Slate uses submission-rate limiting for forms to prevent abuse, particularly to prevent confirmation emails from being generated by bot submissions. This method catches most fraudulent submission attempts, but some may still be able to bypass those protections.

Spam bots often target Slate forms by submitting entries with URLs (containing http) or query strings (containing ?) in name fields—patterns that rarely appear in legitimate submissions. This article describes how to block these submissions and remove any spam records that get through.

Block spam with submission conditions

📝 Note

Completely eliminating spam submissions is difficult, as bad actors continuously adapt their methods. These filters reduce exposure, but may not catch every case.

Add a submission condition filter to your form to deny entries from anyone whose name contains "http" or "?".

1. On a form, select Edit Form > Edit Conditions.

2. Select Subquery Filter and configure the following settings:

   • Name: Not Like 'http' or Not Like '?'

   • Type: Dependent subquery

   • Aggregate: Formula

   • Formula: @first NOT LIKE '%http%' or @first NOT LIKE '%?%'

   • Export: Select the form's name field. Rename the export first.

3. Select Save.

4. In the Submission Denied field, enter a generic error message—for example, "You are not permitted to submit this form at this time." Avoid specific language that reveals your filter logic to bad actors.

5. Select Save.

Deleting spam records

If spam records make it through, use a retention policy to remove them in bulk.

Filter for known spam patterns—for example, records where the name contains ?, or where you've added a flag or interaction to mark the record as spam. Then configure a retention policy to delete matching records.

📖 Further reading: Retention Policy Editor