Skip to main content
Form spam — fake or automated submissions from bots — wastes CRM space, inflates submission counts, and can trigger unwanted automated workflows. HoopAI provides several layers of protection to keep your submission data clean.

Platform-level protection

HoopAI includes baseline spam protection for all forms by default: Cloudflare DDoS protection All form endpoints are served through Cloudflare’s network, which detects and blocks volumetric bot attacks before they reach the form processing layer. This helps prevent high-volume automated submission floods. IP and geographic signals The platform uses multiple security signals — including IP addresses and geographic patterns — to identify submissions that match known bot behavior. Submissions that trigger these signals may be automatically flagged or dropped.

CAPTCHA

Adding a CAPTCHA field is the most direct way to block automated submissions from bots that bypass passive detection. Adding CAPTCHA to a form:
  1. Open the form in the builder.
  2. In the left panel, locate the CAPTCHA field type.
  3. Drag it onto the canvas, typically just above the submit button.
  4. Save the form.
The CAPTCHA displays as a checkbox challenge (“I’m not a robot”) powered by Google reCAPTCHA. Contacts must complete the challenge before the submit button becomes active. For sites with significant bot traffic, CAPTCHA provides a strong barrier because it requires a response that automated scripts cannot easily generate. Note that CAPTCHA challenges may add minor friction for real users, so weigh the trade-off based on your form’s context and audience.

Email and phone validation

Even when a submission passes the CAPTCHA, the submitted email or phone number might be invalid, temporary, or fraudulent. HoopAI allows you to enable validation at the field level: Email validation When enabled, the email field checks that the submitted address matches a valid email format and is not from a known temporary or disposable email service. Submissions with invalid email addresses are rejected and the contact is prompted to enter a valid one. Phone validation Verifies that the submitted phone number is a valid, real number in an acceptable format. This helps filter out placeholder values like “1234567890” that bots often submit. To enable validation, open the field settings for the email or phone field and toggle the validation option.

Geographic and SMS restrictions

HoopAI allows you to restrict which countries can receive SMS messages triggered by form submissions. Certain high-risk countries are restricted by default. For forms where geographic targeting is important — for example, a local service business that should not receive submissions from outside their region — use conditional logic to disqualify submissions from contacts who indicate they are outside your service area.

Honeypot fields

A honeypot is a hidden form field that real users cannot see but bots often fill in. HoopAI’s built-in spam protection includes passive honeypot-style signals as part of its detection layer. Third-party spam protection tools can also be added via custom HTML elements in the form if you need more aggressive honeypot logic.

Rate limiting

HoopAI’s infrastructure limits how many submissions can be processed from a single IP address or session within a short period. This rate limiting is applied at the platform level and does not require any configuration on your part. It is particularly effective against simple looping scripts that attempt the same form repeatedly.

Multi-step forms as a deterrent

Multi-step forms, which require the submitter to navigate through multiple pages before completing a submission, are more resistant to automated submissions than single-page forms. Most simple bots submit directly to the form endpoint without executing the JavaScript required to navigate through pages. If spam is a persistent problem on a short single-page form, consider converting it to a two-step form.

Handling spam that gets through

If spam submissions reach your CRM despite these protections:
  • Review your submissions tab regularly and delete obvious spam contacts
  • Add filters to your workflow trigger — for example, require that the submitted email contains an ”@” symbol and a valid domain, and block the workflow from proceeding if those conditions are not met
  • Use the disqualify lead conditional logic rule to block submissions that match known spam patterns, such as submissions with a phone number containing all zeros or submissions where the message field contains specific keywords
The most effective spam protection combines multiple layers: platform-level Cloudflare protection for volume attacks, CAPTCHA for bot traffic, and field validation to reject invalid contact details. No single layer stops all spam, but combining two or three of these approaches eliminates the vast majority of automated submissions.
Last modified on March 5, 2026