How do you block users who are using forms to verify email addresses?

For several weeks, someone is using our InfusionSoft form that we have posted on our web site to signup with email addresses of other people. They always enter the first name as a sequence of numbers that begin with 59a, 59b, or 59c. I have reported this to support and they say there isn’t anything they can do and suggest I go in every few days and deleted these entries. The problem with this is people who have not signed up for our newsletter are getting emails and some are reporting them as spam. Is there no way to block these submissions? Is there a way to put a verification on the First Name field to make sure it doesn’t start with a number?

1 Like

This is actually perfect, when they are using numbers like this. Usually the numbers have a similar commonality, like you listed above.

If you head over to your Admin>Settings>Application section, there is a ‘Form Security’ section, where you can put words/numbers that will trigger a block, when they appear on a form submission. Here is a quick visual of me adding the examples you provided, in my Form Security section. 2017-09-21_1017


Thanks, James. I appreciate your help.


I’ve tried this and I’m still getting spam.

1 Like

I have the new Google spam filter activated on all of my forms. It is not filtering out the person who keeps filling out forms using names that begin with 59a, 59b, 59c, and 59d. Since what you advised before only works for email addresses, we need to find a way to filter out these submissions. They use real email addresses, but bogus names. Some of these people get our welcome email and report it as spam.

1 Like

I’ve added.
And the spam keeps getting through even with the new Captcha forms and all.

1 Like

I’m reaching out to a couple people that are looking into this, to see what I can find out. We have been receiving other matching reports through a couple other channels. I will let you all know what I find out.


Any word on this? The spam is really frustrating.

I have a campaign that I’ve built for my clients that I’ve pushed to the Marketplace (awaiting approval as of 10/13/17). It uses PlusThis, as Infusionsoft core doesn’t allow one of the features we have to use. You can email me if you want me to push to your system, or go to the marketplace and search for “spam” and one the campaign is approved you will see it there (by 4SpotMarketing).


James, any update on this?

Hi Chris,

So I found that our development team is still working on some extended features to try to combat this. The problem is the fact that spam bot technology is a bit relentless, and has figured out ways to circumvent Google’s bot detection, which our forms utilize.

Our teams have been working on ways to add to form security to add to the Google detection we have implemented.

Some of our community members have been coming up with ways to track these via automation. One example that was shared with me was to create a form with a hidden field on it, and then in a campaign, create a sequence that contains a legacy Action Set to run with a conditional rule to apply a tag if the hidden field is empty. This tag would be the goal to get the contact out of vetting sequence and into a followup campaign sequence. This idea would leave any bots in the vetting sequence, due to the fact that the spambot fills out the hidden field, meaning the action set would not be able to run, based on the conditional rule.

Again, we are continuing to try to create some additional layers of security to work with the Google Bot Detection (reCAPTCHA) that we have in place.


Can you block users by IP address instead? This just started happening to us and we notice it has the same 4 IP addresses.

At the moment, you can only white list ip’s. However, if you do then they are the ONLY ip’s that will be allowed.

We’re getting the same troll completing our forms. Maybe someone has already thought about this but - can’t you just secure the name field (first and last) of a form so that ONLY letters can be entered and that IS rejects a form with numbers in the name field?

Only certain fields have specific validation on the form level. Names are treated as general text fields. You may be able to add an html snippet and use javascript to check for validation though.

Formlift’s spam protection is fairly robust if you have a WordPress site. Check out the video tutorial on spam protection.