SPForm also has an anti-spam technique that requires the user to use either the mouse or the keyboard, which prevents bots from autofilling things.
FWIW, I’ve used SPForm for a number of years without Captcha. I get no spam messages at all through my contact form, though I don’t know how many spammers have tried it.
Recaptcha is probably the easiest to implement and has a decent track record. I use something similar to what Bob mentioned as well as the spam hook and Rampart. It is really a matter of personal preference and what has worked in the past.
My two cents worth re ReCaptcha (v3) is that it can destroy page speed by up to 10/100 using PageSpeed Insights. I’m currently using the honeypot in Formit which is low tech but seems to work OK. (Then again I’m not totally sure because the emails go to my clients …)
But the problem was that even with autocomplete="off", the field would still be filled when using autocomplete.
I found out that if you use autocomplete="new-password" instead, the autocomplete doesn’t happen anymore.
Don’t know if this is the ‘right’ way or not, but it is helping me so far.
Here’s what I don’t understand about spam protection. Various methods make it so that a form on a web page can’t be submitted without user input (like recaptcha). But, spammers can scrape the contents of forms, discover the variables used, and then submit those variables in a POST request without ever engaging the initial web page at all. So, how do any of the options above prevent this kind of submission?
I’ve used tokens in the past, but started having problems with spammers getting around that somehow. The honeypot idea looks good.
My approach so far has been to present a second screen to users, showing them what they entered, and storing those fields as session variables. When users click a Confirm button, a third screen loads, submitting the session variables, rather than the content of the initial form. If there are no session variables, nothing gets submitted. So far, this has prevented 100% of spam.
I’ve used SPForm with the math string option and requiring the use of the mouse or keyboard and gotten pretty much no spam at all with just those two options.
I use SPAM Hook, CSRF Token, and Honeypot like bitego in the first message here from markg.
But for the past year, we have been getting lots of SPAM. All forms are stored with FormItSaveForm and filled correctly.
Does anyone have experience why this is possible? Are the bots intelligent? Is it filled manually?
AI?
No matter what I changed, the spam continued.
Is using Google reCAPTCHA the only way? But this is not really GDPR compliant.
Thank you in advance for feedback and suggestions.
Never let the formit auto responder (fiar_…) return a copy of the message or any fields, maybe other than the name/email. Doing so opens you up as a spam source: skriddie submits a spamvertising or phishing message in the comment field to a whole bunch of targeted victims in the “from” field.
When spam is detected, instead of letting the submitter know which field is tripping things up, return a generic message like, “Something went wrong. Please try again later.”
Rate limit the number of submissions per IP.
If the form is filled in too quickly, consider it spam.
Implement a filter on known bad words or phrases in the comment.
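
Added example (not posted by anyone in this thread, and not FormIt or SPForm code): a framework-independent Python sketch of the server-side checks discussed above, covering the honeypot, fill-time, per-IP rate limit and generic error message, plus a signed render-time token so a POST sent without first loading the form is rejected. The field names `website` and `form_token`, the thresholds and the secret are assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

SECRET = b"replace-with-a-random-server-side-secret"  # assumption: never sent to the client
MIN_FILL_SECONDS = 3        # submitted faster than this: treated as a bot
MAX_FORM_AGE = 3600         # token older than this: rejected
RATE_LIMIT = 5              # submissions allowed per IP ...
RATE_WINDOW = 600           # ... within this many seconds
HONEYPOT_FIELD = "website"  # hypothetical hidden field a human never fills in
GENERIC_ERROR = "Something went wrong. Please try again later."

_recent = defaultdict(deque)  # ip -> timestamps of recent submissions


def issue_token(now=None):
    """Call when rendering the form; returns '<render time>.<HMAC>' for a hidden field."""
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def _rendered_at(token):
    """Return the render time if the signature verifies, else None."""
    ts, _, sig = (token or "").partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return int(ts)  # safe: only server-issued (numeric) timestamps verify


def check_submission(fields, ip, now=None):
    """Return (accepted, message, reason). Only `message` is shown to the
    submitter; `reason` is for the server log."""
    now = now if now is not None else time.time()
    window = _recent[ip]
    while window and now - window[0] > RATE_WINDOW:
        window.popleft()          # forget submissions outside the window
    window.append(now)
    rendered = _rendered_at(fields.get("form_token"))
    if len(window) > RATE_LIMIT:
        reason = "rate_limit"
    elif fields.get(HONEYPOT_FIELD):
        reason = "honeypot"
    elif rendered is None:
        reason = "bad_token"      # direct POST, or a forged/edited token
    elif now - rendered < MIN_FILL_SECONDS:
        reason = "too_fast"
    elif now - rendered > MAX_FORM_AGE:
        reason = "expired"
    else:
        return True, "Thank you.", None
    return False, GENERIC_ERROR, reason
```

A bot that loads the form, waits a few seconds and leaves the hidden field empty still passes these checks, and a valid token can be reused until it expires, so the rate limit and a content filter remain necessary.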
I’ve been using Cleantalk for a while now and it seems to be doing the job. At least you get a report that shows exactly what’s been happening, every 24 hours.
I totally agree with Ryan about auto responders - clients often argue with me about this until they actually sit and listen.