Spam filtering for forms is not one technique but a set of layers, because form spam is not one problem. Naive bots, scripted attacks aimed at your specific form, and human spam farms each require a different defence, and the layers should escalate in cost so legitimate visitors never pay it.
The usual stack, cheapest first: a honeypot field catches drive-by bots invisibly; rate limits and custom rules block repeat abuse and known-bad patterns; reputation filtering scores content against a global spam corpus; and AI moderation classifies what survives - the only layer that reliably catches human-written promotional spam. A CAPTCHA is the last resort, because every challenge costs real conversions.
Layering matters because no single method is sufficient and the most aggressive method (CAPTCHA) is the most costly to genuine users. The forms guide details the full layered approach, and honeypot vs reCAPTCHA vs hCaptcha weighs the options.
Related terms
Read the full guide