Why Bots Bypass Traditional Spam Filters (And What to Do About It)
Keyword lists, IP blocklists, and CAPTCHAs were built for a different era of spam. Here's how modern bots evade all three — and what defenses actually hold.
In early 2025, SentinelOne published research on a bot called AkiraBot. It targeted small business websites at scale — contact forms, live chat widgets, comment sections. What made it notable wasn’t the volume. It was the method: AkiraBot used OpenAI’s API to generate unique, contextually relevant spam messages for each target site. Every submission looked different. Every message was coherent and on-topic. Traditional content filters saw nothing suspicious.
AkiraBot also solved CAPTCHAs automatically — not by cracking them, but by routing them through a third-party human-solving service. The CAPTCHA was completed by a real person, in real time, at scale.
This is what spam looks like now. Not obvious keyword stuffing and broken English. Not requests from known bad IP addresses. Contextually aware, CAPTCHA-solving, behaviorally convincing automated attacks.
Understanding why traditional defenses fail against this is the first step to building something that doesn’t.
Traditional Filter #1: Keyword and Pattern Matching
The original spam filter idea: build a list of spammy words and phrases, flag anything that matches. “Increase your SEO,” “Nigerian prince,” “click here now.” Simple, fast, effective against early spam.
Why bots bypass it: Keyword lists are static. The bots are adaptive. Once a phrase gets flagged consistently, spammers rotate to synonyms, reorder sentences, introduce deliberate misspellings (“SEO” becomes “S.E.O.” or “search engine optimizaton”), or — as in AkiraBot’s case — use an LLM to generate contextually appropriate messages that contain none of the flagged terms.
Pattern matching also has a false positive problem. A genuine inquiry about “pricing for bulk orders” might trigger a filter looking for “bulk” as a spam signal. You end up blocking real submissions and passing sophisticated ones.
What survives: Semantic understanding, not keyword matching. AI models that understand intent — what is this message actually trying to accomplish — can spot spam that contains none of the expected signals.
Traditional Filter #2: IP Reputation Blocklists
The idea: maintain a list of known bad IP addresses and ranges. Data center IPs that send bulk traffic. Known botnet nodes. Tor exit relays. Block anything from those sources.
Why bots bypass it: Residential proxy networks. For a few dollars per gigabyte, anyone can route traffic through IP addresses belonging to real consumer ISPs — the same IPs your legitimate users have. These addresses have no bad reputation because they’re real home internet connections, temporarily rented from their owners (often via browser extensions or software that users unknowingly installed).
A submission from a residential IP in the same city as your target audience looks indistinguishable from a real user, even to a sophisticated blocklist.
IP reputation is also a trailing indicator. A new IP range that starts sending spam today won’t appear in blocklists until after enough reports accumulate — which could take days or weeks of ongoing abuse.
What survives: Behavioral signals that are independent of IP address. How the form was interacted with. Timing patterns. Browser fingerprint consistency. These are harder to fake than an IP address.
Traditional Filter #3: CAPTCHAs
We covered CAPTCHAs in depth in Spam Filtering Without CAPTCHA, but the short version: CAPTCHAs are bypassed in two ways.
First, human-solving services. Real humans completing CAPTCHAs for $2 per 1,000 solves. The CAPTCHA sees a human. The submission is still spam.
Second, ML-based solving. Image classification models can now solve many CAPTCHA types with high accuracy. Google’s reCAPTCHA v2 has been broken repeatedly by automated solvers. The arms race between CAPTCHA designers and solvers has been running for years, and the solvers are winning.
reCAPTCHA v3 (the invisible, score-based version) is a step in the right direction — it scores behavior rather than presenting a puzzle. But it’s a single vendor’s model, and sophisticated bots specifically train against it.
What survives: Multi-signal scoring that doesn’t rely on any single checkpoint. A score-based approach that combines timing, behavior, content, and IP signals is much harder to game than a single test.
Traditional Filter #4: Rate Limiting
Limit each IP to N submissions per hour. Simple, effective against naive volume-based attacks.
Why bots bypass it: IP rotation. A bot with access to a residential proxy network can submit from a different IP address every time. Spreading 10,000 submissions across 10,000 IP addresses means each individual IP stays well within any per-IP rate limit.
Rate limiting is still worth implementing — it raises the cost of attacks and stops the dumbest bots — but it’s not a primary defense against anything moderately sophisticated.
What survives: Per-submission content scoring. Even if a bot submits from a fresh IP each time, the submission content still carries signals. Unusual phrasing patterns, semantic inconsistencies, messages that don’t match what your form is for — these don’t reset when the IP changes.
What Modern Bots Are Actually Good At
To understand what defenses work, it helps to understand where modern bots invest their sophistication:
Browser fingerprint spoofing. Headless browsers (Puppeteer, Playwright) used to be easy to detect — they reported themselves as headless in their JavaScript APIs. Modern frameworks strip those signals and report as a normal Chrome instance, with realistic screen dimensions, font lists, and canvas fingerprints.
Human timing simulation. Ghost-cursor and similar libraries generate realistic mouse trajectories, with natural acceleration/deceleration curves. Keystroke timing follows statistical distributions that match human typing patterns.
Context-aware content generation. AkiraBot-style attacks use LLMs to generate submissions that are relevant to the specific website being targeted. A plumbing company gets spam about plumbing leads. A law firm gets spam about “qualified legal leads.” Generic content filters see nothing unusual.
CAPTCHA outsourcing. Human-solving networks handle the CAPTCHA layer. The bot handles everything else.
Residential IP rotation. No IP blocklist can keep up with millions of rotating residential addresses.
The common thread: every defense layer that relies on a single signal is gameable by investing effort in that specific signal. Fingerprinting → fake the fingerprint. IP reputation → use residential IPs. CAPTCHAs → outsource to humans. Content filters → generate contextual content.
What Actually Holds
Defenses that combine multiple independent signals are much harder to beat, because gaming all of them simultaneously is expensive and technically complex.
Multi-signal scoring is the core principle. Instead of “this IP is on a blocklist,” you’re looking at: IP reputation + timing + behavior + browser fingerprint consistency + content semantics + form interaction patterns. A sophisticated bot might be able to fake two or three of these. Faking all of them simultaneously, in a way that passes a calibrated model trained on your specific form’s traffic, is hard enough that most attackers move on to easier targets.
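To make the multi-signal principle concrete, here is an added illustrative scorer (not InputGate's code or pipeline; the weights, the 0.5 threshold and the three sample submissions are constructed assumptions). It shows the point of the paragraph above: a bot that fakes IP reputation, content and context but leaves timing, behavior and fingerprint alone sails past a keyword filter yet still trips the combined score, while a genuine "bulk orders" inquiry that a keyword list would block scores as human.

```python
from dataclasses import dataclass

@dataclass
class Submission:
    ip_on_blocklist: bool          # IP reputation (a trailing indicator)
    fill_time_s: float             # seconds from page load to submit
    pointer_events: int            # mouse/touch events seen before submit
    fingerprint_consistent: bool   # UA, screen, fonts and canvas agree
    keyword_hits: int              # matches against a static spam phrase list
    on_topic: bool                 # content fits the form's stated purpose

# Illustrative weights (assumed, not calibrated); they sum to 1.0.
WEIGHTS = {"ip": 0.15, "timing": 0.20, "behavior": 0.20,
           "fingerprint": 0.15, "content": 0.15, "context": 0.15}

def signal_scores(s: Submission) -> dict:
    """Each signal votes independently: 0.0 (human-like) .. 1.0 (bot-like)."""
    return {
        "ip": 1.0 if s.ip_on_blocklist else 0.0,
        "timing": 1.0 if s.fill_time_s < 2.0 else 0.0,   # humans rarely submit in <2 s
        "behavior": 1.0 if s.pointer_events == 0 else 0.0,
        "fingerprint": 0.0 if s.fingerprint_consistent else 1.0,
        "content": min(1.0, s.keyword_hits / 3),
        "context": 0.0 if s.on_topic else 1.0,
    }

def spam_score(s: Submission) -> float:
    return sum(WEIGHTS[k] * v for k, v in signal_scores(s).items())

def keyword_filter_flags(s: Submission) -> bool:
    """Single-signal baseline, i.e. Traditional Filter #1 on its own."""
    return s.keyword_hits > 0

def multi_signal_flags(s: Submission, threshold: float = 0.5) -> bool:
    return spam_score(s) >= threshold

# Constructed sample submissions (not real traffic).
NAIVE_BOT = Submission(True, 0.3, 0, False, 3, False)
# Residential IP, on-topic LLM text, no keyword hits; but instant, mouse-less, inconsistent fingerprint.
LLM_BOT = Submission(False, 0.8, 0, False, 0, True)
# Genuine inquiry whose only "spam" signal is one hit on "bulk".
HUMAN = Submission(False, 47.0, 180, True, 1, True)

if __name__ == "__main__":
    for name, sub in [("naive bot", NAIVE_BOT), ("LLM bot", LLM_BOT), ("human", HUMAN)]:
        print(f"{name:10} keyword={keyword_filter_flags(sub)!s:5} "
              f"multi={multi_signal_flags(sub)!s:5} score={spam_score(sub):.2f}")
```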
Context-specific calibration matters too. A generic spam filter has to work across millions of different form types. An API like InputGate that accepts a context parameter — “this is a B2B SaaS pricing inquiry form” — can calibrate scoring for what legitimate submissions to your form actually look like. Submissions that are out of place for your context get flagged, even if they’d pass a generic content check.
Boundary filtering (scoring before the submission reaches your backend) means that even when a bot gets through the other layers, it doesn’t pollute your database or trigger your automations. Keeping bad data out of your system is ultimately more important than catching every bot — the goal is clean data, not perfect bot detection.
The Practical Takeaway
If you’re running traditional defenses — keyword filters, IP blocklists, basic rate limiting, a CAPTCHA — you’re well-protected against the spam of 2015. Against the spam of 2025, you have meaningful gaps.
The path forward isn’t a more sophisticated CAPTCHA. It’s moving the filter to where it’s most effective: at the API layer, scoring multi-signal inputs against a model that understands your specific context, before any submission touches your backend.
See how InputGate works, or read the API docs to see how the scoring pipeline handles each signal layer.
Related: Spam Filtering Without CAPTCHA — the practical guide to removing CAPTCHAs without increasing spam.