Implement effective spam protection without frustrating legitimate users with difficult CAPTCHAs.
The CAPTCHA Problem
Why CAPTCHAs Are Problematic
Traditional CAPTCHAs:
- "Select all images with traffic lights"
- "Type these distorted letters"
- "Solve this math problem"
- "Click until the image is upright"
Problems:
- Frustrating for all users
- Terrible accessibility (vision impaired)
- Mobile experience is poor
- Reduces conversion rates by 10-30%
- Takes time and cognitive effort
- Users often abandon forms
The paradox: You're punishing legitimate users to stop bots.
Better Alternatives
Modern spam protection that:
- Works invisibly for most users
- Maintains accessibility
- Preserves user experience
- Stops 99%+ of spam
- Requires no user interaction
Effective Anti-Spam Techniques
1. Cloudflare Turnstile (Recommended)
What it is:
Next-generation bot detection that usually works invisibly.
How it works:
- Analyzes browser behavior
- Checks for bot patterns
- Verifies humanity automatically
- Rarely needs user interaction
Benefits:
- ✓ Usually invisible to users
- ✓ WCAG accessible
- ✓ Mobile-friendly
- ✓ No puzzles or image selection
- ✓ Fast verification
- ✓ Privacy-respecting
User experience:
User fills form → Clicks submit → Form submits
(Turnstile verifies in background)
Implementation:
SupportRetriever includes Turnstile by default. No configuration needed.
Effectiveness: Blocks 95-99% of automated spam.
2. Honeypot Fields
What it is:
Hidden field that bots fill but humans never see.
How it works:
```html
<!-- Honeypot field: invisible to humans and removed from the tab order,
     so only a bot that fills every input will populate it -->
<input
  type="text"
  name="website"
  tabindex="-1"
  autocomplete="off"
  aria-hidden="true"
  style="position: absolute; left: -9999px;"
>
```
Server-side check:
```javascript
// If the honeypot field is filled, the submission came from a bot.
// Default a missing field to '' so a form without the honeypot is not rejected by mistake.
if ((formData.website || '') !== '') {
  return reject('Spam detected');
}
```
Benefits:
- ✓ Zero user impact
- ✓ Completely invisible
- ✓ No accessibility issues
- ✓ Catches basic bots
- ✓ Easy to implement
User experience:
No visible change. Works silently.
Effectiveness: Blocks 60-70% of basic bots.
3. Rate Limiting
What it is:
Limit number of submissions from same IP/user.
How it works:
- Track submissions per IP address
- Block if too many in short time
- Gradual throttling (not hard block)
Configuration examples:
Conservative (small sites):
- 5 submissions per hour per IP
- 20 submissions per day per IP
Balanced (medium sites):
- 10 submissions per hour per IP
- 50 submissions per day per IP
Permissive (large sites):
- 20 submissions per hour per IP
- 100 submissions per day per IP
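As an added example (not SupportRetriever's own code), an in-memory, per-IP limiter in Node.js that enforces the conservative limits above (5 per hour, 20 per day) and applies the gradual-throttling step the text mentions before the hard block. The delay values, the two-window design and the in-memory map are assumptions; a real deployment would keep the counters in a shared store.

```javascript
// Added example: per-IP submission limiter with hourly and daily windows.
// Not SupportRetriever's code; the Map store and delay values are assumptions.
const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

class SubmissionLimiter {
  constructor({ perHour = 5, perDay = 20 } = {}) {
    this.perHour = perHour;
    this.perDay = perDay;
    this.history = new Map(); // ip -> array of accepted submission timestamps (ms)
  }

  // Drop timestamps older than a day so memory stays bounded.
  prune(ip, now) {
    const recent = (this.history.get(ip) || []).filter(t => now - t < DAY_MS);
    this.history.set(ip, recent);
    return recent;
  }

  // Returns { allowed, delayMs, reason } for one submission attempt.
  // Gradual throttling: the last two slots of the hourly window are still
  // accepted but asked to wait, so a shared office IP is slowed down
  // rather than cut off outright.
  check(ip, now = Date.now()) {
    const recent = this.prune(ip, now);
    const lastHour = recent.filter(t => now - t < HOUR_MS).length;
    if (recent.length >= this.perDay) {
      return { allowed: false, delayMs: 0, reason: 'daily limit reached' };
    }
    if (lastHour >= this.perHour) {
      return { allowed: false, delayMs: 0, reason: 'hourly limit reached' };
    }
    recent.push(now);
    const remaining = this.perHour - lastHour - 1;
    const delayMs = remaining < 2 ? (2 - remaining) * 5000 : 0;
    return { allowed: true, delayMs, reason: delayMs ? 'throttled' : 'ok' };
  }
}

// Constructed demo: six rapid attempts from one address.
const demo = new SubmissionLimiter();
for (let i = 0; i < 6; i++) {
  console.log(i + 1, JSON.stringify(demo.check('203.0.113.7', 1700000000000 + i * 1000)));
}
```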
Benefits:
- ✓ Stops spam floods
- ✓ No user impact for legitimate use
- ✓ Prevents rapid-fire attacks
- ✓ Backend implementation (invisible)
User experience:
Normal users never hit limits. Bots get blocked after first few attempts.
Effectiveness: Blocks 80-90% of automated floods.
4. Email Validation
What it is:
Verify email address is valid before accepting submission.
Validation layers:
1. Format checking:
```javascript
// Basic format validation: local-part@domain.tld with no whitespace
const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
if (!emailRegex.test(email)) {
  return 'Please enter a valid email address';
}
```
2. Domain verification:
- Check if domain exists (DNS lookup)
- Verify MX records (can receive email)
- Block temporary email services (optional)
3. Disposable email detection:
- Block known temporary email services
- Reduces fake submissions
- Optional (can be overly aggressive)
Benefits:
- ✓ Reduces fake submissions
- ✓ Improves deliverability
- ✓ Clear error messages help users
- ✓ Fast validation
User experience:
Helpful error message if email is invalid:
"Please enter a valid email address (e.g., name@example.com)"
Effectiveness: Reduces invalid submissions by 50-70%.
5. Content Filtering
What it is:
Detect spam patterns in message content.
Spam indicators:
- All caps messages
- Excessive links
- Suspicious URLs
- Known spam phrases
- Gibberish text
- Repeated characters
Example rules. Flag a message as potential spam if it:
- Contains 5 or more URLs
- Is written entirely in capitals
- Contains "click here to claim"
- Contains "100% free money"
- Has long runs of a repeated character (e.g. "aaaaaaa")
Benefits:
- ✓ Catches sophisticated spam
- ✓ Learns over time
- ✓ No false positives with good rules
- ✓ Invisible to legitimate users
User experience:
Legitimate message: "I need help with billing"
→ Passes through
Spam: "CLICK HERE FREE MONEY !!!"
→ Blocked
Effectiveness: Blocks 70-80% of content-based spam.
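As an added example (not SupportRetriever's own code), a scoring filter built from the example rules above and run over the two sample messages from this section plus a few constructed ones. Scoring instead of hard matching lets one weak signal pass while several together block; the weights, the threshold and the gibberish rule being left out are assumptions.

```javascript
// Added example: rule-based spam scoring. Not SupportRetriever's code;
// weights and threshold are assumptions to be tuned against real traffic.
const SPAM_THRESHOLD = 2;
const SPAM_PHRASES = ['click here to claim', '100% free money']; // phrases from the rules above
const URL_RE = /https?:\/\/\S+/gi;
const REPEAT_RE = /(.)\1{3,}/; // four or more identical characters in a row ("aaaaaaa")

// "All caps" only counts when there are enough letters to judge, so a single
// shouted word such as "URGENT" does not trip the rule on its own.
function isAllCaps(text) {
  const letters = text.replace(/[^a-z]/gi, '');
  return letters.length >= 8 && letters === letters.toUpperCase();
}

// Returns { spam, score, reasons }; the reasons are what a dashboard would
// show when reviewing blocked submissions for false positives.
function scoreMessage(text) {
  const reasons = [];
  let score = 0;
  const urlCount = (text.match(URL_RE) || []).length;
  if (urlCount >= 5) { score += 3; reasons.push(`${urlCount} URLs`); }
  if (isAllCaps(text)) { score += 2; reasons.push('all caps'); }
  const lower = text.toLowerCase();
  for (const phrase of SPAM_PHRASES) {
    if (lower.includes(phrase)) { score += 3; reasons.push(`phrase: ${phrase}`); }
  }
  if (REPEAT_RE.test(text)) { score += 1; reasons.push('repeated characters'); }
  return { spam: score >= SPAM_THRESHOLD, score, reasons };
}

// Constructed samples: the two messages from the text plus three more.
const SAMPLES = [
  'I need help with billing',
  'CLICK HERE FREE MONEY !!!',
  'Hi, click here to claim your prize',
  'see http://a.example http://b.example http://c.example http://d.example http://e.example',
  'aaaaaaa',
];
for (const m of SAMPLES) console.log(JSON.stringify(scoreMessage(m)), '<-', m);
```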
6. Time-Based Throttling
What it is:
Measure how quickly form is filled.
Implementation:
```javascript
// Record when the form was rendered
const pageLoadTime = Date.now();

// On submission, measure how long the user took to fill the form
const fillTime = Date.now() - pageLoadTime;

// Submitted in under 2 seconds: almost certainly a bot
if (fillTime < 2000) {
  return reject('Submission too fast');
}
```
Benefits:
- ✓ Catches automated submissions
- ✓ Invisible to normal users
- ✓ Simple to implement
Caution:
- Don't set threshold too high
- Some users fill forms quickly
- Should be gentle (not primary defense)
User experience:
Normal users take 10-30 seconds to fill form. Never notice this check.
Effectiveness: Blocks 50-60% of instant bot submissions.
Recommended Anti-Spam Configuration
Minimal Setup (Small Sites)
Use:
- Cloudflare Turnstile
- Email validation
- Basic rate limiting
Configuration:
Turnstile: Enabled
Rate limit: 5 per hour
Email validation: Format + domain check
Effectiveness: 95%+ spam reduction
User impact: Minimal
Setup time: 5 minutes (built into SupportRetriever)
Balanced Setup (Medium Sites)
Use:
- Cloudflare Turnstile
- Honeypot field
- Email validation (with disposable detection)
- Rate limiting
- Basic content filtering
Configuration:
Turnstile: Enabled
Honeypot: Enabled
Rate limit: 10 per hour, 50 per day
Email validation: Full (including disposable detection)
Content filtering: Moderate
Effectiveness: 99%+ spam reduction
User impact: Very low
Setup time: 10 minutes
Aggressive Setup (High-Traffic Sites)
Use:
- Cloudflare Turnstile
- Honeypot field
- Email validation (strict)
- Rate limiting (per IP and per session)
- Content filtering (strict)
- Time-based throttling
Configuration:
Turnstile: Enabled
Honeypot: Enabled
Rate limit: 10 per hour per IP, 3 per session
Email validation: Strict (block disposable/temporary)
Content filtering: Strict rules
Time throttling: Minimum 3 seconds
Effectiveness: 99.5%+ spam reduction
User impact: Low (may occasionally flag power users)
Setup time: 20 minutes
Troubleshooting: Sudden Spam Spike
If You're Getting a Spam Wave
Immediate actions:
1. Enable stricter rate limiting
Reduce to: 3 submissions per hour per IP
2. Check Turnstile is working
- Verify widget appears on form
- Check for JavaScript errors
- Confirm backend validation
3. Review recent submissions
- Look for patterns (same IP, same content)
- Identify source if possible
4. Temporary aggressive filtering
- Enable disposable email blocking
- Add stricter content rules
- Tighten the time threshold (require a longer minimum fill time)
5. Block specific IPs (if targeted)
- Identify attacking IPs
- Add to blocklist
- Monitor for new IPs
Long-Term Response
Investigate the source:
- Was email address leaked?
- Did a link get shared somewhere?
- Is form URL being targeted?
Strengthen defenses:
- Keep aggressive settings temporarily
- Monitor for reduction in spam
- Gradually relax settings after calm
Track metrics:
- Spam submissions per day
- Legitimate submissions (don't block those)
- False positive rate
How SupportRetriever Helps
Built-In Protection
SupportRetriever includes:
✓ Cloudflare Turnstile
- Enabled by default
- Invisible to most users
- Highly effective
✓ Rate Limiting
- Automatic per-IP throttling
- Prevents floods
- Configurable thresholds
✓ Email Validation
- Format checking
- Domain verification
- Clear error messages
✓ Honeypot Fields
- Invisible to users
- Catches basic bots
✓ Content Analysis
- Pattern detection
- Spam scoring
- Learns over time
What You Can Configure
In Settings:
- Rate limit thresholds
- Disposable email blocking (on/off)
- Content filtering strictness
- Allowed/blocked domains
Monitoring
View in Dashboard:
- Spam attempts blocked
- Protection effectiveness
- False positive rate (if any)
- Attack patterns
Best Practices
Do's
✓ Start with minimal protection
- Add more if needed
- Don't over-engineer
✓ Monitor false positives
- Check blocked submissions
- Adjust if legitimate users blocked
✓ Test your own form
- Submit test messages
- Verify protection works
- Ensure user experience is good
✓ Keep protection invisible
- Don't add obvious CAPTCHAs
- Let Turnstile work silently
- Maintain good UX
✓ Track metrics
- Spam block rate
- Legitimate submission rate
- Form completion rate
Don'ts
✗ Don't use difficult CAPTCHAs
- Hurts conversion rates
- Poor accessibility
- Frustrates users
✗ Don't set rate limits too low
- May block legitimate users
- Especially on shared IPs (offices)
✗ Don't block all disposable emails
- Some legitimate users use them
- Can reduce privacy-conscious submissions
✗ Don't ignore false positives
- Monitor blocked submissions
- Adjust rules if needed
✗ Don't rely on single technique
- Layer multiple protections
- No single technique is perfect
Effectiveness Comparison
| Technique | Spam Reduction | User Impact | Accessibility | Setup Time |
|---|---|---|---|---|
| Difficult CAPTCHA | 90% | High (bad) | Poor | 10 min |
| Turnstile | 95-99% | Very Low | Excellent | 5 min |
| Honeypot | 60-70% | None | Perfect | 5 min |
| Rate Limiting | 80-90% | None | Perfect | 10 min |
| Email Validation | 50-70% | Low | Good | 10 min |
| Content Filtering | 70-80% | Low | Good | 15 min |
| Combined Approach | 99%+ | Low | Excellent | 15 min |
Winner: Combined approach (Turnstile + helpers) provides best protection with minimal user impact.
