Set up DMARC and see who's sending email using your brand's domain.

When Spambots Attack: Protecting Your Forms From Abuse

Like a mosquito to the exposed skin of your forearm, spammers are drawn to an unprotected web form. That's right, the simple sign up form you use on your website to collect your customer's information is at risk of being abused to send spam.

Spammers use spambots, computer programs designed to execute repetitive tasks, and they love to target unprotected web forms. A spambot may submit invalid (or even valid!) email addresses to a form, causing a great influx of hard bounces and spam complaints in your Postmark account that will quickly start to negatively impact your sending reputation. A spammer can even use your form's automated responses to adjust the message's content. No wonder you don't remember sending that "Read this email to score some FREE VIAGRA!!!" message. 😬

There are many reasons why a spammer might spam and in most cases, it's nothing personal. Using their legion of spambots they simply found your unprotected form and set to work. It's up to you to ensure you're protecting your web forms and that you are making it as hard as possible for such abuse to take place.

To help keep your forms safe, we've put together some of our favorite tips that you can use to make sure you're reducing the possibilities of abuse. It's important to note that there is no single, perfect solution when it comes to protecting your forms. We recommend implementing a combination of some of the below suggestions and always keeping a close eye on new submissions.

Preventing Spam #

Just like how you wouldn't drive without a seat belt, you shouldn't leave your web forms unprotected. It leaves the door wide open for spambot abuse. We've put together some of our favorite ways to proactively protect your forms.

Don't Accidentally Send Spam #

Don't send emails that automatically include content from places like comments on a message board or comments on public-facing forms. This is an easy way for an unprotected form to get "weaponized" to send spam.

For example, if you have a comment section on your form, don't send the comment the user inputted in your automated email response to someone. This can get dastardly if your form sends a copy to the submitter — The spambot will add an unsuspecting victim's email address as the submitter and all of a sudden your form is sending spam to hundreds of people.

Here's an example where a bot filled in the "name" field on a form with some spam content and a spammy URL, attempting to message a victim:

An example of a from abused by a spambot

Most spambots want to send spam to random people. The bot will fill in the comment section with something like, "Try Viagra free!" and then you end up sending "Try Viagra free!" in your email. Sending such messages is a quick way to hurt your domain reputation.


Using a CAPTCHA solution is one of the more easier and common ways to protect your forms. Using some simple script, a CAPTCHA solution can effectively block a spambot from abusing your form.

You may think that your customers will get annoyed having to select all the pictures containing crosswalks to use your form, but such security measures are now industry standard and commonplace. And the good news is that most CAPTCHA solutions provide an audible version when completing the form, ensuring that blind users can complete the action. The audible version is also a great backup solution for a frustrated user who can't seem to figure out which letter that wavy line is.

Google's ReCAPTCHA is a free CAPTCHA solution that can be quickly added to your forms and it boasts "adaptive challenges" based on how the user is interacting with your site, which means you can minimize or eliminate CAPTCHA friction for detected "real people". 🤯


A honeypot field is a wonderfully delicious supplement to your form's protection. In a nutshell, a honeypot field is a field in your form that users don't see because it is hidden by some simple CSS or JavaScript. While legitimate users can't see the honeypot field when they fill out your form, those automated spambots will! Spambots will search the form for comment elements, like a label, and input a value for each. This includes the hidden honeypot field.

So anytime your form is submitted with a value in that honeypot field then you'll know that you can disregard that submission since it's most likely spam. Could it 🐝 any easier?! 

If you're worried about accessibility with a honeypot field, you can ask a question someone would know but a bot might get tripped up on like "What's 1+1?".

You can find a great example of how you'd set this up here!

Use Filtering on your Form Submissions #

Another alternative is setting some validation on your forms. You could set-up your form to reject submissions that use keywords like "Bitcoin", "Passive Income", or "Viagra" in the message field.

This also works great for the submission email address to block domains you wouldn't expect someone to sign up with like or This option is great if you have a very specific form. For instance, if you are Jordan's Pancake Shop in Nebraska, you're probably not expecting someone with the Russian domain contacting you about a passive income. The caveat with this solution being if you get too aggressive with your filtering real users might get blocked from submitting forms.

We also see a lot of instances where the spambot has provided a spammy URL in the form's Name/Username field. Setting up those fields on your form to reject submissions that don't match the expected criteria (the Name field should not include a domain and shouldn't be more than 20 characters or so) can help reduce abuse.

Detecting Spam #

While we're more about a proactive approach for stopping spam abuse, you'll never be able to successfully stop 100% of it. It's always good to set-up guardrails to detect if spam gets through.

Monitor Submission IPs #

You can collect the IP address of your form submissions. This way you can detect if there have been multiple submissions from the same IP address in a short period of time and stop additional submissions from that IP address going forward.

While spammers can easily change their IPs, such a solution will still be able to stop mass sign ups from a single IP.

Employ Webhooks #

When a sign up form is being abused, there'll be an influx of submissions which will result in a large increase of messages being sent through your Postmark account, and likely an increase in hard bounces and spam complaints.

Using our webhooks you can keep a pulse on your account's sending and whether there's a spike in these events.

This can serve as a warning signal that something is amiss so you can take necessary action, like disabling your website forms, to avoid additional abuse. This solution should be coupled with a few of the more proactive approaches listed above.

Set-up Emergency Contacts in your Postmark Account #

If we detect abuse happening from your Postmark Account, we'll reach out and let you know. We also might need to pause sending on your account. To help with these alerts when this happens, within your Account settings of your Postmark Account, you can add Emergency Contacts so our support team knows who to reach out.


That is definitely a lot of information and the idea of your form being attacked by a spambot can be an overwhelming thought. Just remember that it happens to the best of us and by following some simple proactive measures we've listed above you can greatly reduce the chances of such attacks occurring in the future. And of course, if you have any questions don't hesitate to get in touch with our dedicated support team!

Jordan Dibb

Jordan Dibb

Really likes 🍩 and 🍦. And 🥧. And food. Watches Breaking Bad when not watching Arrested Development. 🐝?! Minnesotan dontcha know.