Koalati is developed for recent browsers, so we highly recommend you use Google Chrome, Firefox, Safari, Opera or Microsoft Edge for an optimal and bug-free experience.

Preventing spam from polluting your online forms

Security and privacy
Published on May 9th, 2020
Preventing spam from polluting your online forms

Automation is at the root of many of the technological improvements that have occurred in the past few years. It has changed most of our lives for the better, by providing us with better tools that are easier to use than ever before. However, automation has also become a great source of pain for many. When used with malicious intent, automation can make our lives a nightmare. If you have a contact form on your website(s), you have most likely experienced some sort of spam because of it.

Every second, there are thousands of robots crawling the Internet and submitting phony and malicious links, files and messages on every online form they can find. Over time, as our defense system against those bots got better, so did their techniques. That leads me to both good news and bad news.

The good news is that there are some very effective form spam prevention techniques out there that you can implement on your websites fairly easily. The bad news is that with all the changes that have happened over the years, it can be quite difficult to find which techniques still work and which ones don't. But don't worry: we're here to help!

In this article, we'll cover 4 of the most popular form spam prevention techniques that are still effective in 2020. Then, we'll tell you how you can easily prevent spam in your forms by using Vermin.js, which is the solution we use here at Koalati. Let's get started.


The idea behind honeypots is simply to add a hidden field to your forms, and to prevent the submission if that field has been filled. Seeing as the field is not visible, your visitors won't input anything into that field. However, most robots will see your honeypot field and fill it automatically with junk like they do with the rest of the form. That should allow you to easily filter those phony submissions.


Almost everyone today knows what a captcha is. Although the first image that comes to mind is those distorted words and numbers that you have to type, Google's ReCaptcha has modernized this to make it smoother on your visitors. Instead, they automatically check all of the browsing data that they have for that visitor and try to detect if it's a robot or a real human. When it can't figure it out, it asks the user to select the images that match certain criteria. Very few bots are clever enough to get past that verification.

Google's ReCaptcha is effective, but it also requires some effort to set up. Additionnally, it takes up space in your interfaces, and often hurts your user's experience - unless they really like finding which parts of an image contain crosswalks or traffic lights.

Submission delay

A submission delay is just what it sounds like. The concept is to add a delay before your visitors can submit a form. It might seem like a terrible idea for your user's experience, but think about it: how often do you load a web page, scroll to a form, fill it and submit it within a single second of the page opening? The answer is most likely zero. Humans don't do that: robots do.

Most spam bots simply load a web page and submit the forms on that page instantly. Adding a delay on page load before the visitors can submit the form prevents those phony submissions from reaching your inbox.

Action switching

This one is the most interesting spam prevention technique in my opinion. The way it works is that you set the action attribute of your forms to a bogus URL. Then, you update the attribute to the real URL once the user starts interacting with the form's inputs (ex.: when the focus event is triggered). This can easily be done in Javascript, and it works in two different ways:

  • The spam bots who don't execute Javascript will submit the form to the wrong URL;
  • The bots that execute Javascript will likely not trigger the events that regular human interactions do, and will therefore submit the form to the wrong URL as well.

Which technique should you use?

Although they are all effective techniques, it's important to note that today's spam bots are much more clever than they used to be. What I mean by that is that there is not a single form spam prevention technique that will work for every bot. What you should do instead is combine multiple techniques in order to cover your bases as much as possible.

Obviously, doing this manually can be a daunting task, especially if you are just starting in the spam prevention field. That's why there are solutions out there that can help you implement most of these techniques without having to do everything yourself.


Vermin.js is an open-source Javascript library that you can add to your websites to eliminate form submission spam in just a few minutes. Right out of the box, it adds the honeypot and submission delay techniques to all of your website's forms. Make a few minor changes to your forms, and it will handle the action switching as well. 

The effectiveness and simplicity of this solution is the reason we decided to use it for Koalati's website. It also has the added bonus of being non-intrusive for your visitors, along with a few other positive aspects that made it the best pick for good user experience.

[Edit] Although our implementation of Vermin.js prevented multiple spam submissions on its own for a long time, we now use it in addition with Google ReCaptcha as we have been the subject of targeted attacks that circumvented Vermin.js' security checks.

Over all, there are tons of possibilities when it comes to spam prevention for online forms. Based on our experience, the number one trick is to use multiple methods in order to defend against as many types of spam bots as possible.

Now that you are equipped with the right techniques and resources, you are all set to get rid of form spam for once and for all. Enjoy your clean inboxes!