Deterring Spam Bots

What is a Spam Bot?

A Spam Bot is any submission to a database that is created autonomously by a third party. The more sophisticated the spam bot, the more difficult it is to identify. Typically, spam bots occur in two varieties:

  1. The name of the contact is a string of numbers and letters, such as 58faf52f9e0f1
  2. The name of the contact doesn’t match the email address, such as Bob Smith with an email address of [email protected]

Spam bots ultimately serve to increase spam complaints and can damage sender reputation, as well as trigger Email Compliance flags, shutting down the ability to email.

How do you identify and remove Spam Bots from the database?

1. A quick way to get rid of the 58faf52f9e0f1 spam bot is to do a simple CRM > Contact search for all contacts who have a first name beginning with 5. Note: You may need to spot check the results for any valid contacts who could be included in this list whose email may legitimately start with a 5.

2. The spam bots who have valid names and email addresses have to be identified in other ways.

  • Check for any identifying information on “real” contacts that spam bots would not have. This can include tags, opportunities, orders, or specific field data.
  • Try locating the invalid customers using the following methods: 
    • If you have set up double opt-in, the spam bots will be among the group of unconfirmed email addresses
    • Using the Email Status Search, identify contacts who have never engaged. This will often include the spam bots and contacts who are not interested (both are good to remove for list hygiene).
    • If the Spam Bots came from a web form that is no longer in use, you can use the web form tracking report to identify every contact who recently came through that form
    • You can send a broadcast email to your database with a specific call-to-action to click a link or fill out a form. Return to the list at a later date and remove all contacts who have not completed the call-to-action
    • Follow the steps in the List Hygiene documentation to clean out unengaged, uninterested, and spam contacts.

If these methods aren’t sufficient, you may need to manually sort through your contacts and remove invalid contacts, or wait until one of the above methods becomes feasible.

How do you prevent more Spam Bots from coming through?

Essentially, Spam Bots are pieces of software that scrape the code from web forms, save it externally, and submit data to it via HTTP POST. Luckily, because we can anticipate how the bot works, you can deter current bots and prevent future bots using a few simple methods.

  1. If the web form is already being targeted by Spam Bots:
    • You can make a copy of the form in Infusionsoft, delete the original, and replace it with the copy.
    • This will prevent the Spam Bot from resubmitting to the same form until it collects the new code from wherever the customer has posted it. Note: This is a temporary fix until you deter Spam Bots using the following methods.
  2. Options for deterring Spam Bots:
    • In Infusionsoft, use the double opt-in or email confirmation process for all new contacts. Remove all contacts who do not double opt-in after filling out a form.
    • On all active web forms, from the Settings tab, ensure the box to opt out of Google reCaptcha is unchecked.
    • On active web forms, you could include a question that only a human could get correct, such as “What is the third word of this sentence?”. This would allow you to identify everyone who answered “the” as a valid contact.
    • On active web forms, set up a Spam Bot Honeypot (see below)

A quick note on Google reCaptcha:

Google doesn’t publicize what specifically triggers the reCaptcha, in an effort to make it difficult for bots to work around. However, customers who submit the same form multiple times from the same device will often get the reCaptcha on each submission. This does not mean the contacts of our customer will see the reCaptcha every time. Google has designed the reCaptcha to be very easy on humans.

The Honeypot Method

The Honeypot Method is simply including a field on all forms that a regular person would never fill out. This is done by using hidden fields, and leverages the fact that Spam Bots will often fill out every field on a form, including hidden ones.

To set up a Honeypot you need:

  • A completely unused field (often a custom field)
  • A web form
  • A tag to identify spam submissions
  • An action set


  1. Decide on the unused field that will be used to identify spam submissions (we will refer to it as ‘FillThisIn’)

    1. Pay special attention to contacts already in the database to ensure that no contact has data in that field already

    2. It is often easier to create a new custom field for this purpose. In this case, use a text field

  2. Navigate to CRM > Settings > Action Sets and set up a new action set

    1. The action set should apply a tag that identifies the contact as spam (e.g. Customer -> Spam Contact)

    2. On the action to apply the tag, click the option to “Only run this action set when certain rules are met”

    3. Set up a rule with the following criteria

      1. Rule is true when NONE of the following criteria are met

      2. Based on data from the contact record (select the location of and the specific field we are using to identify spam contacts)

      3. When the contact’s field FillThisIn is empty

    4. Save the action set

  3. Navigate to the campaign builder

    1. On the web form, add a new hidden field for the FillThisIn field

    2. Immediately after the web form, add a sequence that begins with an action set and select the action set created above.

  4. Spam Contacts will now be tagged as soon as they fill out the form. We can use that tag to end campaign processes, omit contacts from lists, and generate lists to be deleted.
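
The honeypot rule and the identification checks described earlier can also be applied in bulk to an exported contact list. The script below is an added example, not Infusionsoft code: the CSV column names and sample rows are constructed, and the "token name" pattern (8 or more hex characters mixing digits and letters) is an assumption modelled on the 58faf52f9e0f1 sample above.

```python
import csv
import io
import re

# Constructed sample export; column names are assumptions, not Infusionsoft's.
SAMPLE_CSV = """FirstName,LastName,Email,FillThisIn,Confirmed
58faf52f9e0f1,58faf52f9e0f1,a@example.com,,no
Bob,Smith,bob.smith@example.com,,yes
5tephanie,Jones,sj@example.com,,yes
Alice,Ng,alice@example.com,http://example.invalid,no
Carl,Diaz,carl@example.com,,no
"""

# Assumed pattern: a name that is only hex characters, 8+ long, with at
# least one digit and one letter. Narrower than "first name begins with 5",
# so a legitimate name that happens to start with 5 is not swept up.
TOKEN_NAME = re.compile(r"^(?=.*\d)(?=.*[a-f])[0-9a-f]{8,}$", re.IGNORECASE)


def classify(row):
    """Return the list of reasons a contact looks like a bot submission."""
    reasons = []
    # Honeypot: a human never sees the hidden field, so any value is a bot.
    if row["FillThisIn"].strip():
        reasons.append("honeypot-filled")
    if TOKEN_NAME.match(row["FirstName"].strip()):
        reasons.append("token-name")
    # Bots are among the unconfirmed contacts, but so are real people.
    if row["Confirmed"].strip().lower() != "yes":
        reasons.append("unconfirmed")
    return reasons


def triage(csv_text):
    """Sort contacts into spam / review / keep buckets by email address."""
    result = {"spam": [], "review": [], "keep": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify(row)
        if "honeypot-filled" in reasons or "token-name" in reasons:
            bucket = "spam"      # strong signal: safe to tag for removal
        elif reasons:
            bucket = "review"    # weak signal only: spot check by hand
        else:
            bucket = "keep"
        result[bucket].append((row["Email"], reasons))
    return result


if __name__ == "__main__":
    for bucket, contacts in triage(SAMPLE_CSV).items():
        print(bucket, contacts)
```

Only the honeypot and token-name signals place a contact in the spam bucket; an unconfirmed opt-in alone sends it to review, matching the advice above to spot check before deleting.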