A lot of my clients complain about the fact that they receive tons of spam messages via the Magento contact and review forms.

Basically in most of these cases I recommend using professional services like Akismet together with some fancy KI algorithms and an appropriate Magento Extension which effectively reduce the amount of spam messages to a minimum.

By the way, I personally don’t like Captchas because most of the time these can be tricky to submit ("Select all motorbikes in the images") and most of them require external non-GDPR conformant services (Hello Google!). Other similar mechanism like some sort of quiz ("How much is 2+2?") are too simple to keep away serious attackers and on the other side very poor usability and in my opinion should not be necessary at all in 2023.
Basically a Captcha is effective, but why punish your users because you have a problem with spam? It's your problem not theirs, so let's try to address it.

There are also some simple Magento code modifications that can easily be made in a couple of hours by an experienced Magento developer to reduce spam without using Captchas.
These are some ideas e.g. for the Magento contact form:

  • Add validate-alpha class to the "name" field as well as Zend_Validate(.., ‘Alpha’) in the contacts controller
  • Add some trivial checks like firstname equals lastname that are spam in 99.99% of all requests
  • Use an extension like Magento Honeypot to add a hidden field (Magento does this already but it can be easily detected as "honeypot" for bots)
  • Make the Honeypot field look like a regular field e.g. with type="url" name="url" and don't use obvious names or hidden styles for the field like name="honeypot" type="hidden" style="display: none"
  • Track the time between rendering the page and submitting the form and add some threshold checks to prevent instant posting (forms submitted in under 3 seconds of the page loading are typically spam)
  • Prevent any IP from posting more than once a second.
  • Block certain IP addresses/user agents known as generating bot requests
  • Implement a black list of words that are typically used in spam messages

This is how a possible honeypot HTML markup might look like:

<input class="mhhs-input d-none" type="url" name="quoteEscape($this->getHoneypotName()) ?>" autocomplete="off" tabindex="-1" />

Some interesting ideas are also described in this blog post.

Of course generally its a game of cat and mouse because spam bots learn with each form and get better and better. That’s why – depending on your amount of spam – using professional services may make sense to reduce spam without Captcha.

But on the other side if you make it more complicated for them, they perhaps will try to find another target..