Spam filtering

Automatic spam protection

ContactFire filters spam before it reaches your inbox. Three independent layers catch bots without ever showing a CAPTCHA to real visitors.

How it works

Edge rate limiting

The Cloudflare edge rejects more than 10 requests per IP per minute before they reach the server.

Honeypot trap

A hidden field that no real user fills in. Bots that auto-complete all fields get silently discarded.

Server-side heuristics

Suspicious patterns — rapid submissions, known spam content, header anomalies — flag the submission for review.

Honeypot field

The JS embed snippet automatically injects a honeypot field and hides it with CSS. If you build a plain HTML form, add the field yourself:

<!-- Honeypot — must stay empty -->
<input
  type="text"
  name="_honeypot"
  value=""
  style="display:none !important;"
  tabindex="-1"
  autocomplete="off"
/>
Never label the field or make it focusable. Screen readers should never reach it. The tabindex="-1" and style="display:none" keep it invisible to assistive technology and real users alike.

Edge-layer filtering

ContactFire runs on Cloudflare Workers at the edge. Rate limiting runs in Cloudflare KV before any request reaches the server, so flood attacks are stopped immediately.

Rate limit10 requests per IP per minute
Enforcement layerCloudflare edge (before reaching the server)
Response to blocked IPsHTTP 429 with Retry-After header

Heuristic checks

Submissions that pass rate limiting and the honeypot check go through server-side analysis. These signals trigger a spam flag:

  • Fields contain known spam keywords or link patterns
  • Submission timing is suspiciously fast (below human typing threshold)
  • Missing or malformed HTTP headers expected from real browsers
  • Multiple identical submissions from the same IP within a short window
Flagged submissions are not deleted. They are stored with a spam flag and excluded from your default inbox view. You can review and recover them any time.

Flagged submissions

When a submission is flagged as spam:

  1. The API returns {"status":"success"} — the submitter does not know they were flagged
  2. The submission is stored with spam: true
  3. No email notification is sent
  4. The submission appears in the Spam inbox tab in your dashboard

To review spam: open Inbox → Spam. You can mark any submission as "not spam" to move it to your main inbox.

Avoiding false positives

Legitimate submissions are rarely flagged, but here is what can cause a false positive and how to prevent it:

⚠ Pre-filled forms in test scripts
✓ Add a delay between field fills to mimic human timing.
⚠ Honeypot field accidentally filled by a browser autocomplete
✓ Add autocomplete="off" to the honeypot field and ensure it has no label or name that browsers recognise.
⚠ High-volume burst from an API key script
✓ Add a short sleep between submissions (e.g., 200ms) or batch requests.
⚠ Email contains multiple links
✓ Reduce the link count or contact support to adjust your account's spam threshold.

Manual review

You can always access spam submissions from your dashboard:

  1. Go to Inbox
  2. Click the Spam tab
  3. Open any submission to view its full content
  4. Click Not spam to move it to your main inbox
Previous: API Reference Next: Notifications