propform forms are publicly accessible — and therefore a potential target for spam bots that indiscriminately fill in forms to leave advertisements or flood the database. Here’s what propform does automatically, and what you can add yourself.
Every propform form contains an invisible field that real people cannot see and therefore do not fill in — but bots certainly do, because they fill in everything they find.
What happens: If the honeypot field is filled in when a form is submitted, the process is aborted, the IP address is logged in our spam statistics, and the data does not end up in onOffice.
You don’t need to configure anything — this protection is enabled by default in every form.
When a form is called up, it is provided with an encrypted CSRF token. When the form is submitted, the token is checked for validity — bots that do not access the form normally will fail here.
In addition, the form signature and timestamp are checked to block replay attacks and manipulated submissions.
If you only want to make a form available for a specific period (e.g. a job application or a limited-time offer), you can set an expiry date in the form settings. Once the form has expired, propform displays a corresponding notification page and the form can no longer be submitted.
If your form sends confirmation emails, the spam score of your sender domain is crucial. Emails sent directly from generic domains are more likely to end up in spam folders or be automatically deleted by email providers (see section “Link is deleted by email providers”).
Recommendation: If you frequently experience issues with email delivery or wish to achieve a more professional brand image, set up your own external domain for your forms. For more information, please contact us at hello@propform.io.
In the statistics for your form in your propform account, you can see both regular submissions and blocked spam attempts. If the number of spam submissions is unusually high, please feel free to contact us — we’ll look into it.