How to Detect Bot Form Spam on Your Website
Bots are always trying to abuse your website.
If you have unprotected forms or inputs, odds are bots are trying to submit fake data.
The good news is, there are many ways to prevent bot spam in the first place. The bad news, you have to do a little bit of work to protect yourself.
I'm going to cover 3 different strategies I use to identify bot form submissions on any website.
How to Detect Bot Form Submissions
You can easily tell if you are receiving spam from bots by analyzing the data your forms are collecting.
1. Unexpected or Inconsistent Email Addresses
The most common email provider is Gmail.
You should expect most of your email lists to consist of either Gmail addresses or custom domains. If 80% of your email list is made up of @yahoo.com
email addresses, there's probably an issue.
This was how I first discovered that my website was vulnerable to spam.
Check your data and see if anything stands out. I'm betting something will.
2. Similar or Repeat Content
Another clear indicator of spam can be duplicate content or similar repeated submissions.
Bots are programmed to fill out forms. They aren't people, and the programmers behind them aren't going to be able to code up a unique response every time they run a bot against your website. The result of this means as a bot runs against your form repeatedly, it's probably going to submit the same or at least very similar content each time it runs.
Look at your form submissions for similarities or patterns.
If you find any, this is a good indication of bot submissions instead of genuine website visitors.
3. Measure Page Interaction
You should consider setting up an analytics tool to measure how users interact with your website.
BOUNCE RATES
At the very least consider something like Google Analytics. It can measure bounce rates and session durations which are key indicators of how visitors are interacting with your webiste.
You can cross reference this data with the form submissions you are getting. If your site got 100 submissions last month, but the average session duration was 0 seconds and your bounce rate was 98%...
I hate to break it to you, but bots definitely submitted those forms.
Bots won't interact with your website the same way users do.
They will skip to your form and immediately fill it out. No scrolling around or clicking through multiple pages as a normal user would. You will see this impact your bounce rate, since bots will always bounce and normal users might not.
SESSION DURATIONS
Your session duration will be the clearest indicator though.
A regular user will likely take at least a few seconds to read the page and understand if it has the content they are looking for. But a bot will programmatically scan the page for the input form, fill it out, and leave in a fraction of a second.
If you suspect you are getting bot submissions, you can take a look at your session durations to easily confirm this.
TRAFFIC SPIKES BY COUNTRY
Last but not least, one of the clearest indicators of bots using your website is the resulting spike in traffic.
A number of bots visit my websites every day and these visits are sometimes counted in my traffic metrics. The good thing is, most of the time my traffic is pretty stable. Every so often there will be a massive spike where I get 2x or more traffic for an unknown reason.
This seems like a good thing but when you dig into your analytics you might find that it's less than ideal.
My websites are all in English, so when I get massive spikes in traffic from Russia, China, or other non-English speaking countries, it is intriguing.
Though there definitely are valid reasons for unexpected traffic, if you suddenly get a surge from a country that typically provides very little traffic, it might be artificial. A surge in traffic in combination with any of the other indicators would be a good reason to conclude that you are dealing with bots and not genuine people.