Spam protection overview

Most form spam comes from boring bots, not motivated humans. That means a stack of cheap filters catches almost everything, and the remaining signal you can train against per-form. Formspring runs every submission through six layers:

1. Honeypot — hidden field bots fill but humans never see. On by default. Field name configurable.
2. Rate limit — per IP, per form. Hard cap on burst rates.
3. Captcha — optional hCaptcha or reCAPTCHA. Toggle per form.
4. Custom rules — regex, keywords, blocked emails. You maintain the lists.
5. Akismet — Wordpress's veteran spam classifier. Bring your own key (Pro+).
6. AI moderation — Pro+ plans get a model-based moderation score on every submission.

Each layer can flag a submission. Flagged submissions go to the spam folder. Nothing is dropped silently — everything is visible and recoverable.

Tuning per form

Settings live on the form's edit page:

• Honeypot field name
• hCaptcha enabled + site key + secret
• reCAPTCHA enabled + site key + secret
• Akismet enabled + key
• Custom rules: regex array, keywords array, blocked-email array

The dashboard also surfaces the most-common spam reasons over the last 30 days so you can spot patterns in your inbox.

What's next

• Honeypot →
• Rate limits →
• Captcha →
• Custom rules →
• AI moderation →