If your inbox is filling up with fake signups, your contact form is generating obvious junk, or your WordPress site keeps sending spam emails you didn't author, the cause is almost always the same: a bot is submitting your form directly, faster than any keyword filter or honeypot can keep up. The fix isn't a smarter inbox rule. It's stopping the submission before the form processes it.
Anti-spam measures that only run after submission (Akismet, server-side keyword filters, post-hoc email validation) treat the symptom. Prosopo's spam bot protection treats the cause — it sits in front of the form and rejects abusive requests before any further processing happens.
The Spam Filter sits in front of your verification step and rejects requests that already look abusive before any further processing happens. It works in two layers — Email Filter for fake or disposable addresses, and Traffic Filter for abusive network sources — and each can be tuned independently per site.
Most signup spam doesn't come from random email accounts. It comes from a small set of evasion techniques that turn a single mailbox into thousands of apparent addresses, or from networks of disposable inboxes that exist only to bypass verification.
The Email Filter catches both:
- Throwaway address normalisation. Throwaway variants from Gmail, iCloud, Yahoo and other major providers all resolve to the same mailbox. The filter optionally normalises addresses before applying your rules, so one rule catches every variant.
- Curated default patterns. A maintained ruleset that targets throwaway address tactics from the major providers used to bypass signup verification.
- Custom blocklist. Add your own patterns to block addresses unique to abuse you're seeing.
- Disposable-domain detection. Optionally rejects addresses from known throwaway providers — and follows the domain through redirects, CNAMEs and MX records so freshly-registered throwaway domains can't slip through by pointing at a known backend.
The Traffic Filter rejects requests by the type of network they came from. Each filter is an independent toggle, so you can build the exact policy your audience needs:
| Filter | What it blocks | Recommended for |
|---|
| Abusive networks | Networks with a strong abuse signal | Everyone — on by default for all accounts |
| VPN | Known consumer VPN services | Sites with high signup-fraud exposure |
| Proxy | HTTP, HTTPS and SOCKS proxies | API endpoints and high-value forms |
| Tor | Tor exit nodes | Most consumer-facing forms |
| Datacenter / Hosting | Cloud and hosting IP space | Sites whose users browse from residential networks |
| Crawler | Known automated bots | Most forms (excluding documentation/marketing pages) |
| Mobile | Cellular networks | Niche — only when fixed-line access is required |
| Satellite | Satellite internet | Niche — only when ground-based access is required |
Blocks are reported back to your application with a distinct reason for each filter, so you can show users a tailored message ("Please disconnect your VPN and try again", "This form isn't supported over Tor", and so on) rather than a generic failure.
- Free tier accounts get abusive-network blocking enabled by default — the single highest-signal filter, on without any configuration.
- Professional and Enterprise unlock every other filter and the Email Filter, with per-site tuning, custom regex patterns and Gmail normalisation.
Full capability Partial / caveat Not available
| Capability | Prosopo Spam Filter | Akismet | reCAPTCHA / hCaptcha |
|---|
| Network-level blocking (VPN, Tor, datacenter) | ● | ● | ● |
|---|
| Email signup-evasion blocking | ● | ● | ● |
|---|
| Disposable-domain detection | ● | ● Limited | ● |
|---|
| Custom blocklists | ● | ● | ● |
|---|
| Per-block reason codes for tailored user messages | ● | ● Limited | ● |
|---|
| GDPR-compliant data handling | ● | ● Varies | ● |
|---|
If you're trying to stop spam on a specific form plugin or platform, jump to the install guide:
Full details of the Email Filter rules, the eight Traffic Filter toggles and their block reasons are in the docs: