Spam Filtering

Your time is limited, so we want to make sure the only submission data that hits your inbox is sent by humans, not bots.

Introduction


Spam filtering is the hardest part of operating a form service. Everyone has a different tolerance for spam they are willing to sort, or expect to be filtered for them. There will always be some percentage of false positives with any spam filtering system. We filter spam in order to protect our email sending reputation, this is what enables us to land emails in your inbox instead of your spam folder.

We recommend the following techniques to ensure you review all false positives

  • Webhooks can be configured to trigger regardless of the spam status of a submissions.
  • Configure reminders to review your spam folders often.
  • Enable spam summary emails within your form settings.
Basin retains spam for 30 days before it is permanently deleted. Be sure to review your spam folder frequently.

Cloudflare


All our forms are protected by Cloudflare's Web Application Firewall (WAF). This is our first line of defense against submissions originiating from the dark web, and known bots.

Junkbox


To accurately assess the legitimacy of your form's submission content, we use Junkbox — an intelligent API solution that provides automatic protection and stops spam content from reaching your inbox. As a machine learning spam filter, its constantly training and evolving to be better at what it does.

Google reCAPTCHA


Google reCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to setup.

Basin supports both click and invisible reCAPTCHA. Choose and use one only.
Please make sure to use Basin's reCAPTCHA site key when integrating your form with Basin.
Other site keys will NOT work.
Please use the following reCAPTCHA site key:
HTML
6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy
Step 1 — Add script tag to your page

You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then reCAPTCHA won't initialize.

HTML
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
Step 2 — Add reCAPTCHA div to your form code

Your reCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, reCAPTCHA will not work.

HTML
<div class="g-recaptcha" data-sitekey="6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy"></div>
Step 3 — Enable 'Require Valid reCAPTCHA response'

This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful reCAPTCHA.

Setup invisible reCAPTCHAOptional

If you'd rather not having the default styling of the reCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.

HTML
<script>
function onSubmit(token) {
document.getElementById("invisible-recaptcha-form").submit();
}
</script>
 
<form id="invisible-recaptcha-form">
...
<button class="g-recaptcha" data-sitekey="6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy" data-callback='onSubmit' data-badge="inline">Submit</button>
</form>
Hide Google's attribution badgeOptional

If you want to hide Google's attribute, you can use the CSS below. Simply include it anywhere outside of your form tags, or to your custom stylesheet.

CSS
<style>
.grecaptcha-badge {
display: none;
}
</style>

hCAPTCHA (Google reCAPTCHA alternative)


hCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to setup.

Basin supports both click and invisible hCAPTCHA. Choose and use one only.
Please make sure to use Basin's hCAPTCHA site key when integrating your form with Basin.
Other site keys will NOT work.
Please use the following hCAPTCHA site key:
HTML
7fe715a1-151f-4c63-b497-bd971974df05
Step 1 — Add script tag to your page

You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then hCAPTCHA won't initialize.

HTML
<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
Step 2 — Add hCAPTCHA div to your form code

Your hCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, hCAPTCHA will not work.

HTML
<div class="h-captcha" data-sitekey="7fe715a1-151f-4c63-b497-bd971974df05"></div>
Step 3 — Enable 'Require Valid hCAPTCHA response'

This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful hCAPTCHA.

Setup invisible hCAPTCHAOptional

If you'd rather not having the default styling of the hCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.

HTML
<script>
function onSubmit(token) {
document.getElementById("invisible-hcaptcha-form").submit();
}
</script>
 
<form id="invisible-hcaptcha-form">
...
<button class="h-captcha" data-sitekey="7fe715a1-151f-4c63-b497-bd971974df05" data-callback='onSubmit' data-badge="inline">Submit</button>
</form>

Honeypot


This technique can be used to add an additional layer of protection. By including a hidden field in your form for spam bots to fill out, the submission will be ignored when a value is entered and submitted.

A custom honeypot field name can be specified within your form settings.

HTML
<form accept-charset="UTF-8" action="https://usebasin.com/f/1a2b3c4d5e6f" method="POST">
...
<input type="hidden" name="_gotcha">
...
</form>

Domain restriction


You can setup your project to only accept form submissions from a specific domain which is essentially an additional layer of spam protection. By setting your allowed domains, only submissions that originate from a form that was hosted on the specified domain and all subdomains will be accepted. The submissions that were not submitted from the specified domain will be sent to your spam folder.

NOTE: you can add multiple domains, seperated by a comma.