Anti-Spam Strategies for Web Forms

In order to reduce spam leads, it is highly recommended to use one, or a combination, of the following strategies on your web forms.

Jump to: Hidden Fields | reCAPTCHA | Spam Filter Services

Use a Hidden Field to Trick Spam Bots

Spam bots generally process HTML and not CSS or JS. Thus, we can add an extra form input and use CSS or JS to hide the input. In legitimate use cases, users should not see this hidden input, so the value should be empty. However, spam bots might fill up the input with junk data. When we detect a non-empty value for the hidden field, we can flag the web lead as a spam.

In the following example, in normal use cases, the 'comment' field should be empty. However, a spam bot might be tricked to fill it with spam message.

<meta charset=utf-8>
<title>Web Lead Form</title>
#comment { display: none; }
<label>Email address: <input name="email" type="text"></label>
<input id="comment" name="comment" type="text">
<input type=submit value=submit>
<script src=script.js></script>


reCAPTCHA from Google can help make sure it is actual a human that submits a web lead form and not a robot. There are different reCAPTCHA options you can apply to your site; we recommend the Invisible reCAPTCHA option which acts like a lock and a key. InTouch can enable a "lock" on your site that only "opens" (i.e. creates the new lead) when your web form sends the right key with the lead. You create the keys through Google and add their code to your webform.

To complete an Invisible reCAPTCHA setup, InTouch will need to enable reCAPTCHA on your InTouch site(s). After you have registered your domains and keys through Google, add the reCAPTCHA code to your webform and contact Support with the following:

  1. The InTouch sites to which you would like reCAPTCHA applied
  2. Your reCAPTCHA Site Key
  3. Your reCAPTCHA Secret Key
  4. Your website domain names (you can register multiple domains under the same key)

The following example uses Invisible reCAPTCHA

form id="web-lead-form">
<input name="g-recaptcha-response" type="hidden" id="g-recaptcha-response">
<script src=''></script>
<script type="text/javascript">
function onWebLeadFormSubmit(token) {
document.getElementById("g-recaptcha-response").setAttribute("value", token);

On the server (InTouch) end, we can then use g-recaptcha-response to verify with Google that the form submission actually passes a CAPTCHA challenge first.

Use a Spam Filter Service

Akismet is originally designed to help bloggers filter out comment spam. However, it is possible to use the service to detect web lead form spam as well.