Spam Protection
Honeypot, captcha, domain restrictions, rate limits, suppression, and abuse rules.
Every submission passes through spam and abuse controls before delivery is queued. FormsFort supports honeypot rejection through botcheck, fixed-window per-IP and per-form rate limits, recipient verification, exact allowed domains, and optional captcha verification.
Built-in protections
- Honeypot (botcheck): Hidden checkbox field. Filled values are rejected as spam.
- Rate limits: Fixed-window per-IP and per-form limits prevent abuse.
- Recipient verification: Only verified recipients receive submissions.
- Allowed domains: Restrict browser submissions to exact hostnames configured on the form.
- Spam scoring: Every parsed submission receives a redacted spam score based on link-heavy content and common spam-term patterns. High-risk scores are rejected before delivery is queued; lower scores stay in metadata so support can diagnose abuse without storing raw submissions.
Captcha
Captcha provider calls fail closed and use the configured verification timeout so slow providers do not stall submissions. Supported providers:
| Provider | Token field |
|---|---|
| hCaptcha | h-captcha-response |
| Google reCAPTCHA v3 | recaptcha_response |
| Cloudflare Turnstile | cf-turnstile-response |
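The fail-closed rule above, sketched as an added example (not FormsFort's own code): a submission passes only on an explicit success from the provider, and a missing token, a provider error, or a verification that exceeds the timeout all reject. The function name, the provider keys, the 2-second default, and the `verify` callable that stands in for the provider's HTTPS call are assumptions.

```python
import concurrent.futures
import time

# Token field names from the provider table; the dict keys are assumed labels.
TOKEN_FIELDS = {
    "hcaptcha": "h-captcha-response",
    "recaptcha_v3": "recaptcha_response",
    "turnstile": "cf-turnstile-response",
}
_POOL = concurrent.futures.ThreadPoolExecutor(max_workers=4)


def captcha_passes(provider, fields, verify, timeout_s=2.0):
    """Return True only when the provider explicitly confirms the token.

    `verify` is a hypothetical callable(token) -> bool that stands in for
    the network call to the provider's verification endpoint.
    """
    field = TOKEN_FIELDS.get(provider)
    if field is None:
        return False  # unknown provider: reject
    token = (fields.get(field) or "").strip()
    if not token:
        return False  # missing or empty token: reject without calling out
    future = _POOL.submit(verify, token)
    try:
        # Anything other than the literal True (None, dict, "ok") is a failure.
        return future.result(timeout=timeout_s) is True
    except concurrent.futures.TimeoutError:
        future.cancel()
        return False  # slow provider: reject instead of stalling the submission
    except Exception:
        return False  # network or parsing error: reject


# Constructed stand-ins for provider behaviour (no network access).
def ok(token):
    return token == "good-token"


def slow(token):
    time.sleep(0.5)
    return True


def broken(token):
    raise ConnectionError("provider unreachable")
```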
Abuse rules
Admins can add exact block or allow rules for:
- Sender IP
- Browser-origin domain
- User agent
- Submitter email-domain
- Origin or email TLD
- Repeated submitted message text
Blocked submissions are recorded as redacted spam metadata with abuse_{type} error classes. Matching allow rules bypass matching abuse blocks while preserving the rest of the validation pipeline.
Suppression list
The suppression list blocks unsafe or bounced recipient emails before delivery and skips autoresponders for suppressed submitter emails.