How do I prevent form spam during web assessments?
This article explains why website forms may receive submissions during a web assessment and how to prevent this.
During a web app scan, the scanner actively submits POST requests to forms it discovers. To prevent this, you can either exclude the form or its URL from the assessment, limit the scan to GET requests only, or block Holm Security IP ranges from submitting forms.
Option 1: Limit the scan to GET requests only
In the web app scan profile, you can configure the scanner to only perform GET requests. This prevents the scanner from submitting any forms entirely. See the related article for more information: How do I exclude a form method in a web assessment?
Option 2: Exclude pages or form action URLs
You can exclude one or more URLs from being scanned. See the related article for more information: How do I exclude one or more URLs from being scanned?
For more advanced exclusions using regular expressions, see the related article: How do I make a custom rule for exclusion of URLs for the web application scanner?
Option 3: Block Holm Security IP ranges
You can prevent form submissions by blocking our external IP ranges on your web server or firewall:
- IPv4: 185.163.84.0/22. If blocking a whole /22 network is too broad for your firewall rules, use 185.163.84.0/24 and 185.163.85.0/24 instead.
- IPv6: 2a0b:6800::/29
Why form spam can indicate a security issue
If the assessment triggers excessive emails or messages, it may reveal a vulnerability in your form. Common issues include no input validation or validation performed only on the client side (e.g., via JavaScript), which can be bypassed by disabling JavaScript or using automated scripts.
Cybercriminals can exploit these weaknesses to overwhelm email servers or form-processing software, slowing or even rendering systems unavailable.
Recommended protection
- Implement CAPTCHA to prevent automated submissions.
- Perform server-side validation for all form input.
For more information about CAPTCHA, see the related article: CAPTCHA (Wikipedia)
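As an added illustration (not code from this article or from Holm Security), the following Python handler applies both ideas above to a contact form: it validates every field on the server regardless of what the browser's JavaScript did, and it recognises submissions coming from the scanner ranges listed under Option 3 so that assessment traffic never triggers an email. The field names, length limits and the constructed sample submissions are assumptions for the example.

```python
import ipaddress
import re

# Scanner source ranges as published in the article (Option 3).
SCANNER_RANGES = [
    ipaddress.ip_network("185.163.84.0/22"),
    ipaddress.ip_network("2a0b:6800::/29"),
]

# Assumed limits for the example form; adjust to the real form's needs.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_NAME_LEN = 100
MAX_MESSAGE_LEN = 2000


def is_scanner_ip(client_ip: str) -> bool:
    """True if client_ip lies inside one of the published scanner ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in SCANNER_RANGES)


def validate_contact_form(fields: dict) -> list:
    """Server-side validation that trusts nothing done in the browser.
    Returns a list of error strings; an empty list means the input is acceptable."""
    errors = []
    name = (fields.get("name") or "").strip()
    email = (fields.get("email") or "").strip()
    message = (fields.get("message") or "").strip()
    if not name or len(name) > MAX_NAME_LEN:
        errors.append(f"name: required, at most {MAX_NAME_LEN} characters")
    if not EMAIL_RE.match(email) or len(email) > 254:
        errors.append("email: not a valid address")
    if not message or len(message) > MAX_MESSAGE_LEN:
        errors.append(f"message: required, at most {MAX_MESSAGE_LEN} characters")
    return errors


def handle_submission(client_ip: str, fields: dict) -> str:
    """Decide what to do with a POST: 'ignored' for scanner traffic (no email sent),
    'rejected' when server-side validation fails, 'accepted' otherwise."""
    if is_scanner_ip(client_ip):
        return "ignored"
    if validate_contact_form(fields):
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    valid = {"name": "Alice", "email": "alice@example.com", "message": "Hello"}
    print(handle_submission("185.163.85.7", valid))   # ignored
    print(handle_submission("203.0.113.5", {"name": "", "email": "x", "message": ""}))  # rejected
    print(handle_submission("203.0.113.5", valid))    # accepted
```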
For more information, please contact our customer support.