If your boat was sinking, you'd want to find and fix the leak, not just apply a fix to the general area. The same can be employed to website form spam.

Too often, I've seen developers spend countless hours fixing something that isn't broken, only to realize they were in the wrong setting.

You should always Identify >> Isolate >> Fix malware and spam.

Here is how to quickly identify and stop form spam:


Check Gravity Forms entries

Gravity Form Entries

No entries = no spam. So don't worry about forms with zero entries. Concentrate on forms with too many entries. Typically it's in the hundreds / thousands.

Review emails received

Email Spam

Gravity forms have a specific look and feel; it's easy to see if spam has been generated in another contact form (e.g., Contact Form 7) or from an old PPC lander. Make sure you know what you are fixing before you begin.

Add a {referer}

Referer

Identify which pages are receiving the most spam. Adding a referer helps to see if the spam is coming from a staging server, PPC landers, Sidebar forms, or something else you weren't expecting.

Add Spam Filtering

ReCaptcha

After you've identified where spam is coming from, you need to add spam filtering to your forms. Here is a spam filtering guide.