ShieldSquare is now Radware Bot Manager
Form spam is the filling out and submission of web forms with irrelevant or fake information, including abusive language, ads, and spam links to malware-laden sites and phishing websites set up by scammers. Most form spam is created by bots which are programmed to find web forms and fill them out. When a form is filled on a website, it is often considered a ‘lead’ from an interested customer or sales prospect. Form fills are generally sent to group email IDs at marketing or sales departments, hence form spam ends up being a waste of time and effort for those teams. When a person clicks on these spam links, they may be susceptible to malware downloads or loss of confidential information. Spam links are also posted by bots to generate traffic to shady sites that generate ad revenue through them.
Programming bots to search for web forms to abuse is quite trivial compared to some of the more malicious activities that fraudsters and cybercriminals program bots to carry out. There exists a whole ecosystem of sites that sell bot programs that can execute activities ranging from the unethical (scraping and spamming) to the outright criminal (such as account takeover, carding and ad fraud). Some of these bot vendors even offer customer support or add-on features to provide specific capabilities for their users to leverage.
Of course, form spam by humans is as old as the Web itself. Spammers have manually targeted websites and submitted forms through them for decades now. It is virtually impossible to block human spammers who can easily solve CAPTCHAs and use other common methods to spam websites.
Millions of Web users log into online forums and discussion boards where virtually any topic imaginable is talked about. When bots post spam comments on these forums, they interfere with real conversations and upset users with unsolicited messages and advertisements. Naturally, this spoils the user experience and leads to lower engagement and traffic on sites with high volumes of spam.
Websites that host classified ads, property listings and job openings are among the biggest targets of form spam. Competitors use bots to regularly spam contact forms on such sites to generate fake leads, which end up irritating advertisers as well as the site’s sales teams who then must comb through all the spam to find real leads. This directly impacts the site’s users who may decide that it’s not worth the expense to advertise listings on the site in question.
Bots that are engaged in spamming also slow down targeted websites and applications, which leads to a frustrating experience for users and lower search engine rankings (since faster loading sites are generally ranked higher by search engine algorithms). Due to high volumes of unchecked bot traffic, webmasters may need to spend money on upgrading infrastructure and bandwidth. Conversely, being able to block spam bots can allow sites to operate efficiently with existing infrastructure.
Another outcome of spam bot traffic is that it skews website analytics and prevents marketers and website managers from getting a clear picture of real traffic to base their strategies on. The fake leads from spam bots end up being a total waste of time and effort for marketing and sales teams.
Web technology has made a few small steps towards cutting down on form spam, but bot developers have also made their bots more human-like to evade detection by conventional security systems. Some web forms have built-in field validation that can help control fake submissions to some extent. This helps automatically reject invalid email IDs and those known to carry out form spam. Google CAPTCHA is increasingly being deployed to validate genuine users during form fills. However, CAPTCHAs can also be solved or bypassed with the help of software tools and browser extensions, and by outsourced teams of remote workers who are paid based on the number of CAPTCHAs they solve. The growing sophistication of bots that are programmed to behave in a human-like manner also makes them harder to detect with conventional validation methodologies.
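The field validation described above, sketched as a server-side check (an added example, not code from the original article or from any product it mentions). The denylist entries, the link threshold and the field names `email` and `message` are assumptions made for illustration; as the paragraph notes, checks like these only stop the simplest submissions.

```python
import re

# Constructed sample data: hypothetical senders already known for form spam.
DENYLISTED_SENDERS = {"promo@bulk-offers.example"}
DENYLISTED_DOMAINS = {"spam-leads.example"}

# Syntax check only: local part, "@", dotted domain ending in a 2+ letter TLD.
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MAX_LINKS = 1  # assumed threshold: a genuine enquiry rarely carries several links


def validate_submission(form):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []

    # Normalise before comparing so case or padding cannot dodge the denylist.
    email = form.get("email", "").strip().lower()
    if not EMAIL_RE.match(email):
        reasons.append("invalid_email")
    else:
        domain = email.rsplit("@", 1)[1]
        if email in DENYLISTED_SENDERS or domain in DENYLISTED_DOMAINS:
            reasons.append("denylisted_sender")

    # Spam links are the usual payload of a bot-filled form.
    links = URL_RE.findall(form.get("message", ""))
    if len(links) > MAX_LINKS:
        reasons.append("too_many_links")

    return reasons


if __name__ == "__main__":
    # Constructed submissions, not real traffic.
    samples = [
        {"email": "jane@customer.example", "message": "Please call me."},
        {"email": "x@spam-leads.example",
         "message": "Deals: http://a.example/1 https://b.example/2"},
    ]
    for sample in samples:
        print(sample["email"], validate_submission(sample) or "accepted")
```

Run the check on the server rather than only in the browser, since a bot that posts directly to the form endpoint never executes client-side validation.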
Currently there is no substitute for a specialized bot management solution when it comes to preventing form spam. Conventional security systems such as WAFs lack the capability to analyze every visitor’s behavior, and are not designed to reliably detect advanced bots that are programmed to exhibit human-like behavior.