What Is Form Spam?


Form SpamForm spam is the filling out and submission of web forms with irrelevant or fake information, including abusive language, ads, spam links to malware-laden sides and phishing websites set up by scammers. Most form spam is created by bots which are programmed to find web forms and fill them out. When a form is filled on a website, it is often considered a ‘lead’ from an interested customer or sales prospect. Form fills are generally sent to group email IDs at marketing or sales departments, hence form spam ends up being a waste of time and effort for those teams. When a person clicks on these spam links, they may be susceptible to malware downloads or loss of confidential information. Spam links are also posted by bots to generate traffic to shady sites that generate ad revenue through them.

Form Spam ─ How is it done?

Programming bots to search for web forms to abuse is quite trivial compared to some of the more malicious activities that fraudsters and cybercriminals program bots to carry out. There exists a whole ecosystem of sites that sell bot programs that can execute a activities ranging from the unethical (scraping and spamming) to outright criminal (such as account takeover, carding and ad fraud). Some of these bot vendors even offer customer support or add-on features to provide specific capabilities for their users to leverage

Of course, form spam by humans is as old as the Web itself. Spammers have manually targeted websites and submitted forms through them for decades now. It is virtually impossible to block human spammers who can easily solve CAPTCHAs and use other common methods to spam websites.

The Impact of Form Spam

Millions of Web users log into online forums and discussion boards where virtually any topic imaginable is talked about. When bots post spam comments on these forums, they interfere with real conversations and upset users with unsolicited messages and advertisements. Naturally, this spoils the user experience and leads to lower engagement and traffic on sites with high volumes of spam.

Websites that host classified ads, property listings and job openings are among the biggest targets of form spam. Competitors use bots to regularly spam contact forms on such sites to generate fake leads, which end up irritating advertisers as well as the site’s sales teams who then must comb through all the spam to find real leads. This directly impacts the site’s users who may decide that it’s not worth the expense to advertise listings on the site in question.

Bots that are engaged in spamming also slow down targeted websites and applications, which leads to a frustrating experience for users and lower search engine rankings (since faster loading sites are generally ranked higher by search engine algorithms). Due to high volumes of unchecked bot traffic, webmasters may need to spend money on upgrading infrastructure and bandwidth. Conversely, being able to block spam bots can allow sites to operate efficiently with existing infrastructure.

Another outcome of spam bot traffic is that it skews website analytics and prevents marketers and website managers from getting a clear picture of real traffic to base their strategies on. The fake leads from spam bots end up being a total waste of time and effort for marketing and sales teams.

How to Stop Form Spam

Web technology has made a few small steps towards cutting down on form spam, but bot developers have also made their bots more human-like to evade detection by conventional security systems. Here are some ways to stop Form Spam:

  1. Field Validations

    Some web forms have built-in field validation that can help control fake submissions to some extent. This helps automatically reject invalid email IDs and those known to carry out form spam.

  2. CAPTCHA

    Google CAPTCHA/reCAPTCHA is increasingly being deployed to validate genuine users during form fills. However, CAPTCHAs can also be solved or bypassed with the help of software tools and browser extensions, and by outsourced teams of remote workers who are paid based on the number of CAPTCHAs they solve. The growing sophistication of bots that are programmed to behave in a human-like manner also makes them harder to detect with conventional validation methodologies.

  3. WAFs

    WAFs succeed in stopping Gen 1 and 2 bots that are more programmatic in their function and can be detected easily. However, WAFs lack the capability to analyze every visitor’s behavior and are not designed to reliably detect advanced bots that are programmed to exhibit human-like behavior.

  4. Bot Management

    Currently there is no substitute for a specialized bot management solution when it comes to preventing form spam. Bot Management can detect and block even the most sophisticated bots from entering the network. Equipped with ML, AI, intent and behavior analysis, a bot manager solution has a better chance at protecting resources and assets from spammer bots.

Radware’s Bad Bot Vulnerability Scanner

Is Your Website Secure Against Spam Bots? Find Out Now

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
CyberPedia