Spam bots can silently flood your contact list with fake records, damage your sender reputation, and trigger email compliance flags that shut down your ability to send. A spam bot is any automated submission to your database created by third-party software rather than a real person. The faster you identify and remove spam bot contacts — and close the entry point they used — the less damage they cause to your email deliverability and list quality.
This article covers how to recognize spam bot contacts, how to find and remove them from your contact list, and how to prevent new spam bots from entering through your web forms. For ongoing list maintenance, see the List Hygiene documentation.
What a Spam Bot Is and How to Recognize One
A spam bot is a piece of software that automatically submits data to web forms without human involvement. Spam bots scrape the code from your web forms, save the form structure externally, and submit fake contact data through HTTP POST requests. The more sophisticated the bot, the harder the submissions are to identify as fake.
Spam bot contacts typically appear in one of two patterns:
- The contact name is a string of random characters — for example, a first name that looks like 58faf52f9e0f1 instead of a real name.
- The contact name and email address do not match — for example, a contact named Bob Smith with an email address of Alice@gmail.com.
Spam bot contacts that make it into your email list increase spam complaint rates, damage your sender reputation with mailbox providers, and can trigger Email Compliance flags that restrict or shut down your ability to send email. Identifying and removing spam bots promptly and closing the form entry point they used is the fastest way to stop the damage.
How to Find and Remove Spam Bot Contacts
There are two categories of spam bot contacts — those with obviously fake names and those that look like real contacts. Each requires a different identification method.
Finding Spam Bots with Obvious Fake Names
If spam bot contacts have names that are strings of characters starting with a number — such as 58faf52f9e0f1 — the fastest way to find them is to search your contacts for everyone whose first name starts with a number. In your contact search, filter by first name beginning with the number that matches the pattern you are seeing. Review the results to spot-check for any real contacts whose name or email address happens to start with that character before removing them.
Finding Spam Bots with Real-Looking Names
Spam bots that use valid-looking names and email addresses must be identified by comparing them against data that only real contacts would have. Use the following methods to locate and remove them:
- Look for data that only real contacts would have — filter your contacts to find records that have no tags, no orders, no opportunities, and no meaningful field data. Spam bot records typically have nothing attached to them beyond the basic form submission fields.
- Check your double opt-in unconfirmed list — if you have double opt-in enabled, spam bots will appear in the group of contacts who never confirmed their email address. Removing all unconfirmed contacts after a reasonable waiting period is an effective way to purge bots.
- Use the Email Status Search — search for contacts who have never opened or clicked any of your emails. Spam bot contacts will never engage, so contacts with zero engagement are strong candidates for removal. This method also catches disengaged real contacts, which is good for list hygiene regardless.
- Use the web form tracking report — if the spam bots entered through a specific web form that is no longer in use, the web form tracking report shows every contact who submitted that form. Reviewing that list lets you identify and remove the bot submissions in bulk.
- Send a re-engagement broadcast — send an email broadcast to your full contact list with a clear call to action such as clicking a link or completing a form. After an appropriate waiting period, remove all contacts who did not complete the action. Spam bots will never respond, so non-responders are likely bots or disengaged contacts — both are safe to remove.
If none of these methods are sufficient to isolate the spam bot contacts, you may need to manually review your contact list and remove invalid records individually, or wait until one of the above methods becomes practical for your situation.
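The checks in this section can be combined into a single triage pass over an exported contact list before any bulk removal. The Python sketch below is an added example, not part of the original article or the product. The CSV column names, the 14-day waiting period and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from datetime import date

# Constructed sample export; column names are assumptions, not a real CRM schema.
SAMPLE_CSV = """first_name,last_name,email,tags,orders,opens,clicks,confirmed,created
58faf52f9e0f1,58faf52f9e0f1,mark.t@example.com,,0,0,0,no,2024-03-01
Bob,Smith,alice@example.com,,0,0,0,no,2024-03-01
Dana,Lopez,dana.lopez@example.com,customer,2,5,1,yes,2023-11-12
7even,Okafor,7even@example.org,newsletter,0,3,0,yes,2024-01-20
Priya,Nair,pnair@example.net,,0,0,0,no,2024-03-28
"""

def name_in_email(first, last, email):
    """True if either name part appears in the address's local part."""
    local = re.sub(r"[^a-z0-9]", "", email.split("@")[0].lower())
    return any(part and part.lower() in local for part in (first, last))

def triage(row, today, wait_days=14):
    """Return (verdict, reasons) for one contact row."""
    age = (today - date.fromisoformat(row["created"])).days
    odd_name = row["first_name"][:1].isdigit()
    mismatch = not name_in_email(row["first_name"], row["last_name"], row["email"])
    inactive = not row["tags"] and not any(
        int(row[col]) for col in ("orders", "opens", "clicks"))
    stale = row["confirmed"] != "yes" and age >= wait_days
    reasons = [label for flag, label in (
        (odd_name, "first name starts with a digit"),
        (mismatch, "name does not appear in email address"),
        (inactive, "no tags, orders, opens or clicks"),
        (stale, f"unconfirmed after {age} days"),
    ) if flag]
    # A name signal alone is weak (real names can start with a digit), so removal
    # also requires an empty record that stayed unconfirmed past the waiting period.
    if (odd_name or mismatch) and inactive and stale:
        return "remove", reasons
    return ("review" if reasons else "keep"), reasons

def triage_export(csv_text, today):
    """Map each email address in the export to its (verdict, reasons)."""
    return {row["email"]: triage(row, today)
            for row in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for email, (verdict, reasons) in triage_export(SAMPLE_CSV, date(2024, 4, 1)).items():
        print(f"{verdict:7} {email:28} {'; '.join(reasons)}")
```

Records marked "review" carry only one kind of signal, such as a real contact whose name starts with a digit or a new signup still inside the confirmation window, and correspond to the spot-check step described above.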
How to Prevent Spam Bots from Entering Your Forms
Because spam bots work by scraping your form code and submitting data through HTTP POST requests, you can disrupt active bots and deter new ones using the methods below. If a form is currently under active bot attack, start with the temporary fix first, then implement at least one of the deterrent methods to prevent the bots from returning.
Temporary Fix for a Form Currently Under Attack
If spam bots are actively submitting to a specific web form, make a copy of the form in your account, delete the original form, and replace it with the copy. The bots are targeting the original form's unique code — deleting the original invalidates the code they have saved externally. The bots will not be able to resubmit until they scrape and save the new form's code from wherever you have it published. This buys time while you implement a longer-term deterrent.
Long-Term Deterrents
- Enable double opt-in on all web forms — double opt-in requires new contacts to click a confirmation link in an email before they are fully added to your marketable list. Spam bots cannot click confirmation links, so they remain in an unconfirmed state and never enter your active list. Remove all contacts who do not confirm within a set timeframe. This is the most effective long-term protection against spam bots.
- Confirm Google reCaptcha is enabled on all active web forms — in the Settings tab of each active web form, confirm the box to opt out of Google reCaptcha is unchecked. reCaptcha is enabled by default — opting out disables it. Keeping reCaptcha enabled adds an invisible verification layer that blocks most automated bot submissions without requiring real visitors to complete a challenge.
How Google reCaptcha works: Google does not publish exactly what triggers the reCaptcha challenge, which makes it harder for bots to work around. Contacts who submit the same form multiple times from the same device will often see the reCaptcha challenge on repeated submissions. Real first-time visitors typically will not see any challenge at all — Google has designed reCaptcha to be invisible to humans in most cases.
- Add a human-verification question to your web forms — include a custom field on the form that only a real person could answer correctly. For example, add a question such as "What is the third word in this sentence?" and verify that submissions include the correct answer. Contact records with incorrect or blank answers to the verification question can be identified and removed. This method works independently of reCaptcha and provides an additional layer of protection.