Stop Losing Real Leads to Sales-Pitch Spam on Your Contact Form
I want to start with the one number that made me build the feature this post is built around.
10 inquiries that month. 8 of them sales pitches. 2 real prospects.
I had just finished a clean ad report for a client. CVR looked great. CPA looked great. The "winning channel" was clearly winning. I almost shipped the report. Then on the way out the door I opened the inbox and started reading.
By the tenth message I realized every report I'd written for that client all year had been quietly lying to itself. Real lead count was a quarter of what I was reporting. Channel allocation was based on garbage. The CPA I was using to advise on next month's budget was off by 4x.
That's the cost. Not "my inbox is annoying." The cost is bad data shaping real money decisions, and real prospects getting lost in the noise.
If you're an indie founder with a contact form on your site, this happens to you too. You just may not have measured it.
What's actually filling your inbox
There is a mature SaaS category in Japan called "form sales" -- vendors with multi-million-company databases that send templated outreach to thousands of contact forms a month. Pricing is around USD 300-2,000 a month for the tools, or USD 0.05-0.70 per send for human-contractor services. Equivalent layers exist in the US (Apollo, Clay, Smartlead in adjacent niches; pure form-spam tooling is more nascent but technically solved).
For a B2B SaaS contact form, these senders typically account for the majority of inbound volume. From running ops for client forms over years, my own estimate: advertising agencies, recruiting firms, and consulting outfits combined are around 70% of the inbound pitches.
That's the supply side. The demand side -- the receiver -- has had no good answer.
The five things you should already be doing
These are basic, but I am genuinely surprised how often founder sites are missing two or three of them.
- Anti-solicitation notice, right above the form. Not in the footer. Right above. Reputable senders honor it. The cheapest line of defense, by far.
- Two inboxes: customer and sales. A second link labeled "for partnership / sales inquiries" siphons off a meaningful share. Real customer inbox gets cleaner.
- Honeypot field. Hidden input, drop on populated. Vendor numbers say 70-80% of bots blocked. Plugin-level work.
- CAPTCHA (Turnstile or reCAPTCHA v3). Industry baseline. The thing nobody skips.
- Required "I'm not pitching" checkbox. Used to work. Increasingly defeated by AI form-fillers, but still adds a small psychological friction.
If you implement all five, your noise floor drops a lot. It does not go to zero. The reasons:
- Human-typed sends defeat CAPTCHA and honeypots by design.
- AI form-filler tools (Browser Use, Playwright + GPT) read the form structure and tick the checkboxes contextually.
- Pure list-blast senders ignore the notice entirely.
There is a structural ceiling on "make sending harder." The next move is a different layer.
The next layer: classify what arrives
The framing change: stop trying to block, start sorting at the inbox.
For years the answer was manual triage. Open each response, label it as prospect / sales / unclear, drop the sales rows from the report. At ~1 minute per inquiry, a form with 50 inbound a month is 25-50 minutes of unpaid work. Across an agency book, hours.
The lazy alternative is to skip triage and ship the lying numbers. I've watched plenty of operators do this. They're often not aware their numbers are wrong by a multiple.
The third option, available now in a way it wasn't two years ago: ship every response through an LLM, label it legitimate / sales / suspicious, and let the operator filter.
LLM cost has dropped enough that an entire form service can absorb this on a free tier. We pay roughly USD 0.0002 per response in our setup. That's basically zero in unit economics for any plan that has a price.
The design choice that matters
The temptation is to delete sales-labeled responses. Just hide them. Less inbox noise, no manual filter step.
Don't.
Even at 99% accuracy, you misjudge one real inquiry per hundred. Reading a sales pitch costs you a minute of attention. Silently dropping a real prospect costs you a lead, a customer, a relationship. The asymmetry is brutal.
So the rule we built into our classifier prompt is "when in doubt, mark legitimate." Gray zone goes to the safe side. The classifier outputs both a label and a 0-100 score, so the operator can see uncertainty and override. Manual overrides are protected from being wiped by future re-classification.
The model proposes. The human decides. Always.
