How to Prevent Bots From Spamming Your Email Signup Forms

When adding public signup forms to any website, one of the main problems you'll encounter is bot attacks.

This is when an automated script (bot) fills out your form with fraudulent or fake emails and false information. Over time, this has the potential to degrade the integrity of your email list and hurt deliverability. Bots don't open emails, and Google Postmaster and Gmail's inbox algorithm will assume you have poor sending practices if you're hitting bad email addresses.

Why is this happening and why am I being targeted?

TL;DR: It probably isn't targeted at you specifically.

Just like the Google Search or OpenAI bot will crawl your website eventually if you are getting traffic and backlinks, so will one of these signup bots, especially if your website has properties that whoever is conducting the attack finds desirable.

Spambots are used for a variety of reasons, the most nefarious being "list bombing" attacks. This is where an identity thief or hacker attempts to overwhelm a victim's email inbox with thousands of email newsletters so they miss an important email from their financial institution notifying them of a password change.

Ok, so how do I stop spam bots from submitting bad emails on signup forms?

By default, many form builders and email marketing platforms (like Audienceful) will block activity from certain spam email addresses/IPs. However, if you're building custom coded forms or getting hit by a particularly sophisticated attack, you may need extra protection. Bot scripts are constantly evolving to evade common detection methods.

Luckily, this problem is almost as old as the internet, so there are many solutions. Here's what we recommend:

1. Use our Form Builder (Free)

Our Embed form builder and Popup form builder both come with enterprise grade bot protection included for free. You don't even need a paid account to take advantage.

When implementing forms using our form builder, you'll automatically be asked to add some JavaScript to your website (Audienceful.js) which blocks bots from accessing your forms by default.

2. Add a honeypot field

A honeypot is a form field that is invisible to humans, but not to bots. So if any data is added to the honeypot, you know it was added by a bot and the signup is rejected. If you're using our Form builder, we include a honeypot by default.

However, if you're coding your own HTML forms (or integrating Webflow or Framer native forms), you can still take advantage of our honeypot.

Make sure this field is included in your forms; here are guides for adding it to custom Webflow forms or hand-coded HTML forms. We absolutely recommend doing this even if you've never been targeted by a bot attack, since it has zero effect on user experience.
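For a hand-coded form, the honeypot has two halves: the hidden field in the markup and the server-side check that rejects any submission where it is filled. The sketch below is an added example, not Audienceful's own code; the field name company_website and the function screenSignup are hypothetical, and the "field missing" rejection is an extra check that assumes every form on your site renders the field.

```javascript
// Added example. The field name is hypothetical; if you use a platform's
// honeypot, take the field name from that platform's guide instead.
const HONEYPOT_FIELD = "company_website";

// Markup for the trap field: moved off-screen with CSS rather than using
// type="hidden" (which a bot can trivially skip), taken out of the tab order
// and hidden from screen readers, with autofill disabled so real visitors'
// browsers do not populate it.
const HONEYPOT_HTML = `
<div style="position:absolute; left:-9999px;" aria-hidden="true">
  <label for="${HONEYPOT_FIELD}">Leave this field empty</label>
  <input type="text" id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}"
         tabindex="-1" autocomplete="off">
</div>`;

// Server-side check on a URL-encoded POST body. Return the same success page
// to the client in every case; only the subscribe decision differs.
function screenSignup(rawBody) {
  const form = new URLSearchParams(rawBody);
  const email = (form.get("email") || "").trim();
  const trap = form.get(HONEYPOT_FIELD);
  if (trap === null) {
    // A browser submits empty text inputs, so a missing field means the
    // request was not produced by the rendered form.
    return { subscribe: false, reason: "honeypot-missing" };
  }
  if (trap.trim() !== "") {
    return { subscribe: false, reason: "honeypot-filled" };
  }
  if (!email) return { subscribe: false, reason: "no-email" };
  return { subscribe: true, reason: "ok", email };
}
```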

3. Add a CAPTCHA/reCAPTCHA

A honeypot and our passive filtering will stop the most common kinds of bots. However, in the case of a particularly nasty one, the next step is to implement a CAPTCHA on your forms. This reveals whether the visitor to your website is an actual human, using either passive signals or active methods like a puzzle. Here are the best options:

  • Google reCAPTCHA can be integrated into your site for free, and has two options. reCAPTCHA v2 presents a checkbox and additionally a puzzle if needed. reCAPTCHA v3 uses entirely passive or "invisible" signals to prevent bots and doesn't interrupt the user at all if they are determined to be low risk.
  • Cloudflare Turnstile is another free option, similar to Google's ReCAPTCHA v2 but with more generous free tier limits.
  • HCaptcha offers the physical checkbox for free and additionally has a "99.9% Passive" option like ReCAPTCHA v3 for monthly pricing. It is also GDPR compliant.

While this can slightly degrade user-experience (in the case of an active puzzle), you can be sure your signups are authentic this way.

4. Add Cloudflare to your website

If you'd prefer not to add a CAPTCHA to your forms, you can prevent bad bots from crawling your site altogether by adding a free service like Cloudflare. This significantly cuts down on the ability of hackers to visit your website via automated methods, and thus provides cover for all of your forms similar to what a CAPTCHA would.

5. Use an email list verifier

One way to identify bad emails on your list without sending to them is through Email Verification. This can help clean an email list that's already been hit by a bot attack, and also can help your deliverability overall.

Audienceful is one of the few Email Marketing Platforms that comes with email verification built-in (instead of requiring an additional paid service). It's turned on by default with any paid plan and does the following checks on your email signups:

  • MX records: Ensures the email address can actually receive mail
  • Regex / Syntax: Ensures the email address does not follow certain known suspicious patterns.
  • Disposable domains: blocks the email if it's from a disposable email generator tool.
  • Spamtraps: runs the email against a list of known spamtraps.

That said, if you are really concerned about the integrity of your email list (say you've gotten a lot of suspicious signups from public gmail accounts — which Google does not allow verification on), you can take it a step further.

While expensive, certain B2B sales and Anti-Fraud tools go beyond email verification to tie 3rd party data sources together (e.g. the presence of social accounts associated with the email) to ensure it belongs to a real person. For this, we'd recommend Hunter.io and their Bulk Verifier service; Apollo and RocketReach are also options.

6. Enable Double Opt-in (but not by itself)

Double opt-in requires new signups to click a link in an email before they are subscribed to your list. This is a strong deterrent against bots, since most bots aren't sophisticated enough to do this (...but some are!).

It's also a great way to ensure only high quality emails are entering your list, as it helps prevent typos, bounces, invalid emails, and low engagement subscribers. Here's how to enable double opt-in on your forms.

However, beware of using double opt-in by itself without another protection method as a first line of defense. If your form is successfully hit by a bot, the double opt-in emails themselves can harm deliverability if sent to thousands of fake email addresses.

How to tell if your forms have been hit by bots

If you implement some of the methods above, you'll be all set for the future.

Still worried you may have been hit in the past? Here are a few of the common tells that some signups aren't legitimate:

  • A large volume of signups in a short period (up to thousands per minute!) with no idea where they are coming from (e.g. you didn't go viral).
  • Gibberish info being added to non-email fields. Often these bots will automatically add data into any field in case it is required for submission.
  • Suspicious syntax email addresses that seem to be coming in random clusters. Note: not all of these might be bots, as many mail privacy services from big tech companies (like Apple) auto-generate random addresses these days.
  • Sudden increase in bounce rates or decreased opens. If you've noticed a dramatic difference in your metrics recently, make sure that a bot attack is not the culprit.
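The first two tells can be checked mechanically against an export of your signups. The following is an added example, not part of the original article or of Audienceful's tooling; the record fields (ts, email, name), the thresholds and the sample data are all assumptions constructed for illustration.

```javascript
// Added example. Record fields (ts, email, name) and thresholds are assumptions.
const VOWELS = new Set("aeiouy");

// Heuristic: a long alphabetic string with almost no vowels or a long consonant
// run. It will misfire on some real names, so use it to rank, not to auto-delete.
function looksLikeGibberish(text) {
  const letters = (text || "").toLowerCase().replace(/[^a-z]/g, "");
  if (letters.length < 6) return false;
  let vowels = 0, run = 0, longestRun = 0;
  for (const ch of letters) {
    if (VOWELS.has(ch)) { vowels++; run = 0; }
    else { run++; longestRun = Math.max(longestRun, run); }
  }
  return vowels / letters.length < 0.1 || longestRun >= 5;
}

// UTC minute bucket for a timestamp, e.g. "2025-01-02T10:07".
const minuteOf = (ts) => new Date(ts).toISOString().slice(0, 16);

// Count signups per minute and return the minutes at or above the threshold.
function findBursts(records, threshold) {
  const perMinute = new Map();
  for (const r of records) perMinute.set(minuteOf(r.ts), (perMinute.get(minuteOf(r.ts)) || 0) + 1);
  return [...perMinute].filter(([, n]) => n >= threshold).map(([m]) => m).sort();
}

// Flag records that fall in a burst minute or carry gibberish in a non-email field.
function triage(records, threshold = 30) {
  const bursts = new Set(findBursts(records, threshold));
  return records.filter((r) => bursts.has(minuteOf(r.ts)) || looksLikeGibberish(r.name));
}

// Constructed sample: three organic signups plus a 40-signup burst in one minute.
const SAMPLE = [
  { ts: "2025-01-02T09:58:12Z", email: "ana@example.com", name: "Ana Ruiz" },
  { ts: "2025-01-02T10:03:40Z", email: "li.wei@example.org", name: "Li Wei" },
  { ts: "2025-01-02T10:21:05Z", email: "sam@example.com", name: "Sam Okafor" },
  ...Array.from({ length: 40 }, (_, i) => ({
    ts: `2025-01-02T10:07:${String(i).padStart(2, "0")}Z`,
    email: `xk${i}qz@example.net`,
    name: "qwrtplkjhgfd",
  })),
];

console.log(findBursts(SAMPLE, 30), triage(SAMPLE).length);
```

Flagged records are candidates for review or re-verification, not proof of a bot; tune the burst threshold to your normal signup rate.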

If you're still unsure, feel free to hit up support@audienceful.com and we can do some investigating for you.


Updated:
January 2, 2025
Published via Audienceful