I have a customer who for quite a long time has been going through an ongoing battle with spam on their contact forms.

We have been through reCaptcha v2 and v3 without success. v3 has significant issues with false positives and as a charity, they feel they are losing potential donors as a consequence.

We have implemented a honeypot and also a timestamp field to prevent bots and most recently they appear to be less bot and more human in their origination which makes this task even more difficult. There is a common theme in the posts as pretty much all contain URLs and this is where I am currently stumped! The customer has added the following regex ^(?!.*\.\S)(?!.*:\/\/).* to invalidate the textarea contents if it contains a URL. For me this works on the client-side and the server-side, so even if I disable javascript I still cannot get a submission to post successfully. So, how are they getting the forms through the validation? I've tried various methods of encoding the URLs but they either get blocked or do not appear as valid URLs in the submission like the ones the spammers submit.

Any ideas or recommendations would be appreciated.