If you have a form, any form at all, you’re going to get some SPAM.
How to Identify, and Eliminate Virtually All SPAM from your Website
Let’s start with a few simple rules that we can all agree on
RULE #1:
The simpler the form, the greater the response.
The harder the form, the less response.
This simple / harder concept applies to not just the actions for the submit but to everything about the form itself. As an example, take two different CMA Request forms. FORM “A” asks them for the answer to every single thing you need to properly prepare a CMA. This form might have the usual name , address and contact, but also has mandatory questions like square footage, age of the bathrooms, kitchen, and so on. Fair enough, right?
While FORM “B” just asks for their name, address and basic contact information. Which do you think is going to be completed more often? Yes, you know that you are going to need way more information but you have now started the conversation and you are miles ahead of someone who walked away from the more complex form.
The same goes for the SUBMIT action. The simpler it is to submit, the more apt it will be submitted. That means that if you make me jump through 10 hoops just to submit – I’m walking away. If it’s a simple push of the button, I’m in!
RULE #2:
Spammers aren’t people, they are BOTS written by people to do malicious things but they are NOT People.
In all of this, there’s an emotional response that we all feel. I love it when someone submits a form. I look at each one as if I’m about to meet a new person, a new friend. Spammers know this. That’s why they write the bots to sound like real people. It’s ok to be skeptical of new submissions – you aren’t going to hurt anyone’s feelings. It’s ok to block the bad guys – remember that they are BOTS.
The idea in all of this is that we want to weed out the bad and make sure we don’t miss the real people. That’s our struggle in a nutshell.
SPAM REDUCTION IS LIKE A SEE SAW

We’ve all been there. You start to fill out a form and the longer it is or the more hoops they have you jump through the less likely you are to fill it out – right? This goes for us, it goes for our valuable clients, and it goes for the spammers too. As we look at all of these spam reduction techniques just keep that thought in mind.
The first question we need to ask is “Where is this coming from?”
While that might seem a silly question, it isn’t. I use Gravity Forms in all the sites that I build. When a form submission comes into my inbox via a Gravity Form here’s what it might look like. (this is my Contact form)

But in a lot of the websites I build there are other ways that forms are submitted. If you have a real estate site you might have IDX. While the IDX is built into your site it’s a different system, different form. You might also have a landing page system like LeadPages in your site. It’s the same as IDX. – hence my question – “Where did this spam come from?“

Once we’ve identified the source of the form it’s easy to apply measures that will reduce / eliminate the spam entries. Ready?
6 WAYS TO ELIMINATE SPAM
WORDPRESS:
Let’s start with Homebase – your WordPress built website. Your site starts with a good base from WP. In that base there’s a simple form that you can use to put on any page.
If you are using the stock form in WordPress the simple fix is called Akismet. It’s inside the Jetpack Plugin or even by itself. https://wordpress.org/plugins/akismet/

Akismet works by having each comment submission run through their servers. The other websites that are running Akismet do the same. Remember that spammers are not just spamming your site, they are spamming millions of sites. When SPAM comes into the Akismet servers and enough people mark it as such, they simply deny the Spam from getting to you. It’s incredibly effective. Of course in this scenario, someone needs to be first, but it’s rarely going to be you. I wrote about Akismet way back in 2013!
NOTE: If you have comments enabled on your site guess what? That’s a form! Akismet was originally built for comment spam.
3RD Party Form Builders
There’s a myriad of free, or premium form builders available. Some of them can tap into the Akismet database to protect you while others can not. Like I mentioned, I use a premium form builder that does amazing things called Gravity Forms. In their settings is a simple radio button to add Akismet protection to any form. Pretty cool, eh?

But wait! There’s more! or so goes the infomercials.
The Honeypot:
Gravity Forms has the ability to add what is called a Honeypot. Don’t worry, I’ll explain.

