Re: Best way to handle spam that comes in from embedded forms?

Shereen_Adel1 · ‎Jan 02, 2023

Does anyone have a recommended way to handle spam that comes in through publicly share/embedded Airtable forms? We've had forms published for over a year that never got spam before and then between Dec 20, 2022 and Dec 23, 2022 we got 49,245 spam submissions. It disrupted our workflow and prompted messages that we are over our limit. It generally feels invasive and pretty horrible. Any tips are welcome!

Bill_French · ‎Jan 02, 2023

My thoughts: read on...

Andres_at_Conne · ‎Jan 04, 2023

Having a question bots can't answer? Or a hidden field that bots will fill out?

Bill_French · ‎Jan 06, 2023

Bots now use AI to answer questions, and they're really getting good at it. They can also ferret out hidden fields using headless browsers - it's an arms race; you cannot win that war in this way. If you have so many bot entries in a database that it reaches the limits of the data table itself, the vendor is the problem, not your form or the bots.

Shereen_Adel1 · ‎Jan 10, 2023

Thank you!!

Ro_ · ‎Aug 09, 2023

I am experiencing the same currently. They keep coming every 5 seconds it's stressful. How do I stop it?

Bill_French · ‎Aug 09, 2023

As I said earlier, Airtable is the problem. It has no defenses against a bot army that has could your form and determined to gain access to your system through relentless probes.

Your only out is to use a third party forms provider who has features that defend against bots.

onar · ‎Oct 11, 2023

If you are using Zapier + Airtable then you could add OOPSpam app in your flow.

An example flow:
New Record Airtable -> OOPSpam -> Insert Record Airtable (or Send Outbound Email).

https://zapier.com/apps/airtable/integrations/email/1208750/spam-check-new-airtable-records-with-oop...

Note: I work at OOPSpam 🙂

Bill_French · ‎Oct 11, 2023

Yep - so, with this approach, if a form attracted ten million bot posts and only one legitimate post, the Airtable instance would have to process ten million and one new records to capture one legitimate record? Wouldn't that pretty much kill the Airtable service?

Furthermore, given a scenario where 100 posts were made to the form and 80 of them were spam. By adding the Zapier process, please tell me how many Airtable API requests would be required to capture the 20 legitimate records?

onar · ‎Oct 11, 2023

So the flow is triggered for each submitted form. In the example flow I linked above, there is only one Airtable API call (New Record) for each submission.

It is true that if you go with New Record -> OOPSpam -> Insert then it will call the Airtable API twice. Now looking back at this, it doesn't make sense to trigger the flow for a new record and then insert it back to Airtable because the record already exists in Airtable. Unless we want to insert/update with some new information like spam score.

We also use Airtable for our contact form. Our flow looks like this (simplified)

Webhook -> OOPSpam (check for spam) -> Only Continue If -> Insert Airtable (1 call for a legitimate record)

So it all depends on the workflow. If there is only one Airtable trigger then it will take 100 calls for 100 submissions. if there is another call (to update/insert a record) then it would take extra 20.

In hypothetical situation where you get 1M bot requests then there should be other measures to prevent this attack like DNS/hosting level security and rate limiting. For most cases this flow will work just fine, considering Airtable API rate limit is 5 requests per second per base.