Skip to content

Spam Filtering

Your time is limited, so we want to make sure the only submission data that hits your inbox is sent by humans, not bots.

Introduction

Spam filtering is the hardest part of operating a form service. Everyone has a different tolerance for spam they are willing to sort, or expect to be filtered for them. There will always be some percentage of false positives with any spam filtering system. We filter spam in order to protect our email sending reputation, this is what enables us to land emails in your inbox instead of your spam folder.

We recommend the following techniques to ensure you review all false positives

  • Webhooks can be configured to trigger regardless of the spam status of a submissions.
  • Configure reminders to review your spam folders often.
  • Enable spam summary emails within your form settings.

Notice:

Basin retains spam for 30 days before it is permanently deleted. Be sure to review your spam folder frequently.

Cloudflare

All our forms are protected by Cloudflare's Web Application Firewall (WAF). This is our first line of defense against submissions originiating from the dark web, and known bots.

Junkbox

To accurately assess the legitimacy of your form's submission content, we use Junkbox --- an intelligent API solution that provides automatic protection and stops spam content from reaching your inbox. As a machine learning spam filter, its constantly training and evolving to be better at what it does.

Cloudflare Turnstile

Cloudflare Turnstile can be configured to add an additional layer of protection to your form, but it takes a little bit of work to setup.

Step 1 --- Setup your Cloudflare account, enable Turnstile, and retrieve your Site Key and Site Secret Key

You must provide your own Site Key and Site Secret Key.  

See the Cloudflare documentation for more details.

Step 2 --- Add script tag to your page

You must add the following script tag somewhere outside of your form code and before the closing head tag.

<script src="https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback" async defer></script>

Danger

Please retrieve your Site Secret Key and Site Key from the Cloudflare dashboard before continuing. See here for details.

Step 3 --- Add cf-turnstile div to your form code

Your cf-turnstile div must contain your site key.

<form action="/login" method="POST">
  <input type="text" placeholder="email"/>
  <input type="text" placeholder="name"/>
  <div class="cf-turnstile" data-sitekey="<YOUR_SITE_KEY>"></div>
  <button type="submit" value="Submit">Submit</button>
</form>
Step 4 --- Enable 'Require valid Turnstile response' in Basin.

This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful Turnstile response.

Step 5 --- Review other Cloudflare Turnstile configuration options

Turnstile has many other options you can configure within your Cloudflare account and within your HTML page.  

See the Cloudflare documentation for more details.

Google reCAPTCHA

Google reCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to setup.

Note

Basin supports both click and invisible reCAPTCHA. Choose and use one only.

Warning

Please make sure to use Basin's reCAPTCHA site key when integrating your form with Basin. Other site keys will NOT work.

Please use the following reCAPTCHA site key: 

6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy

Step 1 --- Add script tag to your page

You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then reCAPTCHA won't initialize.

<script src="https://www.google.com/recaptcha/api.js" async defer></script>
Step 2 --- Add reCAPTCHA div to your form code

Your reCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, reCAPTCHA will not work.

<div class="g-recaptcha" data-sitekey="6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy"></div>
Step 3 --- Enable 'Require Valid reCAPTCHA response'

This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful reCAPTCHA.

Setup invisible reCAPTCHA Optional

If you'd rather not have the default styling of the reCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.

<script>
function onSubmit(token) {
    document.getElementById("invisible-recaptcha-form").submit();
}
</script>

<form id="invisible-recaptcha-form">
    ...
    <button class="g-recaptcha" data-sitekey="6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy" data-callback='onSubmit' data-badge="inline">Submit</button>
</form>
Hide Google's attribution badge Optional

If you want to hide Google's attribute, you can use the CSS below. Simply include it anywhere outside of your form tags, or to your custom stylesheet.

<style>
    .grecaptcha-badge {
        display: none;
    }
</style>

hCAPTCHA (Google reCAPTCHA alternative)

hCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to setup.

Note

Basin supports both click and invisible hCAPTCHA. Choose and use one only.

Warning

Please make sure to use Basin's hCAPTCHA site key when integrating your form with Basin. Other site keys will NOT work.

Please use the following hCAPTCHA site key: 

7fe715a1-151f-4c63-b497-bd971974df05

Step 1 --- Add script tag to your page

You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then hCAPTCHA won't initialize.

<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
Step 2 --- Add hCAPTCHA div to your form code

Your hCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, hCAPTCHA will not work.

<div class="h-captcha" data-sitekey="7fe715a1-151f-4c63-b497-bd971974df05"></div>
Step 3 --- Enable 'Require Valid hCAPTCHA response'

This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful hCAPTCHA.

Setup invisible hCAPTCHA Optional

If you'd rather not have the default styling of the hCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.

<script>
  function onSubmit(token) {
    document.getElementById("invisible-hcaptcha-form").submit();
  }
</script>

<form id="invisible-hcaptcha-form">
  ...
  <button class="h-captcha" data-sitekey="7fe715a1-151f-4c63-b497-bd971974df05" data-callback='onSubmit' data-badge="inline">Submit</button>
</form>

Honeypot

This technique can be used to add an additional layer of protection. By including a field (hidden or visible) in your form for spam bots to fill out, the submission will be ignored when a value is entered and submitted.

A custom honeypot field name can be specified within your form settings.

<form accept-charset="UTF-8" action="https://usebasin.com/f/1a2b3c4d5e6f" method="POST">
    ...
    <input type="hidden" name="_gotcha">
    ...
</form>

Allowed domains (Domain restriction)

You can setup your project to only accept form submissions from a specific domain which is essentially an additional layer of spam protection. By setting your allowed domains, only submissions that originate from a form that was hosted on the specified domain and all subdomains will be accepted. The submissions that were not submitted from the specified domain will be sent to your spam folder.

You can edit your allowed domains within your project settings: Forms -> Project -> Allowed domains

NOTE: you can add multiple domains, seperated by a comma.