SpamSlap AI – AI Spam Protection for Contact Forms

How It Works

Protection in 3 steps

From submission to verdict in under 2 seconds.

1

User submits form

Your visitor fills in the contact form as normal. SpamSlap AI intercepts the submit event before anything is sent.

2

AI classifies the message

The message is sent to SpamSlap AI — Gemini Flash. It distinguishes genuine inquiries from cold pitches, detects the language, and crafts a witty rejection if needed.

3

Block or deliver

Spam gets a sarcastic rejection message (in their own language). Legitimate messages pass through and your form submits normally. After 3 attempts, the email is permanently blocked.

Features

Everything you need

🤖

Gemini AI Brain

Google's Gemini Flash understands context. No keyword lists, no regex — actual comprehension of what the message is trying to do.

🌍

Multilingual Rejections

SpamSlap AI detects the language of each message and responds in kind. A Polish spammer gets told off in Polish. A French one in French.

⚡

One Script Tag

Drop one <script> before </body>. SpamSlap AI auto-detects all forms, finds email and message fields, and handles everything.

📊

Live Dashboard

See every check in real time. How many spam blocked, which emails, what the AI said. Manage your whitelist with one click.

🛡️

Progressive Banning

First attempt: a warning. Second: final warning. Third strike and the email is permanently blocked. No manual intervention needed.

🔓

Whitelist Control

Known partners, existing clients, trusted domains — whitelist them so they always pass through, no questions asked.

Installation

Two layers of protection

Layer 1 takes 30 seconds and stops the vast majority of spam. Layer 2 adds server-side verification — recommended for any site with a custom backend.

✓ Always required

Layer 1 — Add the script tag

Paste one line before </body> on any page with a contact form. SpamSlap AI auto-detects all forms, intercepts the submit, runs the AI check, and shows a witty rejection if needed. No backend changes required for this step.

data-key="sg_your_api_key"

data-domain="yoursite.com"></script>

Works with plain HTML, WordPress, Webflow, Squarespace, Laravel, Django — any site that uses a standard <form> element.

▲ Recommended

Layer 2 — Verify the token on your server

Sophisticated bots submit POST requests directly to your server — bypassing JavaScript entirely. When SpamSlap AI clears a message, it returns a one-time sg_token (valid for 120 seconds). Your backend verifies this token with a single API call. No token = bot = full AI re-check runs automatically as a fallback.

This is exactly how fixflex.co.uk, breathtime.info, and 24ad.info are protected.

Normal user (browser)

User fills form → sg.js AI check → token issued

Form submits + token → Backend verifies token → Email sent ✓

Bot (bypasses JavaScript)

Direct POST, no token → Backend detects no token

Runs /api/check fallback → Spam blocked ✗

// Add to your form handler (e.g. contact.php)
$token   = trim($_POST['sg_token'] ?? '');
$api_key = 'sg_your_api_key'; // ← your SpamSlap key
$domain  = 'yoursite.com';    // ← your domain
$base    = 'https://admin.fixflex.co.uk/spamslap';

if ($token) {
    // Token present — user went through AI check. Just verify it (fast).
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/json\r\n",
        'content' => json_encode(['api_key' => $api_key, 'sg_token' => $token]),
        'timeout' => 8, 'ignore_errors' => true,
    ]]);
    $res = @file_get_contents($base . '/api/verify-token', false, $ctx);
    $ok  = $res && (($d = json_decode($res, true)) !== null) && !empty($d['valid']);
    if (!$ok) {
        http_response_code(422);
        echo json_encode(['error' => 'Security check failed. Please try again.']);
        exit;
    }
} else {
    // No token — bot bypassed JS. Run full AI check as fallback.
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/json\r\n",
        'content' => json_encode([
            'api_key' => $api_key,
            'email'   => $_POST['email'] ?? '',
            'message' => $_POST['message'] ?? '',
            'domain'  => $domain,
        ]),
        'timeout' => 10, 'ignore_errors' => true,
    ]]);
    $res = @file_get_contents($base . '/api/check', false, $ctx);
    if ($res && (($d = json_decode($res, true)) !== null) && !empty($d['is_spam'])) {
        http_response_code(422);
        echo json_encode(['error' => $d['message'] ?? 'Spam detected.']);
        exit;
    }
}
// All clear — process the form normally

// Express / any Node.js backend
const SPAMSLAP_KEY  = 'sg_your_api_key'; // ← your SpamSlap key
const SPAMSLAP_BASE = 'https://admin.fixflex.co.uk/spamslap';
const DOMAIN        = 'yoursite.com';    // ← your domain

app.post('/contact', async (req, res) => {
  const { sg_token, email, message } = req.body;

  if (sg_token) {
    // Token present — verify it (user went through AI check)
    const r = await fetch(`${SPAMSLAP_BASE}/api/verify-token`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ api_key: SPAMSLAP_KEY, sg_token }),
      signal: AbortSignal.timeout(8000),
    }).then(r => r.json()).catch(() => null);
    if (!r?.valid) return res.status(422).json({ error: 'Security check failed.' });
  } else {
    // No token — bot bypassed JS. Full AI check as fallback.
    const r = await fetch(`${SPAMSLAP_BASE}/api/check`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ api_key: SPAMSLAP_KEY, email, message, domain: DOMAIN }),
      signal: AbortSignal.timeout(10000),
    }).then(r => r.json()).catch(() => null);
    if (r?.is_spam) return res.status(422).json({ error: r.message });
  }
  // All clear — process the form normally
});

