Form Spam Protection

What Is Form Spam?

Form spam is the repeated abusive posting of web forms with unwanted content. In most cases form spamming is automated, but spam may also in some cases be submitted manually, when the expected outcome justifies the time investment. A frequent type of form spam targets the commenting facility of blogs (comment spam). Motivations for spammers include:

• Posting a URLs to a website to increase a third-party's website's search engine ranking
• Increasing the traffic on a targeted website
• In the case of email forms, sending an unsolicited message to the form results' recipient, while bypassing email spam filters¹
• Testing a form processor for security vulnerabilities

Stopping Form Spam

The first measure against form spam is appropriate form validation. Validation alone is often not sufficient, and specific measures have to be taken to avoid form spam. It is common practice to protect web forms against spam and abuse by challenging users with CAPTCHA systems.

Such systems are meant to ensure that forms are only submitted by humans, not by automated software agents. The systematic use of CAPTCHAs to prevent form spam however seriously affects form accessibility and usability. At a minimum, CAPTCHAs may disallow the visually impaired to use your forms, and increase form abandonment among other visitors.

For these reasons, we have developed a ‘smart’ form spam filter that limits our reliance on challenge techniques such as CAPTCHAs. FormSmarts only challenges users as a last resort, when evidences reveal a likely spamming attempt. As a result, most users will never be asked to complete a CAPTCHA test, because analysis of their behavior, message content, and network standing show their form submission is unlikely to be spam.

FormSmarts Form Spam Filter

FormSmarts form spam blocker relies on a combination of techniques and technologies. For each form posted, a number of tests are performed, and dozens of factors are considered and agreggated, to assess whether the request is closer to a legitimate form submissions or to a form spamming attempt.

• Submitted content analysis. As noted above, form spam and abuse may be motivated by diverse purposes. Each one reflects into the form content by the use of particular phrasing, terminology, and general message topic.
• User behavior evaluation. Robots (and even manual form posters) have different web navigation patterns than legitimate users.
• Network factors evaluation. Form spam is often posted repeatedly, and from third party machines (e.g. dynamic proxies.)

---

1. Similar to email spam. The difference is that most forms are poorly protected against form spam, compared with the sophistication and wide-spread use of email spam filters. Also, if form results are delivered by email, the sending address is likely to be whitelisted, irrespectively of the content of the form results.