Webflow Forms Being Spammed - Ramping Up?!

Hi everyone

Is anyone else experiencing a sudden and ridiculous uplift in spammy form submissions on your Webflow sites?

I also note that it seems like the form itself is being bypassed in some way? Certain hidden attributes (such as the URL field you’ll see in the screenshots below) aren’t passed through with the rest of the form data for these submissions, almost like submissions are being made “directly” rather than from on the page, if that makes any sense whatsoever.

Here’s a couple of the types of submissions we’re seeing. One of our sites is receiving 10-15 of these per day. Very annoying! As with other people reporting this, reCAPTCHA seems to do nothing.

This was happening to lots of people earlier in the year. Webflow took some internal steps to combat it and it tapered off some. Maybe the spammers found a new vector. I will refer you and anyone else having this problem to an official post in the forum. See →

I migrated all my form processing off Webflow completely to usebasin.com and am free from this scourge.

1 Like

Thanks @webdev , I’ll take a look at that!

It’s definitely kicked up ten notches recently!!

Jeff has given me a lot of great recommendations and Basin is one of the best. I have 50 clients running in a single Basin account and they are all blissfully spam-free.

2 Likes

Big problem for us at the moment. Getting it every day.

@Ejay - Webflow has been unable or unwilling to fix this issue based on community feedback I have seen. Third-party solutions to this issue exist and can be found in the university under integrations.

Hey there!

You’re definitely not alone in this. We’ve seen this exact issue with dozens of our clients, and it’s been ramping up lately. It’s very annoying, I know.

There are actually several ways to tackle this problem, both free and paid. We’ve written a detailed article about it, but here’s a quick rundown:

  1. reCAPTCHA: This is usually the first line of defense. It works well for basic spam but might not catch more sophisticated attacks. In your case, I don’t think it will work.

  2. JavaScript validation: You can add custom JS to check for specific spam keywords. It’s free as it runs at the site level and you can customize it to ban certain specific words, but requires a bit of coding knowledge.

  3. Gmail / Google Workspace filters: If you’re using Gmail or Google Workspace for receiving your form submissions, you can set up filters to catch spam. It’s surprisingly effective, free and easy to set up.

  4. Third-party forms: Services like Basin or Formspark offer more advanced spam protection. They’re paid solutions but can be worth it if you’re getting annoyed with all the spam. We use them with some of our clients and they work well.

The fact that you’re seeing submissions without all the form data suggests that bots might be bypassing your form entirely and submitting directly to your form handler. In this case, server-side solutions like Google Workspace / Gmail filters or third-party services (Basin, Formspark, etc) might be your best bet.

Good luck!

1 Like

Hi all,

The amount of spam being received went up since two days ago. reCAPTCHA used to work really well, but we’re back to square one.

Are there any free integrations we can access? Unfortunately most clients won’t include this on their budget

@Neblina - There are integrations that are free up to a certain amount of submissions. Check the WFU. Webflow Integration resources | Webflow University

Being inundated with spam messages the last 2 days, even with reCAPTCHA on my form. Can Webflow do anything on their side to stop them? I’m forwarding the mails to their spam reports but have a feeling that’s not a manned/priority mailbox.

I was sick of the spam so I set up formspark & botpoison, however, after a while these spammers seem to be getting around formspark entirely, as the original post mentioned, seems like they are ‘bypassing’ the form action as their spam is submitting directly to webflow and passing through the hidden attributes (which are related to formspark), e.g _redirect, _subject, _from.

I’ve done a code export of our entire site and made sure every instance of every form has everything required for formspark / botpoison, I’ve also tested all of them on the front end and they all submit to formspark… yet, these spammers are still able to push spam through to webflow.

We also get regular enquiries from legitimate customers and they all come through formspark just fine.

Is anyone else experiencing this? Other than removing our emails from the webflow form notifications, I’m not sure what else to implement here.

That’s exactly what you’d need to do; you can’t block gateway attacks, because they do not pass through your site or forms.

You said that you’ve exported your code though, which means you’re no longer using Webflow’s form submission handler?

My approach is to use Basin as the form handler directly, and then unsubscribe from Webflow form notifications. I can still see spam coming in on those forms ( looking at the site settings forms tab ), but it doesn’t affect me or my customers, all of the legit leads are being captured by Basin instead.

Hey, someone else is getting spammed these days. Here’s a quick bandage script that should prevent some spam.

// Array of keywords to block
const blockedKeywords = [
	// Keywords related to spam services
	'speedyindexbot', 'service for indexing', '200 links for free',

	// Keywords related to drugs
	'Купить', 'Кокаин', 'Доставка', 'Киев', 'Закладки', 'Чистый', 'САЙТ',
	'Erectile dysfunction', 'TruePills', 'Viagra', 'Sildenafil', 'Cialis', 'Levitra',

	// Keywords related to gambling
	'free casino games', 'no download', 'no registration', 'real money', 'casino',
	'blackjack', 'gambling', 'slots',

	// Keywords related to unsolicited promotions
	'social ads visits', 'cyber-monkey', 'onion',

	// Keywords related to heating and fireplaces (specific spam)
	'Печи', 'камины', 'Москва', 'интернет магазин', 'отопления',

	// Common spam keywords
	'free', 'win', 'winner', 'claim', 'urgent', 'discount', 'deal', 'prize', 'credit',
	'loan', 'debt', 'insurance', 'money', 'cash', 'payout', 'cheap', 'buy', 'purchase',
	'order now', 'limited time', 'offer', 'sale', 'exclusive', 'click here', 'subscribe',
	'unsubscribe', 'newsletter', 'pills', 'medication', 'pharmacy', 'investment', 'profit',
	'earn', 'income', 'work from home', 'weight loss',

	// Keywords related to adult content
	'sex', 'porn', 'adult', 'xxx', 'nude', 'naked', 'hentai', 'escort', 'prostitution',

	// Keywords related to drugs
	'drug', 'cocaine', 'heroin', 'meth', 'weed', 'cannabis', 'marijuana', 'lsd',

	// Keywords related to cryptocurrencies
	'crypto', 'bitcoin', 'ethereum', 'blockchain', 'nft', 'ico', 'token'
];

const form = document.querySelectorAll('form');

for (let index = 0; index < form.length; index++) {
	const formEl = form[index];

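	const messageInput = formEl.querySelectorAll('textarea');
	const submitBtn = formEl.querySelector('input[type="submit"]');

	// Skip forms without a submit input; the code below needs one
	if (!submitBtn) continue;

	// Create the error message div
	const errorMessage = document.createElement('div');
	errorMessage.className = 'error-message';
	errorMessage.style.display = 'none';
	errorMessage.style.color = 'red';
	// Insert via the button's own parent, since the button may sit inside a wrapper
	submitBtn.parentNode.insertBefore(errorMessage, submitBtn);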

	/**
		* Check if the message contains any blocked keywords.
		* @param {string} message - The message to check.
		* @return {string|undefined} - The first blocked keyword found or undefined.
	*/
	function checkForBlockedKeywords(message) {
		return blockedKeywords.find(keyword => message.includes(keyword.toLowerCase()));
	}

	/**
		* Toggle the error message display and submit button state.
		* @param {boolean} containsBlockedKeyword - Whether the message contains a blocked keyword.
		* @param {string} [blockedKeyword=''] - The blocked keyword found.
	*/
	function toggleErrorDisplay(containsBlockedKeyword, blockedKeyword = '') {
		if (containsBlockedKeyword) {
			submitBtn.disabled = true;
			submitBtn.classList.add('disabled');
			submitBtn.style.opacity = '0.5';
			errorMessage.style.display = 'block';
			errorMessage.textContent = `The message contains a blocked keyword: ${blockedKeyword}`;
		} else {
			submitBtn.disabled = false;
			submitBtn.classList.remove('disabled');
			submitBtn.style.opacity = '1';
			errorMessage.style.display = 'none';
		}
	}

	// Add input event listener to each textarea
	for (let i = 0; i < messageInput.length; i++) {
		const element = messageInput[i];
		element.addEventListener('input', function() {
			const message = element.value.toLowerCase();
			const blockedKeyword = checkForBlockedKeywords(message);
			toggleErrorDisplay(!!blockedKeyword, blockedKeyword);
		});
	}

	// Add submit event listener to the form
	formEl.addEventListener('submit', function(event) {
		let blockedKeyword;
		// Stop at the first textarea with a match, so a later clean
		// textarea cannot overwrite the result
		for (let i = 0; i < messageInput.length && !blockedKeyword; i++) {
			const message = messageInput[i].value.toLowerCase();
			blockedKeyword = checkForBlockedKeywords(message);
		}
		if (blockedKeyword) {
			event.preventDefault();
			alert(`The message contains a blocked keyword: ${blockedKeyword}`);
		}
	});
}
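The script above matches keywords by substring, so short entries such as 'win', 'ico' or 'sale' also fire on "window", "icon" and "wholesale". The following is an added example, not part of the original post, of whole-word matching that also works for the Cyrillic entries; the keywords are a subset of the list above, and the function names and sample messages are constructed for illustration.

```javascript
// Added example: whole-word, case-insensitive keyword matching.
// Keywords are a subset of the list above; function names are illustrative.
const sampleKeywords = ['win', 'ico', 'sale', 'order now', 'Купить', 'камины'];

// Escape regex metacharacters so each keyword is matched literally.
function escapeRegExp(text) {
	return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build one Unicode-aware pattern. \b only knows ASCII word characters,
// so letter/digit lookarounds are used to get boundaries that also hold
// for Cyrillic text. Runs of whitespace inside a phrase match flexibly.
function buildKeywordMatcher(keywords) {
	const alternatives = keywords
		.map(k => escapeRegExp(k.trim()).replace(/\s+/g, '\\s+'))
		.join('|');
	return new RegExp(
		`(?<![\\p{L}\\p{N}])(?:${alternatives})(?![\\p{L}\\p{N}])`,
		'iu'
	);
}

// Return the matched text, or undefined when the message is clean.
function findBlockedKeyword(matcher, message) {
	const match = matcher.exec(message);
	return match ? match[0] : undefined;
}

const matcher = buildKeywordMatcher(sampleKeywords);
// Constructed sample messages
console.log(findBlockedKeyword(matcher, 'Quote for window icons, wholesale'));
console.log(findBlockedKeyword(matcher, 'You WIN! Order   now'));
console.log(findBlockedKeyword(matcher, 'хочу купить камины'));
```

Like the original script, this only helps where the check actually runs; submissions posted directly to the form endpoint never execute page JavaScript.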

Quick & Easy Solution - Alternative to Basin

Hi all, many of my clients have also seen a huge increase in spam form submissions which are being generated by bots and bypassing the usual methods such as ‘honey pots’, Recaptcha (which has a huge impact on FCP) etc by submitting directly to the Webflow endpoint.

Many of our clients’ form submissions are already processed in complex Make/Integromat scenarios triggered by a Webflow webhook and I was reluctant to have to change all of these by first routing via Basin to filter out the spam, as they would all need re-mapping (a huge amount of time!).

Other smaller clients just have the native Webflow email notifications for each form submission.

First thing to understand is that to stop the spam you are going to have to handle the form submissions - Make/Integromat is a great and cost effective way of doing it. Basin will also do it but I wanted a solution for all clients with the least pain.

So here’s how you do it:

First add an embed to each of your forms with the following code:

<input id="gotcha" type="hidden" name="gotcha" value="">

Then on each page with a form add the following into the footer code:

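<script>
$(document).ready(function () {
    setTimeout(function () {
        // Select by name so every form on the page gets the value;
        // getElementById would only reach the first element with that id
        document.querySelectorAll('input[name="gotcha"]').forEach(function (field) {
            field.value = '123456';
        });
    }, 2000);
});
</script>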

You can change the ‘123456’ to anything you like.

So now you have a hidden field in the form that will be dynamically populated with 123456 once the page has loaded (I added a delay to ensure the form has loaded before the script runs).

Now you create a Make/Integromat scenario that is triggered when a form submission is received, add a filter that only permits the data bundle to flow if the field called “gotcha” has text that matches “123456” and then email the form submission (or handle it however you like).

This solution has worked perfectly without incurring additional expense or significant time.

Below is an example of a simple Make scenario to handle the form submission, filter out any spam, tidy up the data so you’re only sending fields with responses (useful if you have very complex lead gen forms) and then email it.



[Two screenshots of the Make scenario]

Dom, this Make method is almost the exact solution that I’ve been using…

However, due to the sheer volume of spam I am getting (seemingly from one culprit), I am now incurring charges over Make’s 10,000 operations per month limit!!

I mean would you believe it.

I’ve checked the records and I am getting a submission roughly every minute or two. 24/7.

This is not sustainable and I am concerned that it is going to scale up and lead to me needing to increase the operations limit for the account over and over.

Any suggestions? All of the submissions come from a first/last/company name containing “Raw”. They are bypassing the form as I am getting no URL data through with the submission.

Any help would be greatly appreciated.

Jude there aren’t many good options here.
You can add a honeypot and spam check to your automation, however that means running your automation which will still incur usage fees.

That approach involves putting a hidden field in your form that you expect to be blank. Spam programs will often fill it in anyway. You check for values there and you know it’s spam if you receive data in that field.

I will occasionally put a serverless function or other custom API between my form and the automation to check the honeypot before the automation is good. Netlify serverless functions and Cloudflare workers work well for this.

You could also do a check in your form with client-side script before submitting the form to your webhook, and it may catch some of the spam.

1 Like
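A sketch of the gate described in the post above, placed between the form and the automation so that rejected submissions never consume Make operations. This is an added example, not code from the thread: the "gotcha" field and its value come from the earlier post, while the honeypot and URL field names, `AUTOMATION_WEBHOOK_URL`, and the assumption that the form posts a urlencoded body to this function are hypothetical.

```javascript
// Added example, not code from the thread. "gotcha" and '123456' come from the
// earlier post; every other name and all sample input are assumptions.
const EXPECTED_TOKEN = '123456';  // value the page script writes into "gotcha"
const HONEYPOT_FIELD = 'website'; // hypothetical hidden field that must stay empty
const PAGE_URL_FIELD = 'url';     // hypothetical name of the hidden page-URL field

// Decide whether a urlencoded form body may reach the paid automation.
function screenSubmission(rawBody) {
	const fields = new URLSearchParams(rawBody);
	const value = name => (fields.get(name) || '').trim();
	if (value(HONEYPOT_FIELD) !== '') {
		return { forward: false, reason: 'honeypot-filled' };
	}
	if (value('gotcha') !== EXPECTED_TOKEN) {
		return { forward: false, reason: 'token-missing' };
	}
	if (value(PAGE_URL_FIELD) === '') {
		return { forward: false, reason: 'page-url-missing' };
	}
	return { forward: true, reason: 'ok' };
}

// Fetch-style handler (the signature Cloudflare Workers use). The form's
// action must point at this function; env.AUTOMATION_WEBHOOK_URL is a
// hypothetical setting holding the automation's webhook address.
async function handleForm(request, env) {
	if (request.method !== 'POST') {
		return new Response('Method not allowed', { status: 405 });
	}
	const body = await request.text();
	if (screenSubmission(body).forward) {
		await fetch(env.AUTOMATION_WEBHOOK_URL, {
			method: 'POST',
			headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
			body,
		});
	}
	// Same reply for accepted and rejected posts, so a bot gets no feedback.
	return new Response('Received', { status: 200 });
}
```

Spam posted straight to Webflow's own endpoint never reaches this function, so the automation has to be triggered only from here rather than from a Webflow webhook.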

Just dropping in to say I also have problems with almost all of my Webflow websites with forms. This is only increasing and ReCaptcha indeed does not block 98% anymore. We’re getting around 3-10 spam mails per form, per site, per day - with and without ReCaptcha.

Can we still sell “forms” on websites or should we start removing them all?