I did examine one of the forms you mentioned and I see two issues:
- the fields are not required
- reCAPTCHA is not used
For example, this is the HTML for the “firstname” field:
<input type="hidden" name="firstname" />
There is no required attribute in that. The HTML includes another <input> with the same name and required="" later in the form but the first definition takes precedence when there are two identically named fields (inputs).
Again, the best way to prevent spam is to enable reCAPTCHA for that form.
You also mentioned that the spam source is probably external to your website. This is true for all form submissions: both those that are spam and those that are valid have an external source. They all originate from an external client (typically a web browser or other application), not the web server.
If you believe there is a better way than reCAPTCHA, please let us know what solution you would prefer and I will enter a feature request for it.
Please note, I’m not trying to brush you off with the following. I do want to mention that you are not required to use our forms feature if you don’t like it. I just wanted to be clear that there is no “vendor lock-in” with our forms feature.
You can still host your site with Netlify and handle the form submission using a third-party service (like formget.com or formkeep.com). Obviously, this would be potential lost revenue for Netlify, but we certainly do not force anyone to use our forms feature. Hosting a site using Netlify and using third-party forms services is both allowed and will work. Nothing at Netlify will prevent you from using a different forms service.
If there are other questions about this, please let us know.
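An added example, not part of the original reply: a small Python audit that checks form markup for the two issues raised above (a first same-named input without `required`, and no reCAPTCHA marker). The sample form is constructed apart from the quoted hidden input, and the `data-netlify-recaptcha` attribute and `g-recaptcha` class it looks for are assumed markers that do not appear in the post.

```python
from html.parser import HTMLParser

# Constructed sample; only the hidden "firstname" input is quoted from the post.
SAMPLE_FORM = """
<form name="contact" method="POST" data-netlify="true">
  <input type="hidden" name="firstname" />
  <input type="text" name="firstname" required="" />
  <input type="email" name="email" />
  <button type="submit">Send</button>
</form>
"""


class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = {}            # name -> [(type, has_required), ...] in document order
        self.has_recaptcha = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Assumed markers: Netlify's attribute or the reCAPTCHA widget class.
        if "data-netlify-recaptcha" in a or "g-recaptcha" in (a.get("class") or ""):
            self.has_recaptcha = True
        if tag in ("input", "textarea", "select") and a.get("name"):
            entry = (a.get("type", "text"), "required" in a)
            self.fields.setdefault(a["name"], []).append(entry)


def audit_form(html):
    """Return findings for the two issues described in the reply."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    if not parser.has_recaptcha:
        findings.append("no reCAPTCHA marker found")
    for name, defs in parser.fields.items():
        if len(defs) > 1:
            findings.append(f"'{name}' is defined {len(defs)} times")
        first_type, first_required = defs[0]
        if not first_required:
            findings.append(f"first '{name}' input (type={first_type}) lacks required")
    return findings


if __name__ == "__main__":
    for finding in audit_form(SAMPLE_FORM):
        print(finding)
```

The `required` attribute is enforced only by the browser, so this audit checks markup consistency and says nothing about what a non-browser client can submit.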