
Spam Filtering

Your time is limited, so we want to make sure the only submission data that hits your inbox is sent by humans, not bots.

Introduction

Basin offers a variety of spam filtering options you can add to your forms to ensure only legitimate submissions are sent to your inbox. Some options are available in your form's settings: Form -> Settings -> Spam. Some are up to you to implement in your form's HTML. We recommend using a combination of spam filtering options to ensure the best results.

Basin supports multiple CAPTCHA solutions like Cloudflare Turnstile, Google reCAPTCHA v2 and v3, and hCAPTCHA, all serving the fundamental purpose of distinguishing between human and automated traffic for form submissions. However, as each of these solutions fulfills the same basic function, only one should be implemented at a time to avoid redundancy and maintain user-friendliness. In contrast, Basin's other spam filtering options, such as honeypot fields, duplicate filters, and email domain restrictions, address different aspects of spam prevention. These can be effectively combined with any chosen CAPTCHA solution, providing a comprehensive and layered approach to securing your forms against spam and automated abuse.

Background


Spam filtering is the hardest part of operating a form service. Everyone has a different tolerance for the spam they are willing to sort, or expect to be filtered for them. There will always be some percentage of false positives with any spam filtering system. We filter spam in order to protect our email sending reputation; this is what enables us to land emails in your inbox instead of your spam folder.

We recommend the following techniques to ensure you review all false positives:

  • Webhooks can be configured to trigger regardless of the spam status of a submission.
  • Configure reminders to review your spam folders often.
  • Enable spam summary emails within your form settings.

Notice:

Basin retains spam for 30 days before it is permanently deleted. Be sure to review your spam folder frequently.

Cloudflare

All our forms are protected by Cloudflare's Web Application Firewall (WAF). This is our first line of defense against submissions originating from the dark web and known bots.

Spamcheck.ai

To accurately assess the legitimacy of your form's submission content, we use Spamcheck.ai, an intelligent API solution that provides automatic protection and stops spam content from reaching your inbox. As a machine learning spam filter, it's constantly training and evolving to be better at what it does.

SpamCheck Version Migration

We have recently begun migrating users to a new version of SpamCheck, Version 2. By default, new forms created use Version 2 but Version 1 is also still available. Certain features, including our Invalid Email Filter, Burner Email Filter, and Risky URL Whitelist are only available with Version 2.

reCaptcha/hCaptcha/Cloudflare Turnstile Setup


We offer three captcha solutions: reCaptcha, hCaptcha, and Cloudflare Turnstile. Basin supports all three, but you can only use one at a time. We recommend using BasinJS, our easy-to-use JavaScript helper for connecting your HTML form to Basin, to set up your captcha solution. BasinJS handles all of the setup for any of our captcha solutions, including Cloudflare Turnstile. To use BasinJS, follow the steps outlined in our BasinJS Docs. If you want to set up captcha manually, follow the steps for each captcha solution in the advanced section.

Honeypot


This technique can be used to add an additional layer of protection. Include a field (hidden or visible) in your form for spam bots to fill out; when a value is entered in that field and submitted, the submission is ignored.

A custom honeypot field name can be specified within your form settings.

<form accept-charset="UTF-8" action="https://usebasin.com/f/1a2b3c4d5e6f" method="POST">
    ...
    <input type="hidden" name="_gotcha">
    ...
</form>

Duplicate Filter


The duplicate filter checks if an incoming submission is an exact copy of a submission that is already in the inbox or spam folder and automatically marks duplicate submissions as spam. You can toggle the duplicate filter on/off in your form's settings: Form -> Settings -> Spam -> Duplicate Filter

Valid Email Filter


SpamCheck Version 2 Only

The valid email filter is only available with SpamCheck Version 2.

The valid email filter checks if the email field of an incoming submission points to a valid email address. We check for email address validity in two ways: first, the email must look like a valid email (it must match [someuser]@[some_domain].[tld]); second, the email address given must point to a mailbox that can receive emails. If this setting is enabled and either of these criteria is not met, the submission is marked as spam. You can toggle this setting on/off in your form's settings: Form -> Settings -> Spam -> Valid Email Filter.

Note: A valid email field is required for this setting to work. The form input must have its name attribute set to email:

<form>
    <!-- form fields here -->
    <input type="email" id="email" name="email" required>
    <!-- rest of form -->
</form>

Burner Email Filter


SpamCheck Version 2 Only

The burner email filter is only available with SpamCheck Version 2.

The burner email filter checks if the email field of an incoming submission points to a temporary (burner) email domain. Burner email addresses are often used by spammers to avoid detection and/or to avoid being added to email lists. If this setting is enabled and the email address is determined to be a burner email address, the submission is automatically marked as spam. You can toggle this setting on/off in your form's settings: Form -> Settings -> Spam -> Burner Email Filter.

Risky URL Whitelist


SpamCheck Version 2 Only

The risky URL whitelist is only available with SpamCheck Version 2.

Basin uses AI tools to filter for spam, including a check to see if your submissions contain 'risky URLs'. You can whitelist certain URLs Basin marks as 'risky' so they won't be sent to the spam folder. You can whitelist risky URLs in your form's settings: Form -> Settings -> Spam -> Allowed Risky URLs

Note: This filter only works on submissions flagged as spam with the reason Content contains risky URLs. If your submissions are marked as spam for other reasons, the whitelist will not allow these through.

Country Filter


Basin collects data about the computer that made the submission, including its IP address. Using IP geolocation we can narrow down the country the submission originated from. The country filter allows you to choose which countries submissions can be sent from. The whitelist only allows submissions from countries on the whitelist and the blacklist allows submissions from all countries except those on the blacklist to be sent to the inbox. Submissions from countries that are not allowed will be automatically marked as spam. You can add countries to the Country Filter in your form's settings: Form -> Settings -> Spam -> Allowed/Blocked Countries

Note: Only one of the blacklist or whitelist should be used. If you use the whitelist, all other countries are blacklisted or if you use the blacklist, all other countries are whitelisted.

Radius-based location filter


Basin uses IP geolocation to determine the general location of the computer that made the submission. The radius-based location filter allows you to choose a point on the map and a radius for filtering submissions. Submissions originating within the radius of the point will be allowed through the filter and submissions originating outside of the radius will be marked as spam. You can enable the radius-based location filter in your form's settings: Form -> Settings -> Spam -> Radius-based location filter.

Note: This feature is only available on the Premium plan and above.

Language Filter


Basin uses language detection tools to determine the primary language(s) contained in a submission. The language filter allows you to choose which languages are allowed in submissions. The whitelist only allows submissions where the primary language is on the whitelist and the blacklist allows submissions with any primary language except those on the blacklist to be sent to the inbox. Submissions primarily containing languages that are not allowed will be automatically marked as spam. You can add languages to the Language Filter in your form's settings: Form -> Settings -> Spam -> Accepted/Blocked Languages

Note: Both the whitelist and blacklist can be used simultaneously, as the tolerances for accepted/blocked languages are slightly different.

Allowed domains (Domain restriction)


You can set up your project to only accept form submissions from a specific domain, which is essentially an additional layer of spam protection. By setting your allowed domains, only submissions that originate from a form hosted on the specified domain or any of its subdomains will be accepted. Submissions that were not submitted from the specified domain will be sent to your spam folder.

When this setting is enabled, Basin checks the Origin header of the submission to see if it matches any of your allowed domains.

You can edit your allowed domains within your project settings: Forms -> Project -> Allowed domains

NOTE: You can add multiple domains, separated by a comma.

GIF showing how to set up domain restriction for your Basin project

Advanced: Set Origin Manually for JavaScript Frameworks

While the browser normally sets the Origin header automatically for standard <form action="..."> POST requests, when users make submissions to Basin using AJAX or a JavaScript framework like React, the Origin header can be omitted from the request, which causes the submission to be marked as spam. To prevent this, ensure that the Origin header is set manually in your submission requests to Basin.

Example:

fetch('https://usebasin.com/f/[YOUR_FORM_ENDPOINT]', {
    method: 'POST',
    body: formData,
    headers: {
        'Origin': 'https://my-domain.com' // Manually add the Origin header to the request
    }
});

Ensure Referrer Policy is Set Correctly

In order to use Basin's domain restriction spam filter you must ensure your site's Referrer-Policy sends your site's origin information to Basin.

By default, sites usually have the Referrer-Policy set to strict-origin-when-cross-origin which is compatible with Basin. Click here for more information on referrer policy
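The Origin check this section describes, sketched as an added example (not Basin's code): `parseAllowedDomains` and `originAllowed` are hypothetical names and the sample origins are constructed. It matches the host on a label boundary so lookalike hosts do not pass, and treats a missing or `null` Origin, which a restrictive Referrer-Policy can produce, as no match.

```javascript
// Added example: hypothetical helpers, not Basin's implementation.

// Parse the comma-separated "Allowed domains" setting into bare hostnames.
function parseAllowedDomains(setting) {
  return setting
    .split(',')
    .map((d) => d.trim().toLowerCase().replace(/\.$/, ''))
    .filter(Boolean);
}

// Return true when the Origin header's host is an allowed domain or one of
// its subdomains.
function originAllowed(originHeader, allowedDomains) {
  // Absent header (many non-browser clients) or the literal "null" that
  // browsers send for opaque origins and under restrictive referrer
  // policies such as no-referrer: nothing to match against.
  if (!originHeader || originHeader === 'null') return false;

  let host;
  try {
    // Parse instead of substring-matching so scheme, port and case
    // cannot influence the comparison.
    host = new URL(originHeader).hostname.toLowerCase().replace(/\.$/, '');
  } catch {
    return false; // not a well-formed origin
  }

  // Exact match, or a match on a label boundary (leading dot). A plain
  // endsWith(domain) would also accept "evil-my-domain.com".
  return allowedDomains.some(
    (domain) => host === domain || host.endsWith('.' + domain)
  );
}

// Constructed sample submissions for the setting "my-domain.com, example.org".
const allowed = parseAllowedDomains('my-domain.com, example.org');
const samples = [
  'https://my-domain.com',
  'https://forms.my-domain.com:8443',
  'https://evil-my-domain.com',
  'https://my-domain.com.other.example',
  'null',
  undefined,
];
for (const origin of samples) {
  const verdict = originAllowed(origin, allowed) ? 'inbox' : 'spam';
  console.log(String(origin).padEnd(40), verdict);
}
```

Any non-browser client can send whatever Origin value it likes, so this check works as one spam-filtering layer alongside the other options on this page, not as authentication.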

Blocked Email Domain (email restriction)


You can set up your project to block submissions from certain email domains. If you use this setting to block gmail.com, for example, any submissions that arrive with an email field from gmail.com are automatically marked as spam.

You can edit your blocked email domains within your project settings: Forms -> Project -> Blocked email domains

GIF showing how to set up email restriction for your Basin project

(Advanced) Manual Captcha/Turnstile Setup

We recommend using BasinJS to set up your captcha solution, but if you prefer to set up captcha manually, you can follow the instructions below.

Cloudflare Turnstile


Cloudflare Turnstile can be configured to add an additional layer of protection to your form, but it takes a little bit of work to set up.

Step 1 --- Setup your Cloudflare account, enable Turnstile, and retrieve your Site Key and Site Secret Key

You must provide your own Site Key and Site Secret Key.  

See the Cloudflare documentation for more details.

Step 2 --- Add script tag to your page

You must add the following script tag somewhere outside of your form code and before the closing head tag.

<script src="https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback" async defer></script>

Danger

Please retrieve your Site Secret Key and Site Key from the Cloudflare dashboard before continuing. See here for details.

Step 3 --- Add cf-turnstile div to your form code

Your cf-turnstile div must contain your site key.

<form action="/login" method="POST">
  <input type="text" placeholder="email"/>
  <input type="text" placeholder="name"/>
  <div class="cf-turnstile" data-sitekey="<YOUR_SITE_KEY>"></div>
  <button type="submit" value="Submit">Submit</button>
</form>

Step 4 --- Enable 'Require valid Turnstile response' in Basin.

This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful Turnstile response.

Step 5 --- Review other Cloudflare Turnstile configuration options

Turnstile has many other options you can configure within your Cloudflare account and within your HTML page.  

See the Cloudflare documentation for more details.

Google reCAPTCHA v2


Google reCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to set up.

Note

Basin supports both click and invisible reCAPTCHA. Choose and use one only.

Warning

Please make sure to use Basin's reCAPTCHA site key when integrating your form with Basin. Other site keys will NOT work.

Please use the following reCAPTCHA v2 site key:

6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy

Step 1 --- Add script tag to your page

You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then reCAPTCHA won't initialize.

<script src="https://www.google.com/recaptcha/api.js" async defer></script>

Step 2 --- Add reCAPTCHA div to your form code

Your reCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, reCAPTCHA will not work.

<div class="g-recaptcha" data-sitekey="6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy"></div>

Step 3 --- Enable 'Require Valid reCAPTCHA response'

This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful reCAPTCHA.

Set up invisible reCAPTCHA (Optional)

If you'd rather not have the default styling of the reCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.

<script>
function onSubmit(token) {
    var form = document.getElementById("invisible-recaptcha-form");

    // Check if form is valid
    if (form.checkValidity()) {
        form.submit();
    } else {
        // If the form is not valid, trigger the browser's default validation UI
        form.reportValidity();
    }
}
</script>

<form id="invisible-recaptcha-form">
    ...
    <button class="g-recaptcha" data-sitekey="6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy" data-callback='onSubmit' data-badge="inline">Submit</button>
</form>

Hide Google's attribution badge (Optional)

If you want to hide Google's attribution badge, you can use the CSS below. Simply include it anywhere outside of your form tags, or add it to your custom stylesheet.

<style>
    .grecaptcha-badge {
        display: none;
    }
</style>

Google reCAPTCHA v3

Google reCAPTCHA v3 is preferable over v2 for form submissions primarily due to its user-friendly, non-intrusive nature. Unlike reCAPTCHA v2, which often requires users to solve challenges like identifying images, v3 runs quietly in the background, assessing the probability of a user being a bot without any interaction. This seamless integration enhances the user experience significantly, as it eliminates the need for manual human verification, making form submissions smoother and more efficient.

Step 1 --- Add script tag to your page

Include the reCAPTCHA v3 API script in your HTML.

<script src="https://www.google.com/recaptcha/api.js?render=6Les66kUAAAAANyLrgkl7iuN4JUpNlB5upaMovI4"></script>

Warning

Please make sure to use Basin's reCAPTCHA site key when integrating your form with Basin. Other site keys will NOT work.

Please use the following reCAPTCHA v3 site key:

6Les66kUAAAAANyLrgkl7iuN4JUpNlB5upaMovI4

Step 2 --- Add the following hidden inputs to your form

<form id="your-form-id">
    <!-- Your existing form fields -->
    <input type="hidden" name="g-recaptcha-response" id="g-recaptcha-response">
    <input type="hidden" name="g-recaptcha-version" value="v3">
    <!-- Other form elements -->
</form>

Step 3 --- Add the following script to your page

This script should be included before the closing </body> tag.

<script>
var myForm = document.getElementById('your-form-id')
myForm.addEventListener('submit', function(event) {
    event.preventDefault();

    grecaptcha.ready(function() {
        grecaptcha.execute('6Les66kUAAAAANyLrgkl7iuN4JUpNlB5upaMovI4', {action: 'submit'}).then(function(token) {
            document.getElementById('g-recaptcha-response').value = token;
            myForm.submit();
        });
    });
});
</script>

Note

In order to support many forms on the same page, you would need unique form IDs and unique hidden input IDs for each form and include a script for each form.

hCAPTCHA


hCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to set up. hCAPTCHA is a free-to-use, privacy-focused alternative to Google's reCAPTCHA. For more information, visit hCAPTCHA's website.

Note

Basin supports both click and invisible hCAPTCHA. Choose and use one only.

Warning

Please make sure to use Basin's hCAPTCHA site key when integrating your form with Basin. Other site keys will NOT work.

Please use the following hCAPTCHA site key:

7fe715a1-151f-4c63-b497-bd971974df05

Step 1 --- Add script tag to your page

You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then hCAPTCHA won't initialize.

<script src="https://js.hcaptcha.com/1/api.js" async defer></script>

Step 2 --- Add hCAPTCHA div to your form code

Your hCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, hCAPTCHA will not work.

<div class="h-captcha" data-sitekey="7fe715a1-151f-4c63-b497-bd971974df05"></div>

Step 3 --- Enable 'Require Valid hCAPTCHA response'

This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful hCAPTCHA.

Set up invisible hCAPTCHA (Optional)

If you'd rather not have the default styling of the hCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.

<script>
  function onSubmit(token) {
    document.getElementById("invisible-hcaptcha-form").submit();
  }
</script>

<form id="invisible-hcaptcha-form">
  ...
  <button class="h-captcha" data-sitekey="7fe715a1-151f-4c63-b497-bd971974df05" data-callback='onSubmit' data-badge="inline">Submit</button>
</form>