Spam still getting through

Hi All

I did a search regarding spam and I tried a block, but the spam is still getting through. Is there anything else I can do to help this?


Hi John,

This is a great solution, mentioned in other threads, that I implemented (with a slight code adjustment to suit my needs) and it currently blocks 100% of the dreaded 5xxxx spam bots. Who knows for how long till they adjust their attack script.



Hi Alastair

Thanks for your response.
It does not work for me - The Landing Page is hosted inside of Infusionsoft. Could that be the reason I don’t see a value as well?


Hi John,

Have private messaged you an example of a live web form.

The way I modified the code from the example video is as follows. Instead of capturing a hidden email field I simply set a _Flag (custom Infusionsoft field) value to a default of “Yes”. Maybe capturing a hidden bot filled email field is a more robust solution as per the video solution?

<input name="inf_custom_Flag" id="_Flag" type="hidden" value="Yes" />

Created a _HiddenCheckbox form field (as per the video).

<input id="inf_option_HiddenCheckbox" name="inf_option_HiddenCheckbox" type="checkbox" value="" />

My modified JavaScript sets the _Flag value from the default “Yes” to “No” automatically if JavaScript is turned on and sets the _HiddenCheckbox value and property to checked. This checkbox value “123” is a unique number for every campaign form. Both of these value changes can happen ONLY if JavaScript is turned on in the web browser.

This is the essential spam bot filter as the 5xxx spam bot does not process the JavaScript on the form page apparently. Substitute your form name for the value #joinForm.

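<script type="text/javascript">
	// Runs only when JavaScript is enabled: flip _Flag from its default "Yes" to "No".
	jQuery("#_Flag").val("No");
	jQuery("#joinForm").submit(function() {
		if (jQuery("#_Flag").val() == "Yes") {
			return false; // flag still at its default, so block the submission
		}
		// "123" is the per-campaign value; set it and tick the hidden checkbox.
		jQuery("#inf_option_HiddenCheckbox").val("123").prop("checked", true);
		return true;
	});
</script>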

If the _Flag value is “No” and the _HiddenCheckbox is “123” & “Checked” then the form submits. Actually the only required field for form submission (that blocks the 5xxx spam bot) is the _HiddenCheckbox field.

  • The purpose of the _Flag is to test incoming contacts into the campaign. Then based on _Flag value, using a decision diamond,

  • If the _Flag value is “Yes” marking them as a potential spam bot.

  • I am dumping them out of the campaign sequence BEFORE sending them a confirmation (double opt-in email).

This isn’t a perfect spam bot test but I figured it was a useful fallback test if the _HiddenCheckbox filter failed. I don’t get many legitimate form submissions from people who have JavaScript turned off.
There are a few legitimate looking form submissions, with no JS turned on, and you can always manually enter them into the campaign.

I don’t see why you can’t implement these fields into an Infusionsoft hosted web form. The landing page being hosted on Infusionsoft should not affect the form submission filters being put in place, at least I don’t think so.

Hope this helps you, I know this spam bot was nasty, giving rise to many complaints from people whose legitimate emails had been hijacked and to whom we were sending (unsolicited) confirmation emails. We had to stop it or suffer our deliverability and domain reputation being ruined.
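
Added example (not part of the original post and not Infusionsoft code): the two-stage filter described above, written as a server-side check over a posted form body. The field names `inf_custom_Flag` and `inf_option_HiddenCheckbox` and the value "123" come from the post; the verdict labels, the `email` field and the sample bodies are assumptions constructed for illustration.

```javascript
// Per-form checkbox value that the page script sets (from the post).
const CAMPAIGN_TOKEN = "123";

// Classify one urlencoded form body the way the post's campaign does.
function triageSubmission(rawBody) {
  const fields = new URLSearchParams(rawBody);
  const checkbox = fields.get("inf_option_HiddenCheckbox");
  const flag = fields.get("inf_custom_Flag");

  // Browsers do not send unchecked checkboxes, so a missing or wrong value
  // means the page script never ran before the POST.
  if (checkbox !== CAMPAIGN_TOKEN) {
    return { verdict: "reject", reason: "hidden checkbox missing or wrong value" };
  }
  // Fallback test: the flag is still at its non-JavaScript default.
  // Hold the contact before any double opt-in email is sent.
  if (flag !== "No") {
    return { verdict: "quarantine", reason: "flag not switched to No" };
  }
  return { verdict: "accept", reason: "both script-set fields present" };
}

// Count verdicts over a batch, e.g. to watch whether the filter still holds.
function tally(bodies) {
  const counts = { reject: 0, quarantine: 0, accept: 0 };
  for (const body of bodies) counts[triageSubmission(body).verdict] += 1;
  return counts;
}

// Constructed sample submissions (not real traffic).
const SAMPLE_BODIES = [
  "email=bot%40example.com&inf_custom_Flag=Yes",                        // direct POST, no script
  "email=odd%40example.com&inf_custom_Flag=Yes&inf_option_HiddenCheckbox=123",
  "email=jane%40example.com&inf_custom_Flag=No&inf_option_HiddenCheckbox=123",
];

console.log(tally(SAMPLE_BODIES));
```
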


For webforms, SpamKill works with 100% accuracy. Not available for landing pages yet.

Hi John,

You are quite right, the solution offered won’t work with the new Infusionsoft Landing Pages if you are using these pages as a sign-up form (email, first & last name…), for you cannot add the necessary JavaScript behind the scenes.

You get a beautiful user interface but restriction on editing the form code. Sorry I had not looked at these landing pages in detail till today.


Well in that case I’ve got to move the Landing Page since I can’t find anything that works.
Is there a way to move the code over all at once to my website or do I have to rebuild the page ?


Hi John,

I have not used landing pages at all in our environment. Hopefully someone else more educated in this area will offer their advice.

Just thinking off the top of my head and this may be too simple of an answer, I’m not trying to be stupid here… If the landing page is hosted by Infusionsoft, the best way you can examine their code is to bring the landing page up in a web browser and view source.

Then check out the coding and scripts they are using, you may be able to replicate a lot of this code on a locally hosted web page. If you know code (or someone who does) you hopefully will be able to interpret what is going on.

Some of the functionality built-in to landing pages and how they interact within campaigns may be lost, I really don’t know without looking into it but I suspect you will lose connectivity and functionality when locally hosting.

That said you certainly can replicate a form to submit data without a problem.


Hi John,

Another layer of protection against automated spam bot submission is to set a session cookie on your web form and only allow form submission if a cookie is set.

This would require a person (or spam bot) to actually submit the form via the web page, rather than be able to bulk submit using an attack script, not using your web form page code.

The advantage is if they are submitting via your actual page then Google reCAPTCHA can come into play to cut down multiple form submissions. It can’t stop the first one or two but would put the brakes on multiples.

This is just another layer of protection, not one I’ve yet coded but the URL above is the source of the idea. Applying spam bot protection in layers seems to be the best approach.

Anyway just a thought, hope it helps you out moving forward.
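
Added example (not part of the original post, whose author had not coded this): one way to implement the session-cookie gate for a self-hosted form handler in Node.js. The cookie name `form_session`, the 30-minute lifetime and the HMAC-signed value are assumptions; the post only says a cookie must be set before the form is accepted.

```javascript
const crypto = require("crypto");

const SECRET = crypto.randomBytes(32); // assumption: server-side signing key
const COOKIE = "form_session";         // hypothetical cookie name
const MAX_AGE_MS = 30 * 60 * 1000;     // assumption: form stays valid for 30 minutes

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("hex");
}

// Call when serving the form page; the result is the Set-Cookie header value.
function issueFormCookie(now = Date.now()) {
  const payload = `${now}.${crypto.randomBytes(8).toString("hex")}`;
  return `${COOKIE}=${payload}.${sign(payload)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Call in the form handler with the request's Cookie header.
// Returns "ok", or the reason the submission should be refused.
function checkFormCookie(cookieHeader, now = Date.now()) {
  const pair = (cookieHeader || "")
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith(COOKIE + "="));
  if (!pair) return "missing"; // POST sent without ever loading the page

  const parts = pair.slice(COOKIE.length + 1).split(".");
  if (parts.length !== 3) return "malformed";
  const [ts, nonce, mac] = parts;

  // Constant-time comparison so the signature cannot be guessed byte by byte.
  const expected = Buffer.from(sign(`${ts}.${nonce}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "forged";
  }

  const age = now - Number(ts);
  if (!(age >= 0 && age <= MAX_AGE_MS)) return "expired";
  return "ok";
}
```

A client that loads the page first still receives a valid cookie, which is the point made in the post: the gate forces submissions through the real page, where reCAPTCHA and the script-set fields can apply.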