FAQ: Spam form submissions
April 28, 2025

Spam form submissions by automated AI bots are becoming a growing challenge for businesses online — and WebMD Ignite is actively monitoring this trend. To keep you informed, we’ve created this FAQ with answers to common questions and the protective measures we're putting in place.
Overview
What is happening?
- Recent reports show that up to 80-90% of form submissions on some websites are spam, driven by a surge in automated bot activity. (Note: This rise is affecting all internet forms, not just those WebMD Ignite engages with.)
- Businesses are facing increased costs from spam, including server strain, manual review time, and degraded user experience, with estimated annual global losses in the millions.
Why is it happening?
- Modern spam bots are sophisticated, using advanced techniques that make detection harder. These include headless browsers, IP rotation, and AI inputs that mimic human behavior.
- Bots are targeting web forms to carry out attacks like phishing, data theft, or injecting malicious links. These exploit vulnerabilities in poorly secured forms.
- Bots evolve and adapt to countermeasures like CAPTCHA, using machine learning or human workers to solve security challenges.
How is it happening?
Spam bots are automated programs designed to interact with web forms at scale. Here’s how they typically operate:
- Discovery: Bots crawl websites or use custom scripts to identify forms, targeting those with weak or no anti-spam measures.
- Execution: Bots simulate human interactions by filling fields with randomized or stolen data. They may also rotate IPs to avoid detection.
- Input: Bots generate realistic-looking entries — names, emails, or comments — using databases or AI models. Some inject malicious content, like phishing links.
- Bypassing defenses: Advanced bots solve CAPTCHAs using image recognition, or by mimicking mouse movements and typing patterns.
- Submission and scaling: Bots submit forms en masse, often across thousands of sites at once, using distributed networks or cloud services to amplify reach.
Impact
How can I tell if my Ignite Growth Platform forms are affected by this?
- Unusual spike in lead volume: If you’ve noticed a sudden uptick in leads generated by your campaign — without any major changes like introducing a new marketing channel — spam bots may be the culprit.
- Issues after submission: If the individuals you follow up with say they didn’t fill out a form, their data may have been used by the bot for a fake submission.
What is the impact on Ignite Growth Platform itself?
- Increase in lead counts: The counts may be higher than expected, but ROI will remain accurate since bots cannot generate downstream revenue within your system.
- Increase in audience sizes: If you build audiences using basic criteria, you may see a jump in size. This is due to spam submissions being mastered into Ignite Growth Platform, as they are treated as net new leads.
Actions
Can WebMD Ignite delete these spam leads from my submission list or Ignite Growth Platform?
Unfortunately, no. Since the submitted demographic data looks like a real person’s information, we can’t distinguish which leads are real vs. spam. Rest assured, though, we're working to put measures in place to stop the bots from submitting form data and entering your platform. See the next question for more details.
What should be done to prevent spam submissions?
- Client-owned forms: Please work with your IT or form vendor to use their spam protections.
- WebMD Ignite-managed forms (e.g., DXE landing pages): We’ll be implementing two key protective measures:
  - Honeypots: A hidden field on the form that humans can’t populate, but bots might because they only look at the code. If that field gets populated, we can definitively say it was a bot submission.
  - Time validations: Delaying the time it takes to submit a form; if bots can't submit quickly, they'll move on to the next site.
Note: These solutions are in testing and expected to be available by early May. Your Account Manager will notify you once they’re ready.
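The two measures described above, written as a server-side check. This is an added example, not WebMD Ignite's implementation; the honeypot field name `website_url`, the `form_token` field, the 3-second and 1-hour thresholds, and the HMAC-signed render timestamp are all assumptions.

```python
import hashlib
import hmac
import time

# Assumptions for this example (not from the original page):
SECRET_KEY = b"replace-with-a-random-server-side-secret"  # placeholder value
HONEYPOT_FIELD = "website_url"   # hidden with CSS; a human never fills it
MIN_FILL_SECONDS = 3             # faster than this is treated as automated
MAX_FORM_AGE_SECONDS = 3600      # stale tokens are rejected to limit replay


def _sign(ts: str) -> str:
    """MAC over the render timestamp so the client cannot backdate it."""
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None) -> str:
    """Called when the form is rendered; the value goes in a hidden field."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(fields: dict, now=None) -> tuple:
    """Return (accepted, reason) for a submitted form."""
    now = time.time() if now is None else now

    # Honeypot: any value in the hidden field marks the submission as a bot.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"

    # Time validation needs an authentic render time, so verify the MAC first.
    ts, _, mac = fields.get("form_token", "").partition(".")
    if not ts.isdigit() or not hmac.compare_digest(
        mac.encode(), _sign(ts).encode()
    ):
        return False, "bad_token"

    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return False, "too_fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return False, "token_expired"
    return True, "ok"
```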
Can we use technologies like reCAPTCHA?
It depends on your organization's compliance standards. reCAPTCHA is owned by Google, and in the validation process, they may receive PHI/PII if reCAPTCHA is used. This can be an issue due to recent HHS guidance that non-covered entities should not be receiving PHI/PII. Currently, there is no data governance available for this tool.
What if I have additional questions?
Just reach out to your Account Manager or submit a support ticket via the Help Center. We’ll also continue to update this page with more information, so be sure to bookmark and check back.