Home/Docs/Spam Filtering

Spam Filtering

Every submission passes through a two-phase pipeline before it reaches your dashboard. Bad requests are rejected immediately; anything that gets through is scored for spam and flagged if needed.

Phase 1 — Instant rejection

These checks run before the request body is read. Malformed or abusive requests are dropped immediately with no database work.

Content-Type enforcement

415

Only application/json, multipart/form-data, and application/x-www-form-urlencoded are accepted. Any other content type is rejected.

Body size limit

413

Requests larger than 1 MB are rejected before parsing.

Field count cap

400

Submissions with more than 50 fields are rejected.

Field value length cap

400

Any single field value exceeding 10,000 characters is rejected.

Phase 2 — Spam scoring

Submissions that pass Phase 1 are scored. Each signal adds points. High-confidence spam is rejected outright; lower-confidence submissions are stored and flagged so you can review them.

Honeypot field

Add a hidden _gotcha field to your form. Real users never see it; bots fill it in. Any submission with a non-empty _gotcha is silently discarded — the bot receives a success response but nothing is stored.

Disposable email detection

hard reject

Email fields are checked against a list of over 100,000 disposable and temporary email domains (Mailinator, Guerrilla Mail, Temp Mail, and similar). Submissions using these domains are rejected and not stored.

Profanity scoring

+5 pts per match

All text fields are scanned against a blocklist of profane and abusive terms. Each matched word adds 5 points to the spam score.

Link analysis

+1–5 pts per URL

URLs in the submission are extracted and scored:

  • +1Any URL
  • +3URL shortener (bit.ly, tinyurl.com, t.co, and others)
  • +2Suspicious TLD (.xyz, .top, .click, .buzz, and others)

What happens at each score

The final score determines how the submission is handled.

ScoreOutcomeStored?
< 5AcceptedYes
5 – 9Accepted, flagged as spamYes — marked for review
≥ 10RejectedNo

Flagged submissions appear in your dashboard with a spam badge and are dimmed so they don't clutter your view.

Adding the honeypot to your form

Include a hidden _gotcha field. CSS ensures real users never interact with it.

HTML
<form action="https://formdump.com/api/f/YOUR_FORM_ID" method="POST">
  <input type="text" name="name" placeholder="Your name" />
  <input type="email" name="email" placeholder="Your email" />
  <textarea name="message" placeholder="Message"></textarea>

  <!-- Honeypot — hidden from real users, filled by bots -->
  <input
    type="text"
    name="_gotcha"
    style="display:none"
    tabindex="-1"
    autocomplete="off"
  />

  <button type="submit">Send</button>
</form>

Questions? Contact support