Guide

How to stop contact form spam

Most form spam comes from simple, unsophisticated bots — which means most of it is stoppable without ever showing a real visitor a CAPTCHA.

Fastest path: add a honeypot field, rate-limit by IP, and check submission speed. Together these three catch the large majority of bot spam with zero friction for real visitors — no CAPTCHA required.

If your contact form inbox is full of garbled messages, crypto pitches, or SEO link-building offers, you're dealing with automated bot traffic, not a human spammer reading your form. That distinction matters: bots follow predictable patterns, and a handful of structural defenses catch the overwhelming majority of them without ever adding friction for a real visitor trying to reach you.

Step by step

  1. Add a honeypot field

    A honeypot is a form field that's invisible to real visitors — hidden with CSS, positioned off-screen — but that bots fill in anyway, because most of them don't render CSS or check visibility before filling every input they find. If that hidden field has any value on submit, silently discard the submission as spam without showing the bot an error (that just teaches it to adapt).

    <input
      type="text"
      name="website"
      style="position:absolute;
             left:-9999px"
      tabindex="-1"
      autocomplete="off"
    >
  2. Rate-limit by IP

    A single IP address submitting your form more than a handful of times in a minute is never a real visitor filling out a contact form — it's a script. Cap submissions per IP per minute at the server level, and silently drop anything past that threshold.

  3. Check submission speed

    Bots frequently submit forms in well under a second — faster than any human could physically read the fields and type a response. Track the time between when the page loaded and when the form was submitted; anything under 2-3 seconds is almost always automated and safe to flag.

  4. Filter by content pattern

    Submissions containing multiple URLs, or a small set of recurring spam keywords (crypto, SEO offers, adult content terms), can be automatically flagged for review in a separate queue instead of hitting your main inbox directly.

FormsToDB applies honeypot detection, IP rate limiting, and pattern-based spam scoring automatically on every form you create — none of this needs manual configuration. Flagged submissions land in a dedicated Spam tab in your dashboard instead of your main inbox, and you can review or restore any of them at any time.
Avoid client-side-only spam checks (JavaScript validation alone). A bot that doesn't execute JavaScript will simply skip straight to a raw POST request, bypassing any check that only runs in the browser. Real filtering has to happen on the server, where the bot can't see or work around it.

None of these four methods require showing visitors a CAPTCHA, which is worth avoiding when you can — CAPTCHAs measurably reduce real form completions, and the harder ones (image grids, audio puzzles) frustrate mobile users especially. Save the CAPTCHA as a last resort for the rare case where you're targeted by more sophisticated bots that already defeat honeypots and rate limiting.

Do I still need a CAPTCHA?
For most sites, no. Honeypots plus rate limiting plus pattern detection catch the vast majority of automated spam without any visitor-facing friction. A CAPTCHA becomes worth the tradeoff only if you're specifically and persistently targeted by more sophisticated bots that solve honeypots — which is uncommon for a typical contact or lead form.
Why does spam filtering matter for lead capture specifically?
Every spam submission that reaches your inbox is a real lead notification you might eventually start ignoring or muting. Once that happens, you risk missing a genuine inquiry buried in the noise. Filtering spam at the source keeps your notifications trustworthy, so you actually see and act on real leads quickly.
Can spam filtering ever block a real visitor by mistake?
It's possible but rare with honeypot and rate-limit based approaches specifically, since they target behavior patterns no real human triggers (filling an invisible field, submitting dozens of times a minute). Pattern-based content filtering carries slightly more false-positive risk, which is why flagged submissions should land in a reviewable Spam folder rather than being deleted outright.

Skip the manual setup

FormsToDB does this automatically — no server code, no database to manage.

Start free