Most form spam comes from simple, unsophisticated bots — which means most of it is stoppable without ever showing a real visitor a CAPTCHA.
If your contact form inbox is full of garbled messages, crypto pitches, or SEO link-building offers, you're dealing with automated bot traffic, not a human spammer reading your form. That distinction matters: bots follow predictable patterns, and a handful of structural defenses catch the overwhelming majority of them without ever adding friction for a real visitor trying to reach you.
A honeypot is a form field that's invisible to real visitors — hidden with CSS, positioned off-screen — but that bots fill in anyway, because most of them don't render CSS or check visibility before filling every input they find. If that hidden field has any value on submit, silently discard the submission as spam without showing the bot an error (that just teaches it to adapt).
<input
type="text"
name="website"
style="position:absolute;
left:-9999px"
tabindex="-1"
autocomplete="off"
> A single IP address submitting your form more than a handful of times in a minute is never a real visitor filling out a contact form — it's a script. Cap submissions per IP per minute at the server level, and silently drop anything past that threshold.
Bots frequently submit forms in well under a second — faster than any human could physically read the fields and type a response. Track the time between when the page loaded and when the form was submitted; anything under 2-3 seconds is almost always automated and safe to flag.
Submissions containing multiple URLs, or a small set of recurring spam keywords (crypto, SEO offers, adult content terms), can be automatically flagged for review in a separate queue instead of hitting your main inbox directly.
None of these four methods require showing visitors a CAPTCHA, which is worth avoiding when you can — CAPTCHAs measurably reduce real form completions, and the harder ones (image grids, audio puzzles) frustrate mobile users especially. Save the CAPTCHA as a last resort for the rare case where you're targeted by more sophisticated bots that already defeat honeypots and rate limiting.
FormsToDB does this automatically — no server code, no database to manage.
Start free