Contact Form Spam: The Complete Guide -- 5 Ways to Stop Sales Emails and an AI Filter for the Rest

Last verified: 2026-04-21

This article is for anyone whose contact form is buried under sales pitches and spam. The author is a developer of FORMLOVA. Most of the article describes defenses you can use on any form service. The last sections introduce FORMLOVA's AI auto-sorting, which -- as of this writing -- is the only such feature shipped as a standard, free part of a form product.

You set up a contact form so customers could reach you. You opened it this morning and found ten sales pitches, two recruiters, and one piece of spam. The actual customer questions, if any, are buried somewhere in the pile.

If you arrived here by searching for "contact form spam," "stop sales emails contact form," "form spam protection," or "anti-solicitation notice," you are not alone. I spent years helping clients run their inquiry forms before I started building one of my own, and the same problem kept showing up.

This guide covers two things side by side: five concrete defenses to make sales pitches harder to send, and a newer option -- letting an AI sort the messages that still get through, after they arrive.

Table of contents

  • Why your contact form is buried in sales pitches
  • 5 ways to make spam harder to send
    • Post a clear anti-solicitation notice (with copy-paste templates)
    • Split your sales inbox from your real one
    • Add a honeypot field
    • Turn on reCAPTCHA or Cloudflare Turnstile
    • The "I confirm this is not a sales inquiry" checkbox
  • What the law actually says
  • Why none of this fully stops the flood
  • Sorting it after it arrives -- a newer option
  • The risk of blocking at the gate -- why FORMLOVA chose labels, not deletion
  • What FORMLOVA does, end to end
  • Summary
  • FAQ

Why your contact form is buried in sales pitches

Why does so much sales outreach hit your form in the first place? Because there is a mature market of services built specifically to send it.

In Japan and increasingly elsewhere, "form sales" or "form DM" is a recognized B2B outreach category. Vendors maintain large company databases (APOLLO SALES claims roughly 1.5 million companies and up to 1,000 sends per day; GeAIne offers automated sending against ~2,000 companies a month for around USD 280-560), build templated outreach copy with substitutions, and either use RPA-style automation or human contractors to fill out and submit thousands of contact forms each month. Lead Dynamics publicly states "1,000 sends in about 20 minutes." Performance-based services like Knockbot start as low as roughly USD 0.03 per send.

For roughly USD 300-2,000 a month, a sender can reach thousands of contact forms with templated pitches every month. From the receiving side this is unwanted noise. From the sending side it is a normal channel of new-business development with its own SaaS category. Both sides exist in the same market.

There is also a clear industry skew. From operating client inboxes for years, my own estimate is that advertising agencies, recruiters, and consultants together account for roughly 70% of inbound form-sales volume on B2B service sites. Consumer-facing or local-storefront sites generally see much less.


5 ways to make spam harder to send

Below are five defenses you can apply on virtually any form product, including Google Forms, Typeform, formrun, SurveyMonkey, Tally, Microsoft Forms, or a WordPress Contact Form 7 setup. FORMLOVA supports all of them as built-in features; that is covered later.

Post a clear anti-solicitation notice (with copy-paste templates)

This is the cheapest single defense, and it is more effective than people expect, for two reasons.

  1. Reputable outreach vendors honor "no sales" notices and exclude flagged sites from their target lists.
  2. Some legal commentary in Japan reads anti-solicitation notices as removing a site from the carve-out that lets sales senders argue legitimacy under the Act on Regulation of Specified Electronic Mail (more on this below).

Place the notice immediately above or below the form itself. A notice that appears only in the page footer is often missed by automated targeting.

Five copy-paste templates, ranging from gentle to firm:

Template 1 (standard, gentle)

This form is for product and service inquiries only.
Sales outreach and unsolicited proposals will not receive a response.

Template 2 (B2B, firm)

This form is intended for inquiries from prospective and current customers.
Sales pitches, partnership proposals, recruitment outreach, and media
requests are not accepted through this form and will not be answered.

Template 3 (independent / freelance)

This form is for project inquiries only.
Pitches for SEO services, ad management, recruitment, and SaaS tools
will not receive a response. Thank you for understanding.

Template 4 (firm, with consequences)

This form is strictly for product inquiries. Sales, marketing,
and promotional outreach will not be accepted. Repeated unsolicited
sends may result in IP-level blocks, supplier-level escalations,
and reports to the relevant authorities.

Template 5 (bilingual)

This form is for product inquiries only.
Sales pitches, partnership proposals, and recruitment outreach
will not receive a response. Thank you for your understanding.

本フォームは、サービスに関するお問い合わせ専用です。
営業・売り込み目的のご連絡はご遠慮ください。

Notices do not stop everything. Senders using human contractors or AI-driven form-fillers will often plow through them. But the baseline volume drops.

In FORMLOVA you add a notice block by typing "add an anti-solicitation notice above the form" in chat. No template editing needed.

Split your sales inbox from your real one

If you publish two clearly labeled paths -- one for product inquiries, one explicitly for "sales / partnership / business development" -- a meaningful share of senders self-select into the sales inbox. From years of doing this for clients, I have seen 40-60% reductions in pollution of the real inbox simply from this routing.

The sales inbox itself doesn't need careful handling. Most teams skim it weekly or never. The point is to get the noise out of the inbox where customer messages live.

In FORMLOVA, "split into a sales inbox and a customer inbox with separate notification recipients" gets you both forms and the routing in one chat turn.

Add a honeypot field

A honeypot is a hidden form field that real users never see and never fill in. Automated senders typically fill every field they see in the markup, so anything submitted with the honeypot populated is almost certainly a bot.

Vendors and security blogs commonly cite honeypots as catching 70-80% of bot traffic on their own (vendor-reported numbers). On WordPress, "Honeypot for Contact Form 7" gives you this in a few minutes. Many headless form builders expose hidden-field support directly.

Honeypots do not catch human-driven senders, and they do not catch sufficiently sophisticated AI form-fillers. They are still cheap insurance against the blunter end of the threat.

FORMLOVA exposes hidden fields as a first-class field type, no plugin or JavaScript required.
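A server-side honeypot check as an added example (not code from this article or from any form product). The field name `company_website`, the function names and the sample submissions are assumptions constructed for illustration.

```javascript
// Added example, not code from the article or from any form product.
// HONEYPOT_FIELD is a hypothetical name; pick one that reads like a real field.
const HONEYPOT_FIELD = "company_website";

// Markup for the decoy: a CSS-hidden text input rather than type="hidden", so
// it looks like an ordinary field in the markup. It is out of the tab order and
// the accessibility tree, and autocomplete is off so autofill leaves it empty.
function honeypotMarkup() {
  return [
    '<div style="position:absolute;left:-9999px" aria-hidden="true">',
    "  <label>Leave this field empty",
    `    <input type="text" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">`,
    "  </label>",
    "</div>",
  ].join("\n");
}

// Classify one urlencoded POST body by its honeypot field.
//   "pass"       field present and empty: what a browser sends for the real form
//   "bot"        field populated: something filled in every input it found
//   "suspicious" field missing: the POST was not built from the rendered form
function checkHoneypot(rawBody) {
  const values = new URLSearchParams(rawBody).getAll(HONEYPOT_FIELD);
  if (values.length === 0) {
    return { verdict: "suspicious", reason: "honeypot field missing" };
  }
  if (values.some((v) => v.trim() !== "")) {
    return { verdict: "bot", reason: "honeypot field populated" };
  }
  return { verdict: "pass", reason: "honeypot field empty" };
}

// Route a batch. Flagged submissions are kept and labelled, not discarded,
// so a false positive (for example from autofill) can still be recovered.
function triage(bodies) {
  const out = { inbox: [], review: [] };
  for (const body of bodies) {
    const result = checkHoneypot(body);
    const fields = Object.fromEntries(new URLSearchParams(body));
    delete fields[HONEYPOT_FIELD];
    (result.verdict === "pass" ? out.inbox : out.review).push({ fields, ...result });
  }
  return out;
}

// Constructed sample submissions (not real traffic).
const SAMPLE_BODIES = [
  "name=Aiko&email=aiko%40example.com&message=Pricing+question&company_website=",
  "name=Growth+Team&email=sales%40example.net&message=Boost+your+SEO&company_website=https%3A%2F%2Fexample.net",
  "name=Scripted&email=x%40example.org&message=Hello",
  "name=Ken&email=ken%40example.com&message=Hi&company_website=+++",
];

console.log(triage(SAMPLE_BODIES));
```

The check has to run on the server; the hidden input on its own only gives the bot something to fill in.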

Turn on reCAPTCHA or Cloudflare Turnstile

Google reCAPTCHA v3 and Cloudflare Turnstile are invisible challenge layers that score risk silently in the background. Adding one of them is the bare minimum for any public form.

The important caveat: CAPTCHA does not stop humans typing into your form. Both reCAPTCHA and Turnstile target machine traffic. Outreach services that pay human contractors to type real keystrokes into your form pass the challenge by design. If you have CAPTCHA on and pitches are still arriving, that is the most likely reason.

FORMLOVA has Cloudflare Turnstile enabled on every published form by default. No keys, no JavaScript snippet, no extra config.

The "I confirm this is not a sales inquiry" checkbox

A required checkbox saying "I confirm this is not a sales inquiry" sounds like a clean fix. I tried it for several clients. It does not really work, for two reasons.

  1. Outreach contractors who know the checkbox is there will tick it without hesitation. There is no enforcement mechanism, only a moral one.
  2. AI-driven form-filling tools that read form structure and fill checkboxes contextually are now within reach of any reasonably skilled operator. Open-source stacks like Browser Use or Playwright + GPT can be assembled into general-purpose form-filling agents at the individual level. Several Japanese vendors (e.g., FYBE.jp's "Form Sales Auto-Sender" via PR TIMES) already advertise that their tools detect form structure and fill required fields automatically. None I can find publicly claim to tick anti-solicitation checkboxes specifically -- the legal and reputational exposure is real -- but the underlying capability exists.

A few years ago this checkbox worked as a psychological deterrent. Today, less and less.


What the law actually says

"Isn't this illegal?" is a fair question. The honest answer is: it is hard to call form sales clearly illegal under current Japanese law.

The Act on Regulation of Specified Electronic Mail

Japan's anti-spam framework regulates unsolicited email with an opt-in default. Penalties run up to one year imprisonment or JPY 1,000,000 for individuals, and JPY 30,000,000 for corporations (MIC / Consumer Affairs Agency guidelines, Japanese PDF).

The regulated act is "sending an electronic mail." A POST request to a web form is widely read as not constituting email under the statute, and form-sales vendors lean on this reading to operate openly.

There is a caveat. The law's opt-in carve-outs exclude commercial sends to addresses that the recipient has marked as not accepting solicitation. Multiple commentaries argue that posting an explicit anti-solicitation notice on your contact page therefore strengthens the legal position against senders who proceed anyway. This is part of why posting a notice (above) has practical legal value, not just a behavioral one.

Business obstruction

If volume rises to the level where it actually disrupts your operations, criminal liability for "fraudulent obstruction of business" (Penal Code Article 233) can theoretically apply: up to three years' imprisonment or JPY 500,000. I have not been able to find any reported judgment that applied this article to form-sales volume specifically.

Unauthorized access

Public contact forms are not access-controlled, so the Unauthorized Computer Access Law generally does not apply.

The honest summary

You cannot effectively threaten a form-sales sender with "this is illegal" today. You can post anti-solicitation notices (which may help legally, and definitely help operationally), and you can pursue legal options if the volume becomes a real obstruction. The middle ground is gray.

For specific legal questions, consult a qualified attorney.


Why none of this fully stops the flood

The five defenses above, used together, will meaningfully reduce inbound noise. They will not bring it to zero. The reasons are structural.

  • Human-typed sends pass everything. Outreach vendors that hire people to type into your form will defeat both CAPTCHA and honeypots, by design.
  • AI form-fillers are catching up. The capability to read form structure and fill it intelligently is no longer rare or expensive. The "checkbox" defense is already eroding.
  • Anti-solicitation notices are not always read. Pure list-based senders just blast and move on.

So there is a structural ceiling on how much "make sending harder" can do. Once you have done what you can on the front, the question becomes: what do you do with the volume that still gets through?


Sorting it after it arrives -- a newer option

The next move is a change in framing. Instead of trying harder to block sends, you accept that some volume will arrive, and separate sales pitches from real inquiries automatically, after they land.

For years the standard answer to that question was manual triage. Open each response, read it, label it as prospect / sales / unclear, drop the sales rows, build the report on what's left. At 30-60 seconds per response, a form with 50 inbound a month is 25-50 minutes of unpaid review work. Across an agency book that adds up.

The lazy alternative is to skip triage. Then your reports are wrong. Real prospects: 2. Reported as inquiries: 10. CVR / CPA / channel allocation are all shaped by the wrong base.

I lived this. There was a month where I caught my own client report lying to itself: 8 of 10 inquiries were sales pitches. The full story is in a separate concept piece.

The relevant change: in the last year or so, LLM cost and latency have dropped to the point where a form service can absorb the cost of classifying every response on every plan, including a free tier. As of this writing, FORMLOVA is the only form service that ships AI auto-sorting of contact-form responses as a standard, built-in feature -- across Google Forms, Typeform, formrun, SurveyMonkey, Tally, Microsoft Forms, no equivalent has shipped as a default. Anyone can wire up Zapier + an OpenAI call themselves, but operating, tuning, and paying for that pipeline is on them.


The risk of blocking at the gate -- why FORMLOVA chose labels, not deletion

A natural follow-up question: if AI can identify sales messages, why not just block them outright? Drop the response, hide it from the dashboard, send no notification. Technically that design is straightforward.

FORMLOVA deliberately did not build it that way.

The reason is asymmetric cost. The cost of misjudging one real inquiry as sales -- and silently dropping it -- is far higher than the cost of letting one sales pitch through.

Even at, say, 99% classification accuracy, one response in a hundred is misclassified. A sales pitch passing through costs you a minute of attention. A real prospect dropped silently costs you a lead, a relationship, and the trust of someone who reached out and got nothing back. Inquiries are high-value, irreversible information. They deserve a conservative default.

So FORMLOVA's design is "AI proposes, the human decides":

  • The AI assigns a label (legitimate / sales / suspicious) and a 0-100 score. It never deletes or hides the response.
  • Filters like "exclude sales from analytics" or "exclude sales from notifications" are user choices, not forced behaviors.
  • If a label is wrong, you correct it on the dashboard. Manual corrections are protected from being overwritten by future automatic re-classification.

The classification prompt itself follows a "when in doubt, mark legitimate" rule. Gray-zone responses are kept on the safe side, with the score exposed so the operator can see the model's uncertainty.

Blocking at the gate is operationally simpler. It also means there is no recovery path for the messages that should have come through. FORMLOVA chose to keep that recovery path open and to leave the final decision with the human running the inbox.
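The "AI proposes, the human decides" rules above, as an added sketch (not FORMLOVA's code). The record fields, function names, the stand-in classifier and the sample responses are assumptions constructed for illustration.

```javascript
// Added example, not FORMLOVA's code; record fields and function names are
// assumptions. The score is assumed to mean: higher = more likely sales.
const LABELS = ["legitimate", "sales", "suspicious"];

// Store an AI verdict on a response. Nothing is deleted or hidden here.
function applyAiResult(record, ai) {
  // A human correction is final: later automatic runs must not overwrite it.
  if (record.labelSource === "manual") return record;
  const valid = ai != null && LABELS.includes(ai.label) &&
    Number.isInteger(ai.score) && ai.score >= 0 && ai.score <= 100;
  // Fail safe: malformed or missing model output is kept as legitimate.
  return {
    ...record,
    label: valid ? ai.label : "legitimate",
    score: valid ? ai.score : null,
    labelSource: "ai",
  };
}

// Operator correction from the dashboard.
function correctLabel(record, label) {
  if (!LABELS.includes(label)) throw new RangeError(`unknown label: ${label}`);
  return { ...record, label, labelSource: "manual" };
}

// Re-run classification over every stored response.
function reclassifyAll(records, classify) {
  return records.map((r) => applyAiResult(r, classify(r)));
}

// Excluding sales is a view the user opts into; the store is untouched.
function selectForAnalytics(records, { excludeSales = false } = {}) {
  return excludeSales ? records.filter((r) => r.label !== "sales") : records;
}

// Constructed stand-in for the model call (a real system would call an LLM).
function fakeClassifier(record) {
  if (/seo|lead generation/i.test(record.message)) return { label: "sales", score: 92 };
  if (record.message.length < 5) return { label: "maybe", score: 140 }; // malformed output
  return { label: "legitimate", score: 8 };
}

// Constructed sample responses.
function demo() {
  let store = [
    { id: 1, message: "Do you support SSO on the Standard plan?" },
    { id: 2, message: "Our agency asked about your SEO pricing page" },
    { id: 3, message: "We offer lead generation for B2B teams" },
    { id: 4, message: "hi" },
  ];
  store = reclassifyAll(store, fakeClassifier);
  // Response 2 is a customer who mentioned SEO; the operator fixes the label.
  store = store.map((r) => (r.id === 2 ? correctLabel(r, "legitimate") : r));
  store = reclassifyAll(store, fakeClassifier); // later automatic re-run
  return { store, analytics: selectForAnalytics(store, { excludeSales: true }) };
}

console.log(demo());
```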


What FORMLOVA does, end to end

Real defense is layered. The anti-solicitation notice doesn't stop everything. CAPTCHA misses the human channel. AI sorting alone doesn't reduce volume. The combination is what makes the inbox livable.

FORMLOVA ships all of the layers in one place.

| Defense | How FORMLOVA handles it |
| --- | --- |
| Anti-solicitation notice | Add it via a single chat instruction |
| Sales / customer inbox split | Two forms with separate notification routing in one chat turn |
| Honeypot | Hidden fields are a first-class field type |
| reCAPTCHA / Turnstile | Cloudflare Turnstile is on by default for every published form |
| Anti-solicitation checkbox | One-click required-checkbox setup |
| AI auto-sorting of responses | Built in on every plan, including free; no add-on cost |

The final row is the one that no other mainstream form product offers as a default. The mechanics, briefly:

  • Classification runs asynchronously after submit; the respondent sees no latency change.
  • Cost per classification is roughly USD 0.0002, absorbed entirely by FORMLOVA.
  • Manual label corrections take precedence over the AI and persist across re-runs.
  • "Run this analysis excluding sales" works as a single chat instruction. So does "send the Slack notification only for non-sales responses" once you wire the workflow.

There is no need to migrate just to apply the five front-end defenses; most form products can do them. The point at which migration starts to make sense is when manual triage of what arrives becomes the bottleneck. FORMLOVA is free to start, so the test is cheap.


Summary

  • Form sales is a real B2B outreach category with mature SaaS infrastructure on the sender side. Roughly 70% of inbound on a typical B2B site comes from advertising, recruiting, and consulting senders.
  • Five defenses meaningfully reduce inbound: anti-solicitation notice, inbox split, honeypot, CAPTCHA, consent checkbox.
  • Japanese law treats form-sales sends as gray rather than clearly illegal. Posted anti-solicitation notices help both operationally and legally.
  • Human-typed and AI-driven sends defeat purely-front-end defenses. There is a structural ceiling.
  • The next-generation move is to sort what still arrives. As of writing, FORMLOVA is the only form product shipping this as a standard, free feature.
  • Blocking at the gate is the wrong default; the cost of a misjudged real inquiry is far higher than a sales pitch let through. FORMLOVA labels, never deletes.

A contact form is the front door of a relationship. Letting sales pitches dominate it doesn't just waste time -- it raises the chance you miss the message that mattered. Layered defenses plus AI sorting is how that gets fixed.


FAQ

Does posting an anti-solicitation notice actually work?

It will not stop everything, but it lowers the baseline. Reputable senders honor it, and Japanese legal commentary treats it as strengthening your position against the rest. The cost is essentially zero. There is no reason not to.

Why do sales pitches still arrive after I install CAPTCHA?

reCAPTCHA and Turnstile target machine traffic. Outreach services that pay human contractors to type into your form pass the challenge by design. If you can't see why CAPTCHA is failing, the most likely reason is that the senders are people, not bots.

Is form sales illegal in Japan?

Japan's anti-spam law regulates email sends, and form POST requests are widely read as outside that scope. So the activity is hard to call clearly illegal. Volume that crosses into operational obstruction is theoretically reachable under the Penal Code, but I have not found a reported case applying that. Consult an attorney for a specific situation.

How is FORMLOVA different from other form products on this?

The five front-end defenses can be reproduced on most form services with some setup work. AI sorting of inbound responses, shipped as a default and free feature, is offered by FORMLOVA only as of this writing. Google Forms, Typeform, formrun, SurveyMonkey, Tally, Microsoft Forms all stop at CAPTCHA-class protection.

Is the AI sales-email detection really free on every plan?

Yes. On Free, Standard, and Premium. The LLM cost is absorbed by FORMLOVA.

Can I implement these defenses without switching form products?

Yes. The five front-end defenses are universal and largely setup-only. The one piece that is not portable today is AI auto-sorting of responses, and that is the part that becomes worth migrating for once manual triage starts costing too much time.

Written by

@Lovanaut

Creator of Sapolova, Lovai, Molelava, and FORMLOVA. Building kind services with love.
