Webflow announced some new anti-SPAM features in development as part of the 2024 Webflow Conf.
Since early 2023, the Webflow platform has been the target of several SPAM-bots, which found a way to bypass sites entirely and go directly to the Webflow form submission handler.
Besides the SPAM, this attack vector comes with some interesting downsides for the community:
- From what we've seen, reCAPTCHA can't help much here, since the site is bypassed
- SPAM will continue even if you delete the form entirely
- Clients receiving the SPAM notifications are more likely to click unsubscribe, which means they no longer get any of their form notifications
- The only way to stop SPAM notifications is to stop all notifications by removing the notification email addresses from the site's form settings entirely
Webflow has been working on this problem since then; however, it has led to:
- Less spam, but certainly not gone
- Unreliability in the form handler: sometimes it appears to stop capturing results, perhaps due to false-positive detections
Solutions
Webflow Bot Protection
In Oct-2024, Webflow added some additional protection in the form of bot protection via a client-side Turnstile integration. This is still settling in, and facing some teething problems.
https://help.webflow.com/hc/en-us/articles/34277758554771-Prevent-spam-in-form-submissions
Use a 3rd party form handler
In a Webflow form, when you change the action setting, Webflow disables its in-built form handler and the form content can be posted to your own handler destination.
When you use this in combination with JavaScript or SA5's Form Webhook Handler library, you get:
- Neatly JSON packaged form contents for submission to a webhook
- Support for the Webflow form success and error messages
- The ability to return data from your webhook, such as order confirmation numbers, or error messages, and display them
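The custom-handler flow described above, as an added example (not SA5's library or Webflow's code): it packages the form as JSON, posts it to a webhook, and shows the form's success or error block with any returned message. The webhook URL, the `data-webhook` attribute and the `{ message }` reply shape are assumptions, and `.w-form-done` / `.w-form-fail` are assumed to be the success and error blocks in the published form markup.

```javascript
// Added example, not SA5 or Webflow code. WEBHOOK_URL and data-webhook are
// placeholders; the { message } reply shape is an assumption about your webhook.
const WEBHOOK_URL = "https://example.com/your-webhook";

// Turn FormData (any iterable of [name, value] pairs) into a plain object.
// Repeated names (checkbox groups, multi-selects) become arrays.
function entriesToJson(entries) {
  const out = Object.create(null); // no prototype, so odd field names are safe
  for (const [name, value] of entries) {
    if (typeof value !== "string") continue; // skip file inputs
    if (!(name in out)) out[name] = value;
    else if (Array.isArray(out[name])) out[name].push(value);
    else out[name] = [out[name], value];
  }
  return out;
}

// POST the JSON and normalise the reply to { ok, message }.
async function postJson(url, payload, fetchImpl = fetch) {
  try {
    const res = await fetchImpl(url, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(payload),
    });
    const data = await res.json().catch(() => ({}));
    const message = data && typeof data.message === "string" ? data.message : "";
    return { ok: res.ok, message };
  } catch (err) {
    return { ok: false, message: "" }; // network failure or blocked request
  }
}

// Wire one form: stop the native submit, post JSON, then show Webflow's own
// success or error block with any message the webhook returned.
function attach(form, url = WEBHOOK_URL) {
  const wrap = form.parentElement; // Webflow's form wrapper
  form.addEventListener("submit", async (e) => {
    e.preventDefault();
    const { ok, message } = await postJson(url, entriesToJson(new FormData(form)));
    const target = wrap.querySelector(ok ? ".w-form-done" : ".w-form-fail");
    if (message) target.textContent = message; // text only, never innerHTML
    if (ok) form.style.display = "none";
    target.style.display = "block";
  });
}

if (typeof document !== "undefined") { // browser only
  document.querySelectorAll("form[data-webhook]").forEach((f) => attach(f));
}
```

A cross-origin webhook must answer the CORS preflight that the JSON content type triggers. The endpoint URL is visible in the page source, so spam filtering still has to happen on the handler side.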
The Basin Form Handler
Sygnal exclusively uses Basin for our form handlers. It's incredibly reliable, easy to implement, customizable, and has phenomenal SPAM handling.
If you want to use it, Sygnal has a full Basin integration guide.
Besides the general "custom form handler" benefits above, here's what our Basin setup provides:
- Replaces the Webflow default form handler with our own custom one
- Submissions go to Basin directly
- Basin does best-in-class SPAM detection, and when it identifies SPAM, it puts that message in a special folder you can review rather than deleting it. While we've never once seen a false-positive detection, the peace of mind knowing that it's not deleting submissions is excellent.
Basin's email notifications:
- Can be styled, branded, and customized
- Can be sent to the form submitter as well, for GDPR compliance
- Do not have an unsubscribe link, which means no more unsubscribe problems
Robert Simmons offers more detail and discussion of the spam problem here, plus
https://www.reddit.com/r/webflow/comments/12dpo0h/avoid_webflows_default_forms_at_all_costs_a/
Formspark + Botpoison
Mike Pecha has an excellent video tutorial here:
https://www.youtube.com/watch?v=C80hhcwPX3o&ab_channel=MikePecha
Cookie Consent + Form Submission
David Proler recommended a cookie consent approach using Termageddon. I haven't investigated how it works, but my guess is that the cookie consent must be accepted before a form can be submitted. Since bots don't do that, they can't submit forms.
It's not clear to me how that helps with a gateway attack, but David's walkthrough is here:
https://www.facebook.com/groups/webflowdesigners/posts/1913625682483429/
Postmark
Also in relation to email spam solutions, Nicolás Ordaz recommends Postmark.
...consider using https://postmarkapp.com. This service allows you to create your own domain for all customer forms and assign them an email account. Alternatively, you can set up a domain for each client with their email account. For example, you can purchase .email domains, which are very cheap. Postmark is secure, fast and easy to use, and you can set up DMARC