8 Best Methods to Stop Bots From Submitting Forms to Prevent Spam, Fake Users

Bots can cause all sorts of headaches targeting registration forms and contact forms. Let's explore the best ways to prevent bots from submitting form spam with fake user data and invalid email addresses.

Form spam submitted by bots is at an all-time high, and solutions like captchas are unable to keep up with the latest threats. Bots are everywhere online in 2020: over 40% of web traffic originates from automated bot requests, and bots cause an estimated $7 billion in damages to companies each year. While preventing bot traffic is an everyday challenge for most companies, many solutions exist to stop bots from submitting forms and to accept only real human data. Let's explore the best methods for mitigating form spam.

Why Are Bots Attacking My Forms?

It's always good to understand your enemy so let's first understand why bots would target an online form while submitting fake user data and invalid email addresses. Most bots submitting contact form spam are looking to advertise a company and will typically submit a promotional message and the company's URL. Other types of bot spam may submit lead generation forms or registration forms. This could be to gain free accounts, access trials, or even to gain affiliate program incentives such as cost per lead performance marketing. And some attacks are just completely malicious in nature and could originate from competitors or frustrated users.

Can Bots Be Prevented From Submitting Forms?

Yes, absolutely. While bots continue to evolve and become more human-like in their behavior, many methods exist to prevent bots automatically. As a fraud detection company, IPQS gains great insight by working with the internet's top companies to best mitigate bots and other forms of abuse. The following strategies are the best methods working in 2020 for detecting bots, and we expect them to be effective well into 2021 and beyond.

8 Quick Ways to Stop Bots From Submitting Forms

  • Filter Proxies and VPNs. Scoring the IP address can tell a lot about the user. Bots, for example, typically do not use residential IPs but favor data centers and hosting providers such as Amazon and Digital Ocean servers. Using an IP Reputation API, it is incredibly easy to integrate real-time blocking of proxies, VPNs, and Tor addresses. High-risk IP addresses in these categories indicate a bot or fraudulent activity.
  • Enforce Geolocation and Filter By Country. If you are only concerned with clients in the US or Canada, then it is very easy to restrict submissions to IP addresses located in your accepted regions. Similarly, you can exclude certain regions, for example if you are receiving high amounts of form spam from China, Russia, Brazil, India, etc.
  • Check For IFrames. Based on our experience, forms and registrations submitted through an iframe are fraudulent over 97% of the time. If your site does not use iframes then that confidence increases even further. Iframes can load your site into another site, usually with a much smaller height and width than the full site. Using JavaScript, it is possible to check whether the page is being displayed inside an iframe when the user submits the form data:

    
    function inIframe () {
        try {
            return window.self !== window.top;
        } catch (e) {
            return true;
        }
    }
  • Validate Email Addresses. Using an email address validation API you can quickly determine if the email submitted is valid, has a working inbox, and has any recent abusive history across the IPQS network. As we track hundreds of millions of email addresses per day from logins, payments, & registrations, our algorithms can quickly detect new addresses which are engaging in abusive behavior. Over 95% of the time, bot submissions will use invalid email addresses. IPQS improves those numbers even further by also factoring in reputation scoring so malicious email addresses can be blocked in real-time. Beyond IP scoring, verifying email addresses during form submission is the next best layer of protection.
  • Verify Phone Numbers. Taking this protection a step further, IPQS can also validate phone numbers to analyze risk and determine whether they are VOIP or digital lines, which are typically used for malicious behavior. Phone numbers with an abusive history, such as those that have submitted fake forms in the past, can also be identified using this API service. While not all forms collect a phone number, it can be a very useful data point for qualifying users.
  • Ask Custom Questions. Text input fields which require a user to share feedback or details can be very useful in identifying bots. Most bot spam will not provide real responses in these fields, often filling them with gibberish. Advanced bots and fraudsters will certainly defeat this check but it is a great way to filter out less intelligent abuse.
  • Device Fingerprinting. This tool can track devices even as they switch IP addresses and browsers. Setting your system to only accept 1 submission per device ID can quickly eliminate fraud as most bots originate from the same device. Using device spoofing, they are able to emulate hundreds or thousands of alternate devices. Device Fingerprinting provides protection against even the most sophisticated fraudsters and can be applied for both desktop and mobile devices.
  • Use Cookies. Users switching their IP addresses typically forget that cookies are still enabled. If you assign a cookie to a user upon a successful form submission, you can block future submission attempts when that cookie is present. Here is a quick example for PHP forms:

    
    // set when form submitted
    setcookie('form', 'submitted', time()+60*60*24*365, '/', 'www.example.com');
    // validation before the form is shown to user
    if(isset($_COOKIE['form'])){
    	// hide form from user or block submission
    }
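
The browser-side iframe check and the cookie only help if the server makes the final decision, since a bot can skip the script and drop the cookie. The following JavaScript (Node.js) is an added example, not code from IPQS or the original article, that combines several checks from the list; the field names (isProxy, country, inIframe, deviceId, answer), the in-memory device map and the gibberish heuristic are assumptions.

```javascript
// Added example: server-side screening combining checks from the list above.
// All field names are hypothetical; isProxy and country stand for the output
// of whatever IP reputation / geolocation lookup is in use.
const ALLOWED_COUNTRIES = new Set(['US', 'CA']); // assumption: US/Canada-only site
const seenDevices = new Map(); // deviceId -> accepted submissions (in-memory for the demo)

// Parse a raw Cookie header into an object.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Crude heuristic for the custom-question field (an assumption, not a standard):
// too short, no spaces, or almost no vowels.
function looksLikeGibberish(text = '') {
  const t = text.trim();
  if (t.length < 10 || !/\s/.test(t)) return true;
  const letters = t.replace(/[^a-z]/gi, '');
  const vowels = letters.replace(/[^aeiou]/gi, '');
  return letters.length === 0 || vowels.length / letters.length < 0.2;
}

// Returns { accept, reasons } for one submission.
function screenSubmission(sub) {
  const reasons = [];
  if (sub.isProxy) reasons.push('proxy_or_vpn');
  if (!ALLOWED_COUNTRIES.has(sub.country)) reasons.push('country_not_allowed');
  // Flag is posted by the page from inIframe(); a missing flag means the script never ran.
  if (sub.inIframe !== false) reasons.push('iframe_or_no_js');
  if (parseCookies(sub.cookieHeader).form === 'submitted') reasons.push('cookie_present');
  if ((seenDevices.get(sub.deviceId) || 0) >= 1) reasons.push('device_already_submitted');
  if (looksLikeGibberish(sub.answer)) reasons.push('gibberish_answer');
  const accept = reasons.length === 0;
  if (accept) seenDevices.set(sub.deviceId, 1); // one submission per device ID
  return { accept, reasons };
}

// Constructed sample submission (not real traffic).
const demo = { isProxy: true, country: 'US', cookieHeader: 'form=submitted',
               deviceId: 'demo-device', answer: 'qwrtplkjhgfd' };
console.log(screenSubmission(demo));
```

Recording the reasons rather than a bare yes/no makes it possible to review which check is rejecting legitimate users before tightening any of them.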
    

Invalid Emails and Bad Submissions Can Ruin Your Data

If you plan on marketing to lists captured by your forms then fake emails can hurt your sender reputation. Invalid emails will bounce and penalize your IP address and domain reputation with popular mail service providers. Fake registration and client data can also distract your marketing teams with disconnected phone numbers and contact information. Performing user validation at the time of submission is the best way to prevent abusive users and invalid data at the same time.

Protect your forms from bots with minimal setup time. The methods above can mostly be integrated with simple API requests and example documentation code. Get started with a free IPQS account and grab your API key to start integrating. If you are not a developer, don't worry! We have tools that you can quickly embed on your site without any coding required.
