All Collections
How to prevent bots from spamming your sign up forms
How to prevent bots from spamming your sign up forms

Here are some ways you can prevent bots from spamming your forms or signing up with fake emails.

Support Team avatar
Written by Support Team
Updated over a week ago

Unfortunately, if you send or receive email, gather email addresses or have anything to do with email at all, then you know about spam. Spam is a consistently frustrating issue, particularly for business owners and email marketers.

Likely you're interested in consistently gaining more subscribers or contacts to help your business grow and one way to do this effectively is to have a signup form on your website. If you don't have a form you should definitely make sure you add one for gathering information about people interested in your product or service. What you'll need to plan for however is that you're going to also get fake or spam signups as well, possibly lots of them and these can really complicate your marketing campaigns.

Part of the challenge is keeping your forms protected in a way that doesn't get too complicated so that regular users can still enter their information with relative ease. Here are some ways you can prevent bots or other spam sign ups and keep your forms working properly for legitimate new contacts.

What is a spambot? How do I stop them?

Just to clear this up,  a spambot is a malicious program designed to gathered email addresses and information from online sources like forms, chat rooms and websites. This information is usually gathered in order to build lists for sending an unsolicited email - spam.


You've almost certainly already encountered a CAPTCHA. If you've had to try and interpret some distorted letters or numbers and submit them then you've filled out a CAPTCHA. You'll still find some forms that require this, but fortunately, this step has been simplified a lot to make it easier on humans. Basically, you're putting intelligent programming in place to allow people to check a box that confirms they are a living breathing person. This is easy for humans, but difficult for bots to do. You can implement this protective step for free, as this service is provided by reCAPTCHA.

Use a double opt-in form

Along with your CAPTCHA, or certainly, if you have no other means for protecting your form, and as a generally good way to build a solid list of quality email, you'll want to be using a double opt-in process for confirming sign-ups. This means that when someone enters an email address into your form, you're sending an automatic confirmation link to that email address. The user needs to go to their inbox, open the email and click the link to verify that their email is real and so are they. A bot is very unlikely to do this step and any signups that don't complete this should not be added to your list.

Add a test question to your form

Elastic Email provides you with a double opt-in web form you can easily add to your website or landing pages for gathering new sign-ups. You have an option to customize this form in a variety of ways and this includes adding additional HTML which you'll copy and paste into your website page.

You may consider adding a simple question to the form that all humans will know the answer to but that will be difficult for bots.  Here is an example:

Email address: <input id=email><br>
A panda is black and <br>
<input type=submit>

This way you know it's a bot if the input is not the word "white" and can delete the submission. Of course, you need to consider carefully the question you use, it needs to be something everyone will know the answer to in order to avoid any frustration for your potential subscribers.

Add an unseen extra field or honey-pot

A honey-pot in terms of form submissions means that you're setting up an extra field that bots will see and fill out, but that your real human users won't. It's basically a behind the scenes filtering step that protects your forms without adding any additional steps for the real people trying to join your lists.

You can implement this by adding HTML and specifically styling it out using CSS. It's true that some sophisticated bots can now read CSS and Javascript, but this is still an effective method and worth considering if you've got some basic programming skills. Here is a simple example:


.dispnon{display: none}


<input class="dispnon" name="field_name" type="text">

This gives you the basic idea - you'll want to make sure whatever field you've implemented as a honey-pot is not displayed on your actual form. If you get data that includes hidden information, you know it's a bot sign up. There are a variety of ways to do this and the code can be simple or more complex, an internet search can provide more examples if it's something you want to explore further.

Block Comment Spam

There are a few ways to specifically block comment spam and they can include changing the file names of standard URLs or moving your form pages from time to time. Another easy service to implement is Akismet. This service is designed to filter out comment spam and is implemented by using an API to activate their plugin.

Spam signups can mess up your lists

If you're not currently convinced that it's important to prevent spambot signups or you're worried that adding an extra step to your form will stop people from adding their email to your contact lists, let's consider the alternative.

If you don't prevent (at least the majority) of spam signups then you've compromised the integrity of your entire email marketing program. If your list is comprised of a mix of legitimate and invalid or fake email addresses then you're setting yourself up for a frustrating outcome the next time you go to send an email campaign.

Not only will you potentially damage your sender reputation by racking up a high invalid email count, but you'll make it harder for mail to reach the real people who actually wanted to get your messages. Recipient servers start to filter or reject mail from domains that send too many emails to bad addresses.

Protect your forms

Spam (sadly) is not going anywhere anytime soon, so take the time to implement one or more of these ideas and you'll save time and effort in the long run. A combination of different methods will be the most powerful, but even a single reCAPTACHA checkbox can help you prevent spambots without complicating your sign up process.

Did this answer your question?