Wrong Defense Against Form Spam: Protect the Right Door
Identifying the right strategy to tackle form spam is crucial. Protecting the wrong door won't provide an effective solution.
Spam directed at a website's contact form cannot be effectively addressed without understanding how the form operates in the background. Since spam is routed directly to an external service, protections like Cloudflare at the front door become ineffective. This indicates that the spam does not pass through the front door, necessitating a change in the form's structure.
To prevent spam, a verification layer should be added to the backend of the form, hosted on the site's own domain. This allows Cloudflare's WAF and other protective measures to take effect. Ultimately, defense strategies are determined by where the traffic is directed, making it essential to analyze the submission process of the form first.