
How to Stop Form Spam Without reCAPTCHA

Seven methods to cut form spam without making a single real visitor click a traffic light. Honeypots, behavioral analysis, IP scoring, and the rest.

March 1, 2026 · 6 min read

The reCAPTCHA Problem

reCAPTCHA v2, the 'I am not a robot' checkbox with picture puzzles, costs you 10-30% of form conversions depending on the industry. Users bail on fire-hydrant grids. v3 is invisible but needs constant tuning and flags plenty of real people.

It also does not work on the adversaries it was designed for. 2captcha resells human solvers at fractions of a cent. AI solvers have gotten very good. A motivated attacker gets through either way, and you have already paid for it at the top of the funnel.

Method 1: Honeypot Fields

A honeypot is a hidden field real users never see. Label it 'leave this blank', hide it with CSS (display:none or off-screen positioning), and discard any submission where it got filled.

Honeypots catch the cheap bots that fill every field they find. They will not catch well-written automation that parses CSS, but they are zero-friction and kill a chunk of junk for free.

Method 2: Behavioral Analysis

People move mice. They scroll. They pause while typing because they are thinking. Bots jump to the first field, type at machine speed, and hit submit without touching anything else on the page.

Capture that passively in the browser: time from page load to first focus, typing speed variance across fields, mouse movement entropy, scroll depth, tab-order patterns. It runs silently and produces a behavioral confidence score you can feed into the overall rating.

Method 3: IP Reputation Scoring

Bad actors live in identifiable IP space: commercial datacenters, VPN exit nodes, Tor, open proxies. Checking the source IP against reputation data lets you grade the submission before it touches the CRM.

Even residential IPs can be scored. Recent abuse history, association with known bot runs, and velocity (how many submissions this IP has thrown at your site in the last hour) all help. Static reputation plus live velocity catches a large percentage of automation.

Method 4: Email Validation

Most bots either paste random strings (test123@gmail.com) or rip through disposable providers. Check the email against known disposable lists, verify MX records exist, and you cut a big share of fakes.

Domain age matters too. A domain registered three days ago, with MX records pointing at a free provider, is suspicious by itself. Stack these and email becomes a strong first filter.

Methods 5-7: Velocity, Time Thresholds, and Composite Scoring

Velocity rules catch bursts. N submissions from an IP, email pattern, or device in M minutes and you flag the batch. Time thresholds are simpler: if the form submitted in under two seconds, a human did not fill it.

The real win is combining everything into one composite score. Residential IP gets trust. Disposable email loses some. Two-second submit with zero mouse movement loses a lot. The composite handles the edge cases single-signal systems cannot.
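A server-side sketch of the composite score described above, folding in the honeypot, the two-second threshold, and a per-IP velocity rule. This is an added example, not code from the original post; the field names, weights, velocity limits, and disposable-domain list are assumptions to be tuned against real traffic.

```python
from dataclasses import dataclass

# Constructed sample values; every weight and threshold here is an assumption.
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}
UNTRUSTED_IP_TYPES = {"datacenter", "vpn", "tor", "proxy"}
VELOCITY_LIMIT, VELOCITY_WINDOW_S = 5, 600   # N submissions in M minutes
MIN_FILL_SECONDS = 2.0                        # the two-second time threshold

@dataclass
class Submission:
    ip: str
    ip_type: str          # label from an IP reputation lookup (hypothetical)
    email: str
    honeypot: str         # value of the hidden field, empty for real users
    fill_seconds: float   # page load to submit
    mouse_events: int     # caller should also count touch events on mobile
    submitted_at: float   # epoch seconds

def velocity(ip, now, history):
    """Count earlier submissions from this IP inside the sliding window."""
    return sum(1 for t in history.get(ip, []) if 0 <= now - t <= VELOCITY_WINDOW_S)

def score(sub, history):
    """Return (score 0-100, reasons). Higher means more likely human."""
    if sub.honeypot.strip():
        return 0, ["honeypot filled"]         # discard outright, per Method 1
    total, reasons = 50, []                   # start neutral

    def adjust(delta, why):
        nonlocal total
        total += delta
        reasons.append(f"{delta:+d} {why}")   # keep an audit trail per signal

    if sub.ip_type == "residential":
        adjust(+15, "residential IP")
    elif sub.ip_type in UNTRUSTED_IP_TYPES:
        adjust(-20, f"{sub.ip_type} IP")
    if sub.email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        adjust(-15, "disposable email domain")
    if sub.fill_seconds < MIN_FILL_SECONDS:
        adjust(-30, "submitted in under two seconds")
    if sub.mouse_events == 0:
        adjust(-15, "no mouse movement")
    if velocity(sub.ip, sub.submitted_at, history) >= VELOCITY_LIMIT:
        adjust(-25, "velocity limit exceeded")
    return max(0, min(100, total)), reasons
```

Storing the reasons list next to the score lets you see which signal drove a rejection when a real lead complains, which is what makes the weights tunable.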
