Major spam issue — what's going on?

Major spam started last week on our Webflow forms—as in, every 4-6 hours a new spam message comes through.

What can be done on the Webflow support end, if anything beyond outreach and forwarding the spam? And does anyone know why an attack like this would be happening?

Mail endings are in “@mail.ru”, “@list.ru”, “@gmail.com”.

Note: We have a good developer who is helping us set something up to prevent this because inboxes are just getting stuffed unnecessarily right now and it’s a huge pain.

I have reached out to Webflow in the meantime. Spam has been forwarded to their spam specific email. No replies.

Since the fix for this is outside of my wheelhouse, I’m just trying to figure out what other recourse should be taken, e.g., with Webflow support, and to see if anyone else has seen something like this before either now or in the past. It seems unrelenting and abnormal; we’ve had the site for over a year and never anything like this before.

The following are just small screenshots of the past week.

Thanks!

Screenshot 2024-07-29 at 10.02.29 PM2096×1418 455 KB

Screenshot 2024-07-29 at 10.03.06 PM1960×862 93.3 KB

Screenshot 2024-07-29 at 10.02.55 PM2040×822 91.2 KB

Screenshot 2024-07-29 at 10.02.49 PM2044×738 88.2 KB

This has been an issue for quite a while.

Personally, I ended up removing the form from my own website.

But here are a couple of solutions you can try to gate keep the bots from submitting the form:

1) Add the reCaptcha
Webflow guide: Add a reCAPTCHA field - Webflow University Documentation
Downside is that it’s gonna weight on the site loading speed

2) Implement a custom validation field, something like “7+5=” and have a bit of custom JS perform the check before submitting

In my sites it was not possible to stop the spam with form changes, or even form deletion, because the attacks are directly against Webflow’s servers.

About a year ago I migrated 50 sites to Basin, and have not had a spam issue or unsubscribe issue since.

SA5 has a special form handler specifically for Basin so that you can use Webflow-build forms, complete with success and error messages, with Basin.

Thanks, Daniel. Did you find the custom validation field better for page speed over the reCaptcha?

Thanks, Michael. When you say form changes, do you mean solutions like the reCaptcha? I read your notes about Basin on other posts here. Fillout was another option we were told about—if you’re familiar, do you have any thoughts on that compared to Basin? Thanks again.

I can also confirm that there has definitely been a significant increase in spam across all of the sites we manage over the last 10 days (most of it Russian). This is with Captcha and Spam filtering also enabled.

I’m going to implement some Webflow logic to prevent spam email notifications using the honeypot method. It’s not ideal, but at least it won’t hit the client’s inbox.

I use Basin for at least half of my sites, which is a far superior form solution compared to Webflow. The forms functionality really lets Webflow down, especially when it’s considered a ‘premium’ CMS solution (with pricing to match).

reCaptcha, honeypots, Turing tests like 2+2. In Webflow there is no server-side programming support, so all of those essentially gate the submission at the site level using JS. ( some implementations of reCaptcha have better server-side checks ).

Most of the spam I’ve seen isn’t coming through the forms, so those are ineffective. Even if you delete the form, you’ll keep getting spam.

I’m not familiar with it. On a quick glance, it looks like it’s primarily a form builder, not a form submission handler, so it’s solving a different problem.