Why no other form product ships this
I checked. Google Forms, Typeform, formrun, Tally, SurveyMonkey, Microsoft Forms -- all of them stop at CAPTCHA-class protection. None of them classify response content. You can wire it up yourself in Zapier with an OpenAI call, but you own the cost, the prompt tuning, the failure modes, and the manual-override UI.
We built it into FORMLOVA as a default, free across every plan including the free tier. As of writing, it's the only mainstream form product where this is shipped. Not because the technology is hard -- it isn't anymore -- but because few founders treat the form as the actual entry point of their pipeline.
I'm biased, obviously. But if you're an indie founder, you're closer to the data than anyone. You see when a real lead leaks. Spending 25 minutes a month doing manual triage, or shipping bad-data reports, are both bad uses of your time. Either build the classifier yourself (the patterns are simple), or take the shortcut.
Series cross-links
This is one piece of a multi-platform English-language series on contact-form spam defense.
- Canonical post (full guide)
- Dev.to (technical, "Beyond CAPTCHA")
- Medium "Receiver-Side Defense Guide Now Live" -- receiver-side guide
- Medium "8 Out of 10 Inquiries Were Sales Pitches" -- founder narrative companion
Companion piece on the founder side:
Totally agree on design impact - small tweaks in form structure can drastically change lead quality.
Really like the “bias toward legitimate” rule.
Feels like a lot of systems optimize for cleanliness over correctness, which is dangerous when the cost of a false negative is so high.
Really appreciate this. You put it better than I did.
That’s exactly the tradeoff we kept coming back to: a cleaner inbox feels good, but silently losing one real buyer is much worse than letting a few sales pitches through.
So the goal isn’t “AI decides and hides things.” It’s “AI helps the human triage faster, with a bias toward protecting real leads.”
Thanks For Sharing Looks very Interesting.
Thanks, appreciate it!
I think contact-form spam looks like a small inbox problem at first, but once you connect it to lead quality and reporting accuracy, it becomes a much bigger growth problem.
This is solid — especially the shift from blocking → classifying.
One thing I’ve noticed though: even before the form, a lot of drop happens at the “first impression” layer.
If the brand (name/domain) feels generic or low-trust, real prospects hesitate — while spam doesn’t care and still floods in.
So you end up fixing the inbox, but losing some signal before it even reaches the form.
Subtle, but it compounds.
If you’re building this into something bigger, tightening that layer can actually improve lead quality upstream too.
I work with brandable .coms for B2B tools like this — happy to share a few if you’re exploring that side.
Thanks, that’s a useful angle.
I agree the “before the form” trust layer matters too. Spam doesn’t care about brand trust, but real prospects absolutely do, so weak first impressions can quietly filter out the people you actually want to hear from.
This post was focused on the receiver-side problem, but I agree the upstream layer compounds. Not looking at domain changes right now, but appreciate the offer.
Makes sense — timing matters more than the idea itself.
Usually this becomes relevant once you start optimizing for conversion quality, not just volume.
If you revisit it later, happy to share a few tight options quickly — no noise.
Curious though — are you seeing more loss from spam volume or from low-quality legit leads right now?
Most founders treat contact forms like inboxes, but they’re really data sources for growth decisions.
Once spam pollutes that input, it doesn’t just waste time, it distorts everything downstream.
Exactly. This is the part I think a lot of teams underestimate.
Once contact forms feed into reporting, attribution, CRM, or budget decisions, spam is no longer just noise. It becomes bad input for the whole growth system.
That’s why I think “cleaning the inbox” is too small a framing. The real problem is protecting the quality of the decision data.
Exactly, once bad inputs reach reporting, the damage compounds quietly because every downstream decision feels data-backed.
Clean data is usually a growth lever disguised as an ops problem.
Yes, and that’s what makes it dangerous: spam doesn’t just create extra work, it creates false confidence.
Once noisy form data gets treated as signal, teams start optimizing spend, sales effort, and product decisions around fiction. At that point, spam prevention stops being inbox hygiene and becomes measurement infrastructure.