Spam Filtering

Protect your forms with Kitoform's comprehensive multi-layered spam protection system.

Overview

Kitoform provides enterprise-grade spam protection through multiple layers of security. Our system combines CAPTCHA verification, intelligent filtering, rate limiting, and behavioral analysis to ensure only legitimate submissions reach your inbox.

🛡️ Protection Layers

  • CAPTCHA verification (reCAPTCHA v2/v3, hCaptcha)
  • Honeypot field detection
  • Rate limiting and IP analysis
  • Content-based spam detection
  • Behavioral pattern analysis
  • Real-time blacklist checking

Security Levels

Choose the appropriate security level based on your needs. Higher security provides better protection but may require more user interaction.

Standard Protection

Balanced security with minimal user friction. Recommended for most contact forms and newsletters.

Features enabled:

  • Basic honeypot fields
  • Content keyword filtering
  • Rate limiting (standard)
  • IP reputation checking
  • Optional CAPTCHA on suspicious activity
  • Submission time analysis

Strict Protection

Enhanced security for important forms. Includes more aggressive filtering and validation.

Features enabled:

  • All Standard features
  • Advanced honeypot variations
  • Stricter rate limiting
  • Email domain validation
  • CAPTCHA required more frequently
  • Browser fingerprinting
  • Geolocation analysis
  • Advanced content analysis

Paranoid Protection

Maximum security for critical forms. Requires user verification but provides the highest protection.

Features enabled:

  • All Strict features
  • CAPTCHA required for all submissions
  • Email verification required
  • Multiple honeypot strategies
  • Aggressive rate limiting
  • Device reputation scoring
  • Behavior pattern analysis
  • Machine learning spam detection

CAPTCHA Integration

Kitoform supports multiple CAPTCHA providers to suit different privacy and user experience requirements.

reCAPTCHA v3

Invisible protection with risk analysis. Best user experience with intelligent scoring.

Best for: All form types

User friction: None (invisible)

Privacy: Google integration

reCAPTCHA v2

Traditional checkbox verification. Reliable protection with familiar user interface.

Best for: Contact forms, registrations

User friction: Low (checkbox)

Privacy: Google integration

hCaptcha

Privacy-focused alternative. GDPR compliant with better accessibility features.

Best for: Privacy-conscious sites

User friction: Low to moderate

Privacy: Independent, GDPR compliant

Honeypot Fields

Honeypot fields are invisible traps that catch automated spam bots. They're hidden from real users but visible to bots that automatically fill out all form fields.

How It Works

  1. Hidden fields are added to your form (invisible to users)
  2. Bots automatically fill out all fields, including hidden ones
  3. Kitoform detects filled honeypot fields and blocks the submission
  4. Real users never see or fill these fields, so their submissions pass through

Implementation

Kitoform automatically adds honeypot fields to your forms. No additional setup required.

<!-- Kitoform automatically injects fields like these: -->
<input type="text" name="website" style="display:none" tabindex="-1" autocomplete="off">
<input type="email" name="confirm_email" style="position:absolute;left:-9999px" tabindex="-1">
<input type="text" name="business_name" class="visually-hidden" tabindex="-1">

<!-- Multiple strategies used simultaneously -->
<div style="opacity:0;position:absolute;top:0;left:0;height:0;width:0;z-index:-1;">
  <input type="text" name="honeypot_field" tabindex="-1" autocomplete="off">
</div>
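
The detection step described under "How It Works", as an added example (not Kitoform's own code): a server-side check that flags a submission when any injected trap field arrives non-empty or when the form comes back implausibly fast. The trap names are taken from the snippet above; `evaluateSubmission`, the `_rendered_at` field and the 3-second minimum are assumptions made for the illustration.

```javascript
// Added example, not Kitoform's code. Trap names come from the snippet above;
// _rendered_at and MIN_FILL_MS are assumptions made for this illustration.
const HONEYPOT_FIELDS = ["website", "confirm_email", "business_name", "honeypot_field"];
const MIN_FILL_MS = 3000; // assumed lower bound for a human filling the form

function evaluateSubmission(fields, nowMs) {
  const reasons = [];

  // 1. Any trap field that arrives with content is a bot signal.
  for (const name of HONEYPOT_FIELDS) {
    const value = fields[name];
    if (typeof value === "string" && value.trim() !== "") {
      reasons.push(`honeypot:${name}`);
    }
  }

  // 2. Submission time analysis: the server embeds the render time in the
  //    form (hypothetical _rendered_at field; sign it in production so the
  //    client cannot alter it) and rejects missing, future or too-recent values.
  const raw = String(fields._rendered_at ?? "");
  if (!/^\d+$/.test(raw)) {
    reasons.push("timing:missing");
  } else if (nowMs - Number(raw) < MIN_FILL_MS) {
    reasons.push("timing:too_fast");
  }

  // 3. Strip trap and bookkeeping fields so they never reach the inbox.
  const clean = {};
  for (const [key, value] of Object.entries(fields)) {
    if (!HONEYPOT_FIELDS.includes(key) && key !== "_rendered_at") clean[key] = value;
  }
  return { spam: reasons.length > 0, reasons, clean };
}

// Constructed sample submissions (not real traffic).
const T0 = 1700000000000;
const humanResult = evaluateSubmission(
  { name: "Ada", message: "Hello", website: "", confirm_email: "", _rendered_at: String(T0) },
  T0 + 12000
);
const botResult = evaluateSubmission(
  { name: "x", website: "http://spam.example", business_name: "Acme", _rendered_at: String(T0) },
  T0 + 400
);
console.log(humanResult.spam, botResult.reasons);
```

Browser autofill and password managers can populate hidden inputs with names such as `website`, so a filled trap is better weighed together with the other signals than treated as proof on its own.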

Rate Limiting

Prevent spam by limiting how frequently forms can be submitted from the same IP address or user.

Rate Limit Types

IP-based Limiting

Limits submissions per IP address within a time window.

Standard: 5 submissions/hour • Strict: 3 submissions/hour • Paranoid: 1 submission/hour

Form-based Limiting

Global rate limits per form across all users.

Configurable per form endpoint

Burst Protection

Prevents rapid-fire submission attempts.

Max 2 submissions per 30 seconds

Configuration

// Configure in Kitoform dashboard
{
  "rateLimiting": {
    "enabled": true,
    "strategy": "sliding_window",
    "ipLimit": {
      "requests": 5,
      "windowMs": 3600000  // 1 hour
    },
    "burstProtection": {
      "requests": 2,
      "windowMs": 30000    // 30 seconds
    },
    "blockDuration": 900000  // 15 minutes
  }
}

⚠️ Rate Limit Responses

When limits are exceeded, users receive a 429 status with retry information. Configure custom error messages in your dashboard.
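
A sliding-window limiter built from the configuration values above, as an added example (not Kitoform's implementation), returning the 429 status with a retry hint. The class name, the in-memory maps and the rule that exceeding either limit blocks the IP for `blockDuration` are assumptions; the page does not state how the three settings interact.

```javascript
// Added example, not Kitoform's implementation. Values mirror the
// configuration above; how they combine is an assumption (see lead-in).
const RATE_CONFIG = {
  ipLimit: { requests: 5, windowMs: 3600000 },        // 5 per hour
  burstProtection: { requests: 2, windowMs: 30000 },  // 2 per 30 seconds
  blockDuration: 900000,                              // 15 minutes
};

class SlidingWindowLimiter {
  constructor(config) {
    this.config = config;
    this.accepted = new Map();     // ip -> timestamps (ms) of accepted submissions
    this.blockedUntil = new Map(); // ip -> time (ms) at which the block ends
  }

  // Returns { status: 200 } or { status: 429, retryAfterSec }.
  check(ip, nowMs) {
    const { ipLimit, burstProtection, blockDuration } = this.config;

    // An active block short-circuits everything else.
    const until = this.blockedUntil.get(ip) || 0;
    if (nowMs < until) return this.reject(until, nowMs);

    // Sliding window: keep only timestamps still inside the longest window,
    // then count how many of those also fall inside the burst window.
    const log = (this.accepted.get(ip) || []).filter((t) => nowMs - t < ipLimit.windowMs);
    const inBurst = log.filter((t) => nowMs - t < burstProtection.windowMs).length;

    if (log.length >= ipLimit.requests || inBurst >= burstProtection.requests) {
      const blockEnd = nowMs + blockDuration;
      this.blockedUntil.set(ip, blockEnd);
      this.accepted.set(ip, log); // rejected attempts are not recorded
      return this.reject(blockEnd, nowMs);
    }

    log.push(nowMs);
    this.accepted.set(ip, log);
    return { status: 200 };
  }

  // Value for a Retry-After header, rounded up to whole seconds.
  reject(until, nowMs) {
    return { status: 429, retryAfterSec: Math.ceil((until - nowMs) / 1000) };
  }
}

// Constructed replay: three submissions from one documentation-range IP in 2 s.
const demoLimiter = new SlidingWindowLimiter(RATE_CONFIG);
const demoResults = [0, 1000, 2000].map((t) => demoLimiter.check("203.0.113.7", t));
console.log(demoResults.map((r) => r.status));
```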

Content Filtering

Intelligent analysis of form content to detect spam patterns, suspicious links, and malicious content.

Spam Keywords

Detection of common spam phrases and promotional content.

Detected patterns:

  • Excessive promotional language
  • Pharmaceutical terms
  • Financial scam keywords
  • Adult content indicators
  • Suspicious URL patterns

Link Analysis

Real-time checking of URLs against known malicious domains.

Checks include:

  • Malware domain blacklists
  • Phishing site detection
  • URL shortener analysis
  • Domain reputation scoring
  • Suspicious TLD patterns

Machine Learning Detection

Advanced AI-powered analysis for sophisticated spam detection.

Language Analysis

Natural language processing to detect spam patterns and gibberish content.

Behavioral Patterns

Analysis of submission patterns, timing, and user behavior indicators.

Adaptive Learning

Continuous improvement based on spam trends and false positive feedback.

Configuration Guide

Set up spam filtering for your forms through the Kitoform dashboard or API.

Dashboard Configuration

  1. Go to your form settings in the Kitoform dashboard
  2. Navigate to the "Security & Spam Protection" section
  3. Choose your security level (Standard, Strict, or Paranoid)
  4. Configure CAPTCHA settings if desired
  5. Save settings and test your form

API Configuration

// PUT /api/forms/:formId
{
  "spamProtection": {
    "enabled": true,
    "securityLevel": "strict",
    "captchaProvider": "recaptcha-v3",
    "captchaSettings": {
      "threshold": 0.5,
      "siteKey": "your-site-key"
    },
    "rateLimiting": {
      "enabled": true,
      "ipLimit": 3,
      "windowMinutes": 60
    },
    "contentFiltering": {
      "enabled": true,
      "strictness": "medium",
      "customKeywords": ["custom", "blocked", "words"]
    },
    "honeypot": {
      "enabled": true,
      "fieldCount": 2
    }
  }
}

Monitoring & Analytics

Track spam attempts and fine-tune your protection settings with detailed analytics.

📊 Spam Statistics

  • Total spam attempts blocked
  • Spam detection accuracy rates
  • Most common spam patterns
  • CAPTCHA challenge completion rates
  • False positive reports

🚨 Alerts & Notifications

  • Unusual spam activity spikes
  • Rate limit violations
  • CAPTCHA failure alerts
  • Potential false positive warnings
  • Security configuration changes

Best Practices

✅ Recommendations

  • Start with Standard security and adjust as needed
  • Monitor false positive rates regularly
  • Use multiple protection layers for best results
  • Test forms thoroughly after configuration changes

❌ Avoid

  • Using Paranoid mode for all forms unnecessarily
  • Ignoring legitimate user feedback about accessibility
  • Over-aggressive rate limiting for legitimate use cases
  • Disabling all protection to avoid configuration
