Is this a valid antispam strategy?

If the endpoint accepts requests from anywhere, frontend-only protection would be useless.

Well, looks like you can post form data from anywhere using CF7’s REST API. As long as you know _wpcf7_unit_tag , which shouldn’t be too hard to obtain, you can fire away.

That could explain receiving spam literally every second from time to time.

Hm, I’m afraid restricting the form to JS-users only won’t reduce spam significantly. Or is it rather unlikely that a spammer takes the effort to crawl the unit tag?

Thanks for your reply (and providing this great plugin), @takayukister! 🙂

To be clear: I don’t assess data privacy compliance nor evaluate it. That’s not my responsability in our organization.

Our data privacy officer doesn’t want any US-parties involved, since it’s currently highly unclear if the US will honor its data privacy agreements with the EU in the near future.

Honeypots seem perfect considering data privacy because they simply don’t use/rely on user data. Though they are far from being a perfect antispam tool because of the aforementioned characteristic.

I don’t know how severe the (theoratical) hit on efficiacy would be in our case.

Just fishing for some feedback/recommendations here. I’m a seasoned developer but spam has never been a real problem for me, so I don’t have much experience involving antispam under my belt.

Yeah, I’m not a big fan of this whole avoid US tech agenda either. Seems very unlikely to me that US companies will ignore the data privacy needs of their EU customers. But that’s not for me to decide.

Actually, the first thing I did was reading your blog post about the antispam integrations CF7 offers. After that I recommended Turnstile and Recaptcha as second option. Well, you know the result. (:

But why do you consider Honeypots not as spam protection at all? Are they mostly ineffective because spambots are JS-enabled or smart enough to circumvent them these days?