Webflow Forms

Minimizing Form Submission SPAM


Since early 2023, the Webflow platform has been the target of several SPAM-bots, which found a way to bypass sites entirely and go directly to the Webflow form submission handler.

Besides the SPAM itself, this attack vector comes with some interesting downsides for the community:

  • From what we've seen, reCAPTCHA can't help much here, since the site is bypassed
  • SPAM will continue even if you delete the form entirely
  • Clients receiving the SPAM notifications are more likely to click unsubscribe, which means they no longer get any of their form notifications
  • The only way to stop SPAM notifications is to stop all notifications by removing the notification email addresses from the site's form settings entirely

Webflow has been working on this problem since then; however, it has led to:

  • Less spam, but certainly not gone
  • Unreliability in the form handler: sometimes it appears to stop capturing results, perhaps due to false-positive detections

Solutions

Use a 3rd party form handler

When you change a Webflow form's action setting, Webflow disables its built-in form handler, and the form content can be posted to your own handler destination.

When you use this in combination with JavaScript or SA5's Form Webhook Handler library, you get:

  • Neatly JSON packaged form contents for submission to a webhook
  • Support for the Webflow form success and error messages
  • The ability to return data from your webhook, such as order confirmation numbers, or error messages, and display them
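The flow described above, sketched as an added example (not Sygnal's, SA5's or Webflow's code): the form fields are packaged as JSON, posted to the URL in the form's action, and Webflow's own success and error blocks are toggled from the response. The function names, the data-webhook attribute and the "message" field in the webhook response are assumptions.

```javascript
// Added example. packageForm, postToWebhook, wire and the data-webhook
// attribute are hypothetical names, not Webflow or SA5 APIs.

// Convert [name, value] pairs (e.g. new FormData(form)) into a JSON-ready
// object. Repeated names (checkbox groups, multi-selects) become arrays.
function packageForm(entries) {
  const out = Object.create(null); // no prototype: a field named "__proto__" stays plain data
  for (const [name, value] of entries) {
    if (typeof value !== "string") continue; // File entries need a separate upload path
    out[name] = name in out ? [].concat(out[name], value) : value;
  }
  return out;
}

// POST the payload as JSON; report success plus whatever the webhook returned.
async function postToWebhook(url, payload, fetchImpl = fetch) {
  try {
    const res = await fetchImpl(url, {
      method: "POST",
      headers: { "Content-Type": "application/json", Accept: "application/json" },
      body: JSON.stringify(payload),
    });
    const data = (await res.json().catch(() => null)) || {};
    return { ok: res.ok, data };
  } catch (err) {
    return { ok: false, data: { message: "Network error, please try again." } };
  }
}

// Browser wiring: reuse Webflow's own success/error blocks inside the .w-form wrapper.
function wire(form) {
  const wrapper = form.closest(".w-form");
  const done = wrapper.querySelector(".w-form-done");
  const fail = wrapper.querySelector(".w-form-fail");
  form.addEventListener("submit", async (event) => {
    event.preventDefault();
    const { ok, data } = await postToWebhook(form.action, packageForm(new FormData(form)));
    form.style.display = ok ? "none" : "";
    done.style.display = ok ? "block" : "none";
    fail.style.display = ok ? "none" : "block";
    // textContent, not innerHTML: webhook-returned text is never parsed as markup.
    if (typeof data.message === "string") (ok ? done : fail).textContent = data.message;
  });
}
if (typeof document !== "undefined") {
  document.querySelectorAll("form[data-webhook]").forEach(wire);
}
```

Because the submission handler can be reached without ever loading the page, this script is presentation only; any filtering of submissions still has to happen in the handler that receives the POST.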

The Basin Form Handler

Sygnal exclusively uses Basin for our form handlers. It's incredibly reliable, easy to implement, customizable, and has phenomenal SPAM handling.
If you want to use it, Sygnal has a full Basin integration guide.

Besides the general "custom form handler" benefits above, here's what our Basin setup provides:

  • Replaces the Webflow default form handler with our own custom one
  • Submissions go to Basin directly
  • Basin does best-in-class SPAM detection, and when it identifies SPAM, it puts that message in a special folder you can review rather than deleting it. While we've never once seen a false-positive detection, the peace of mind of knowing that it's not deleting submissions is excellent.

Basin's email notifications:

  • Can be styled, branded, and customized
  • Can be sent to the form submitter as well, for GDPR compliance
  • Do not have an unsubscribe link, which means no more unsubscribe problems

Robert Simmons offers more detail and discussion of the spam problem here, plus

https://www.reddit.com/r/webflow/comments/12dpo0h/avoid_webflows_default_forms_at_all_costs_a/

Cookie Consent + Form Submission

David Proler recommended a cookie consent approach using Termageddon. I haven't investigated how it works, but my guess is that the cookie consent must be accepted before a form can be submitted. Since bots don't do that, they can't submit forms.

It's not clear to me how that helps with a gateway attack, but David's walkthrough is here:

https://www.facebook.com/groups/webflowdesigners/posts/1913625682483429/

Postmark

Also in relation to email spam solutions, Nicolás Ordaz recommends Postmark.

...consider using https://postmarkapp.com. This service allows you to create your own domain for all customer forms and assign them an email account. Alternatively, you can set up a domain for each client with their email account. For example, you can purchase .email domains, which are very cheap. Postmark is secure, fast and easy to use, and you can set up DMARC
