Spam Filtering
Your time is limited, so we want to make sure the only submission data that hits your inbox is sent by humans, not bots.
Introduction
Basin offers a variety of spam filtering options you can add to your forms to ensure only legitimate submissions are sent to your inbox. Some options are available in your form's settings: Form -> Settings -> Spam. Some are up to you to implement in your form's HTML. We recommend using a combination of spam filtering options to ensure the best results.
Basin supports multiple CAPTCHA solutions like Cloudflare Turnstile, Google reCAPTCHA v2 and v3, and hCAPTCHA, all serving the fundamental purpose of distinguishing between human and automated traffic for form submissions. However, as each of these solutions fulfills the same basic function, only one should be implemented at a time to avoid redundancy and maintain user-friendliness. In contrast, Basin's other spam filtering options, such as honeypot fields, duplicate filters, and email domain restrictions, address different aspects of spam prevention. These can be effectively combined with any chosen CAPTCHA solution, providing a comprehensive and layered approach to securing your forms against spam and automated abuse.
Background
Spam filtering is the hardest part of operating a form service. Everyone has a different tolerance for the spam they are willing to sort or expect to be filtered for them. There will always be some percentage of false positives with any spam filtering system. We filter spam in order to protect our email sending reputation, which is what enables us to land emails in your inbox instead of your spam folder.
We recommend the following techniques to ensure you review all false positives:
- Webhooks can be configured to trigger regardless of the spam status of a submission.
- Configure reminders to review your spam folders often.
- Enable spam summary emails within your form settings.
Notice:
Basin retains spam for 30 days before it is permanently deleted. Be sure to review your spam folder frequently.
Cloudflare
All our forms are protected by Cloudflare's Web Application Firewall (WAF). This is our first line of defense against submissions originating from the dark web and known bots.
Spamcheck.ai
To accurately assess the legitimacy of your form's submission content, we use Spamcheck.ai, an intelligent API solution that provides automatic protection and stops spam content from reaching your inbox. As a machine learning spam filter, it's constantly training and evolving to be better at what it does.
SpamCheck Version Migration
We have recently begun migrating users to a new version of SpamCheck, Version 2. By default, new forms created use Version 2 but Version 1 is also still available. Certain features, including our Invalid Email Filter, Burner Email Filter, and Risky URL Whitelist are only available with Version 2.
reCaptcha/hCaptcha/Cloudflare Turnstile Setup
We offer three captcha solutions: reCaptcha, hCaptcha, and Cloudflare Turnstile. Basin supports all three, but you can only use one at a time. We recommend using BasinJS, our easy-to-use JavaScript helper for connecting your HTML form to Basin, to set up your captcha solution. BasinJS handles all of the setup for any of our captcha solutions, including Cloudflare Turnstile. To use BasinJS, follow the steps outlined in our BasinJS Docs. If you want to set up captcha manually, follow the steps for each captcha solution in the advanced section.
Honeypot
This technique can be used to add an additional layer of protection. By including a field (hidden or visible) in your form for spam bots to fill out, the submission will be ignored when a value is entered and submitted.
A custom honeypot field name can be specified within your form settings.
<form accept-charset="UTF-8" action="https://usebasin.com/f/1a2b3c4d5e6f" method="POST">
...
<input type="hidden" name="_gotcha">
...
</form>
Duplicate Filter
The duplicate filter checks if an incoming submission is an exact copy of a submission that is already in the inbox or spam folder and automatically marks duplicate submissions as spam. You can toggle the duplicate filter on/off in your form's settings: Form -> Settings -> Spam -> Duplicate Filter
Valid Email Filter
SpamCheck Version 2 Only
The valid email filter is only available with SpamCheck Version 2.
The valid email filter checks if the email field of an incoming submission points to a valid email address. We check for email address validity in two ways: first, the email must look like a valid email (it must match [someuser]@[some_domain].[tld]); second, the email address given must point to a mailbox that can receive emails. If this setting is enabled and either of these criteria is not met, the submission is marked as spam. You can toggle this setting on/off in your form's settings: Form -> Settings -> Spam -> Valid Email Filter.
Note: A valid email field is required for this setting to work. Form inputs must have the name attribute set to email:
<form>
  <!-- form fields here -->
  <input type="email" id="email" name="email" required>
  <!-- rest of form -->
</form>
Burner Email Filter
SpamCheck Version 2 Only
The burner email filter is only available with SpamCheck Version 2.
The burner email filter checks if the email field of an incoming submission points to a temporary (burner) email domain. Burner email addresses are often used by spammers to avoid detection and/or to avoid being added to email lists. If this setting is enabled and the email address is determined to be a burner email address, the submission is automatically marked as spam. You can toggle this setting on/off in your form's settings: Form -> Settings -> Spam -> Burner Email Filter.
Risky URL Whitelist
SpamCheck Version 2 Only
The risky URL whitelist is only available with SpamCheck Version 2.
Basin uses AI tools to filter for spam, including a check to see if your submissions contain 'risky URLs'. You can whitelist certain URLs Basin marks as 'risky' so they won't be sent to the spam folder. You can whitelist risky URLs in your form's settings: Form -> Settings -> Spam -> Allowed Risky URLs
Note: This filter only works on submissions flagged as spam with the reason "Content contains risky URLs". If your submissions are marked as spam for other reasons, the whitelist will not allow these through.
Country Filter
Basin collects data about the computer that made the submission, including its IP address. Using IP geolocation we can narrow down the country the submission originated from. The country filter allows you to choose which countries submissions can be sent from. The whitelist only allows submissions from countries on the whitelist and the blacklist allows submissions from all countries except those on the blacklist to be sent to the inbox. Submissions from countries that are not allowed will be automatically marked as spam. You can add countries to the Country Filter in your form's settings: Form -> Settings -> Spam -> Allowed/Blocked Countries
Note: Only one of the blacklist or whitelist should be used. If you use the whitelist, all other countries are blacklisted or if you use the blacklist, all other countries are whitelisted.
Radius-based location filter
Basin uses IP geolocation to determine the general location of the computer that made the submission. The radius-based location filter allows you to choose a point on the map and a radius for filtering submissions. Submissions originating within the radius of the point will be allowed through the filter and submissions originating outside of the radius will be marked as spam. You can enable the radius-based location filter in your form's settings: Form -> Settings -> Spam -> Radius-based location filter.
Note: This feature is only available on the Premium plan and above.
Language Filter
Basin uses language detection tools to determine the primary language(s) contained in a submission. The language filter allows you to choose which languages are allowed in submissions. The whitelist only allows submissions where the primary language is on the whitelist and the blacklist allows submissions with any primary language except those on the blacklist to be sent to the inbox. Submissions primarily containing languages that are not allowed will be automatically marked as spam. You can add languages to the Language Filter in your form's settings: Form -> Settings -> Spam -> Accepted/Blocked Languages
Note: Both the whitelist and blacklist can be used simultaneously, as the tolerances for accepted/blocked languages are slightly different.
Allowed domains (Domain restriction)
You can set up your project to only accept form submissions from a specific domain, which is essentially an additional layer of spam protection. By setting your allowed domains, only submissions that originate from a form that was hosted on the specified domain and all subdomains will be accepted. The submissions that were not submitted from the specified domain will be sent to your spam folder.
When this setting is enabled, Basin checks the Origin header of the submission to see if it matches any of your allowed domains.
You can edit your allowed domains within your project settings: Forms -> Project -> Allowed domains
NOTE: You can add multiple domains, separated by a comma.
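The domain match described above, sketched as an added example (this is not Basin's own code; the function names and sample domains are assumptions). It shows why a subdomain check has to match on a label boundary and how a missing Origin header ends up classified as spam:

```javascript
// Added illustration, not Basin's implementation. All names are hypothetical.
// Classify a submission by its Origin header against a comma-separated list
// of allowed domains, accepting each domain and all of its subdomains.

function parseAllowedDomains(csv) {
  return csv
    .split(",")
    .map((d) => d.trim().toLowerCase().replace(/\.$/, ""))
    .filter((d) => d.length > 0);
}

function originHost(originHeader) {
  // A missing header, or the opaque value "null", carries no usable host.
  if (typeof originHeader !== "string" || originHeader === "" || originHeader === "null") {
    return null;
  }
  let url;
  try {
    url = new URL(originHeader);
  } catch (err) {
    return null; // not a parseable origin
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

function classifyByOrigin(originHeader, allowedCsv) {
  const host = originHost(originHeader);
  if (host === null) return "spam";
  const allowed = parseAllowedDomains(allowedCsv);
  // Exact match, or a subdomain: the suffix must begin at a "." boundary,
  // so "notexample.com" does not pass as "example.com".
  const ok = allowed.some((domain) => host === domain || host.endsWith("." + domain));
  return ok ? "inbox" : "spam";
}

// Constructed sample values.
const ALLOWED = "example.com, shop.example.org";
const samples = [
  "https://example.com",
  "https://forms.example.com:8443",
  "https://notexample.com",
  "https://example.com.lookalike.test",
  "null",
  undefined,
];
for (const s of samples) {
  console.log(String(s).padEnd(40), classifyByOrigin(s, ALLOWED));
}
```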
Advanced: Set Origin Manually for JavaScript Frameworks
While the browser normally sets the Origin header automatically for standard <form action="..."> POST requests, when users make submissions to Basin using AJAX or a JavaScript framework like React, the Origin header can be omitted from the request, which causes the submission to be marked as spam.
To prevent this, ensure that the Origin header is set manually in your submission requests to Basin.
Example:
Ensure Referrer Policy is Set Correctly
In order to use Basin's domain restriction spam filter you must ensure your site's Referrer-Policy sends your site's origin information to Basin.
By default, sites usually have the Referrer-Policy set to strict-origin-when-cross-origin, which is compatible with Basin. Click here for more information on referrer policy.
Blocked Email Domain (email restriction)
You can set up your project to block submissions from certain email domains. If you use this setting to block gmail.com, for example, any submissions that arrive with an email field from gmail.com are automatically marked as spam.
You can edit your blocked email domains within your project settings: Forms -> Project -> Blocked email domains
(Advanced) Manual Captcha/Turnstile Setup
We recommend using BasinJS to set up your captcha solution, but if you prefer to set up captcha manually, you can follow the instructions below.
Cloudflare Turnstile
Cloudflare Turnstile can be configured to add an additional layer of protection to your form, but it takes a little bit of work to set up.
Step 1 --- Setup your Cloudflare account, enable Turnstile, and retrieve your Site Key and Site Secret Key
You must provide your own Site Key and Site Secret Key.
See the Cloudflare documentation for more details.
Step 2 --- Add script tag to your page
You must add the following script tag somewhere outside of your form code and before the closing head tag.
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback" async defer></script>
Danger
Please retrieve your Site Secret Key and Site Key from the Cloudflare dashboard before continuing. See here for details.
Step 3 --- Add cf-turnstile div to your form code
Your cf-turnstile div must contain your site key.
<form action="/login" method="POST">
  <input type="text" name="email" placeholder="email"/>
  <input type="text" name="name" placeholder="name"/>
  <div class="cf-turnstile" data-sitekey="<YOUR_SITE_KEY>"></div>
  <button type="submit" value="Submit">Submit</button>
</form>
Step 4 --- Enable 'Require valid Turnstile response' in Basin.
This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful Turnstile response.
Step 5 --- Review other Cloudflare Turnstile configuration options
Turnstile has many other options you can configure within your Cloudflare account and within your HTML page.
See the Cloudflare documentation for more details.
Google reCAPTCHA v2
Google reCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to set up.
Note
Basin supports both click and invisible reCAPTCHA. Choose and use one only.
Warning
Please make sure to use Basin's reCAPTCHA site key when integrating your form with Basin. Other site keys will NOT work.
Please use the following reCAPTCHA v2 site key:
Step 1 --- Add script tag to your page
You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then reCAPTCHA won't initialize.
Step 2 --- Add reCAPTCHA div to your form code
Your reCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, reCAPTCHA will not work.
Step 3 --- Enable 'Require Valid reCAPTCHA response'
This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful reCAPTCHA.
Setup invisible reCAPTCHA (Optional)
If you'd rather not have the default styling of the reCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.
<script>
  function onSubmit(token) {
    var form = document.getElementById("invisible-recaptcha-form");
    // Check if form is valid
    if (form.checkValidity()) {
      form.submit();
    } else {
      // If the form is not valid, trigger the browser's default validation UI
      form.reportValidity();
    }
  }
</script>
<form id="invisible-recaptcha-form">
  ...
  <button class="g-recaptcha" data-sitekey="6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy" data-callback="onSubmit" data-badge="inline">Submit</button>
</form>
Hide Google's attribution badge (Optional)
If you want to hide Google's attribution badge, you can use the CSS below. Simply include it anywhere outside of your form tags, or add it to your custom stylesheet.
Google reCAPTCHA v3
Google reCAPTCHA v3 is preferable over v2 for form submissions primarily due to its user-friendly, non-intrusive nature. Unlike reCAPTCHA v2, which often requires users to solve challenges like identifying images, v3 runs quietly in the background, assessing the probability of a user being a bot without any interaction. This seamless integration enhances the user experience significantly, as it eliminates the need for manual human verification, making form submissions smoother and more efficient.
Step 1 --- Add script tag to your page
Include the reCAPTCHA v3 API script in your HTML.
<script src="https://www.google.com/recaptcha/api.js?render=6Les66kUAAAAANyLrgkl7iuN4JUpNlB5upaMovI4"></script>
Warning
Please make sure to use Basin's reCAPTCHA site key when integrating your form with Basin. Other site keys will NOT work.
Please use the following reCAPTCHA v3 site key:
Step 2 --- Add the following hidden inputs to your form
<form id="your-form-id">
<!-- Your existing form fields -->
<input type="hidden" name="g-recaptcha-response" id="g-recaptcha-response">
<input type="hidden" name="g-recaptcha-version" value="v3">
<!-- Other form elements -->
</form>
Step 3 --- Add the following script to your page
This script should be included before the closing </body> tag.
<script>
  var myForm = document.getElementById('your-form-id');
  myForm.addEventListener('submit', function(event) {
    // Hold the submission until a reCAPTCHA v3 token has been obtained
    event.preventDefault();
    grecaptcha.ready(function() {
      grecaptcha.execute('6Les66kUAAAAANyLrgkl7iuN4JUpNlB5upaMovI4', {action: 'submit'}).then(function(token) {
        // Place the token in the hidden input, then submit the form
        document.getElementById('g-recaptcha-response').value = token;
        myForm.submit();
      });
    });
  });
</script>
Note
In order to support many forms on the same page, you would need unique form IDs and unique hidden input IDs for each form and include a script for each form.
hCAPTCHA
hCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to set up. hCAPTCHA is a free-to-use, privacy-focused alternative to Google's reCAPTCHA. For more information, visit hCAPTCHA's website.
Note
Basin supports both click and invisible hCAPTCHA. Choose and use one only.
Warning
Please make sure to use Basin's hCAPTCHA site key when integrating your form with Basin. Other site keys will NOT work.
Please use the following hCAPTCHA site key:
Step 1 --- Add script tag to your page
You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then hCAPTCHA won't initialize.
Step 2 --- Add hCAPTCHA div to your form code
Your hCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, hCAPTCHA will not work.
Step 3 --- Enable 'Require Valid hCAPTCHA response'
This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful hCAPTCHA.
Setup invisible hCAPTCHA (Optional)
If you'd rather not have the default styling of the hCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.