Spammers accessing forms
T
Trevor Brown
We use Highlevel forms and surveys for lead gen for our clients. At some point each client will get these random spam form submissions. The submissions always come from the direct form link. With some testing, I have verified that the direct form link is reported as the submission URL only if it is accessed directly and not on a webpage. So some person or bot is accessing high level forms and making spam submissions. It would be great if high-level could be in some safe guards preventing this.
Log In
A
Andrew Pfund
Surprised this hasn't come up more. Going to repost here to hopefully rekindle this issue.
I recently tried switching to using GHL forms, we had to stop using them because we got swamped with fake form spam submissions from bots.
The GHL captcha option does not stop form spam submissions at all.
Adding to the urgency of this, bots will often use real contact info thats scraped from the web to submit through your GHL forms.
When you end up sending emails and or texts to these contacts, you get a super high complaint and opt out rate. Which causes your deliverability to tank, and can even cause your ability to send texts out turned off.
The chat widget seems to have better spambot protections that aren't present in the web forms. Could that same code be used in the web forms somehow?
Another alternative could be having Cloudflare turnstile be an integration option for all the forms? Where there's an option to disable the forms from being submitted until they pass the turnstile option.
This was also a big issue with Keap that I'm familiar with. Adding more on that issue with hopes that GHL can implement a fix for this as it's the same problem.
The spam bots cache and save your web form link, then they continuously submit spam contact info or real scraped contact info into your web forms. Even if you "unpublish" the form from your site, the spam bots can still access the form is live through the URL they have saved. The only solution once a form was compromised like that was to delete it fully.
The other part needed to stop the bots was to use a 3rd party tool like Spamkill to protect your web forms. This creates multiple fake honeypot fields not viewable on a human's screen. For example a fake "email" field that's 10,000px to the top right of your screen. It masks the real email / phone fields with a unique name. Only bots would fill out the fake email fields that aren't visible to a human visitor.
If any form is submitted with the fake fields, the submission gets blocked and that contact info isn't passed into the CRM since only a bot would do that. There is some other things they do to detect whether a form submission comes from a bot. This form spam has been getting worse for a lot of clients the past two months