Mautic spam prevention

February 7, 2022 

Mautic is a widely used open source email marketing automation application written in PHP. Email marketing is typically used in conjunction with inbound marketing done by asking people to give their email address in exchange for something, like a free ebook or a newsletter with good content. As you're asking for the email address on a publicly facing webpage, spambots will find your form, and start misusing it to send your "Welcome" emails all over the place. This in turn may result in lots of bounces and/or complaints, which may get you locked out from your email service provider unless you pay attention. So, you need a way to block or fool those spam bots to prevent such issues, and to keep the Mautic database clean.

One way to reduce the number of bot submissions is to use a CAPTCHA, which Mautic supports out of the box. There is some evidence that CAPTCHAs negatively impact conversions, that is, fewer real people fill in your email submission form. This makes sense as CAPTCHAs are quite difficult nowadays and take a fair amount of time to complete.

Another, less invasive way is to use a honeypot field in the form that catches bots - at least the stupid and/or non-targeted kind - by surprise and prevents them from misusing your form. There is an official Mautic blog post (linked here) that tells how to add a honeypot to campaign forms. That approach does not work with standalone forms, but fortunately there's another way to do it (idea from here):

  1. Create a custom field of data type "email" but give it a name like "Your phone". Make sure it is not a required field. Also make sure it is of "Contact" type.
  2. Add a new field of type "text area" to your standalone form.
  3. Under "Generic" tab set the label to "Phone".
  4. Under "Generic" tab set "Save result" to "No" (= never save field content to the Mautic database).
  5. Under "Contact field" tab map your custom field ("Your phone").
  6. Under "Validation" tab set "Required" to "No".
  7. Under "Attributes" tab set "Field container attributes" to style=display:none. This hides the field from normal users but leaves it in the HTML source code.

The honeypot works by luring bots into filling the "Phone" field, which is invisible to real people, with phone numbers instead of email addresses. Because the field's data type is "email", that data is invalid and the bot cannot submit the form. As the field is not required, normal people, who can't even see the field, leave it empty and are thus able to submit the form. How well this works in practice remains to be seen.

To ensure that your hidden field is actually working, open your browser's developer console (Ctrl-Shift-C on Firefox), click on your standalone form and check that you can find the "Phone" field in there. Another way is to clear the "Field container attributes" setting and ensure that you can see the field, then add it back to see it disappear again.

Even if you're able to reduce the flow of spam submissions into Mautic with CAPTCHAs and honeypots, you still probably need to clean up those that got through. For campaign forms you can use conditional logic to remove forms submitted by bots. There are at least two ways to accomplish this:

  • Remove submissions where invisible fields were filled (see here)
  • Remove submissions where the visitor never visited any pages (see here)
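The following added example (not Mautic's own code) models the two stages described above: the form-level check where a phone number in the email-typed honeypot fails validation, and the cleanup rules for submissions that got through (invisible field filled, or no page visits). The field alias "your_phone" and the sample submissions are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed model of a Mautic standalone-form submission (not Mautic's own code).
# "your_phone" stands for the hidden custom field of data type "email" labelled
# "Phone" in the steps above; the alias is an assumption.
HONEYPOT = "your_phone"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

@dataclass
class Submission:
    fields: dict
    pages_visited: int = 0  # page hits tracked for this visitor before submitting

def form_accepts(sub):
    """Mimic the form-level check: the honeypot is email-typed and optional, so an
    empty value passes, while a phone number fails validation and the submit is refused."""
    value = sub.fields.get(HONEYPOT, "").strip()
    if value and not EMAIL_RE.match(value):
        return False
    return bool(EMAIL_RE.match(sub.fields.get("email", "").strip()))

def should_purge(sub):
    """Cleanup rules for submissions that got through: the invisible field holds
    any value (only a bot can fill it), or the visitor never loaded a page."""
    if sub.fields.get(HONEYPOT, "").strip():
        return True
    return sub.pages_visited == 0

def triage(submissions):
    """Return the submissions to keep, applying form validation and then cleanup."""
    return [s for s in submissions if form_accepts(s) and not should_purge(s)]

# Constructed sample submissions
SAMPLES = [
    Submission({"email": "alice@example.com"}, pages_visited=3),           # real visitor
    Submission({"email": "bot@example.net", HONEYPOT: "+1 555 0100"}, 0),  # phone in honeypot
    Submission({"email": "bot2@example.net", HONEYPOT: "x@y.org"}, 0),     # valid email in honeypot
    Submission({"email": "bot3@example.net"}, pages_visited=0),            # posted directly, no page view
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.fields["email"], "accepted" if form_accepts(s) else "rejected",
              "purge" if should_purge(s) else "keep")
```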

Another thing to do is to handle bounces from real and invalid email addresses or your outbound email provider will eventually block you. In fact, SMTP providers like Amazon SES require you to have a plan for handling bounces and complaints or they won't let you out of the development sandbox.

This article will be updated with more information as we work our way through this annoying but necessary step in Mautic configuration.

Samuli Seppänen