How to Tell if a Contact Form Message Is Spam
You open the contact-form inbox and there it is: another "Dear website owner, we can get you on page 1 of Google" pitch sitting next to what might be a real customer asking about shipping. Some are obvious, some are not.
This guide walks through the seven signals that reliably separate a genuine inquiry from spam. Use them by eye, or paste the message into the free Spam Checker and the same signals will be scored for you automatically.
Quick check: paste it into a free spam checker
The fastest way is to let the tool look at it. The SpamShield Spam Checker scores any message 0-100 across content, sender-reputation, and bot-pattern signals, and tells you in plain English which signals fired. No signup, no CAPTCHA.
If you only want to know "is this one message spam?", that is the one-step answer. The seven signals below explain what the score is looking at — so you can also catch them by eye.
1. The sender email address
A real customer usually emails from a personal address on a major free provider (gmail.com, outlook.com, yahoo.com) or from their own business domain. Spam tends to come from disposable / throwaway domains (e.g. mailinator, 10minutemail) or from cheap newly-registered domains designed to look agency-like — long, hyphenated, with TLDs like .biz, .help, .top, .click.
A mismatch is a strong tell: a "marketing agency" emailing from a Gmail address, or a "VP of Sales" using a free webmail.
2. The content pattern
Spam clusters into a handful of recognisable shapes. If a message matches any of these almost verbatim, it is almost certainly spam:
- SEO / backlinks pitch — "get your store on page 1", "quality backlinks", "guest post opportunity".
- Web-dev / redesign pitch — "noticed your site could use a refresh", "modern responsive redesign".
- Crypto / investment scheme — "guaranteed returns", "limited spots", anything that wants you to move money.
- Phishing / account suspension — "verify your identity", "your account is suspended", asks for credentials or a fee.
- Generic mass marketing — vague flattery + a call-to-action, no specific reference to your store or product.
3. Links, URLs, and shorteners
A real customer rarely needs to paste links into a contact form. Multiple URLs, especially shortened ones (bit.ly, tinyurl, t.co), are a strong spam signal. A link in an unexpected field (e.g. a URL in the name field) is almost always a bot.
Off-topic links — a "customer" linking to a third-party SEO service or crypto site — are spam.
4. Writing quality, tone, and personalisation
Real inquiries reference your store, your product, or a specific question ("Do you ship the blue ceramic mug to Canada?"). Spam is generic ("Dear website owner") and never mentions what you sell. Spam also tends to:
- Use urgent or threatening language ("URGENT", "immediately", "your account will be closed").
- Be in a different language than your store, or be machine-translated.
- Be gibberish or random-looking strings (test posts from bots probing what your form does).
5. The form fields they filled (or did not)
Bots often fill fields they should not. A "name" that is actually a URL or a string of dashes is a giveaway. So is a "phone" field with letters in it, or a message that just repeats the name.
Hidden honeypot fields (an extra input invisible to humans but filled by bots) are a near-perfect tell — if your form has one and it is filled, that submission is almost certainly automated.
6. Timing and behaviour
A form filled and submitted in under two seconds was not filled by a human. Identical messages arriving from different addresses, the same email submitting five times in ten minutes, or a flood of submissions at 3am are all bot patterns.
You usually cannot see this from a single message in your inbox — this is where a layered filter that watches every submission earns its keep.
7. The hard cases: real-human spammers
The hardest spam is from a real human (often outsourced) sending a personalised-looking pitch from a clean email. None of the bot-pattern signals fire; the content pattern (#2) is still the giveaway. If a message matches one of those archetypes and offers something you did not ask for, treat it as spam regardless of how human it looks.
Stop checking by hand — let it run automatically
Checking every message by eye works at low volume. Once your store grows, it does not. SpamShield runs all seven of these signals — plus bot-behaviour and reputation checks — on every contact-form, sign-up, and review submission automatically, blocks the obvious spam, quarantines the borderline cases, and lets real customers through with no CAPTCHA. There is a free plan.