Deterring Spam Bots

Table of Contents:

What is a spam bot?

A Spam Bot is a computer program designed to assist in the sending of spam. It is often a submission to a database that is created autonomously from a third party. The more sophisticated the spam bot, the more difficult it is to identify. Typically, spam bots occur in two varieties:

  1. The name of the contact is a string of numbers and letters, such as 58faf52f9e0f1
  2. The name of the contact doesn’t match the email address, such as Bob Smith with and email address of

Spam bots ultimately serve to increase spam complaints, damage sender reputation, and trigger Email Compliance flags which can shut down the ability to send email.

How do you identify and remove spam bots from the database?

A quick way to get rid of the 58faf52f9e0f1 spam bot is to navigate to CRM > Contact search and search for all contacts who have a first name beginning with 5.  You may need to spot check the results for any valid contacts who could be included in this list.

To remove spam bots with valid names and email addresses, do the following: 

  • To rule out contacts as spam bots, view contact records to see if they contain any identifying information that spam bots would not have, such as tags, opportunities, orders, or specific field data.
  • If you have set up double opt-in, the spam bots will be among the group of unconfirmed email addresses.
  • Use the Email Status Search to identify contacts who have never engaged. This often includes the spam bots and contacts who are not interested (both are good to remove for list hygiene).
  • If the spam bots came from a web form that is no longer in use, use the web form tracking report to identify contacts who recently came through that form.
  • Send a broadcast email to your contacts with a call-to-action to click a link or fill out a form. Return to the list at a later date and remove all contacts who have not completed the call-to-action.
  • Follow the List Hygiene documentation to clean out unengaged, uninterested, and spam contacts.

If these methods aren’t sufficient, you can manually sort through your contacts and remove invalid contacts, or wait until one of the above methods become feasible.

How do you prevent spam bots?

Spam bots scrape code from web forms, save it externally, and submit data to it via HTTP Post. We can anticipate how bots work and deter them using a few simple methods.

If the web form is already being targeted by Spam Bots:

  • Make a copy of the form in Infusionsoft, delete the original, and replace it with the copy. This prevents the spam bot from resubmitting to the same form until it collects the new code from wherever the customer has posted it. This is a temporary fix. See Detering Spam Bots below.

Deterring Spam Bots:

  • In Infusionsoft, use the double opt-in or email confirmation process for all new contacts. Remove all contacts who do not double opt-in after filling out a form.
  • On active web forms, from the Settings tab, ensure the box to opt-out of Google reCaptcha is unchecked.
  • On active web forms, include a question that only a human could answer such as “What is the third word of this sentence”. This would allow them to identify everyone who answers with “the” as a valid contact. 
  • On active web forms, set up a Spam Bot Honeypot (see below)

The Honeypot Method

The Honeypot Method is simply including a field on all forms that a regular person would never fill out. This is done by using hidden fields, and leverages the fact that Spam Bots will often fill out every field on a form, including hidden ones.

To set up a Honeypot you need:

  • A completely unused field (often times a custom field)
  • A web form
  • A tag to identify spam submissions
  • An action set


  1. Decide on the unused field that will be used to identify spam submissions (we will refer to it as ‘FillThisIn’)

    1. Pay special attention to contacts already in the database to ensure that no contact has data in that field already

    2. Often times is is easier to create a new custom field for this purpose - in this case, use a text field

  2. Navigate to CRM > Settings > Action Sets and set up a new action set

    1. The action set should apply a tag that identifies the contact as spam (i.e. Customer -> Spam Contact)

    2. On the action to apply the tag, click the option to “Only run this action set when certain rules are met”

    3. Set up a rule with the following criteria

      1. Rule is true when NONE of the following criteria are met

      2. Based on data from the contact record (select the location of and the specific field we are using to identify spam contacts)

      3. When the contact’s field FillThisIn is empty

    4. Save the action set

  3. Navigate to the campaign builder

    1. On the web form, add a new hidden field for the FillThisIn field

    2. Immediately after the web form, add a sequence that begins with an action set and select the action set created above.

  4. Spam Contacts will now be tagged as soon as they fill out the form. We can use that tag to end campaign processes, omit contacts from lists, and generate lists to be deleted


Was this article helpful?
Thank you for your feedback!