How are bad actors using Google Forms to send spam?
Summary
What email marketers say8Marketer opinions
Email marketer from Reddit explains that spammers use Google Forms to collect email addresses and other information, which they then use to send unsolicited emails. The form itself may also contain spam links or requests for sensitive information.
Email marketer from Digital Trends shares that it's relatively simple to create a Google Form and then distribute it widely. Spammers exploit this to send out forms with malicious links or to harvest user data.
Email marketer from WPForms explains how spammers use automated bots to submit forms, often with malicious links or content. The automated submissions can be overwhelming and time-consuming to manage.
Email marketer from Cloudflare shares how bot management identifies and mitigates malicious automated traffic that attempts to perform undesirable actions, such as spamming via forms.
Email marketer from MailerLite shares that bad actors can use bots to fill out Google Forms with malicious content or links. They also explain that spammers could also use forms to collect information like emails to send phishing attempts.
Email marketer from Formspree discusses the methods of spambots that exploit forms, explaining that they can automatically and rapidly complete forms to send out phishing emails, promote scams, and distribute malware.
Email marketer from EmailToolTester mentions that CAPTCHA can mitigate automated spam form submissions, but also that the forms can be used to collect info for phishing.
Email marketer from Stack Overflow shares that Google Apps Script allows you to send emails from Google Forms responses. While legitimate, it can be exploited to automate and send a high volume of spam emails if malicious scripts are used.
What the experts say3Expert opinions
Expert from Spam Resource explains that spammers use automated tools to fill out forms rapidly and at scale, exploiting vulnerabilities in form validation and CAPTCHA implementations.
Expert from Email Geeks explains that the email is genuine Google mail, sent from Google servers and authenticated by google.com. It appears a bad actor is using Google Forms to send spam.
Expert from Word to the Wise explains that contact form spam impacts deliverability. Email programs may interpret messages as spam and you can also be added to blocklists if you have excessive amounts of spam. Also the IP or the domain of the contact form can be added to blocklists.
What the documentation says4Technical articles
Documentation from Google Support explains that Google Forms, like any online tool, can be abused to send unsolicited or unwanted content, violating Google's policies. Abuse can range from spam to phishing attempts.
Documentation from Google Developers explains that scripts have the ability to send large amounts of email, and so are subject to abuse. Google actively monitors script usage to prevent spamming.
Documentation from Google explains that reCAPTCHA helps to protect forms from spam and abuse by using advanced risk analysis techniques to tell humans and bots apart. By adding reCAPTCHA to a form, you can block automated software while still allowing your welcome users to pass through with ease.
Documentation from OWASP explains how to protect forms with CAPTCHAs, rate limiting, and honeypots to make it harder for automated bots to abuse the forms and send spam.