Allen Jones

Posted on • Originally published at formgrid.dev

Why Your Contact Form Is Getting Spam (And How to Stop It)

You built a contact form, published it on your website, and started waiting for enquiries. Then one day, your inbox delivers something unexpected: a wall of foreign text, a string of suspicious links, and a name that does not match any real person you have ever heard of.

This is contact form spam, and if you have a public-facing form on the internet, it is only a matter of time before it finds you.

In this post, we will explain exactly what contact form spam is, how bots find your form in the first place, what the real-world consequences of ignoring it are, and most importantly, how to stop the overwhelming majority of it using Formgrid's built-in security tools.


What Is Contact Form Spam?

Contact form spam is the practice of using automated software, commonly referred to as bots, to submit unsolicited and irrelevant content through web-based contact forms. Unlike email spam, which arrives directly in your inbox from an external mail server, contact form spam is generated by a bot that visits your website, locates your form, fills it out programmatically, and submits it just like a real user would.

The content of these submissions varies widely. Some are promotional, some are gibberish, and some are loaded with links pointing to external websites. What they all have in common is that they are not genuine enquiries from real people. There is no human on the other end waiting for your reply.

Here is a real example of a spam submission received through a contact form:



Name: DannyNef

Email: guerfupe@mail.ru

Message: Автоматы газированной воды серии «АТЛАНТИКА» АП-60, АП-100 https://vendavtomat.ru/... Автоматы газированной воды «АТЛАНТИКА»: А-150 Эконом https://vendavtomat.ru/... Редуктор углекислотный https://vendavtomat.ru/...

[Translation: Carbonated water vending machines of the «ATLANTIKA» series, AP-60, AP-100 https://vendavtomat.ru/... «ATLANTIKA» carbonated water machines: A-150 Econom https://vendavtomat.ru/... Carbon dioxide regulator https://vendavtomat.ru/...]

At first glance, this might look confusing or even alarming. But once you understand what is happening, it becomes much easier to deal with.

Let us break it down:

The name "DannyNef" is not a real person. It is a randomly generated or recycled name used by the bot to fill in the required name field. It bears no relation to the actual operator behind the spam campaign.

The email "guerfupe@mail.ru" is a throwaway address. mail.ru is a Russian webmail provider, and the meaningless string before the @ symbol is a strong sign that the address was generated automatically. Bear in mind that a contact form does not verify that the sender controls the address they typed, so any email address in a submission is a claim, not a fact.

The message itself is a block of Russian promotional text interspersed with URLs pointing to a vending machine supplier website. The text talks about carbonated water machines, product dimensions, and the history of the company. None of it is directed at you or your business. It was not written for you. It was assembled by a bot and blasted across thousands of contact forms automatically.

The phone number "88254351266" (from a phone field that the excerpt above omits) follows the Russian format, eleven digits beginning with 8, and is almost certainly fake or belongs to an unrelated party.

A submission like this does not mean your website has been compromised. The bot has not exploited anything, stolen your data, or gained access to your systems; it has simply used the form the way it was built to be used. Two caveats still apply. First, treat the contents as untrusted input: do not click the links (they can lead to phishing pages or malware just as easily as to a vending machine catalogue), and do not let the submitted text flow unescaped into emails, dashboards or CRM records. Second, it is a sign that your form has no protection in place, and that will have consequences over time.
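The breakdown above is the kind of judgement a reviewer makes by eye. The following is an added example, not Formgrid's code, that turns the same signals (links in the message, the script the text is written in, a generated-looking name) into a score. The weights, the threshold and the genuine enquiry used for comparison are assumptions; the spam input is the sample quoted above.

```javascript
// Added example, not Formgrid's code: content heuristics that score a
// submission on the same signals the breakdown above uses. Weights and the
// threshold are assumptions; tune them to your own traffic.

const URL_RE = /https?:\/\/[^\s<>"']+/gi;

function scoreSubmission(sub) {
  const reasons = [];
  let score = 0;
  const text = sub.message || '';

  // Links: a genuine first enquiry rarely carries any; spam usually carries several.
  const urls = text.match(URL_RE) || [];
  if (urls.length > 0) {
    score += Math.min(urls.length, 3);
    reasons.push(`${urls.length} link(s) in message`);
  }

  // Script: share of letters outside the Latin alphabet. Lower this weight
  // (or drop the check) if you do business in other scripts.
  const letters = text.match(/\p{L}/gu) || [];
  const nonLatin = letters.filter((c) => !/\p{Script=Latin}/u.test(c)).length;
  if (letters.length > 20 && nonLatin / letters.length > 0.5) {
    score += 2;
    reasons.push('message mostly in a non-Latin script');
  }

  // Name: a single token with a capital letter in the middle ("DannyNef"),
  // a pattern common in generated names. Heuristic, weak on its own.
  if (/^[A-Z][a-z]+[A-Z][a-z]+$/.test(sub.name || '')) {
    score += 1;
    reasons.push('name looks generated');
  }

  return { spam: score >= 3, score, reasons };
}

// Constructed inputs: the spam sample quoted above and an invented genuine enquiry.
function demoScores() {
  const spam = scoreSubmission({
    name: 'DannyNef',
    email: 'guerfupe@mail.ru',
    message:
      'Автоматы газированной воды серии «АТЛАНТИКА» АП-60, АП-100 https://vendavtomat.ru/... ' +
      'Автоматы газированной воды «АТЛАНТИКА»: А-150 Эконом https://vendavtomat.ru/... ' +
      'Редуктор углекислотный https://vendavtomat.ru/...',
  });
  const legit = scoreSubmission({
    name: 'Priya Shah',
    email: 'priya@example.com',
    message: 'Hi, I saw your pricing page and would like a quote for 50 seats. Could we set up a call next week?',
  });
  return { spam, legit };
}
```

The spam sample scores on all three signals and is flagged; the invented enquiry scores zero. The email address is deliberately not scored: mail.ru is a legitimate provider with real users, and a gibberish local part is too easy to mistake for an unusual real name. Run checks like this on the server that receives the submission, never only in the browser, since a bot that POSTs directly never executes your page's JavaScript.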


How Do Bots Find Your Form in the First Place?

This is one of the most common questions people ask when they receive their first spam submission. You may not have shared your form widely. Your website may be relatively new. So how did a bot find it?

The answer is that bots do not need to be directed to your website specifically. They operate at scale across the entire internet, and they use several methods to discover unprotected forms automatically.

Search engine indexing:

Search engines like Google and Bing constantly crawl the web, following links from page to page and indexing content. When your website appears in search results, even for very obscure or low-traffic queries, it becomes discoverable. Bots can use the same public search infrastructure to find pages that contain contact forms, typically by querying for footprints such as "Contact us" in page titles or "contact" in URLs and then fetching every result.

Web crawling:

Many spam bots run their own crawlers that systematically visit websites and scan the page source code for form elements. They do not need to read your content or understand what your business does. They are simply looking for form fields and a submit button. Once found, the form is added to a queue and submitted automatically.

Link harvesting:

If your website is linked to from another website, a directory, a social media profile, or any other publicly accessible page, a bot that crawls those sources can follow the link to your site and discover your form.

Data brokers and leaked lists:

Some spammers purchase or obtain lists of URLs known to contain contact forms. These lists are compiled over time and shared or sold within spam networks. Once your URL ends up on one of these lists, it can be repeatedly submitted to by multiple different bots.

Form endpoint scanning:

More sophisticated bots do not render your website at all. They find the form's submission endpoint, from your page source, from a shared list, or by probing common paths, and POST data straight to it, bypassing anything that runs in the browser. Domain restrictions, which we will cover later, filter out the laziest of these, but because a script can set any Origin or Referer header it likes they are a filter rather than a wall; CAPTCHA verification and rate limiting still have to do the real work against this class of bot.

The key takeaway is that no website is too small, too new, or too obscure to be targeted. Bots are not selective. They are automated, indiscriminate, and operating at a scale that means your form will eventually be discovered, regardless of how little traffic your website receives.


What Happens If You Ignore Contact Form Spam?

Receiving one or two spam submissions a month might feel like a minor annoyance, and in isolation, it is. But ignoring contact form spam entirely and taking no steps to protect your forms can lead to a range of problems that compound over time.

Inbox clutter and missed enquiries:

The most immediate consequence is practical. As spam volume increases, your inbox becomes harder to manage. Real enquiries from genuine customers or clients get buried among spam submissions. In a busy period, it is entirely possible to overlook a legitimate message because it was sandwiched between bot submissions. For a small business, a single missed enquiry could represent a lost client or a missed opportunity.

Wasted time:

Even if you never miss a real message, reviewing and deleting spam submissions takes time. If you receive dozens per week, that time adds up. It is time that could be spent on actual work.

Skewed analytics and data:

If you use your form submissions to inform decisions, for example, tracking how many enquiries you receive per week or what topics people are asking about, spam submissions will distort that data. Your numbers will be inflated with junk, making it harder to draw accurate conclusions.

Reputational risk from scraped email addresses:

When a bot submits your form, it often also scrapes any publicly visible email addresses on the same page. If your contact email is visible on your website, it may be harvested and added to spam lists, leading to an increase in email spam in your inbox as well.

Server load and rate abuse:

High-volume bot attacks can submit your form hundreds or thousands of times in a short period. Depending on your hosting setup, this can put unnecessary load on your server, slow down your website, or, in extreme cases, trigger resource limits that affect your site's availability.

Data pollution in your CRM or connected tools:

If your Formgrid forms are connected to a CRM, email marketing tool, or internal database via integrations or webhooks, spam submissions may be passed through to those systems as well. This can pollute your contact lists with fake entries, trigger automated email sequences to non-existent addresses, and harm your email sender reputation over time.

None of these outcomes is inevitable if you act early. The good news is that Formgrid gives you everything you need to protect your forms before any of these problems take hold.


How to Protect Your Formgrid Forms: A Step-by-Step Guide

Formgrid.dev includes a dedicated Security Settings section for every form, available on all plans, including the free plan. Enabling protection takes less than two minutes and requires no technical knowledge.

Here is exactly how to do it.

Step 1: Log In to Your Formgrid Account

Navigate to Formgrid.dev and log in with your credentials. You will land on your dashboard, where all your forms are listed.



Step 2: Open the Form You Want to Protect

Click on the form you want to secure. This will take you to the Form Details page, where you can manage everything related to that specific form.



Step 3: Navigate to the Settings Tab

At the top of the Form Details page, you will see a row of tabs. Click on the Settings tab to open the form's configuration options.



Step 4: Scroll Down to the Security Settings Section

Within the Settings tab, scroll down until you reach the Security Settings section. This is where all of Formgrid's spam and abuse protection tools are located.



You will see the following options:

Enable CAPTCHA:

Adds a Google reCAPTCHA "I'm not a robot" verification step to your form. When enabled, anyone submitting your form will need to complete the CAPTCHA challenge before their submission goes through. Real human users can do this easily. Most automated bots cannot, which stops the majority of spam submissions before they ever reach your inbox. CAPTCHA-solving services and browser-automation tools do exist, so a determined operator can get through; think of it as the single biggest reduction in volume rather than a guarantee, and pair it with the other layers below.

Enable Honeypot:

Adds an extra field to your form that real users never see. It is typically hidden with styling rather than declared as a hidden input, so a script reading the page source cannot tell it apart from a genuine field. A bot that fills in every field it can find also fills in the honeypot, and Formgrid discards any submission in which it contains a value. Legitimate users never see or interact with the field, so it has no impact on their experience. Two caveats: a bot that only fills in well-known field names (name, email, message) and POSTs directly will not trip it, and if the honeypot lives in markup you control, make sure screen readers skip it and browser autofill cannot populate it, or you will silently drop real submissions.

Allowed Domains (CORS):

Lets you list the domains that are permitted to submit data to your form. If your form is embedded on a specific website, enter that domain here; submissions whose origin does not match are rejected. This stops other sites from embedding your endpoint and catches crude scripts that send no origin at all. Be clear about what it cannot do: CORS is enforced by browsers, and the Origin and Referer headers are supplied by the client, so a script that sets them to your domain is not affected. Treat Allowed Domains as a filter that removes low-effort traffic, not as access control.

Rate Limiting:

Sets a maximum number of submissions allowed per IP address per minute. This prevents any single source from flooding your form with repeated submissions in a short period. If you expect normal users to submit your form occasionally, a limit of 3 to 5 submissions per minute per IP is a reasonable starting point. Bear in mind that many genuine users share one public IP (office networks, mobile carriers), so a very low limit can block real enquiries, while a botnet spread across many addresses stays under any per-IP limit. Rate limiting is for floods, not for the slow drip.
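To make the three server-side options concrete, here is an added example, not Formgrid's code, of the checks a form backend runs on each submission before accepting it: a honeypot test, an Allowed Domains comparison on the Origin header, and a per-IP sliding-window rate limit. The hidden field name, the allowed domain, the IP addresses, the limits and all the sample traffic are assumptions constructed for the demonstration. The sample traffic includes a direct POST that forges its Origin header, to show why the domain check is a filter and not access control.

```javascript
// Added example, not Formgrid's code: the three server-side checks behind the
// Honeypot, Allowed Domains and Rate Limiting options. All names, domains,
// limits and requests below are assumptions chosen for the demonstration.

const HONEYPOT_FIELD = 'website'; // assumed name of the hidden field

// Honeypot: a human never sees the field, so any value means a script filled it.
function checkHoneypot(fields) {
  const value = (fields[HONEYPOT_FIELD] || '').trim();
  return value === '' ? null : 'honeypot filled';
}

// Allowed Domains: compare the request's Origin (or Referer) host with the list.
// The header is client-supplied, so this is a filter, not authentication.
function checkOrigin(headers, allowedDomains) {
  if (allowedDomains.length === 0) return null; // option not configured
  const raw = headers.origin || headers.referer;
  if (!raw) return 'missing Origin/Referer';
  let host;
  try {
    host = new URL(raw).hostname.toLowerCase();
  } catch {
    return 'malformed Origin/Referer';
  }
  const allowed = allowedDomains.some((d) => host === d || host.endsWith('.' + d));
  return allowed ? null : `origin ${host} not allowed`;
}

// Rate limiting: sliding window of submission timestamps per IP address.
class RateLimiter {
  constructor(maxPerWindow, windowMs) {
    this.max = maxPerWindow;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> [timestamps]
  }
  check(ip, now = Date.now()) {
    const recent = (this.hits.get(ip) || []).filter((t) => now - t < this.windowMs);
    recent.push(now); // rejected attempts count too, so a flood cannot reset itself
    this.hits.set(ip, recent);
    return recent.length > this.max ? 'rate limited' : null;
  }
}

function evaluate(req, config, limiter, now) {
  const reasons = [
    checkHoneypot(req.fields),
    checkOrigin(req.headers, config.allowedDomains),
    limiter.check(req.ip, now),
  ].filter(Boolean);
  return { accepted: reasons.length === 0, reasons };
}

// Constructed sample traffic, not real submissions.
function demo() {
  const config = { allowedDomains: ['example.com'] };
  const limiter = new RateLimiter(3, 60 * 1000); // 3 per minute per IP
  const allowedOrigin = { origin: 'https://example.com' };
  const clean = { name: 'Priya Shah', email: 'priya@example.com', message: 'Could we set up a call?', website: '' };

  // A real visitor: browser sets Origin, honeypot left empty.
  const legit = evaluate({ ip: '203.0.113.10', headers: allowedOrigin, fields: clean }, config, limiter, 0);

  // Headless-browser bot that filled every field it saw, honeypot included.
  const bot = evaluate(
    { ip: '198.51.100.7', headers: allowedOrigin,
      fields: { name: 'DannyNef', email: 'guerfupe@mail.ru', message: 'https://vendavtomat.ru/...', website: 'https://vendavtomat.ru/...' } },
    config, limiter, 0);

  // Script POSTing straight to the endpoint with no browser headers at all.
  const direct = evaluate({ ip: '198.51.100.8', headers: {}, fields: clean }, config, limiter, 0);

  // The same script after adding a forged Origin: none of the three checks stops it.
  const forged = evaluate({ ip: '198.51.100.9', headers: allowedOrigin, fields: clean }, config, limiter, 0);

  // Four submissions from one IP inside a minute: the fourth is rejected.
  const flood = [1000, 2000, 3000, 4000].map((t) =>
    evaluate({ ip: '198.51.100.20', headers: allowedOrigin, fields: clean }, config, limiter, t));

  return { legit, bot, direct, forged, flood };
}
```

Of the five cases, the honeypot catches the browser-driven bot, the origin check catches the header-less script, and the rate limit catches the flood; the forged-Origin request is accepted by all three, which is the gap that server-verified CAPTCHA is there to close. Note that the rate limiter records rejected attempts as well as accepted ones, so a bot cannot keep hammering the endpoint until the window happens to clear.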


Step 5: Enable Your Preferred Protections and Save

Toggle on the settings you want to activate. For most public contact forms, enabling both CAPTCHA and Honeypot together provides strong protection against the vast majority of spam bots.

Once you have made your selections, click Save to apply the changes.



Your form is now protected.


Which Security Settings Should You Use?

You do not have to choose just one option. The settings are designed to work together, and combining them gives you layered protection that is significantly harder for bots to bypass.

Here is a practical guide based on your situation:

For a standard public contact form:

Enable both CAPTCHA and Honeypot. This combination stops bots at two different points in the submission process and covers both sophisticated and unsophisticated bot behaviour.

For a high-traffic form receiving frequent spam:

Enable CAPTCHA, Honeypot, and Rate Limiting together. Set your rate limit conservatively. If a single user should never need to submit your form more than once or twice per minute, set the limit accordingly.

For a form embedded on a single known website:

Add your domain to the Allowed Domains field in addition to enabling CAPTCHA and Honeypot. This rejects submissions that arrive without your domain as their origin, which removes the crude scripts that POST to your endpoint without bothering to set any browser headers. It does not stop a script that spoofs the header, so keep the other two layers on.

For a form used internally or by a known audience:

If your form is not intended for the general public, use Allowed Domains to allow only the specific domains it should be embedded on. This keeps the form from being embedded elsewhere, but it is not authentication: anyone who finds the endpoint can still submit to it by setting the origin header, so do not rely on it alone to protect a form that must stay private.


A Summary of Security Best Practices

Formgrid's Security Settings section reflects industry-standard guidance for protecting web forms. Here is a summary of the recommended approach:

Enable CAPTCHA for all public-facing forms:

Any form that can be accessed and submitted by anyone on the internet should have CAPTCHA enabled. This is the single most impactful step you can take to reduce spam volume immediately.

Set rate limits appropriate to your expected traffic:

Think about how often a real user would realistically need to submit your form. Set your rate limit to reflect that. A rate limit that is too high offers little protection; one that is too low may frustrate legitimate users.

Configure CORS to restrict access to your domains:

If you know exactly where your form will be used, lock it down to those domains. This discards submissions with a missing or foreign origin, a cheap win against crude scripts, although it does not stop one that spoofs the header.

Use the Honeypot as a passive, frictionless layer:

Unlike CAPTCHA, the Honeypot requires nothing from your users. It works silently in the background and catches bots that might find ways around other protections. There is no reason not to have it enabled at all times.


Final Thoughts

Contact form spam is a universal experience for anyone running a public-facing website. It is automated, indiscriminate, and growing in volume as bots become more sophisticated. But with the right tools in place, the overwhelming majority of it can be kept out of your inbox.

Formgrid gives every user, including those on the free plan, access to a full suite of security settings designed specifically to address this problem. Enabling CAPTCHA and the Honeypot takes under two minutes and will stop the overwhelming majority of spam submissions before they ever reach your inbox.

Do not wait until your inbox is overwhelmed to take action. Open your form settings today, enable your protections, and get back to focusing on the messages that actually matter.

If you have any questions about configuring security settings on your Formgrid forms, the support team is always available to help.
