Started receiving a bunch of SPAM via form submissions

Hi! Starting yesterday we began receiving many spammy form submissions (on two separate websites that run on Netlify).

On our website, we collect things such as the “landing URL” in the local storage and submit it along with the form. However, these spam submissions don’t even include those params, which makes me believe the submissions are being made from outside of the site. Is this a possibility and if so how can it be resolved? What other steps can we take to reduce the spam? Yes, many spam submissions are being caught in the Netlify spam box, but many are now coming through. Help is greatly appreciated!

Also, the spam form submissions contain this: mailed-by: smtp-out-md.netlify.com whereas the REAL form submissions do not.

On our website, we asked that First name cannot be blank. However, the spam submissions contain a blank first name.

I am highly confident that this is an issue NOT with my website, but with Netlify. These spam submissions are basically coming externally (not from my website), yet Netlify is failing to catch them, and I have to PAY for these spam submissions!!

Attached are screenshots of the spam submissions!


Hi, @emediately. Enabling both reCAPTCHA and the honey-pot field would be my first two recommendations for form spam prevention.

I checked the form on your account that I think you are asking about and I do see the honey-pot in use. However, I’m not seeing reCAPTCHA configured correctly for that form. There is documentation about how to configure reCAPTCHA here:

Would you please test enabling reCAPTCHA for your forms? If you believe reCAPTCHA is already in use, please send us a link to the form and we will be happy to troubleshoot to find out what is happening. I’ve made sure private messages (PMs) are enabled for your forum login. If you don’t want to post the form URL publicly, please feel free to PM it to one of our support team instead.

Likewise, if there are any questions about enabling reCAPTCHA we are happy to answer.

Hi Luke, thanks for your response. I just sent you a PM with the URL to the websites and more information about the issue.

Hi, @emediately. I want to point out that your site javascript has nothing to do with how our backend form handler processes form submissions. The form handler at Netlify is 100% defined by the pure HTML-only version of the form as covered in our documentation and support guides. Quoting the docs:

Netlify comes with built-in form handling that’s enabled by default. Our build bots do it by parsing your HTML files directly at deploy time, so there’s no need for you to make an API call or include extra JavaScript on your site.

You can use javascript to submit forms but that isn’t what defines the form handler. Only the HTML (without any javascript being run) defines the form handler.

I did examine one of the forms you mentioned and I see two issues:

  • the fields are not required
  • reCAPTCHA is not used

For example, this is the HTML for the “firstname” field:

<input type="hidden" name="firstname" />

There is no required attribute in that <input> definition.

The HTML includes another <input> with the same name and required="" later in the form but the first definition takes precedence when there are two identically named fields (inputs).

Again, the best way to prevent spam is to enable reCAPTCHA for that form.

You also mentioned that the spam source is probably external to your website. This is true for all form submissions: both those that are spam and those that are valid have an external source. They all originate from an external client (typically a web browser or other application), not the web server.

I think you are saying that the spam submissions are not being sent by a web browser as a result of the site javascript submitting the form. This I agree is almost certainly true. There is a solution to prevent that: reCAPTCHA. Besides reCAPTCHA, how else would the form handler authenticate the source of the submission?

If you believe there is a better way than reCAPTCHA, please let us know what solution you would prefer and I will enter a feature request for it.

Please note, I’m not trying to brush you off with the following. I do want to mention that you are not required to use our forms feature if you don’t like it. I just wanted to be clear that there is no “vendor lock-in” with our forms feature.

You can still host your site with Netlify and handle the form submission using a third-party service (like formget.com or formkeep.com). Obviously, this would be potential lost revenue for Netlify, but we certainly do not force anyone to use our forms feature. Hosting a site using Netlify and using third-party forms services is both allowed and will work. Nothing at Netlify will prevent you from using a different forms service.

If there are other questions about this, please let us know.
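As an added example (not code from this thread, nor Netlify's own tooling), here is a small Python lint that reads a form the way Luke describes the build bots reading it: only the HTML counts, the first input with a given name takes precedence, and the form should be marked for reCAPTCHA. It records only each name's first definition, flags it when it is hidden or lacks `required`, and flags forms with no reCAPTCHA element. It assumes the `data-netlify-recaptcha` attribute from Netlify's reCAPTCHA docs (not quoted on this page), and the sample HTML is constructed to mirror the thread.

```python
from html.parser import HTMLParser

class NetlifyFormLinter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a bare attribute such as `required` maps to None but is present
        if tag == "form":
            self._form = {"name": a.get("name", "?"), "fields": {}, "recaptcha": False}
            self.forms.append(self._form)
        elif self._form is not None:
            if tag in ("input", "textarea", "select") and a.get("name"):
                # The first definition of a name takes precedence, so never overwrite it.
                self._form["fields"].setdefault(
                    a["name"], {"type": a.get("type", "text"), "required": "required" in a})
            if "data-netlify-recaptcha" in a:  # Netlify's reCAPTCHA marker (assumed from its docs)
                self._form["recaptcha"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def lint_form_html(html, must_require=("firstname",)):
    """Return (form name, finding) pairs for the two issues raised in the thread."""
    linter = NetlifyFormLinter()
    linter.feed(html)
    findings = []
    for form in linter.forms:
        for name in must_require:
            field = form["fields"].get(name)
            if field is None:
                findings.append((form["name"], f"{name}: no field with this name"))
            elif field["type"] == "hidden" or not field["required"]:
                findings.append((form["name"], f"{name}: first definition has "
                                 f"type={field['type']}, required={field['required']}"))
        if not form["recaptcha"]:
            findings.append((form["name"], "no reCAPTCHA element (data-netlify-recaptcha)"))
    return findings

# Constructed sample: the first form mirrors the thread, the second is the corrected version.
SAMPLE = """<form name="contact" method="POST" data-netlify="true">
  <input type="hidden" name="firstname" />
  <input type="text" name="firstname" required="" />
</form>
<form name="contact-fixed" method="POST" data-netlify="true">
  <input type="text" name="firstname" required />
  <div data-netlify-recaptcha="true"></div>
</form>"""
```

Running `lint_form_html(SAMPLE)` reports the hidden first `firstname` definition and the missing reCAPTCHA element for the first form only.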