Spam Bots have been a major problem for email marketers on many different platforms lately, including Infusionsoft, MailChimp, Ontraport, and others.
Spam Bots are computers running automated scripts that submit junk information into your lead capture forms on your website.
The problem is, often-times the email addresses are real email addresses. So, contacts end up in your automated funnels where you’re sending them follow ups they never asked for. Real people get those emails, they unsubscribe, or mark your emails as spam, or just ignore them. Those things hurt your deliverability.
So it’s essential these bots get stopped.
We tried a lot of different things. This method is currently working great for us. A video and detailed written instructions are below:
HERE ARE THE STEPS TO STOPPING THE SPAM BOTS FROM SUBMITTING YOUR INFUSIONSOFT FORMS:
- ADD A CHECKBOX TO YOUR WEBFORM
Log into the Campaign Builder where your web form was created. Add a checkbox to the form. Call the checkbox whatever you want. I call mine “Spam Trap”. Make the checkbox a “required” field.
- PUBLISH YOUR CAMPAIGN
Publish your campaign again and the go back to “Edit” mode.
- GET YOUR NEW FORM CODE
Double-click on the form and navigate to the “Code” tab.
Select the “HTML Code Unstyled” radio button.
Click the button to copy the code.
- PASTE THE CODE INTO YOUR SITE AND WRAP IN JAVASCRIPT
Paste the copied web form code into your site.
Then use JavaScript document.write statements to write the webform code to the page when it loads. Use the <noscript> tag to show the bots something other than the form code. Be sure and remove all line breaks (returns) from the code.
Change your checkbox field from type=”checkbox” to type=”hidden”.
Your code should look like this:
<script type=”text/javascript”>
document.write(‘<form accept-charset=”UTF-8″ ‘);
document.write(‘ action=”https://appname.infusionsoft.com/app/form/process/bsdfa5asd2544dasd2164b450e8d8cc0a79asd4″ class=”infusion-form” id=”inf_form_bsdfa5asd2544dasd2164b450e8d8cc0a79asd4″ method=”POST”><p><input name=”inf_form_xid” type=”hidden” value=”bsdfa5asd2544dasd2164b450e8d8cc0a79asd4″ /><input name=”inf_form_name” type=”hidden” value=”Lead Capture Form” /><input name=”infusionsoft_version” type=”hidden” value=”1.70.0.101490″ /><input name=”inf_option_SpamTrap” type=”hidden” value=”4992″ /><div class=”infusion-field”><label for=”inf_field_FirstName”>First Name *</label><input class=”infusion-field-input” id=”inf_field_FirstName” name=”inf_field_FirstName” placeholder=”First Name *” type=”text” /></div><div class=”infusion-field”><label for=”inf_field_Email”>Email *</label><input class=”infusion-field-input” id=”inf_field_Email” name=”inf_field_Email” placeholder=”Email *” type=”text” /></div><div class=”infusion-submit”><button type=”submit”>Submit</button></div></form>’);
</script><noscript><h3>You must have JavaScript enabled to use this form</h3></noscript>
<script type=”text/javascript” src=”https://chunk.infusionsoft.app/app/webTracking/getTrackingCode”></script>
<script type=”text/javascript” src=”https://chunk.infusionsoft.com/app/timezone/timezoneInputJs?xid=asdfsfeqfwqefqe”></script>
That should do it!
This is really great, and not too techie. I’ve had a reverse problem lately with some of my client websites – there are bots out there looking for contact-us forms, but not acting on them. Instead, the bots create a list of urls that are handed off to live peeps that get onto the form and spam the site with “we can fix your SEO issues” letters. Nicely written, attempting to be very personal. But spam nonetheless. This only works if there’s a message field; essentially an input textbox with no input restrictions. So, if you make an analysis of what the client really needs, oft times you can get rid of the general message box and replace with drop-downs and check-boxes with canned answers. Bam, no more SEO-Spam bots because they have something to say, but nowhere to say it. 🙂
Well done, Tyler. Thank you for sharing your creative solution to a very annoying issue.
This is a bit hard to follow – I’m a little bit technical with html and a hack, but my IS html form code doesn’t look like yours – I don’t have anywhere like in your second document.write…https://appname.infusionsoft…where did that come from? My form basically has the same fields as yours does actually…if I just wanted to copy and paste this code, what do I need to replace in yours so it’s related to my IS form…I can then just drop it in from there.
I’m not tech savvy enough to see how a required field, that is hidden, will work for a live person. If the box must be checked in order to submit the form… wouldn’t they need to see it on the form in order to comply with the requirement?
Daren, by changing the field type from “checkbox” to “hidden”, the value is automatically passed into the form. So, Infusionsoft sees it as if the checkbox were checked. Make sense?
That’s confusing me as well. If it’s pre-checked, and hidden, then why add it? What does that change? I assume the bit that you think is confusing the bots is adding the form with a Javascript document.write? Why do you not use the reCaptcha in InfusionSoft/Keap? Thanks
Martin, when you change the type of input to “hidden”, the value still gets passed. Since it’s a required field, the value must be passed or else Infusionsoft won’t let it through. Hiding it makes it so the user doesn’t get confused by a checkbox that’s not meant for them.
Hi Tyler, I get that. So if the checkbox is already clicked and hidden, how will that stop the spam bot? My assumption is that the spam bot basically fills in the fields and clicks the submit button, but maybe my assumption is wrong. Thanks.
Martin, there are two things happening here. Using JavaScript helps prevent new bots from reading the code. But old bots may have already read the code and have stored it. That means they can submit to your form without visiting your site again. If that’s the case, their old code does not have the checkbox. So, the hidden checkbox prevents those bots from submitting remotely. Make sense?
Yes, this makes sense! Tyler using hidden filed if we are using this trick on old forms and where maybe bots saved the form code already. As this field is needed to submit the form so form not able to submit without this field.
OK. That makes sense. We have multiple forms on our website getting spammed constantly. I’ll try your method and let you know. Thanks for your time.
Hi Tyler, Me again! Just thought I’d let you know what worked for me. We were getting an IS/Keap contact form filled in 10-20 forms per day by bots. I found this to build a contact form with reCaptcha
https://bootstrapious.com/p/bootstrap-recaptcha
There is PHP behind this form which I then modified, using the IS/Keap SDK, to create a contact in IS/Keap. Surprisingly, just using this form we have had no spam for the last week! But the idea is, if we do get spam, I can use PHP code to filter it out before I create the IS/Keap record. The annoying thing about the spam we get is that it is very obviously spam and some simple filters would get rid of it. A bit more technical than your approach, but it’s working for us. Cheers.
Thanks for sharing Martin! Great stuff!
Thanks Tyler! I was looking for a solution for this problem and glad I found this post. I implemented it tonight on a form that was being attacked, so I am very hopeful it will work like it is working for you!
It’s working great so far on my site. The only change I had to make was to split up the URL in the form= parameter because the bots were just going to the URL and spamming from there.
Thanks for sharing your solution!
No problem Joyce
What if you use a plug in like Gravity Forms? Is there a way to implement this hack??
Hmmm. I don’t think you could easily implement something like this with Gravity Forms.
I’m using a variation on this theme in my plugin, except I encoded the form content in the JavaScript document.write() so that it can’t be trivially decoded or casually scanned for URL’s.
That’s awesome David. I didn’t know you had a plugin for this. Can you share the link here?
This page lets you obfuscate your code: https://obfuscator.io/
Awesome. Thanks Mark!
This helped me out today! Thanks for the great solution and clear instructions.
Pingback: How To Block The Spam Bots – I Love Keap