# Flask / Django / FastAPI
import requests

SPAMSLAP_KEY  = 'sg_your_api_key'  # ← your SpamSlap key
SPAMSLAP_BASE = 'https://admin.fixflex.co.uk/spamslap'
DOMAIN        = 'yoursite.com'     # ← your domain

def check_spamslap(post_data):
    token = post_data.get('sg_token', '').strip()
    try:
        if token:
            # Token present — verify it (fast, no extra AI call)
            r = requests.post(
                f'{SPAMSLAP_BASE}/api/verify-token',
                json={'api_key': SPAMSLAP_KEY, 'sg_token': token},
                timeout=8
            )
            return r.json().get('valid', False), None
        else:
            # No token — bot bypassed JS. Full AI check as fallback.
            r = requests.post(
                f'{SPAMSLAP_BASE}/api/check',
                json={
                    'api_key': SPAMSLAP_KEY,
                    'email':   post_data.get('email', ''),
                    'message': post_data.get('message', ''),
                    'domain':  DOMAIN,
                },
                timeout=10
            )
            d = r.json()
            return not d.get('is_spam', False), d.get('message')
    except Exception:
        return True, None  # fail-open if SpamSlap unreachable

# In your view / route handler:
is_clean, err = check_spamslap(request.form)
if not is_clean:
    return {'error': err or 'Spam detected.'}, 422
# All clear — process the form normally

API endpoint: POST https://admin.fixflex.co.uk/spamslap/api/verify-token · Body: { "api_key": "...", "sg_token": "..." } · Returns: { "valid": true }

🛡️

Layer 1 only

Stops ~85% of spam — human spammers, webscrapers with JS, and automated tools that run a browser. Takes 30 seconds to set up.

Good for: static sites, WordPress, Webflow, no-code platforms

🔒

Layer 1 + Layer 2

Stops 100% of bots — including scripts that POST directly to your server, ignoring JavaScript completely.

Recommended for: PHP, Node.js, Python, Laravel, Django, Express

Live Demo

Try it right now

This form is protected by SpamSlap AI. Try submitting a cold sales pitch and see what happens.

0

Passed

0

Blocked

0

Total checks

This demo uses a live SpamSlap AI trial key. Results are real.

Pricing

Simple, honest pricing

Start free for 7 days — no credit card required. Upgrade when you're ready.

Trial

Free / 7 days

Everything you need to test SpamSlap AI on your site. No credit card, no commitment.

50 checks / day

AI spam detection

Multilingual rejections

Live dashboard

1 domain

Whitelist

Priority AI model

Start Free Trial

⭐ MOST POPULAR

Pro

^£9.99 / month

For growing businesses. More checks, full feature set, priority processing.

200 checks / day

AI spam detection

Multilingual rejections

Live dashboard

Up to 3 domains

Whitelist management

Priority AI model

Enterprise

^£29.99 / month

For agencies and high-traffic sites. High volume checks, up to 20 domains, premium support.

1,000 checks / day

AI spam detection

Multilingual rejections

Live dashboard

Up to 20 domains

Whitelist management

Priority AI model

Ready to stop the noise?

Start your 7-day free trial today. We'll set up your account and send you the snippet within minutes.

No credit card required · Setup in under 2 minutes · Cancel anytime

FAQ

Common questions

Does it work on any website?

Yes. The script detects all HTML forms on the page and intercepts them. It works with plain HTML, WordPress, Webflow, Squarespace, custom-built sites — anything that uses a standard <form> element.

Will it ever block legitimate messages?

SpamSlap AI is designed to be conservative. If the AI is uncertain, it lets the message through (fail-open). False positives are rare — the AI looks for clear signals like cold sales pitches and vague offer messages, not just keywords.

What happens if the AI is unavailable?

SpamSlap AI uses a fail-open design: if the AI cannot be reached within 12 seconds, the form submits normally. Your contact form never gets blocked due to a technical issue on our end.

Does it slow down my form?

The AI review takes 0.8–2 seconds. During this time, users see a brief "AI is reviewing…" animation. This is intentional — it signals that the form is protected, which deters spam even before the result comes back.

Is my data stored?

SpamSlap AI logs the email address, a 200-character preview of the message, the result, and metadata (domain, IP, timestamp). This is used to power your dashboard and progressive blocking. No full message text is stored permanently.

Can I whitelist specific emails or domains?

Yes. Your dashboard includes a whitelist manager. Add any email address or domain and messages from those senders will always pass through without AI review.

How do I install it?

Layer 1 (required): Paste one <script> tag before the closing </body> tag on any page with a contact form. No backend changes needed — SpamSlap AI auto-detects your forms and handles everything.

Layer 2 (recommended for custom backends): Add a single API call to your PHP, Node.js, or Python form handler to verify the sg_token that SpamSlap attaches to each submission. This stops bots that bypass JavaScript entirely. See the Installation section for ready-to-copy code snippets.

Stop Spam Before ItReaches Your Inbox

Protection in 3 steps

User submits form

AI classifies the message

Block or deliver

Everything you need

Gemini AI Brain

Multilingual Rejections

One Script Tag

Live Dashboard

Progressive Banning

Whitelist Control

Two layers of protection

Layer 1 — Add the script tag

Layer 2 — Verify the token on your server

Layer 1 only

Layer 1 + Layer 2

Try it right now

Simple, honest pricing

Ready to stop the noise?

Common questions

Stop Spam Before It
Reaches Your Inbox