Advanced Regex + Server-Side Email Validation to Block Bot Form Submissions

Search Lead Capture Tools for solutions or ask a question
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
MMcLaughlin1

‎Dec 11, 2025 9:09 PM

Member

Hi everyone — looking for guidance and also proposing a product enhancement.

 

We’re seeing a large volume of bot form submissions that follow a very consistent and predictable pattern in the local part of the email address.

The pattern involves repeated substrings, which is simple enough to detect using modern regex — but not possible using HubSpot’s current validation tooling.

 

The pattern looks like:
lastnamelastname.firstname@realemaildomain.com

 

No real individual exists for these submissions, and emails bounce.


Anyone else run into this?

 

What we’ve already tried

  • Client-side JavaScript validation (bots bypass this by POSTing directly to the HubSpot forms endpoint)

  • This rule for the email property, which Hubspot cannot support: 
    • ^(?![^@]*([A-Za-z]{3,})\1)[^@]+@[^@]+\.[^@]+$

  • Standard HubSpot email validation rules

  • CAPTCHA / anti-spam toggle

  • Behavioral filtering (no cookie, 0 page views, offline source, etc.) after the contact is created... no luck so far here

  • Honeypot fields - the bots appear too smart to fill in these hidden fields

  • Workflows + suppression lists... can't seem to add regex for the contact email field unless I upgrade to Ops Hub enterprise? Would prefer not to if possible, especially because at that point the bot is already in our CRM.

None of these prevent the bad contact from being created, which pollutes reporting, wastes marketing contacts, and frustrates the sales team. 

 

How can we add better regex support for form fields?

At the very least, how can I filter these bots out asap in workflows if they do enter Hubspot?

 

What HubSpot Support confirmed

  • HubSpot’s email validation uses the RE2 regex engine, which does not support advanced regex features like lookaheads, capture groups, or backreferences.

  • There is no server-side validation layer where advanced pattern checks can run before the contact record is created.

  • No native feature exists today to block contacts based on repeated-substring or structured email patterns.

  • No announced roadmap items for advanced regex or pre-contact filtering.

Why this matters

These bots are highly consistent and trivial to detect with regex — but impossible to block natively in HubSpot. Cleaning them up post-creation isn’t ideal.

 

What I’m requesting

1. Support for advanced regex (lookaheads, backreferences, capture groups) in form field validation, especially for the Email property.

2. A server-side “pre-contact filter” layer allowing HubSpot to reject bad submissions before creating a contact record.

3. More granular workflow time filters (seconds/minutes) to detect “submits too fast to be human” behavioral patterns.

These enhancements would massively improve form hygiene and reduce CRM noise.

If anyone has additional workarounds to catch repeated-pattern emails before contact creation, I’d love to hear them — and I encourage HubSpot Product to consider expanding regex and server-side validation capabilities.

 

For reference, I'm a super admin on a Marketing Hub Professional account with Sales Pro and Service Pro seats. 

 

Thanks!

Forms
2 Replies 2
Arsalan_Faysal

‎Dec 12, 2025 9:23 AM

Participant

@MMcLaughlin1 This is an excellent problem to detail, and your assessment of HubSpot's limitations with advanced regex (like backreferences or lookaheads) and server-side pre-contact filtering is accurate based on the platform's current design.

Since the bot is bypassing client-side validation and you want to prevent contact creation before it pollutes the CRM, the best solution requires an external validation step that intercepts the form submission data.

Given your constraints (Marketing Hub Professional, avoiding Ops Hub Enterprise, and needing server-side validation), here are the two most effective pathways:

Implement an External Form Submission Handler

This strategy involves using a third-party platform (like Make/Integromat, Zapier, or a custom serverless function) to act as a secure intermediary for your form submissions.

How it Works (Using Make/Integromat as an example):

  1. Stop Using the Native HubSpot Form: You will no longer use the standard HubSpot form embed code.

  2. Create a Third-Party Endpoint:

    • Set up a Webhook in a tool like Make (or an external custom server). This webhook URL becomes your new form submission endpoint.

  3. Build Your Form:

    • Use an external form builder (like Google Forms, Typeform, or a custom HTML form on your website) and set its submission action to POST data to the Make Webhook URL. Alternatively, you can keep the HubSpot form but set the submission to send data to the webhook via a custom script, but this is more complex.

  4. The Validation and Filtering Step (The Core Solution):

    • When the external form submits, Make receives the data.

    • Step 1 (Make/External Tool): Run the submitted email address against your advanced regex (e.g., ^(?![^@]*([A-Za-z]{3,})\1)[^@]+@[^@]+\.[^@]+$). The external tool supports this advanced regex.

    • Step 2 (Make/External Tool): Add other anti-spam checks:

      • Analyze the hs_context field (if present) for behavioral flags.

      • Check for the velocity rule ("submits too fast") by logging the submission time and IP address.

    • Step 3 (The Decision):

      • IF the email FAILS the regex check or other spam filters: Stop the process. The contact is never created in HubSpot. The bot is blocked pre-CRM.

      • IF the email PASSES the checks: Proceed to the next step.

  5. Submit to HubSpot:

    • Step 4 (Make/External Tool): Use the HubSpot API (Create a new contact endpoint) to programmatically submit the clean data to your HubSpot portal. This is a clean, server-to-server transaction that bypasses the native form submission logic, ensuring only clean contacts are created.

💡 Why this is the best option:

  • It provides the server-side "pre-contact filter" you requested.

  • It allows you to use advanced regex and other complex validation rules.

  • It prevents bot submissions from ever consuming a marketing contact seat or polluting your CRM/reporting.

0 Upvotes
BérangèreL
Community Manager

‎Dec 12, 2025 4:59 AM

Community Manager

Hey @MMcLaughlin1 👋 and welcome, it's a pleasure to have you here!

Thanks for sharing your suggestions with the HubSpot Community!

I’ve noticed a similar idea already present in our Ideas Forum: Add RegEx and wildcard support to list and workflow criteria.

To contribute, you can upvote the existing idea and share more details about your specific use case in the comments.

Now, let's consult our Top Experts: Hi @SteveHTM, @Gaurav_Aggarwal and @Anton can you think of a workaround to help @MMcLaughlin1, please?

Thanks so much and have a wonderful weekend! 🌞
Bérangère





loop

Loop Marketing is a new four-stage approach that combines AI efficiency and human authenticity to drive growth.

Learn More




0 Upvotes

Sign up for the Community Newsletter

Receive Community updates and events in your inbox every Monday morning.
Advanced Regex + Server-Side Email Validation to Block Bot Form Submissions
Marketing
Dec 12, 2025