A Honeypot is simply an invisible field that users can’t see, but the spambots can. The Bots fill in the field and BINGO! Now we know they are spammers. Check to see if your form builder can use a honeypot.
The good news is that this technique stops a lot of spam bots in their tracks. The bad news is that spambots have gotten smarter. 🙁
SPAM FROM YOUR IDX:
Since most of my sites use IDXBroker I’m going to use them for examples. Any other 3rd Party IDX solution is going to be similar. Most every IDX has forms. Those forms might be for “registration”, or a CMA Request, or just a “show me this home”. That means that the spambots are going to be attracted to the IDX forms you have. The good news is that there are things you can do about it.
IDXBroker’s support site has a whole article on Spam Prevention where they show you how to set up Lead Registration, CAPTCHAs, Reverse CAPTCHAs, and…
Oh but hey, you might want to check this out first.
CAPTCHA / I AM NOT A ROBOT:
Yes I know that they are still out there. I know you’ve also had to deal with “check all boxes that have ______ in them” but for a while now the smart people have been saying that “CAPTCHA IS DEAD” and they are right.
Take a moment and watch this video from Tom Scott explaining CAPTCHA and what’s been going on behind the scenes.
Oh great! Now that I know that BOTS are smarter than most CAPTCHA systems what do you suggest now?
While the Bots are getting smarter, remember that it’s always been a tug of war struggle. What we do to stop them works for a while and then we have to come up with newer and better plans. There is no perfect solution.
BACK TO THE IDX SPAM:
The help article I linked to (https://support.idxbroker.com/support/s/article/spam-prevention) is great in that it shows how to set up CAPTCHA, it also talks about what they call Reverse CAPTCHA and now you know that’s what is called a honeypot! Look how smart you are! 🙂
They also refer to setting up Google CAPTCHA and now that you’ve watched the Tom Scott video you know that version 2 isn’t enough. Sadly though, a sharp eye will see that version 3 isn’t supported (yet).

BLOCKING AT THE IP LEVEL:
Spambots all come from some computer somewhere. That computer has an IP address. If we can identify that IP, we can block that IP. Simple enough, right? The problem is that there are so many computers out there doing the malicious spambots work that it’s nearly impossible to stop them all.
Blocking at the IP level can be done on your own website and you can also submit IPs to the IDX and have them block from their servers as well. Like I said, the problem is identifying them and creating that list to begin with.
BETTER IDX SETTINGS:
If you are an IDXBroker client I can give you a direct link to where we want to go. It’s https://middleware.idxbroker.com/mgmt/leadregpref.php but before you get all clicky clicky stop for a second.
The first thing you’ll see is an easy peasy slider. You can use it if you like but do yourself a favor and click on that ADVANCED tab instead.

On the ADVANCED Tab, you’ll have options for all of your form based interactions. At the top of email I suggest you go with this:

OUTSIDE NORTH AMERICA: Of course everyone is going to be different but unless your clients are foreign this option will eliminate a bulk of the bots.
SOCIAL MEDIA LOGIN: While this is a nice option (i.e. sign in with Facebook), it’s also an easy opening for the bots. Russia and the 2016 Election – enough said.
CAPTCHA: Yeah, it’s only Version 2 but it’s better than nothing, right?
THE THANK YOU PAGE:
Moving across the list of TABS, let’s talk about the Thank You Page.

I’ll just say this. Have you walked the path in your client’s shoes? Don’t leave your Thank You page ‘stock’. Just don’t.
EMAIL SETTINGS:

Once again, everyone is going to be different so go through these and adjust each and every one of them to your liking.
FORCE REGISTRATION or REQUEST REGISTRATION?
That is the question. It’s not part of the Spambot issue but since you are here, let’s touch on that. Click on one of these boxes and there’s a popup with a lot more options for you to decide on. Don’t forget to scroll down, there’s a bunch of settings to adjust there.

There is no right answer on this one. Use what works best for you.
THE CREDENTIAL EMAIL:
Once again, not part of eliminating Spam but it does send the right message when done right. This last tab allows you to craft the outgoing success email that goes out to the new registration. Seriously, take the time to make this outgoing email your own. Add your personality to it. You only have to do this once and it’s one of those first impression things, right?
CONCLUSION:
This post is dated. It’s a moment in time and it’s correct for that moment in time but everything changes and changes at a rapid rate so what is true today is not going to be true tomorrow. We’re all on a See Saw. The spammers and malware peeps came around and caused trouble, so the technology peeps came up with answers to stop them. Spammers improved or changed tactics and the tech community responds. It’s a never ending battle and it’s all part of the game. Stay safe out there, stay smart. 🙂
Photo by Markus Winkler on Unsplash
- The Ultimate Guide to Writing the Perfect Blog Post - March 14, 2023
- 8 Questions Your Web Developer Should Have Asked - April 27, 2021
- Slack, Chat or Discord? - April 6, 2021