Avoiding Form Spam Submissions
  • 16 Jul 2024


Slate uses submission-rate limiting for forms to prevent abuse, particularly to prevent confirmation emails from being generated by bot submissions.

Emails triggered by the submission of a form are based upon the Form Communications in Slate, and they depend on the values submitted as part of the HTTP POST request from the browser.

Nulling (blanking out) the form values as part of the request results in no email being sent by Slate, because the {sys-email} merge field is blank.

Avoiding Spam Submissions

Completely avoiding these types of form submissions is difficult, since bad actors are constantly adjusting their attacks and developing workarounds to foil existing mitigation features.

However, these simple approaches can help:

Submission condition filter

Place a Submission Condition filter on the form to look for NOT [name like "http" or "?"]

That is, the form can be submitted only when the name contains neither "http" nor "?".

Use generic error messages

The less insight you provide about your countermeasure to the bad actor, the better.

Provide only generic error messages to those caught by this filter. For example, "You are not permitted to submit this form at this time."

Example

On a form, select Edit Form > Edit Conditions.

Select Subquery Filter. Configure the following settings:

  • Name: Not Like 'http' or Not Like '?'.

  • Type: Dependent subquery

  • Aggregate: Formula

  • Formula: @first NOT LIKE '%http%' AND @first NOT LIKE '%?%'

  • Export: Select the form’s name field. Rename the export to first (the formula refers to it as @first).

Select Save.

In the Submission Denied field, enter a generic error message.

Select Save.
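
The submission condition NOT [name like "http" or "?"] can be checked against sample names before it goes on a live form. The following is an added example, not Slate's own code: it assumes SQLite as a stand-in for Slate's formula evaluation, uses constructed names, and evaluates the condition with AND and with OR between the two NOT LIKE tests.

```python
import sqlite3
from contextlib import closing

# Constructed sample values for the form's name field (not real submissions).
SAMPLE_NAMES = [
    "Maria Lopez",
    "http://spam.example/offer",
    "Win a prize?",
    "HTTPS://spam.example/?id=1",
]

# NOT [name like "http" or "?"] is, by De Morgan's law, two NOT LIKE tests
# joined with AND. The OR form is evaluated alongside it for comparison.
FORMULA_AND = "@first NOT LIKE '%http%' AND @first NOT LIKE '%?%'"
FORMULA_OR = "@first NOT LIKE '%http%' OR @first NOT LIKE '%?%'"


def allowed(formula, name):
    """Return True when the formula lets a submission with this name through."""
    # Assumption: SQLite stands in for Slate's formula engine. Its LIKE ignores
    # ASCII case; Slate's matching may differ. @first becomes a bound parameter.
    sql = "SELECT " + formula.replace("@first", ":first")
    with closing(sqlite3.connect(":memory:")) as conn:
        (result,) = conn.execute(sql, {"first": name}).fetchone()
    return bool(result)


def evaluate(names=SAMPLE_NAMES):
    """Return (name, allowed_by_AND, allowed_by_OR) for each sample name."""
    return [(n, allowed(FORMULA_AND, n), allowed(FORMULA_OR, n)) for n in names]


if __name__ == "__main__":
    print(f"{'name':<30}{'AND form':<12}{'OR form'}")
    for name, by_and, by_or in evaluate():
        verdict = lambda ok: "allowed" if ok else "denied"
        print(f"{name:<30}{verdict(by_and):<12}{verdict(by_or)}")
```

Only the AND form denies a name that contains just one of the two patterns; the OR form denies a name only when it contains both.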

Deleting spam records

Assuming that you can filter for known spam person records, you can remove them with a retention policy.

For example, filter on a name like ?, or on a flag or interaction you’ve added to denote spam records.

📖 Further reading

Retention Policy Editor
