy to restrict submissions to IP addresses located in your accepted regions. Similarly, you can also exclude certain regions, for example if you are receiving high amounts of form spam from China, Russia, Brazil, India, etc.
  • Check For IFrames. Based on our experience, forms and registrations submitted through an iframe are fraudulent over 97% of the time. If your site does not use iframes then that confidence increases even further. Iframes can load your site into another site, usually with a much smaller height and width than the full site. Using JavaScript, it is possible to check whether the page is loaded inside an iframe while the user submits the form data:
    // Returns true when this page is running inside a frame.
    function inIframe() {
        try {
            return window.self !== window.top;
        } catch (e) {
            // If the browser blocks access to window.top, assume the page is framed.
            return true;
        }
    }
  • Validate Email Addresses. Prevent bots from registering or submitting forms with email address fraud detection through the IPQS email address validation API, which can quickly determine if the email submitted is valid, has a working inbox, or has any recent abusive history across the IPQS threat network. As we track hundreds of millions of email addresses per day from logins, payments, & registrations, our algorithms can quickly detect new addresses which are engaging in abusive behavior. Over 95% of the time, bot submissions will use invalid email addresses. IPQS improves those numbers even further by also factoring in reputation scoring so malicious email addresses can be blocked in real-time. Beyond IP scoring, verifying email addresses during form submission is the next best layer of protection.
  • Verify Phone Numbers. Taking this protection a step further, IPQS can also validate phone numbers to analyze risk and determine if they are a VOIP or digital line typically used for malicious behavior. Phone numbers with an abusive history, such as those that have submitted fake forms in the past, can also be identified using this API service. While not all forms collect the phone number, it can be a very useful data point for qualifying users.
  • Ask Custom Questions. Text input fields which require a user to share feedback or details can be very useful in identifying bots. Most bot spam will not provide real responses in these fields, often filling them with gibberish. Advanced bots and fraudsters will certainly defeat this check but it is a great way to filter out less intelligent abuse.
  • Device Fingerprinting. Protect HTML forms by tracking devices even as they switch IP addresses and browsers. Setting your system to only accept 1 submission per device ID can quickly eliminate fraud as most bots originate from the same device. Using device spoofing, they are able to emulate hundreds or thousands of alternate devices. Device Fingerprinting provides protection against even the most sophisticated fraudsters and can be applied for both desktop and mobile devices.
  • Use Cookies. Users switching their IP addresses typically forget that cookies are still enabled. If you assign a cookie to a user upon a successful form submission, you can block future submission attempts when that cookie is present. Here is a quick example for PHP forms:
    // set when form submitted
    setcookie('form', 'submitted', time()+60*60*24*365, '/', 'www.example.com');
    // validation before the form is shown to user
    if (isset($_COOKIE['form']) && $_COOKIE['form'] === 'submitted') {
    	// hide form from user or block submission
    }
  • Replace Captchas. Captchas can significantly hurt your user experience, pushing good quality users away from your site. IPQS solutions are great at identifying bots without displaying any challenge or obstruction to the user. Explore our guide for captcha alternatives for bots to learn more.
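
The locally implementable checks from the list above (iframe flag, repeat-submission cookie, proxy and country results from an IP lookup, and the custom-question answer) combined into one server-side decision. This is an added example, not IPQS code: the function names, the `in_iframe` and `feedback` field names, and the `{ country, proxy }` shape of the lookup result are assumptions.

```javascript
// Added example (Node.js, no dependencies). All names here are hypothetical.
const ALLOWED_COUNTRIES = new Set(['US', 'CA']); // assumed policy: US and Canada only

// Parse a raw Cookie request header into a plain object.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Rough heuristic for a free-text answer: too few letters, too few words,
// or a vowel ratio far from ordinary English text.
function looksLikeGibberish(text) {
  const letters = (text.match(/[a-z]/gi) || []).length;
  if (letters < 10) return true;
  const vowels = (text.match(/[aeiou]/gi) || []).length;
  const ratio = vowels / letters;
  const words = text.trim().split(/\s+/).length;
  return ratio < 0.2 || ratio > 0.6 || words < 3;
}

// Returns { accept, reasons }. ipInfo is the result of whatever IP lookup
// you use; its { country, proxy } shape is assumed for this example.
function evaluateSubmission({ fields, cookieHeader, ipInfo }) {
  const reasons = [];
  // in_iframe is a hidden field that client-side JS fills with the result of
  // inIframe(). A missing value means the script never ran, which is itself
  // typical of simple bots, so only an explicit 'false' passes.
  if (fields.in_iframe !== 'false') reasons.push('framed-or-no-js');
  if (parseCookies(cookieHeader).form === 'submitted') reasons.push('repeat-cookie');
  if (ipInfo.proxy) reasons.push('proxy-or-vpn');
  if (!ALLOWED_COUNTRIES.has(ipInfo.country)) reasons.push('country-not-allowed');
  if (looksLikeGibberish(fields.feedback || '')) reasons.push('gibberish-answer');
  return { accept: reasons.length === 0, reasons };
}
```

The iframe flag and the cookie are both supplied by the client, so they work as cheap filters layered under the IP, email and phone checks rather than as a replacement for them.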

Invalid Emails and Bad Submissions Can Ruin Your Data

If you plan on marketing to lists captured by your forms then fake emails can hurt your sender reputation. Invalid emails will bounce and penalize your IP address and domain reputation with popular mail service providers. Fake registration and client data can also distract your marketing teams with disconnected phone numbers and contact information. Performing user validation at the time of submission is the best way to prevent abusive users and invalid data at the same time.

Protect your forms from bots with minimal setup time. The methods above can mostly be integrated with simple API requests and example documentation code. Get started with a free IPQS account and grab your API key to start integrating. If you are not a developer, don't worry! We have tools that you can quickly embed on your site without any coding required.
