Bot detection for form spam


Summary

Bot detection for form spam refers to the methods used to identify and block automated programs (bots) that submit fake or unwanted information through online forms. By separating genuine users from bots, organizations can reduce spam and protect their forms from abuse.

  • Add hidden fields: Create invisible honeypot fields in your forms that only bots will fill, allowing you to easily identify and block automated submissions.
  • Monitor submission speed: Use time-based checks to flag any forms submitted suspiciously quickly, since bots tend to submit much faster than real people.
  • Verify user actions: Incorporate tools like CAPTCHA or single-use verification tokens to confirm a person is interacting with your form, especially for public or high-risk forms.
Summarized by AI based on LinkedIn member posts
  • View profile for John George

    Hacking Voice AI 👨💻

    4,456 followers

    After seeing multiple devs lose hundreds to voice AI form spam, here's a breakdown of effective mitigations by use case:

    For authenticated users:
    ‣ Rate-limit per session and implement temporary account suspension for abuse
    ‣ Escalate unusual activity patterns to manual review/support contact
    ‣ This works because you have persistent identity to enforce consequences

    For anonymous public forms (the harder problem):
    ‣ Use systems that generate single-use verification tokens confirming human interaction
    ‣ Modern reCAPTCHA operates invisibly across pages, analysing comprehensive behavioural profiles: mouse trajectories, keystroke timing, Canvas/WebGL fingerprints, scrolling patterns, device characteristics, and Google account signals
    ‣ When it determines you're human, it issues a time-limited verification token (valid for 2 minutes, single use only)
    ‣ Your API validates this token server-side with Google before processing the request
    ‣ This creates per-request proof-of-humanity without requiring traditional session management

    Universal protections:
    ‣ Hard spending caps and call duration limits
    ‣ IP-based rate limiting and geographic restrictions by country/area code
    ‣ Integration with fraud detection services

    Advanced verification:
    ‣ SMS confirmation to validate phone ownership before calling
    ‣ ⚠️ Critical: This creates SMS bombing attack vectors: apply rate limiting and CAPTCHA protection to SMS endpoints too

    The fundamental vulnerability: Many voice AI implementations expose API credentials directly in browser dev tools. It makes ALL other protections worthless since attackers can bypass your frontend entirely and call APIs directly. The endpoint that triggers the call is the one that must be protected.

    The uncomfortable truth: perfect security for truly open services doesn't exist. You can only make abuse expensive and annoying enough to deter most attackers.

    #VoiceAI #WebSecurity #BotProtection
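
The server-side token check described in the post above, as an added example that is not code from the post. It assumes the reCAPTCHA v3 `siteverify` response fields (`success`, `score`, `action`, `hostname`, `error-codes`); the hostname, action name and score threshold are placeholder assumptions, and the sample responses are constructed.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
EXPECTED_HOSTNAME = "forms.example.org"  # assumption: the site that renders the form
EXPECTED_ACTION = "request_call"         # assumption: action name set by the page
MIN_SCORE = 0.5                          # assumption: tune per form


def fetch_verdict(secret: str, token: str, timeout: float = 5.0) -> dict:
    """POST the client's token to Google; the secret never leaves the server."""
    body = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(VERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)


def accept(verdict: dict) -> tuple:
    """Decide on a parsed siteverify response; anything unexpected fails closed."""
    if verdict.get("success") is not True:
        # An expired or already-used token arrives here as "timeout-or-duplicate".
        codes = verdict.get("error-codes") or ["not_successful"]
        return False, ",".join(codes)
    if verdict.get("hostname") != EXPECTED_HOSTNAME:
        return False, "hostname_mismatch"   # token minted on another site
    if verdict.get("action") != EXPECTED_ACTION:
        return False, "action_mismatch"     # token minted for a different form
    score = verdict.get("score")
    if not isinstance(score, (int, float)) or score < MIN_SCORE:
        return False, "low_score"
    return True, "ok"


# Constructed responses, shaped like siteverify output.
SAMPLE_OK = {"success": True, "score": 0.9, "action": "request_call",
             "hostname": "forms.example.org", "challenge_ts": "2024-01-01T12:00:00Z"}
SAMPLE_REUSED = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_REUSED, {**SAMPLE_OK, "hostname": "other.example"}):
        print(accept(sample))
```

Run `accept(fetch_verdict(...))` inside the endpoint that triggers the call or SMS, before any billable work starts, so a request that skips the frontend is still refused.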

  • View profile for David Hartstein

    Making nonprofit websites easier | Co-Founder @ Wired Impact | Neurodiversity advocate | Social good nerd

    2,499 followers

    Spammy form submissions spiked to 4,530 PER DAY for our nonprofit clients. Here’s how we cut it by 99.8%, giving them back some time (and sanity).

    We’ve always had anti-spam tools in place. But the bots were getting better at slipping through the cracks. So we added two new fields to website forms. Both are hidden from visitors, so they don’t impact the form submission process.

    1. Honeypot
    A honeypot is a hidden field that’s designed solely to bait spam bots into filling it out. Since visitors can’t see it, they’ll never complete it. That way, if this custom honeypot is filled out, we know it was a bot and we can flag it as spam.

    2. Time Trap
    This field checks how much time passed from when the form was loaded to when it was submitted. Spam bots are fast. Humans aren’t. If a form’s submitted in under two seconds, it’s probably not from a real person. If someone somehow does trigger this system, they’ll see a message telling them they were flagged as spam.

    When a submission makes it through these first two checks, it gets routed into the anti-spam systems we previously had in place to make sure it’s clean before hitting our clients’ inboxes.

    Spam wasn’t impacting all of our clients equally. But some were getting hit in waves.

    Thanks to the technical wizardry of the one and only Jonathan Goldford, we're down from 4,530 spammy messages per day to a much more manageable 11! Which means more time for nonprofits to focus on work that moves their mission forward.

  • View profile for Anup Kejriwal

    Our mission: Make a difference in how millions of employees experience work!

    2,141 followers

    From 100+ Spam Submissions to Zero

    We were getting 100+ spam form submissions a day. Then zero.

    Our forms like contact, demo requests, and newsletter signups were getting buried under bot noise. The default reaction is to add CAPTCHA, but we tried something simpler first. A honeypot.

    It is just a hidden field in the form. Bots see it because they parse the HTML. Humans do not because it is hidden with CSS. Bots fill it. Humans never do. If that field has a value, we treat it as a bot and drop the submission silently.

    That is it. Around 15 lines of code, no third party dependency, no extra step for the user. Spam went to zero overnight and has stayed there.

    What I like about this approach is that it does not tax real users. No puzzles, no friction, no prove you are human moment. CAPTCHA makes every user pay the price. A honeypot puts the cost on bots.

    For any public form, this should be the first thing to try. CAPTCHA is the fallback, not the default.
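
The honeypot and time-trap checks described in the two posts above, as an added server-side example that is not code from either post. The field names `website` and `form_token`, the secret and the one-hour expiry are assumptions; the two-second threshold comes from the time-trap post. The load time is HMAC-signed so that a client cannot edit it to pass the timing check.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site secret kept server-side
HONEYPOT = "website"                 # hypothetical hidden field, never shown to people
MIN_FILL_SECONDS = 2                 # threshold quoted in the post above
MAX_FORM_AGE = 3600                  # assumption: tokens older than an hour are refused


def _mac(ts: str) -> str:
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None) -> str:
    """Hidden-field value set when the form is rendered: '<unix ts>.<hmac>'."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(ts)}"


def classify(form: dict, now=None) -> str:
    """Return 'ok', or the reason the submission is treated as automated."""
    now = time.time() if now is None else now
    if form.get(HONEYPOT, "").strip():
        return "honeypot_filled"
    ts, _, mac = form.get("form_token", "").partition(".")
    # Reject a missing, malformed or edited timestamp before trusting it.
    if not (ts.isascii() and ts.isdigit()):
        return "bad_token"
    if not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return "bad_token"
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return "too_fast"
    if elapsed > MAX_FORM_AGE:
        return "expired"
    return "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed render time
    token = issue_form_token(t0)
    samples = [  # constructed submissions
        ({"email": "a@example.org", "website": "", "form_token": token}, t0 + 40),
        ({"email": "b@example.org", "website": "http://spam.example", "form_token": token}, t0 + 40),
        ({"email": "c@example.org", "form_token": token}, t0 + 1),
        ({"email": "d@example.org", "form_token": f"{t0 - 60}.{token.split('.')[1]}"}, t0 + 1),
    ]
    for form, submitted_at in samples:
        print(classify(form, submitted_at))
```

A valid token can be replayed until it expires, so these checks sit in front of rate limiting and the existing spam filters rather than replacing them.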

  • View profile for Vlad Kampov

    Engineering Manager at Netflix | Co-founder mentor.sh | Driving scalable products, tech leadership & mentorship for global engineering community

    9,993 followers

    🚨 We got hit with over 25,000 fake user signups. In just over an hour.

    Last week, mentor.sh experienced a massive wave of bot-driven fake registrations. Turkish-language spam, phishing URLs in usernames, disposable emails - the works. It wasn’t fun. But it was a wake-up call.

    What happened:
    - 25k+ fake accounts created in a short burst
    - Most used throwaway emails like "mail7 . io"
    - Many had phishing links in names, likely for SEO or abuse
    - Our signup route was public, and bots found it

    What saved us (surprisingly): We had just hit our Mailtrap email quota — so no spam emails were actually delivered. A surprising fail-safe.

    What we did:
    - Purged 24k+ accounts
    - Added Cloudflare Turnstile CAPTCHA
    - Blocked disposable domains
    - Rate-limited suspicious traffic
    - Upgraded email infra & alerting

    What we’re doing now:
    - Hardening all auth routes
    - Monitoring spikes in real time
    - Adding anomaly detection
    - Introducing friction for suspicious signups

    Lesson: bots don’t care how big your platform is — just that you have a form exposed. If you’re building something — protect it from day one.

    Read the full postmortem here → https://lnkd.in/dTS78ZSE

  • View profile for Constantine Yurevich

    ✻ Combabulating... Building the AI-native measurement brain for the composable data stack. Marketing decisions deserve analyst-grade answers, not boxed dashboards.

    11,037 followers

    It’s fascinating how many lead-generation businesses are still struggling with spam or bot leads ruining their marketing analytics and ad optimization. Here’s how we solve it at SegmentStream:

    1. Direct CRM Integration: All tracked leads flow straight into Salesforce or HubSpot.
    2. Automatic Pull into SegmentStream: Our platform ingests those leads into the Lead Scoring Engine.
    3. First Layer – LLM Filtering: We use a large language model to automatically filter out test, spam, or bot leads and detect non-existing emails.
    4. Second Layer – Data Enrichment: ZoomInfo/Apollo enrich each lead with company details such as name, industry, and size.
    5. LLM Classifier for Free Text: Our built-in classifier categorizes “free text” fields like Job Title into meaningful, structured categories.
    6. ML-Based Lead Value Prediction: A machine-learning model trained on 1–2 years of CRM conversion and value data predicts both the conversion rate and the expected conversion value for every single lead.
    7. Conversion API Export: Finally, we send these leads—with their predicted value—back to Google Ads and Meta Ads using advanced matching parameters.
    8. Smart Campaign Optimization: All campaigns are set to Maximize Conversion Value or Target ROAS and consolidated across regions, because the predicted value already accounts for lead-quality differences by region.

    This entire workflow is fully automated and runs in under 10 minutes.

    Still bothered by spam or bot leads and lead quality? You might simply be missing the critical piece of software that lets you forget those problems once and for all.

  • View profile for Jackson Dunagan 🤙🏻

    GOD First - Digital Influencer, Speaker, & Founder of Bright Vessel | Bright Plugins | Bright Hosting | Co-host Bright Commerce Podcast | Flawless WordPress management & plugins for eCommerce brands.

    26,762 followers

    Bot traffic can devastate your WooCommerce store's performance, skew analytics, and drain server resources, but the right detection strategies can protect your business.

    Malicious bots account for a significant portion of ecommerce traffic, creating fake accounts, scraping product data, and overwhelming your infrastructure while legitimate customers struggle with slow load times.

    Essential bot protection strategies for WooCommerce:
    • Traffic pattern analysis - Monitor unusual browsing behaviors, rapid page requests, and suspicious user agent strings
    • CAPTCHA implementation - Deploy smart verification systems at critical touchpoints like checkout and account creation
    • Rate limiting controls - Set request frequency limits to prevent overwhelming your server resources
    • Geolocation filtering - Block traffic from high-risk regions where your business doesn't operate
    • Real-time monitoring - Use analytics tools to identify sudden traffic spikes and automated behaviors
    • IP reputation screening - Automatically block known malicious IP addresses and bot networks

    Protecting your WooCommerce store from bots isn't just about security; it's about ensuring genuine customers have the smooth shopping experience they expect.

    Read more about comprehensive bot detection and blocking techniques: https://lnkd.in/ehWwyGwA

    #WooCommerce #EcommerceSecurity #BotProtection #WebSecurity #OnlineRetail

  • View profile for Antoine Vastel, PhD

    Head of Research @ Castle

    4,000 followers

    🤖 What’s a better way to start 2026 than digging into how bot detection actually works?

    Back in October, I published a 2-part Castle series on rolling your own bot detection, without relying on a vendor. The goal was to show the mechanics and tradeoffs, not to sell an off-the-shelf solution. Here’s the full series:

    👉 Part 1: Fingerprinting and JavaScript signals
    https://lnkd.in/ea6gtVYK
    Collect browser signals, obfuscate and encrypt them, and attach them to login requests.

    👉 Part 2: Server-side detection and fingerprint-based rate limiting
    https://lnkd.in/eupmCdyg
    Apply basic heuristics, catch obvious automation, and rate-limit by fingerprint instead of IP.

    This is a proof of concept. Signals can be spoofed. Heuristics need tuning. Real systems need more depth. But if you want to understand what bot detection looks like under the hood, or you’re thinking about build vs buy, this is a solid starting point.

    #botdetection #fraudprevention #infosec #websecurity #fingerprinting

  • View profile for Brunda Gupta

    Digital Marketing Manager at Naghavi Financial Services Private Limited

    10,406 followers

    In the digital arena, the battle against bot traffic is constant. Bots, automated programs designed to perform tasks online, pose a significant threat to website integrity and security. However, various technologies are now available to identify and combat this menace. Let's explore some of these essential tools:

    Machine Learning Algorithms: These algorithms analyze data patterns to identify anomalies indicative of bot activity, continuously adapting to new tactics.
    Behavioral Analysis: By scrutinizing user interactions, behavioral analysis detects deviations that betray bot behavior, such as unusual navigation or mouse movements.
    CAPTCHA Challenges: CAPTCHA tests present puzzles that bots struggle to solve, effectively filtering out non-human traffic.
    Device Fingerprinting: Every device leaves a unique digital fingerprint, allowing websites to differentiate between legitimate users and bots based on attributes like IP address and browser type.
    IP Address Filtering: Websites maintain lists of known bot IP addresses and block access from these sources, bolstered by geolocation data to identify suspicious regions.
    Honeypots and Trap URLs: Decoy pages attract bots, providing insights into their behavior and helping to refine detection methods.
    Browser Validation Techniques: By examining HTTP headers and browser attributes, validation techniques identify inconsistencies that may indicate bot activity.
    Real-Time Monitoring and Alerts: Systems continuously analyze traffic for suspicious patterns, issuing alerts for immediate action against potential bot attacks.
    Integration with Threat Intelligence Feeds: Websites leverage up-to-date information about known bot networks and emerging threats to enhance their defenses.
    API Security Solutions: Specialized security measures protect API endpoints from bot-driven attacks, including rate limiting and authentication mechanisms.

    With these advanced technologies, website administrators can effectively identify and mitigate bot traffic, safeguarding their platforms and ensuring a secure online experience for users.

    #BotDetectionTech #DigitalSecurity #AIinCybersecurity #WebsiteDefense
