How we keep spam off this form
Almost all form spam comes from robots that never even open your page. The fix is simple: we only accept a message if it proves it came from a real person actually using the form. No Google, no captcha puzzles, no tracking.
A robot doesn't use your form like you do
This one difference is the whole trick. Once you see it, the rest is obvious.
How you use it
You open the page, read it, type your name and message, and press send. While you do, the page quietly does a small check and hands your browser a kind of ticket that proves a real person was actually here.
How a robot uses it
It never opens your page or sees any of this. It throws junk straight at the hidden address behind the form, the way someone might shove a flyer under the door instead of knocking. It does this to thousands of sites a day, a few goes each, which is why you get the odd junk message and not a flood.
So we check one thing: were you really here?
Not a puzzle to solve, just a quiet check that you came from a real browser.
Our server simply refuses any message that doesn't carry that ticket. A robot firing junk at the back door never opened the page, so it never got one, and its message is thrown out before it ever reaches us. That single rule stops almost all of it, and you never see it happen. You just fill in the form like any other website.
The ticket can't be copied or guessed either, because your device makes a fresh one each time by doing a tiny scrap of real computing work. That is all the brief "Checking you're a real person" pause is. A rarer, cleverer robot could run the page properly to earn a ticket, but then it has to do that work on every single attempt, which is the slow, fiddly thing it is built to avoid. So it gives up and moves to an easier target.
Four quiet checks, working together
You sail straight past all four without noticing. A junk robot trips over them.
A box only a robot ticks
There's a box on the form you can't see. Robots fill in everything they find, so the moment one ticks it, we know it isn't a person.
Real people aren't that fast
A person takes a few seconds to read and type. A message that arrives in a split second wasn't typed by a human.
The ticket
The main one. A real browser that loads and uses the page earns a ticket. No ticket, no entry, so junk fired at the back door is dropped on sight.
Knock too often and the door locks
If something does keep trying over and over from the same place, we quietly stop letting it through.
What actually reaches you
A robot fires the same junk at both forms. Only one of them passes it on.
A normal form passes whatever it's handed straight to the inbox. Ours checks every message for a ticket proving it came from a real browser that used the page. The robot never opened the page, so it never has a ticket, and the junk is dropped before it ever lands in front of you.
For the techies
No third parties, no cookies, no tracking. Here's exactly what's under the hood, and we'll happily build the same into any form we make for you.
salt + timestamp + difficulty + signature. A Web Worker then brute-forces a SHA-256 nonce whose hash has the required number of leading zero bits, off the main thread so the page never blocks. The solved token rides along with the form post.Done properly
How something is built matters as much as what it does.
Private
No Google watching your visitors and no outside trackers. The whole thing runs on our own server and in your browser, and nowhere else.
Nothing for you to do
No traffic-light puzzles, no "pick all the buses." Real people just get through without lifting a finger.
This is how we build
If we take this much care over our own contact form, picture the care we put into your project.
We build this kind of thing for a living
Websites, online systems, software products and ServiceM8 add-ons, built properly, right down to the details most people never notice.
Start a project