I usually go for CSRF + Recaptcha but unsure what the best practice would be.
SPForm also has an anti-spam technique that requires the user to use either the mouse or the keyboard, which prevents bots from autofilling things.
FWIW, I’ve used SPForm for a number of years without Captcha. I get no spam messages at all through my contact form, though I don’t know how many spammers have tried it.
Honeypot works; last time I had some problems with the captchas, but that seems to work again.
The above works great for me. So far no need for more.
Recaptcha is probably the easiest to implement and has a decent track record. I use something similar to what Bob mentioned as well as the spam hook and Rampart. It is really a matter of personal preference and what has worked in the past.
My two cents worth re ReCaptcha (v3) is that it can destroy page speed by up to 10/100 using PageSpeed Insights. I’m currently using the honeypot in FormIt which is low tech but seems to work OK. (Then again, I’m not totally sure, because the emails go to my clients …)
For others who are looking for a good anti-spam solution.
I’ve tried this solution: http://www.bitego.com/weblog/2014/05/26/protect-a-formit-web-form-from-spam-without-using-a-captcha.html
But the problem was that even with `autocomplete="off"`, the field would still be filled when using autocomplete.
I found out that if you use `autocomplete="new-password"` instead, the autocomplete doesn't happen anymore.
Don't know if this is the ‘right’ way or not, but it is helping me so far.
Here’s what I don’t understand about spam protection. Various methods make it so that a form on a web page can’t be submitted without user input (like recaptcha). But, spammers can scrape the contents of forms, discover the variables used, and then submit those variables in a POST request without ever engaging the initial web page at all. So, how do any of the options above prevent this kind of submission?
I’ve used tokens in the past, but started having problems with spammers getting around that somehow. The honeypot idea looks good.
My approach so far has been to present a second screen to users, showing them what they entered, and storing those fields as session variables. When users click a Confirm button, a third screen loads, submitting the session variables, rather than the content of the initial form. If there are no session variables, nothing gets submitted. So far, this has prevented 100% of spam.
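As an added example (framework-agnostic Python written for this thread, not FormIt, SPForm or any poster's code), here is the honeypot field with `autocomplete="new-password"` from the earlier post combined with a session-bound, single-use token, which is what rejects a direct POST from a scraper that never loaded the form page. The field name `website_url`, the `/contact` action and the dict-based session are assumptions.

```python
import html
import secrets

# Constructed example, not FormIt or SPForm code: session and POST data
# are plain dicts standing in for whatever the framework provides.

HONEYPOT = "website_url"   # hypothetical field name; any human-unlikely name works


def render_form(session: dict) -> str:
    """Issue a per-session token and emit the form, honeypot included."""
    token = secrets.token_urlsafe(32)
    session["form_token"] = token
    return f"""
<form method="post" action="/contact">
  <input type="hidden" name="token" value="{html.escape(token)}">
  <label>Email <input type="email" name="email" autocomplete="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <!-- Honeypot: hidden from humans via CSS, but bots fill every field.
       autocomplete="new-password" stops browsers pre-filling it, which is
       what went wrong for the poster above with autocomplete="off". -->
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <input type="text" name="{HONEYPOT}" tabindex="-1" autocomplete="new-password">
  </div>
  <button type="submit">Send</button>
</form>"""


def check_submission(session: dict, post: dict) -> tuple:
    """Return (accepted, reason); on rejection the caller should answer blandly."""
    # A direct POST that never loaded the form has no session state at all,
    # which is exactly the scraper case asked about in this thread.
    expected = session.get("form_token")
    if not expected:
        return False, "no session token: form page was never rendered"
    supplied = post.get("token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not secrets.compare_digest(supplied.encode(), expected.encode()):
        return False, "token mismatch"
    # Anything in the honeypot means a non-human filled every input.
    if post.get(HONEYPOT, "").strip():
        return False, "honeypot field populated"
    # Tokens are single-use, so a captured token cannot be replayed.
    session.pop("form_token", None)
    return True, "ok"
```

Log the rejection reason server-side only; telling the client why it was rejected just helps a bot adapt.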
I’ve used SPForm with the math string option and requiring the use of the mouse or keyboard and gotten pretty much no spam at all with just those two options.