As of Monday January 23rd, we have received reports of customers experiencing increased spam and ransomware emails arising from form submissions.
Our team is aware and have implemented solutions to drastically decrease the frequency of spam coming through. As a result of these new solutions, we have seen a sustained decrease of spam affecting customers.
To control spam volume, we’ve updated our rate limiting system to detect specific networks and request behaviors that indicate use of bots. In addition to volume mitigations, we have worked to tighten our content mitigation controls such as spam filtering, and spoofed form detection. During implementation, some form submissions may have been temporarily disrupted — which could have resulted in a temporary block on form submissions for some site visitors.
We understand that receiving spam of any kind can cause concern — however, we assure you that the spam emails in question have not compromised your site. We encourage you to avoid engaging with any suspicious content.
As the team continues to push added measures and prevention tactics, we recommend enabling Google reCAPTCHA on your site forms for an additional level of prevention. You can learn more about how to configure this here: Add a reCAPTCHA field | Webflow University
In efforts to track and improve our spam filtering system, we encourage you to forward any suspicious activity to form-spam-reports@support.webflow.com and avoid clicking any links contained within these emails.
For any customers who may be worried about extra charges due to an increase in form submissions, we have voided all charges for any form submissions at this time. If you or your client have already been charged, you can contact us through support.webflow.com and we will immediately refund any overages.
I have seen a resurgence in spam submissions (mostly with Latin text). We have implemented all the recommendations, but we seem to get even more after that.
Spam has started to again come through in the past two weeks, the Spam submissions coming through fire a submit request and the message copy field registers as a new field after they submit. Just the difference in the submissions from spam should be triggering something no?
Examples of just the past day but it looks like it started two weeks ago.
This is a very real problem. The few customer sites I host with Webflow are continually seeing spam. Every day. It’s incessant even with Google reCaptcha V2 enabled. Please Webflow, how can we harden these forms?
Hi there, our team is aware of ongoing reports of spam and continuing to actively implement new ways to improve spam filters and submissions. However we always recommend implementing additional ways to deter spam using your own filters or methods.
i.e.
Enabling ReCAPTCHA (which it seems you’re doing)
Adding honeypots (i.e. adding hidden fields that only bots would be able to fill out)
Adding skill questions or user authentication
Or for additional protections, enabling anti-spam plug-ins & services
This is still a problem. I’ve been struggling for probably a year trying to stop spam messages and nothing seems to help. Here’s an example of a spam submission which is somehow circumventing all of my measures. Please help!
@Estec - You might not like to hear it but using an alternative form processor like Basin is the solution to this problem. Webflow has not figured out how to handle spam and this has been going on for ages.
Any news around this? I’ve installed a few forms on my client’s website (general form, news letter, classic car specific) and the general one is flooded with spam, even though all forms have reCAPTCHA 2…
Also seeing a huge uptick in spam submissions on all forms across our own and all of our client sites. We’re telling them to hold tight right now and that it’s something Webflow is aware of and trying to resolve, rather than integrating a third-party solution. A huge part of the appeal/sell of Webflow for clients is that they reduce the need for third-party software or plugins, and can do everything they need within Webflow, so we do not want to have to resort to this.
I just integrated Basin and it does work well and adds a few other safety measures, apart from being able to use reCAPTCHA V3. I was able to implement a honeypot very easily for instance. Also it has great functionality on response features, so the client filling out a form can get an email with his or her message, or other content, something I was missing in the Webflow form features.
I do strongly agree with @mazecreative that it completely gets me out of the Webflow mindset of having everything under one umbrella, and I was/am also not pleased to communicate the extra costs of either $3,33 or $10,00 (depending if we can decrease the amount of forms from 4 to 3) per month to my client.
So really hope this is a temporary measure for me and once reCAPTCHA V3 or another better captcha then V2 is supported we can come back to standard Webflow.
The reality though is that this is modern state of SaaS-based web development. With Wordpress it’s the plugin store, Wix, etc. have similar. Webflow’s infrastructure works the same way but is only beginning to offer more seamless integration options in the form of apps.
In general emailed form responses only work well for small businesses, for others you may want to try a lead management system like Hubspot, or a Make automation that pushes your form submissions into Airtable.
If you’re managing the lead delivery yourself, one approach is to setup a Basin account just for your agency, and then create a Basin Project for each of your clients. Using a single Basin account makes it much more affordable, and you can easily build that $10 into your hosting fees overall, split across many clients.
It would be nice to hear from Weflow in regards to what’s going on.
I’m still in the process of placating my customer in regards to the hosting fee increases. Each time something goes amiss it seems it’s up to the developers or a third party app to fix any issues.
@MattBott - Webflow has said they have been working on the problem since it was first reported. It has been going on for some time and users really started to notice back in October of 23.
@webdev Thanks Jeff, Yup, I’m aware. The spam had eased up since Oct but it seems to be back again. I’d love to know how spammers are circumventing ReCAPTCHA on WF as I dont have spam issues on websites hosted anywhere else.
@MattBott - Well, it is obvious that some spammers have figured out a hole to exploit in Webflow’s form processing architecture, and as such, I doubt they would discuss it publicly. They discuss little about issues as it is.
Solution is what I and others have outlined. Ditch the broken form processing for something that meets your requirements and budget. I have.
