@robheittman
Created January 3, 2011 21:50
Javascript anti-form-spam recipe

This recipe puts a trivial speed bump in the way of form spammers. By forcing them to actually evaluate the page with a JavaScript engine (or do extra processing to figure out what is needed), you raise the amount of effort required above what most form spammers are likely to spend. It is not a security control: the value is visible to anyone who reads the page source, so it only filters bots that do not run JavaScript or that submit immediately.

Step 1

Pick a nice random-looking string that nobody would guess. The SHA1 of some Git commit would be a good one. It does not need to be secret in the cryptographic sense, since it ends up in the page source anyway; it only has to be something a scraper cannot know without evaluating the page. I picked this one:

5187b6aec9b0607858a7c032d2c9ded04b050f31

Step 2

Make this the secret for your form in PostLaunch Studio: Settings | Applications | Forms | Generic HTML Forms | Secret Key

Step 3

Now go edit your form. You should have a field like:

<input id="gogoego_form_setting" type="hidden" value="secret" name="gogoego.forms.secret" />

If you don't, create one.

The value "secret" is a red herring here. The system will reject any form submission in which the field still carries this value. This is, hopefully, exactly what happens to spammers when they just scrape the form and POST a spammy submission.

Step 4

Create some JavaScript that loads the proper value into this field when the page is opened in a real browser and a real user takes time to type real values in. It should look like this to start with:

<script>
  function gogoego_gfs(){
    // Replace the red-herring value with the real secret from step 1.
    var secret = "5187b6aec9b0607858a7c032d2c9ded04b050f31";
    document.getElementById("gogoego_form_setting").value = secret;
  }
  // Run it 5 seconds after the page loads. Pass the function itself rather
  // than a string so the browser does not have to eval it.
  setTimeout(gogoego_gfs, 5000);
</script>

Note: that's my real secret, chosen in step 1. It will be loaded into the form 5 seconds after the page loads. We assume a real user will need more than 5 seconds to fill out the form, while a bot that runs the script at all will try to submit sooner than that (and will not fast-forward the timer). Two caveats: the timer starts at page load, not at the first keystroke, and a real user who submits inside the window (for example, with browser autofill) is rejected along with the bots, so keep the delay short. If you'd like 10 seconds, change "5000" to "10000" and so on.
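The whole mechanism from steps 1 to 4, simulated end to end, as an added example that is not part of the gist and not PostLaunch Studio's code. It assumes the server-side check accepts only the configured secret and rejects the placeholder, a missing field and anything else (the page only says the placeholder is rejected); validateSubmission, FakeScheduler, makeFormDocument and simulate are hypothetical names, and the fake scheduler stands in for setTimeout so the scenarios run instantly.

```javascript
// Added example: client-side delayed fill plus the server-side check the
// recipe relies on. validateSubmission models the assumed server behaviour;
// makeFormDocument and FakeScheduler are stand-ins for the browser.
const PLACEHOLDER = "secret";                                   // red herring shipped in the HTML
const SITE_SECRET = "5187b6aec9b0607858a7c032d2c9ded04b050f31"; // value chosen in step 1

// Server side (assumption): accept only when the hidden field carries the
// configured secret. The placeholder means the script never ran.
function validateSubmission(fields, configuredSecret) {
  const v = fields["gogoego.forms.secret"];
  if (v === undefined || v === "") return { ok: false, reason: "field missing" };
  if (v === PLACEHOLDER) return { ok: false, reason: "placeholder never replaced (form scraped or script not run)" };
  if (v !== configuredSecret) return { ok: false, reason: "wrong secret" };
  return { ok: true, reason: "" };
}

// Minimal stand-in for the document the browser hands to the script.
function makeFormDocument() {
  const hidden = { id: "gogoego_form_setting", name: "gogoego.forms.secret", value: PLACEHOLDER };
  return {
    getElementById: (id) => (id === hidden.id ? hidden : null),
    fields: () => ({ [hidden.name]: hidden.value }), // what a POST would carry right now
  };
}

// Deterministic replacement for setTimeout: timers fire when the clock is advanced past them.
class FakeScheduler {
  constructor() { this.now = 0; this.queue = []; }
  setTimeout(fn, ms) { this.queue.push({ at: this.now + ms, fn }); }
  advance(ms) {
    this.now += ms;
    const due = this.queue.filter((t) => t.at <= this.now).sort((a, b) => a.at - b.at);
    this.queue = this.queue.filter((t) => t.at > this.now);
    due.forEach((t) => t.fn());
  }
}

// Same logic as gogoego_gfs() in step 4, wired to the scheduler.
function installSecretTimer(doc, secret, delayMs, scheduler) {
  scheduler.setTimeout(function gogoego_gfs() {
    doc.getElementById("gogoego_form_setting").value = secret;
  }, delayMs);
}

// One client: it may or may not run the script, and submits after waitMs of page time.
function simulate({ runsJs, waitMs, delayMs = 5000 }) {
  const doc = makeFormDocument();
  const clock = new FakeScheduler();
  if (runsJs) installSecretTimer(doc, SITE_SECRET, delayMs, clock);
  clock.advance(waitMs);
  return validateSubmission(doc.fields(), SITE_SECRET);
}

// The cases the recipe cares about, including the usability cost.
function runScenarios() {
  return {
    scraperNoJs:         simulate({ runsJs: false, waitMs: 60000 }), // posts "secret": rejected
    headlessImmediate:   simulate({ runsJs: true,  waitMs: 200 }),   // ran the script, submitted too soon: rejected
    realUser:            simulate({ runsJs: true,  waitMs: 12000 }), // took their time: accepted
    fastHumanOrAutofill: simulate({ runsJs: true,  waitMs: 3000 }),  // legitimate but inside the window: rejected
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The fourth scenario is the one to watch when picking the delay: a user who autofills and clicks submit inside the window is indistinguishable from a bot under this scheme.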

Step 5 (optional)

Up the arms race with the spammers by obfuscating the script. Run it through an obfuscator that escapes the string literals, including your secret. Again, we're just creating work for the spammers, which we believe they're too lazy to do; the escaping is fully reversible, and any JavaScript engine turns the literals back into the original strings. At present, a sufficiently annoying free online obfuscator is at: http://www.javascriptobfuscator.com/

<script>
  var _0xfc1f=["\x35\x31\x38\x37\x62\x36\x61\x65\x63\x39\x62\x30\x36\x30\x37\x38\x35\x38\x61\x37\x63\x30\x33\x32\x64\x32\x63\x39\x64\x65\x64\x30\x34\x62\x30\x35\x30\x66\x33\x31","\x76\x61\x6C\x75\x65","\x67\x6F\x67\x6F\x65\x67\x6F\x5F\x66\x6F\x72\x6D\x5F\x73\x65\x74\x74\x69\x6E\x67","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x67\x6F\x67\x6F\x65\x67\x6F\x5F\x67\x66\x73\x28\x29"];function gogoego_gfs(){var _0xf79cx2=_0xfc1f[0];document[_0xfc1f[3]](_0xfc1f[2])[_0xfc1f[1]]=_0xf79cx2;} ;setTimeout(_0xfc1f[4],5000);
</script>

Place that ugliness onto your form; it should behave as intended. Submit a real form yourself to test: wait longer than the delay before pressing submit and confirm it is accepted, then submit immediately after the page loads and confirm it is rejected.
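What the obfuscator did to the strings in step 5, and why it costs a spammer nothing more than running the script: an added example, not from the gist or the obfuscator's own code. hexEscape and decodeLiteral are hypothetical helper names; the "\xNN" form they produce and consume is the one visible in the obfuscated script above.

```javascript
// Added example: reproduce the \xNN escaping the obfuscator applied to the
// secret and the other string literals, and show it round-trips unchanged.
const SECRET = "5187b6aec9b0607858a7c032d2c9ded04b050f31"; // value from step 1

// Emit every character as an upper-case \xNN escape, matching the entries of
// the obfuscator's string array. Only Latin-1 characters fit a two-digit escape.
function hexEscape(s) {
  let out = "";
  for (const ch of s) {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new Error("hexEscape: only Latin-1 characters fit a \\xNN escape");
    out += "\\x" + code.toString(16).toUpperCase().padStart(2, "0");
  }
  return out;
}

// A spammer does not need to decode the escapes by hand: evaluating the
// literal in any JavaScript engine yields the original string. Function()
// is safe here only because hexEscape emits nothing but \xNN sequences.
function decodeLiteral(escaped) {
  return Function('return "' + escaped + '";')();
}

// True when escaping and re-evaluating gives back exactly the input.
function roundTrip(s) {
  return decodeLiteral(hexEscape(s)) === s;
}

console.log(hexEscape(SECRET));
console.log(roundTrip(SECRET));
```

The first entry of the obfuscator's array above is exactly hexEscape(SECRET); the obfuscation hides the secret from a grep of the page source, not from anything that executes it.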

If this doesn't work -- that is, your form spammers are more persistent than this, because they run a JavaScript engine and wait out the timer, or because they have read the secret out of your page source and post it directly -- you'll need to change the secret, upgrade to a CAPTCHA, or just suffer the form-spam.
