Slate uses submission-rate limiting for forms to prevent abuse, particularly to prevent confirmation emails from being generated by bot submissions. This method catches most fraudulent submission attempts, but some attempts can still bypass those protections.
Spam bots often target Slate forms by submitting entries with URLs that contain http or query strings that contain ? in name fields. These patterns rarely appear in legitimate submissions. Use submission conditions to block these submissions, and use retention policies to remove spam records that get through.
Blocking spam with submission conditions
📝 Note
Completely eliminating spam submissions is difficult because bad actors continuously adapt their methods. These filters reduce exposure, but might not catch every case.
Add a submission condition filter to your form to deny entries from anyone whose name contains http or ?.
On a form, select Edit Form → Edit Conditions.
Select Subquery Filter and configure the following settings:
Name: Not Like 'http' or Not Like '?'
Type: Dependent subquery
Aggregate: Formula
Formula: @first NOT LIKE '%http%' or @first NOT LIKE '%?%'
Export: Select the form's name field. Rename the export first.
Select Save.
In the Submission Denied field, enter a generic error message, such as "You are not permitted to submit this form at this time." Avoid specific language that reveals your filter logic to bad actors.
Select Save.
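The two NOT LIKE conditions from the formula step can be checked against sample name values before relying on them. This is an added example, not Slate's own code: it evaluates the conditions in SQLite (an assumption standing in for Slate's database, with :first in place of the @first export) over constructed names. It shows that both conditions must hold for a name to pass; joined with OR in a single formula, only names containing both http and ? are denied.

```python
import sqlite3

# The two conditions from the formula step. SQLite's :first stands in for
# Slate's @first export. In LIKE, % is the wildcard and ? is a literal.
NO_HTTP = ":first NOT LIKE '%http%'"
NO_QMARK = ":first NOT LIKE '%?%'"

# Both conditions enforced (two separate filters, or one formula with AND).
BOTH = f"({NO_HTTP}) AND ({NO_QMARK})"
# Joined with OR in one formula: true unless the name has http AND ?.
EITHER = f"({NO_HTTP}) OR ({NO_QMARK})"

# Constructed sample values for the name field (not real submissions).
SAMPLES = [
    "Maria",
    "O'Brien",
    "Visit http://example.test",
    "HTTPS://example.test/offer",
    "example.test/?id=1",
    "http://example.test/?id=1",
]

_DB = sqlite3.connect(":memory:")

def allowed(formula, name):
    """True when the condition is met. Assumption: a met condition means
    the form accepts the submission, an unmet one shows Submission Denied."""
    # SQLite LIKE ignores ASCII case; Slate's case handling is assumed similar.
    row = _DB.execute(f"SELECT {formula}", {"first": name}).fetchone()
    return bool(row[0])

def denied_names(formula):
    """Sample names that the given condition would reject."""
    return [n for n in SAMPLES if not allowed(formula, n)]

if __name__ == "__main__":
    for label, formula in (("AND", BOTH), ("OR", EITHER)):
        print(f"{label} denies: {denied_names(formula)}")
```

Running it lists the names each variant rejects, which makes it easy to add your own legitimate edge cases to SAMPLES and confirm they still pass.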
Deleting spam records
If spam records make it through, use a retention policy to remove them in bulk.
Filter for known spam patterns, such as records where the name contains ?, or records where you added a flag or interaction to mark the record as spam. Then configure a retention policy to delete matching records.