Intermediate · 10 min · Updated Mar 15, 2026

How to Prevent Form Spam

Stop spam submissions on your website forms using honeypot fields, CAPTCHAs, rate limiting, and AI-powered spam detection. Protect your inbox without hurting real users.

TL;DR

To prevent form spam, combine multiple layers: honeypot fields (hidden inputs that bots fill), rate limiting, CAPTCHA challenges, and server-side validation. FormsList includes built-in honeypot detection and AI-powered spam scoring on all plans, plus reCAPTCHA, Turnstile, and hCaptcha support on Pro.

By Vaibhav Jain·Published March 15, 2026

Prerequisites

  • A website with an HTML form
  • A FormsList account (free, includes spam protection)
  • A Google reCAPTCHA site key (optional)

Step 1: Implement honeypot fields

A honeypot is a hidden form field that real users never see or fill in, but bots fill out automatically. If the honeypot field has a value when the form is submitted, you know it is spam. This technique is invisible to users and blocks a large percentage of simple bots.

The key to an effective honeypot is making it look like a real field to bots while being completely invisible to humans. Use a generic field name like "website", "url", or "company" — something a bot would logically try to fill in. Hide the field using CSS by positioning it far offscreen with position:absolute;left:-9999px instead of using display:none or visibility:hidden, because some bots are smart enough to skip fields with those CSS properties. Set tabindex="-1" so keyboard users who tab through the form do not accidentally land on the honeypot. Add autocomplete="off" to prevent browsers from auto-filling it.

On the server side, check whether the honeypot field has a value. If it does, silently discard the submission — do not return an error message that tells the bot what went wrong. FormsList has built-in honeypot detection that checks common honeypot field names automatically, so if you use FormsList as your backend, this step is handled for you.

Honeypot fields are effective against roughly 80-90% of simple spam bots, but they will not stop sophisticated bots that render CSS and skip hidden fields. That is why you should combine honeypots with other techniques described in the following steps.

<form action="https://formslist.com/f/YOUR_FORM_HASH" method="POST">
  <!-- Honeypot field — hidden from users, filled by bots -->
  <div style="position:absolute;left:-9999px;" aria-hidden="true">
    <label for="website">Website</label>
    <input type="text" id="website" name="website" tabindex="-1" autocomplete="off" />
  </div>

  <label for="name">Name</label>
  <input type="text" id="name" name="name" required />

  <label for="email">Email</label>
  <input type="email" id="email" name="email" required />

  <label for="message">Message</label>
  <textarea id="message" name="message" required></textarea>

  <button type="submit">Send</button>
</form>

Step 2: Add time-based validation

Bots submit forms almost instantly — typically within milliseconds of loading the page. A real human needs at least a few seconds to read the form, fill in the fields, and click Submit. Time-based validation exploits this difference by recording when the page loaded and rejecting submissions that arrive too quickly.

The implementation is simple. When the page loads, insert a hidden field containing the current timestamp. When the form is submitted, the server compares the submission time against the recorded timestamp. If the difference is less than 3 seconds, the submission is almost certainly automated. You can also set an upper bound — if the timestamp is older than several hours, the form data may be stale or the token may have been harvested by a bot for later use.

FormsList supports time-based validation through its dashboard settings, where you can configure the minimum time threshold. If you are running your own backend, implement this check in your form handler. Be cautious with the threshold — setting it too high (like 10 seconds) will frustrate power users who fill out forms quickly, especially on mobile where auto-fill can populate fields in an instant. A threshold of 2-3 seconds is the sweet spot that catches bots without blocking real users.

You can also combine this with domain-based restrictions in FormsList — set the allowed domains to your own website's domain so the endpoint cannot be abused from other sites.

<script>
  // Record the page load time in a hidden field
  window.addEventListener("DOMContentLoaded", () => {
    const form = document.querySelector("form");
    const timeField = document.createElement("input");
    timeField.type = "hidden";
    timeField.name = "_loaded_at";
    timeField.value = Date.now().toString();
    form.appendChild(timeField);
  });

  // Server-side check (pseudocode):
  // const loadedAt = Number.parseInt(req.body._loaded_at, 10);
  // if (Number.isNaN(loadedAt)) reject as spam;  // field missing or not a number
  // const elapsed = Date.now() - loadedAt;
  // if (elapsed < 3000) reject as spam;
  // if (elapsed > 3600000) reject as stale;
</script>

<!-- FormsList also supports domain restriction:
     In your dashboard, set "Allowed domains" to your website's domain.
     Submissions from other origins will be rejected automatically. -->
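
The server-side half of steps 1 and 2 for a self-hosted backend, as an added example that is not FormsList's code: it discards submissions with a filled honeypot and enforces the 3-second and one-hour bounds. It assumes the server renders `_loaded_at` as an HMAC-signed token, because a timestamp written by client script can be set to any value by the submitter; `SECRET`, `issueToken`, `verifyToken` and `screenSubmission` are hypothetical names.

```javascript
// Added example (hypothetical names); not FormsList code.
const crypto = require("node:crypto");

const SECRET = "replace-with-random-server-secret"; // assumption: loaded from config
const MIN_MS = 3000;        // lower bound from the text: 3 seconds
const MAX_MS = 3600000;     // upper bound from the page's pseudocode: 1 hour
const HONEYPOT = "website"; // honeypot field name used in the form in step 1

function sign(ts) {
  return crypto.createHmac("sha256", SECRET).update(String(ts)).digest("hex");
}

// The server renders this value into the hidden _loaded_at field.
function issueToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

// Returns the signed timestamp, or null if the token is missing or altered.
function verifyToken(token) {
  const [ts = "", mac = ""] = String(token ?? "").split(".");
  if (!/^\d{1,15}$/.test(ts) || !/^[0-9a-f]{64}$/.test(mac)) return null;
  const expected = Buffer.from(sign(ts), "hex");
  return crypto.timingSafeEqual(expected, Buffer.from(mac, "hex")) ? Number(ts) : null;
}

// Returns { accept, reason }. Log the reason, but send the client the same
// response either way so a bot learns nothing from a discarded submission.
function screenSubmission(body, now = Date.now()) {
  if (String(body[HONEYPOT] ?? "").trim() !== "") {
    return { accept: false, reason: "honeypot" };
  }
  const loadedAt = verifyToken(body._loaded_at);
  if (loadedAt === null) return { accept: false, reason: "bad-token" };
  const elapsed = now - loadedAt;
  if (elapsed < MIN_MS) return { accept: false, reason: "too-fast" };
  if (elapsed > MAX_MS) return { accept: false, reason: "stale" };
  return { accept: true, reason: "ok" };
}
```

Because both timestamps come from the server clock, visitor clock skew does not affect the elapsed-time check.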

Step 3: Add CAPTCHA protection

For stronger protection, add Google reCAPTCHA or a similar CAPTCHA service. reCAPTCHA v3 runs invisibly and scores each visitor, while v2 shows a checkbox challenge. CAPTCHAs are effective against sophisticated bots but add a small amount of friction for real users.

Google reCAPTCHA v3 is the recommended choice for most websites because it runs entirely in the background. It observes user behavior — mouse movements, scroll patterns, typing cadence, and browsing history — and assigns a score from 0.0 (bot) to 1.0 (human). You set a threshold (typically 0.5) and reject submissions that score below it. The advantage is zero friction for real users. The disadvantage is that the scoring can sometimes be wrong, especially for privacy-conscious users who block cookies or use VPNs.

Alternatives to reCAPTCHA include Cloudflare Turnstile and hCaptcha. Turnstile is a free, privacy-focused alternative that does not use cookies and complies with GDPR without additional configuration. hCaptcha is popular as a reCAPTCHA replacement that pays website owners for the challenges served.

FormsList supports all three services — reCAPTCHA, Turnstile, and hCaptcha — on Pro plans. You enable verification in your form settings, add the corresponding script and widget to your frontend, and FormsList handles the token verification on the server side automatically.

<!-- reCAPTCHA v3 (invisible) -->
<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>

<script>
  document.querySelector("form").addEventListener("submit", function (e) {
    e.preventDefault();
    grecaptcha.ready(function () {
      grecaptcha.execute("YOUR_SITE_KEY", { action: "submit" }).then(function (token) {
        const input = document.createElement("input");
        input.type = "hidden";
        input.name = "g-recaptcha-response";
        input.value = token;
        e.target.appendChild(input);
        e.target.submit();
      });
    });
  });
</script>

<!-- Cloudflare Turnstile (privacy-focused alternative) -->
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<div class="cf-turnstile" data-sitekey="YOUR_TURNSTILE_SITE_KEY"></div>
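
If you run your own backend instead of FormsList, the `g-recaptcha-response` token has to be checked on the server. The added example below (not FormsList's code) builds the request to Google's `siteverify` endpoint and evaluates the JSON reply against the 0.5 threshold and the `submit` action used above; `POLICY`, the function names, the hostname and the sample replies are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names); not FormsList code.
const VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";
const POLICY = {
  minScore: 0.5,                  // threshold the text calls typical
  action: "submit",               // must match grecaptcha.execute(..., { action })
  hostnames: ["www.example.com"], // assumption: hostname(s) serving your form
};

// Build the POST the server sends. The secret key stays on the server.
function buildVerifyRequest(token, secret, remoteIp) {
  const params = new URLSearchParams({ secret, response: token });
  if (remoteIp) params.set("remoteip", remoteIp);
  return {
    url: VERIFY_URL,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: params.toString(),
    },
  };
}

// Decide on the parsed JSON reply. Anything unexpected is rejected.
function evaluateVerdict(reply, policy = POLICY) {
  if (!reply || reply.success !== true) {
    const codes = (reply && reply["error-codes"]) || [];
    return { accept: false, reason: "verify-failed", codes };
  }
  if (reply.action !== policy.action) return { accept: false, reason: "action-mismatch" };
  if (!policy.hostnames.includes(reply.hostname)) {
    return { accept: false, reason: "hostname-mismatch" };
  }
  if (typeof reply.score !== "number" || reply.score < policy.minScore) {
    return { accept: false, reason: "low-score" };
  }
  return { accept: true, reason: "ok" };
}

// Constructed sample replies (not captured traffic).
const SAMPLE_HUMAN = { success: true, score: 0.9, action: "submit",
  hostname: "www.example.com", challenge_ts: "2026-03-15T10:00:00Z" };
const SAMPLE_BOT = { ...SAMPLE_HUMAN, score: 0.1 };
const SAMPLE_REUSED = { success: false, "error-codes": ["timeout-or-duplicate"] };
```

Checking `action` and `hostname` as well as the score keeps a token minted for another page or another site from being accepted by this form.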

Step 4: Use AI-powered spam scoring

Traditional spam prevention techniques like honeypots and CAPTCHAs are effective against automated bots, but they struggle with human spammers and sophisticated bots that mimic human behavior. AI-powered spam scoring adds an intelligent layer that analyzes the actual content of each submission to determine whether it is legitimate.

FormsList includes built-in AI spam detection that scores every submission automatically. The AI model analyzes multiple signals: the content of each field (looking for patterns common in spam like excessive links, pharmaceutical keywords, and cryptocurrency scams), the submission metadata (IP address, geographic location, browser fingerprint), and historical patterns (whether similar submissions have been flagged before). Each submission receives a spam score, and those above the threshold are quarantined in a separate view in your dashboard so you can review them without cluttering your main inbox.

The AI scoring improves over time as it processes more submissions across all FormsList users. When you manually mark a submission as spam or not-spam in your dashboard, that feedback trains the model. This means the system gets smarter the more you use it.

Enable AI spam scoring in your FormsList dashboard under form settings — it requires no code changes to your form. Combined with honeypot fields, time-based validation, and CAPTCHA, AI scoring provides a comprehensive defense against every type of form spam, from simple bot submissions to sophisticated human-operated spam campaigns.
