Spam Filtering Without CAPTCHA: What Actually Works

CAPTCHAs cost you conversions. Here's how modern spam filtering works invisibly — and why it catches more spam than a puzzle ever did.

A few years ago, an e-commerce company ran an A/B test on its contact form. Version A had a standard reCAPTCHA. Version B had nothing visible — just a submit button. Version B was completed 27% more often. The spam rates? Nearly identical.

That result shouldn’t be surprising. CAPTCHAs are optimized to stop old bots. Modern spam doesn’t care about image puzzles.

Why CAPTCHAs Feel Safe But Aren’t

The mental model most people have: CAPTCHA = spam protection. Fill in the checkbox → prove you’re human → form submits clean data. It’s intuitive, which is why it’s been the default for 20 years.

The problem is that CAPTCHA-solving is now a commodity service. For about $2 per 1,000 solves, any spammer can outsource the puzzle to a human-powered solving farm operating 24/7. The CAPTCHA gets completed. The spam gets through. And you still made your legitimate users solve a puzzle to contact you.

On mobile, it’s worse. Touch-based CAPTCHAs have significantly higher abandonment rates. Every time a user taps “I’m not a robot” and gets a grid of blurry traffic lights, some percentage of them closes the tab.

The friction is real. The protection is theater.

What Invisible Filtering Actually Looks Like

When you remove CAPTCHA from the equation, you need signals that don’t depend on user interaction. Here’s what actually works:

1. Honeypot Fields

A honeypot is a hidden form field — invisible to humans, visible to bots. Because bots auto-fill every field they can find (it’s how they’re programmed), filling in the honeypot field is a near-certain bot signal.

<!-- Hidden from users with CSS, but bots fill it anyway -->
<input type="text" name="website" style="display:none" tabindex="-1" autocomplete="off">

Honeypots stop basic bots reliably. Against more sophisticated scrapers that parse CSS and skip hidden fields, they’re less effective. But they’re a valuable first layer — cheap to implement and zero friction.

2. Timing Analysis

Humans take time to fill out forms. They read the labels, think about their answers, maybe go back and edit. Bots submit in milliseconds.

A submission that arrives less than 2–3 seconds after the page loaded is almost certainly automated. This check alone kills a large percentage of spam without any user interaction at all.

3. Behavioral Signals

Beyond timing, behavior patterns reveal a lot:

  • Did the mouse move before the submit button was clicked?
  • Was there any keyboard activity on the page?
  • Did the user tab between fields, or did focus jump directly to the submit button?
  • Is the browser reporting JavaScript-accessible timing metrics that look human?

Bots running headless browsers (Puppeteer, Playwright, Selenium) are increasingly good at faking these signals — but most commodity spam bots don’t bother, because they’re targeting the 99% of sites that have no behavioral checks at all.

4. IP Reputation

Every submission comes from an IP address. Some IP ranges are well-known spam sources: data center IP blocks, known VPN exit nodes, Tor exit relays. A legitimate contact form submission from a data center IP at 3 AM deserves more scrutiny than one from a residential IP during business hours.

This isn’t a binary block — it’s a risk signal that feeds into an overall score.

5. Content Analysis

The actual message content is often the clearest signal of all. Phrases like “We can get you to the top of Google,” link shorteners in the body, messages written entirely in a language your business doesn’t operate in, excessive use of symbols — these patterns are detectable through semantic analysis, without keyword lists.

Modern AI models understand intent, not just word matches. They can tell the difference between a message that mentions “SEO” in a legitimate business context and one that’s an SEO spam pitch.

The Problem With Doing This Yourself

You can implement each of these checks individually. Many developers do. A honeypot field here, a timing check there, a basic profanity filter on the message body.

The problem is layering. Each check works in isolation. Against a moderately sophisticated bot — one that avoids honeypots, waits 5 seconds before submitting, and has pre-warmed message templates — any single check fails.

Effective spam filtering requires combining all of these signals into a single confidence score, calibrated for your specific form and use case. A low-traffic support form for a niche B2B product has different spam patterns than a high-traffic contact form on a consumer website.
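To make the layering concrete, here is an added server-side sketch (not InputGate's code and not from the original article) that folds the honeypot, timing, IP and content signals into one score. The weights, the SECRET key, the render_token field name and the datacenter_ip flag are assumptions for illustration; the render time is HMAC-signed by the server because a plain hidden timestamp field can be rewritten by the client to defeat the timing check.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, server-side only
MIN_FILL_SECONDS = 3              # the article's threshold: under 2-3 s is automated
MAX_TOKEN_AGE = 3600              # assumption: stale tokens are treated as replays

def issue_render_token(now=None):
    """Value for a hidden field, created when the form is rendered."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"

def elapsed_seconds(token, now=None):
    """Seconds since render, or None if the token is missing or tampered with."""
    try:
        ts, mac = token.split(".", 1)
        expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        return (now if now is not None else time.time()) - int(ts)
    except (AttributeError, TypeError, ValueError):
        return None

def score_submission(form, datacenter_ip=False, now=None):
    """Return (score 0-100, reasons). Weights are illustrative, not calibrated."""
    hits = []
    if form.get("website"):  # honeypot field name from the article's HTML
        hits.append((60, "honeypot_filled"))
    age = elapsed_seconds(form.get("render_token"), now)
    if age is None or age > MAX_TOKEN_AGE:
        hits.append((40, "bad_render_token"))
    elif age < MIN_FILL_SECONDS:
        hits.append((40, "submitted_too_fast"))
    if datacenter_ip:  # a risk signal feeding the score, not a block on its own
        hits.append((15, "datacenter_ip"))
    msg = form.get("message") or ""
    if len(re.findall(r"https?://", msg)) >= 2:
        hits.append((20, "multiple_links"))
    if re.search(r"top of google", msg, re.I):
        hits.append((25, "seo_pitch_phrase"))
    return min(sum(p for p, _ in hits), 100), [r for _, r in hits]
```

A bot that skips the honeypot and waits five seconds before submitting trips neither of the first two checks, yet a data center IP combined with a link-heavy SEO pitch still adds up to 60, which is the case single checks miss.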

How InputGate Handles This

InputGate sits at the boundary between your form and your backend. Before any submission reaches your database or triggers an automation, it passes through a multi-layer scoring pipeline:

curl -X POST https://api.inputgate.cloud/v1/check \
  -H "Authorization: Bearer YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "fields":    { "message": "Hi, interested in your pricing" },
    "client_ip": "203.0.113.42",
    "domain":    "yourdomain.com",
    "context":   "B2B SaaS contact form"
  }'

The response includes a spam_score from 0–100 and a reason when something suspicious is detected:

{
  "spam_score": 12,
  "is_spam": false,
  "reason": null,
  "request_id": "ig_req_4a1b2c3d"
}

You set the threshold. If is_spam is true, you show an error (or silently drop the submission). If it’s false, you process normally. Your users never see a CAPTCHA, a puzzle, or a challenge. They fill out the form, click submit, and move on.

The context parameter is what makes the AI scoring useful — telling the model what your form is for lets it calibrate. A message asking about “bulk pricing” reads very differently on a wholesale supplies contact form than on a personal portfolio site.

Real-World Impact

Sites that move from CAPTCHA to API-based filtering typically see:

  • Higher form completion rates (no puzzle = less abandonment)
  • Equal or lower spam rates (multi-signal scoring catches what CAPTCHAs miss)
  • Cleaner databases (filtering at the boundary means bad data never gets written)

The tradeoff people expect — “less friction means more spam” — doesn’t hold. The filtering moves from the user-facing layer to the API layer, where it’s both more effective and completely invisible.


If your forms currently use CAPTCHA, the best next step is to run a week without it (with API-based filtering in place) and measure completion rates. Most teams are surprised by the lift.

Try InputGate free — the starter plan handles 200 submissions per month at no cost. See the API docs for a full integration guide.