Form Spam Flooding: Causes and Countermeasures

It is an annoying aspect of website ownership that any website with a publicly accessible form experiences floods of spam submissions from time to time. The content of these submissions ranges from gibberish to coherent text.

Is it a security breach? 
No. “Security breach” implies a malicious user has gained access to your website hosting account, code, or database, none of which are likely or necessary for creating form spam. Instead, the web hosting account, code, and database remain uncompromised while one or more malicious visitors flood your forms with submissions, using the same public access that lets any visitor submit your forms. It is usually done with an automated “bot” pretending to be a website visitor, so little recurring effort is required by an actual person.

Possible Causes
Reasons for this type of form spam flooding include: 

Vandalism: It could simply be mischievous fun by a young hacker, a form of digital vandalism. 
Spam Filter Poisoning: It could be a form of “poisoning” of the Bayesian filtering mechanisms common in spam filters. In this line of thinking, hackers and spammers blanket millions of websites every day with floods of gibberish in hopes it decreases the effectiveness of spam filters worldwide. 
Website Security Weakness Probing: These submissions sometimes attempt to include additional form field keys or specially designed field data to probe for security weaknesses in the form validation or form saving logic. 
Spam Email Weakness Probing: These submissions sometimes attempt to submit specially designed form data in a way that allows the submitter to add extra recipients to form-driven notification emails. 
SEO Backlink Weakness Probing: It could be spammers who later search for the gibberish they submit to identify websites that directly post form-submitted data to the internet. These forms are then used to submit SEO backlinks and other content spam. 
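
A server-side check for the patterns named in the "Website Security Weakness Probing" and "Spam Email Weakness Probing" items above, as an added example that is not part of the original article and is not Sitecore code. The field names, the EXPECTED_FIELDS allowlist and the sample submissions are assumptions constructed for illustration.

```python
import re

# Assumed form definition: the only keys this form is allowed to post.
EXPECTED_FIELDS = {"name", "email", "message"}

# Fields that end up in a single line of a notification email.
SINGLE_LINE_FIELDS = ("name", "email")

# Exactly one address: no whitespace, separators, quotes or angle brackets.
SINGLE_ADDRESS = re.compile(r'[^@\s,;<>"]+@[^@\s,;<>"]+\.[^@\s,;<>"]+')


def probing_signals(form):
    """Return the reasons a submission looks like a probe (empty list = clean)."""
    signals = []

    # Keys the form never rendered suggest someone is testing the save logic.
    extra = sorted(set(form) - EXPECTED_FIELDS)
    if extra:
        signals.append("unexpected field keys: " + ", ".join(extra))

    # A line break in a single-line field is how extra mail headers get added.
    for key in SINGLE_LINE_FIELDS:
        if re.search(r"[\r\n]", form.get(key, "")):
            signals.append("line break in single-line field: " + key)

    # Comma- or semicolon-separated lists fail the single-address match.
    if not SINGLE_ADDRESS.fullmatch(form.get("email", "")):
        signals.append("email is not exactly one address")

    return signals


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    samples = [
        {"name": "Ann", "email": "ann@example.com", "message": "Hello"},
        {"name": "x", "email": "a@example.com", "message": "y", "isAdmin": "true"},
        {"name": "x", "email": "a@example.com, b@example.com", "message": "y"},
        {"name": "x", "email": "a@example.com\r\nBcc: b@example.com", "message": "y"},
    ]
    for sample in samples:
        print(probing_signals(sample) or "clean")
```

Submissions that return any signal can be rejected and logged, which also gives you the source IP addresses needed for the manual blocking described later.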

Possible Countermeasures 
With a bit of effort, an experienced developer can reduce the chance of form spam submissions on your website. Let’s use Sitecore 9 Forms as an example. Possible countermeasures against this type of form spam, each of which decreases the rate of spam submissions, include:

Honeypots: A honeypot is a very simple yet effective way of preventing form spam. For Sitecore 9 Forms, a custom form element can be built and added to the Forms interface, so a content editor can easily add it to any form. Creating a view containing a hidden text field along with some validation (rejecting any submission in which the hidden field has been filled in), then dropping that into a form, will prevent most spam bots from submitting.
CAPTCHAs: This method is a bit more reliable than using a honeypot. As with a honeypot, building out a custom form element with the necessary JavaScript and HTML is the ideal way to implement this in Sitecore 9 Forms. It will allow editors to easily drag-and-drop a Google reCAPTCHA onto any form. Google reCAPTCHA relies on visual tests to verify that the visitor is human and not some nefarious bot. Once the reCAPTCHA test is implemented on the webpage, a unique code is generated in the DOM, which can be sent to Google’s friendly API for verification. Keep in mind that one downside to CAPTCHAs is that some of your visitors are forced to fill out an extra form field or challenge, so we recommend including them on forms only when necessary.
Automated IP Blacklisting: You may implement a form “IP blacklist,” usually requiring you to sign up with a free IP blacklist service, which has the goal of analyzing the IP addresses of each visitor and automatically blocking those known to be associated with high amounts of spam submissions across the internet. False positives are possible with this type of system, but it is an effective shield against common spammer IPs and can be implemented with custom server-side logic in Sitecore. 
Manual IP Blacklisting: If you find in your web hosting or network security logs that one or more IP addresses are submitting the spam, you could block those IP addresses at the web hosting firewall or network security levels. 
Time Gating: You may implement time gating of submissions from the same IP through the same form so they can’t submit many times in a short period. If the timing is not well-tuned, this can sometimes annoy real human visitors, but it’s an effective buffer against flooding when tuned well. This is possible with custom server-side logic for Sitecore websites.
Improved Validation: Always be sure to validate and encode submitted data safely before saving or using it, such as HTML encoding submitted data before rendering it into HTML output. 
Verify User-Submitted Recipients: Avoid using email addresses supplied by the form submitter as recipients for notification emails, since the submitter could enter anyone’s email address or possibly even a comma-separated or semicolon-separated list of 100 email addresses. Create double opt-in mechanisms that require the email address owner to verify they receive an opt-in email before sending any further email notifications to email addresses submitted through forms. 
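
The honeypot and time-gating checks described in the list above, as an added framework-neutral example (not Sitecore code and not from the original article). The hidden field name "website", the limit of 3 submissions per 60 seconds and the in-memory store are assumptions.

```python
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "website"  # assumed name of the hidden text field
MAX_SUBMISSIONS = 3         # assumed limit per IP and form ...
WINDOW_SECONDS = 60         # ... inside this sliding window


class SubmissionGate:
    """Decides whether a form post is accepted. State is in memory only,
    so several web servers would need a shared store instead."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._recent = defaultdict(deque)  # (ip, form_id) -> accept times

    def check(self, ip, form_id, fields):
        """Return 'accept', 'honeypot' or 'rate_limited'."""
        # Visitors never see the hidden field, so any value in it marks a bot.
        if fields.get(HONEYPOT_FIELD, "").strip():
            return "honeypot"

        now = self._clock()
        stamps = self._recent[(ip, form_id)]
        # Drop timestamps that have aged out of the window.
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()
        if len(stamps) >= MAX_SUBMISSIONS:
            return "rate_limited"
        stamps.append(now)
        return "accept"


if __name__ == "__main__":
    # Constructed submissions driven by a fake clock so the run is repeatable.
    fake_now = [0.0]
    gate = SubmissionGate(clock=lambda: fake_now[0])
    human = {"name": "Ann", "message": "Hello", "website": ""}
    bot = {"name": "x", "message": "y", "website": "http://spam.example"}
    print(gate.check("203.0.113.5", "contact", bot))
    for second in (1, 2, 3, 4, 61.5):
        fake_now[0] = second
        print(second, gate.check("198.51.100.7", "contact", human))
```

Tuning MAX_SUBMISSIONS and WINDOW_SECONDS is the trade-off the Time Gating item describes: too strict and a real visitor who corrects and resubmits a form gets blocked.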

We hope this helps you understand some of the causes and countermeasures for annoying form spam.  

Need help implementing countermeasures to attack form spam on your Sitecore site? Give us a shout! 

 
