How to stop form spam without using ReCaptcha?

Ingo Steinke, web developer - Jul 17 - Dev Community

This is more of a rant or a question, not a best practice post, at least not yet: how to stop form spam without using ReCaptcha?

Why not use ReCaptcha?

To be fair, it works quite well, and it can be combined with other anti-spam techniques and databases like Akismet.

Page speed / web performance

Third-party scripts degrade page-speed performance. Many online services offered by Google/Alphabet companies, like advertisements or web form security, are loaded in a way that is discouraged by their own analysis tool, PageSpeed Insights.

Privacy / GDPR

European data-protection law, and privacy-conscious users, discourage exchanging user data with American companies unless there is no alternative or the user explicitly wishes to do so (or gets tricked into "agreeing" just to get rid of an annoying cookie banner).

What to use instead?

I have been using self-made captcha/honeypot form fields, plus a check for unexpected request methods or Accept headers, which detect spam correctly in most cases. Additionally, we can check for repeated submissions from the same IP address within the same second(s) or minute.

So why worry?

Based on my current detection rate, I could discard messages rated as spam and not send any notifications. But then we still risk false positives, i.e., discarding a crucial, legitimate message because it was classified as spam.

If we forward all messages, even those suspected to be spam, via email, we risk our web server and email address being mistaken for spam senders and getting blocked. If we store the discarded messages in a database or a text file, we are keeping attacker-controlled content: it has to be escaped wherever it is later displayed or queried, and unbounded storage can fill up.

From the sender's side, the form spammers can't even tell whether I received their message as long as I don't answer or click on a link.

My frontend sends a response code of "403 Forbidden" when I'm sure that it's spam, "503 Service unavailable" if in doubt, and "200 OK" otherwise.
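The combination described above (honeypot field, method and Accept-header check, per-IP rate limit) and the 403 / 503 / 200 mapping, as an added example; this is not the author's code. The hidden field name `website`, the one-minute window, the limit of three submissions per IP, and the sample requests are assumptions made for illustration.

```javascript
// Added example (not the post's own code): a pure, testable spam classifier
// for a contact-form handler. It combines three signals and maps the verdict
// to the status codes used above:
//   1. honeypot field: hidden from humans via CSS, so only scripts fill it,
//   2. protocol checks: an HTML form submit is a POST whose Accept header
//      lists text/html,
//   3. per-IP rate limit over a short window.
// Field name, window and limit below are assumptions for illustration.

const HONEYPOT_FIELD = "website";   // assumed name of the hidden input
const WINDOW_MS = 60 * 1000;        // rate-limit window: one minute
const MAX_PER_WINDOW = 3;           // allowed submissions per IP per window

// In-memory store: ip -> timestamps (ms) of recent submissions. Good enough
// for one process; a multi-instance deployment would use a shared store.
const recentByIp = new Map();

// Records this submission and returns how many (including it) fell inside
// the window. Old timestamps are dropped so the map does not grow forever.
function countRecent(ip, nowMs, store = recentByIp) {
  const stamps = (store.get(ip) || []).filter((t) => nowMs - t < WINDOW_MS);
  stamps.push(nowMs);
  store.set(ip, stamps);
  return stamps.length;
}

// req: { method, ip, headers: {...}, body: {...} }
// Returns { verdict: "spam" | "suspect" | "ok", reasons: [...] }.
function classifySubmission(req, nowMs = Date.now(), store = recentByIp) {
  const reasons = [];
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    headers[k.toLowerCase()] = String(v); // header names are case-insensitive
  }
  const body = req.body || {};

  // 1. Protocol checks. A browser submitting a form always POSTs; a GET to
  //    the form endpoint is a crawler or a mis-built script.
  if (req.method !== "POST") reasons.push("method:" + req.method);
  const accept = headers.accept || "";
  if (!accept.includes("text/html")) reasons.push("accept:" + (accept || "<missing>"));

  // 2. Honeypot: humans never see the field, so any content is a bot.
  if (String(body[HONEYPOT_FIELD] || "").trim() !== "") reasons.push("honeypot");

  // 3. Rate limit per source IP.
  const n = countRecent(req.ip, nowMs, store);
  if (n > MAX_PER_WINDOW) reasons.push("rate:" + n);

  // A filled honeypot or a wrong method is a confident "spam" (403).
  // The softer signals alone (Accept header, rate) only make it "suspect"
  // (503), so a legitimate user behind a shared IP is not hard-rejected.
  const hard = reasons.some((r) => r === "honeypot" || r.startsWith("method:"));
  const verdict = hard ? "spam" : reasons.length > 0 ? "suspect" : "ok";
  return { verdict, reasons };
}

const STATUS_BY_VERDICT = { spam: 403, suspect: 503, ok: 200 };
function statusFor(verdict) {
  return STATUS_BY_VERDICT[verdict];
}

// Constructed sample requests (not captured traffic).
const SAMPLE_HUMAN = {
  method: "POST",
  ip: "203.0.113.10",
  headers: { Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" },
  body: { name: "Ada", message: "Hello, I have a question about your rates.", website: "" },
};
const SAMPLE_BOT = {
  method: "POST",
  ip: "198.51.100.7",
  headers: { Accept: "*/*" },
  body: { name: "seo", message: "Cheap backlinks!", website: "http://example.invalid" },
};

// Deterministic walk-through with a fixed clock and a private store.
function demo() {
  const store = new Map();
  const t0 = 1700000000000;
  const out = [];
  out.push(classifySubmission(SAMPLE_HUMAN, t0, store));                         // ok
  out.push(classifySubmission(SAMPLE_BOT, t0, store));                           // spam
  out.push(classifySubmission({ ...SAMPLE_HUMAN, method: "GET", ip: "203.0.113.11" }, t0, store)); // spam
  // Three more posts from the human's IP inside the window: the 4th exceeds
  // MAX_PER_WINDOW and is only "suspect", never hard-rejected.
  let flood;
  for (let i = 1; i <= 3; i++) flood = classifySubmission(SAMPLE_HUMAN, t0 + i * 1000, store);
  out.push(flood);                                                               // suspect
  return out.map((r) => ({ ...r, status: statusFor(r.verdict) }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Two caveats for anyone adopting this: the method and Accept checks only filter lazy scripts, since any client can send browser-like headers, and a 503 tells well-behaved clients and uptime monitors to retry, so if the endpoint is monitored, an alternative "in doubt" code (or a 200 that silently quarantines the message) may be less noisy.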

Why don't they learn?

As I have seen over the past months, even though my spam recognition and rejection perfectly answered all spam attempts with a "403 Forbidden" response, the clients don't stop trying.

I don't know if they're bots or pitiful human click workers, but they keep sending various messages, including repetitive patterns and identical message bodies, subjects, and sender names.
