I recently noticed we had almost 10,000 leads submitted on our company website contact form in the last month. That would have been great news, if they were real! Unfortunately, most were junk as we were hit hard with form spam. Thankfully, all were blocked before entering our CRM (more on that later). When your job is to generate quality marketing or sales leads, it is always frustrating to receive a bunch of junk. If this has happened to you, some of those leads were certainly form spam. While the word “spam” typically refers to unwanted email solicitations, spam now takes many forms (besides the famous canned meat product). Spamming has invaded every form of electronic communication including email, text/SMS, blog comments, forums, and social media (e.g., Instagram comments“). For marketers that are responsible for online lead generation, the type of spam we find the most annoying is “form spam.”

What is form spam?

Form spam happens when automated bot programs or human spammers submit junk leads to online contact forms on a large scale.

Why does form spam exist?

To understand why form spam exists, we must first ask: who benefits? Using bots to submit data is essentially free, so any incremental benefit may justify the practice by its perpetrators. Below are a couple of ways spammers benefit.


Form spam often takes the form of an advertisement or marketing solicitation, where they are advertising to the company that owns the form. For example, I’ve seen many ads for SEO services on our company contact forms. Many times, bots submit links hoping that someone clicks on them. Bots also look for comment forms for blogs to post links back to their sites.

Masking click fraud

While the motivation for free advertising or link distribution is pretty obvious, often form spam doesn’t contain any form of advertisement or link. Form spam can look like real lead data or more obviously be just pure junk (random text or even excerpts from books). Why would someone bother to create a bot to submit garbage on forms? My hypothesis is that this type of form spam is directly related to click fraud, as it assists the source of fraudulent clicks to look like real site traffic. To do this, some of the visitors must convert on the site as a submitted lead. By using bots to submit leads on your site, it appears you are getting conversions from this traffic source. When this fraudulent traffic source comes through a network like Google Adwords, it becomes challenging to detect as the fraudulent traffic is triggering Google conversions. (Note: this is one of many reasons you never want to trigger a conversion with a junk lead, a topic I plan to address in more detail in a coming post)

How do you stop form spam?

There are a number of ways to block form spam on your sites.    

Fraud detection services

There are a number of products (Forensiq, Fraudlogix, Anura, etc.) that focus on detecting and blocking fraudulent traffic to your website. Since this is their specialty, they are the best at it. These are sophisticated services that are typically utilized by large advertisers. If you really want to address the problem, these services are worth review.


Many sites deal with form spam through Captcha tools, requiring visitors to identify text or check a box prior to submitting a form. While this method effectively blocks form spam, unfortunately it also hurts conversion rates and frustrates users. Search and conversion experts like Moz and PageWiz explain the issue in more detail. For these reasons, you rarely see this method used on lead generation forms.


At the beginning of this post I mentioned that we blocked the thousands of form spam leads from ever entering our CRM. We did this using our LeadConduit and TrustedForm products.  TrustedForm is our lead certification service that verifies the origin and authenticity of internet leads. Many companies use it to document proof of prior express written consent for TCPA and CASL compliance. It is invisible to the site visitor since it is a script pasted in the HTML of the form page. A helpful by-product of TrustedForm is that it also helps block form spam (even though this isn’t its primary purpose).  

In normal web sessions, human users interact with web forms through javascript-enabled web browsers (Chrome, Safari, Firefox, etc.), while most bots do not. TrustedForm issues a digital Certificate of Authenticity for each authentic form submission and that Certificate URL is delivered, as a hidden field, along with the lead data. When a bot fills out a form, TrustedForm typically does not issue a Certificate (unless it is a sophisticated bot posing as a person using a javascript-enabled web browser). For our company’s marketing stack, all of our internet leads pass through LeadConduit before they are delivered to Salesforce. We have a filter in our LeadConduit flow to block any leads without a TrustedForm Certificate. As a result, we automatically blocked the 10K fake form spam leads and they never hit our Salesforce account. We automatically separate the wheat from the chaff without sacrificing conversions. Furthermore, these junk leads don’t trigger conversions by our tracking pixels and they don’t receive auto-responder emails.

Our TrustedForm script is publicly accessible, so you can use it to assist blocking form spam for free without sacrificing conversion rates, as you would by using some form of Captcha. Simply grab the TrustedForm script, paste it on your web form, and block any leads that don’t include a TrustedForm Certificate. Note that when it comes to blocking fraudulent traffic, the best solution is a service specifically built for that. While it won’t block all form spam, TrustedForm will certainly help and you can use the script for free.