topic Re: Form Issues in Lead Capture Tools

Why are spam form submissions sent directly to HubSpot?

leemasondesign — Wed, 12 Nov 2025 11:08:56 GMT

I have spam submissions are appearing only in HubSpot and not in my website’s form submission records. These are always fraudulent spam. The form is using the HubSpot WP plugin to forward form submissions. This implies the spam is bypassing my form entirely and being sent directly to HubSpot. ChatGPT suggested this:

Direct API Submissions to HubSpot

If your form forwards data to HubSpot using their API, spammers can send data directly to HubSpot’s API without ever touching your form. This is common if your website uses a public API key or an unprotected HubSpot form endpoint.

Solution: Ensure you’re using server-side authentication (OAuth or Private App Tokens) rather than exposing a public form endpoint.

Email Injection or Spoofing

Some bots can inject spam data into email submission systems or exploit weaknesses in web-to-email forwarding processes. If your form forwards submissions via email to HubSpot, attackers might be sending fake emails that HubSpot processes as real leads.

Solution: Ensure your email-to-HubSpot forwarding method isn’t vulnerable to spoofed submissions.

HubSpot Form Prefill or Tracking Features

•Some bots exploit HubSpot’s tracking scripts and form prefill features to inject spam leads.

• Solution: Disable form prefill and enable strict validation on required fields.

Automated Lead Generation Tools

•Some third-party tools (bad actors) scrape websites and submit automated spam to CRM systems like HubSpot, hoping you’ll engage.

•Solution: Set up blocklists and filtering rules in HubSpot.

-------
Has anyone else had similar issues?

Re: Form Issues

Ben_M — Sat, 01 Mar 2025 13:53:16 GMT

Are you sure you are using the official Hubspot plugin or is there another form plugin that is connecting to Hubspot at play here? The Hubspot plugin doesn't maintain 2 sets of records like you are describing. So when you say you have a separate website log of form submissions from that of Hubspot, that suggests to me there is a form plugin being used that is then sending submissions to Hubspot if you have 2 sets of records which is fine for comparison. Also are you able to share the form so we can take a look at the setup first hand?

Re: Form Issues

leemasondesign — Sat, 01 Mar 2025 16:46:20 GMT

My actual form plugin maintains submissions of all emails that come through
my form. If the message actually came through form - the submission is
logged. If it is not logged and saved on the form it’s self - then the form
was not filled out.

After that - the office HubSpot plugin forwards all form submissions to
HubSpot as well.

The issue is, half the emails in HubSpot - never came through the form at
all. They are being created at the HubSpot end, or somewhere along the API
journey.

Thanks

Re: Form Issues

leemasondesign — Sat, 01 Mar 2025 17:39:09 GMT

https://www.leemasondesign.com/contact/

This is the form

Re: Form Issues

Ben_M — Sun, 02 Mar 2025 13:40:15 GMT

The Hubspot plugin has very little to do with the form submission from the Elementor forms. The Hubspot WP plugin does 2 things, 1 - it adds the HS tracking code to every page of your website, and 2 - it gives you a shortcut to work in Hubspot without leaving your WP site. Despite Elementor's misleading documentation, you are not required to use the Hubspot WP plugin to integrate with their forms, but you are required to at minimum embed the tracking code either through the plugin, directly embedding within your theme or through an integration with something like Google Tag Manager.

When you use a Hubspot form, you can either do a direct embed, repost via the API, or the 3rd case which you are using which is a feature called Non-Hubspot Forms ( https://knowledge.hubspot.com/forms/use-non-hubspot-forms ). Using Hubspot for many years I will be the first to say this is a very unreliable feature and it's functionality explains all that you are seeing. The best way to explain it is to think of a keypad entry system on a home that takes a picture of everyone who attempts to input a 4-digit code to enter the building. The problem with this is that the system watches you enter the 4-digit code and press the submit button, but that's where this security recording stops. It cannot see whether the person was actually granted entry by entering the correct code. In form terms, this means it cannot see if you have validation rules to check for a valid email address, and it cannot see hidden form fields carried by the user.

Unfortunately because of how this feature works, much like a camera watching a keypad, you will always end up with more records in Hubspot than your form capture system and these records will likely be those that can be spam or ones that did not meet your validation criteria. At this point you have a few options. You can continue to utilize the feature understanding this nuance. You can directly embed the Hubspot form utilizing Hubspot's code, although with the free CRM as your post is tagged this means you will have a copyright notice on the form and be limited in functionality. Or you can evaluate other form solutions that integrate directly with Hubspot as opposed to utilizing the non-hubspot forms feature that the elementor integration utilizes.

Re: Form Issues

leemasondesign — Mon, 03 Mar 2025 13:31:20 GMT

Thanks!

All makes sense. Do you think I switched to Gravity Forms and just hooked
into the HubSpot API, that this could solve the problem? (vs using the
HubSpot plugin with Elementor Forms)?

Re: Form Issues

Ben_M — Mon, 03 Mar 2025 23:26:06 GMT

@leemasondesign wrote:
Thanks!

All makes sense. Do you think I switched to Gravity Forms and just hooked
into the HubSpot API, that this could solve the problem? (vs using the
HubSpot plugin with Elementor Forms)?

You could go that route with the gravity forms plugin. That native integration would be better than using the non-hubspot forms feature. I would also recommend turning the non-hubspot forms feature off so it doesn't pick up the gravity forms by accident which it can still do.

Also you will need to ensure that you still embed the hubspot tracking code. Personally speaking I recommend using Google Tag Manager for implementation. It's pretty simple to setup and it can manage all scripts on your webpage as opposed to just hubspot including Google Analytics, Ads, Meta, Linkedin, and more.

Re: Why are spam form submissions sent directly to HubSpot?

CBN — Fri, 14 Nov 2025 14:01:28 GMT

This is a common issue with HubSpot forms.

We need either to upvote & add your use case to the email/confirm email idea I have posted "Forms: Email and Confirm Email fields as one drop in field" here on this post: https://community.hubspot.com/t5/Lead-Capture-Tools/Confirm-email-address-in-a-form/td-p/319853

Or upvote and add your use case to this Idea "Forms - validate form submit by code sent to email" that I posted.

This way a person entering a fraudulent email must have access to get the code. Right now they bypass the control as it is a real person. This way we get a couple of phoney sign ups every day... Waste of time as well as increasing the risk of our email being flagged as spam when the real email is delivered.

Re: Form Issues

CBN — Wed, 12 Nov 2025 10:30:23 GMT

Wait for validation code idea:

https://community.hubspot.com/t5/HubSpot-Ideas/Forms-validate-form-submit-by-code-sent-to-email/idi-p/1222824#M221487