
> MaxMind's minFraud is $0.015 per request and requires a call to an external endpoint. Justified for finance and shopping apps, not great for a high volume free service.

What fraud are you trying to prevent that gets abused in a free service? Most of the abuse I see for free services I host is DDoS, brute-forcing paths/authentication and port scanning, but all of those are trivial to deal with using rate-limiting.



Any and all public form submissions will get spammed.

My wife ran a small business for a while that catered to local customers only (i.e. not an online business; products didn't ship through the mail). She added a contact-us type form which submitted to Google Forms as a quick alternative to phone calls for prospective clients. It was used almost exclusively by people trying to sell her things from overseas.

She wasn't even running ads or anything online, so how they ever found the website in the first place, I have no idea.


Just require submissions (from new users at least) to be manually approved before being shown publicly or having any other side effects and you will be set. A lot of people seem to like making spam into a much bigger problem than it is, but how much do you actually get, and how long do you really need to sort it out manually instead of relying on automated solutions that are GUARANTEED to have false positives? But since it's your time (not much) against other people's frustration (which you might not even see, so can easily ignore), you choose to make the world a worse place?


That's also relatively easy to protect against. First defense is rate limiting, second is captchas, third is having a dynamic "secret" key fetched from some backend via JS that gets injected into the form and works as a "password" to successfully trigger the email to get sent (but displaying success messages even if it's not).


> but displaying success messages even if it's not

Please don't do stuff like this. Some of us use VPNs and aggressively block third party JS. These sorts of shenanigans render many sites unusable, which is frustrating, but simply not using those services is a price I'm more than willing to pay at this point.


There is no need for 3rd party JS. It's something like ten lines and you can embed it in a script tag right next to the form elements.


> dynamic "secret" key fetching from some backend via JS that gets injected into the form and works as a "password" to successfully trigger the email to get sent

Are you describing nonces? A nonce is basically a "secret" (due to SSL encryption) number inserted into the HTML and submitted via a form. You don't need JS, just SSL.


Yeah, but in simpler terms :)

Making it require JS is on purpose as a lot of spam robots only parse HTML and don't execute JS, so you get less spam that way.



