How to Protect Your UniLink Forms From Spam (CAPTCHA, Honeypot, and Rate Limiting)

A practical guide to UniLink's built-in form spam protection features — invisible honeypot fields, optional CAPTCHA, rate limiting, email validation, and blocked keywords — and how to configure them without blocking real submissions.

Form spam is one of those problems that seems trivial until you open your inbox and find 200 fake leads with names like "asdf" and email addresses that bounce. Spam submissions pollute your CRM, inflate your contact counts, and waste time you would rather spend on real customers. UniLink's form blocks include a layered spam protection system that lets you tune aggressiveness to match your situation — from the light-touch invisible honeypot all the way to full CAPTCHA and keyword filtering.

What UniLink's Form Spam Protection Does

UniLink's spam protection stack has five layers that work independently and can be combined. The first and most important is the invisible honeypot field. This is a form field that is hidden from human visitors using CSS but is visible to bots that parse the raw HTML. Real visitors cannot see it and therefore leave it empty. Bots fill it in automatically. Any submission where the honeypot field is populated is silently discarded — the bot receives a fake success response (so it does not retry) and the submission never reaches your CRM or email notifications.

The second layer is optional visible CAPTCHA — either a checkbox challenge ("I'm not a robot") or an image-based puzzle. CAPTCHA is more effective than the honeypot against sophisticated bots but adds one extra interaction for every real visitor, which has a measurable effect on form completion rates. It is worth enabling only when the honeypot alone is not enough.

Rate limiting caps the number of submissions from a single IP address within a one-hour window. If a single IP submits more than your configured threshold, additional submissions are blocked with a generic error message. This stops automated burst attacks — when one bot fires hundreds of requests in minutes — without affecting normal visitors who would never submit the same form more than once or twice.

Email validation at the domain level lets you reject submissions from known disposable email providers. These are temporary email addresses (think mailnull.com, guerrillamail.com, and hundreds of similar services) used by people who want to claim your free download without giving a real email. UniLink checks submitted addresses against a maintained blocklist of disposable domains and rejects them before they enter your CRM. Finally, the blocked keywords list lets you define words or phrases that, if found in the message field, cause a submission to be silently discarded — useful for blocking obvious spam patterns like specific pharmaceutical terms or link-heavy messages.

How to Enable Spam Protection on a Form Block

1. Open your page in the editor — go to Dashboard → Pages and click "Edit" on the page containing the form you want to protect.
2. Select the Form block — click the form block on your page to open its settings panel on the right.
3. Go to the Spam Protection tab — in the form settings panel, navigate to the "Spam Protection" tab (it may appear as a shield icon depending on your dashboard version).
4. Confirm honeypot is enabled — the invisible honeypot field is on by default. Verify the toggle reads "Enabled." Only turn it off if you have a specific reason to do so.
5. Enable CAPTCHA if needed — toggle on "Require CAPTCHA" and choose the type: checkbox challenge (lower friction) or image puzzle (higher security). Start with checkbox.
6. Set rate limiting — enter the maximum number of submissions per IP per hour. A value of 3–5 is appropriate for contact forms; set 1 for high-value lead forms where a real visitor would only submit once.
7. Configure email validation and blocked keywords — enable "Block disposable emails" and add any known spam keywords to the blocked keywords field, one per line. Save and publish the page.

How to Tune Spam Protection Without Blocking Real Visitors

1. Start with honeypot only — for most forms, the invisible honeypot catches the vast majority of bot submissions without any impact on real visitors. Start here before enabling anything else.
2. Monitor your CRM for spam patterns — after enabling honeypot, check your CRM contacts weekly for two weeks. Look for patterns: similar names, suspicious email domains, empty or nonsensical message fields.
3. Enable rate limiting before CAPTCHA — rate limiting has zero impact on real visitors who submit once, while CAPTCHA adds friction for everyone. Try rate limiting next if honeypot alone is not enough.
4. Add disposable email blocking — if your CRM shows a lot of guerrillamail or similar addresses, enable the disposable domain blocklist. This catches human spammers using throwaway emails, not just bots.
5. Add CAPTCHA as a last resort — only enable visible CAPTCHA if all other layers are insufficient. Monitor your form completion rate for two weeks after enabling — a significant drop means CAPTCHA is costing you real leads.
6. Build your blocked keywords list incrementally — add only keywords that appear in actual spam messages you have received, not a speculative list. Overly broad keywords (like common English words) will block real submissions.
7. Review blocked submission logs monthly — UniLink logs submissions that were blocked by spam filters (without storing the content for privacy reasons). Review the count to verify the filters are working without over-blocking.

Key Settings Explained

How to Get the Most Out of Form Spam Protection

The most important thing to understand about form spam protection is that it is a tradeoff between blocking fake submissions and frictionless real submissions. Every protection layer you add reduces spam and also has some probability of adding friction or blocking a legitimate edge case. The honeypot is the one exception — it adds no friction and catches most automated bots, which is why it should always be on and why you should add other layers only when there is a specific, observed spam problem to solve.

Disposable email blocking is frequently underestimated. A significant portion of form spam on creator pages is not from bots — it is from real humans who want the free lead magnet without giving their actual email, or who are systematically harvesting contact forms to sell leads. A throw-away email address does not trigger bot detection, passes the honeypot, and looks like a valid submission. The disposable domain blocklist catches this category specifically, and enabling it rarely affects legitimate visitors who almost always use their real email to receive what they signed up for.

Rate limiting is your protection against burst attacks — where a single bad actor or bot network submits the same form dozens of times in minutes. This type of attack is common on contact forms connected to businesses because the spammer either wants their message to appear multiple times or wants to flood your inbox and obscure legitimate messages. A threshold of 3 submissions per hour per IP will never affect a genuine visitor while completely stopping automated burst campaigns.

Review your spam filter logs quarterly and update your approach based on what you see. Spam patterns evolve — new disposable email domains emerge, new bot techniques bypass old honeypots, and keyword patterns change. UniLink updates its disposable domain list automatically, but your blocked keywords list and rate limit settings should be reviewed against actual data rather than set once and forgotten. What worked well six months ago may need tightening as your form receives more traffic and attracts more targeted abuse.

Troubleshooting Common Issues