Thanks. Your spam message did not pass, simply because all comments here are human moderated.

Yes, spam messages from humans can pass, as they naturally do, but other processing layers in the chain can help fight them. Machine learning, traditional keyword/phrase matching, public or private services with scores, known spamming IPs, and so on can help reduce their impact to a point.

In addition, Google reCaptcha gets progressively more difficult when it detects brute force or frequent posting behavior. In another words, it is no longer ‘invisible’, or the returned spam score gets seriously downgraded.

I see no benefit in using invisible reCaptcha V2 or V3 in any real world application because it’s not just bots that you want to filter out and you definitely don’t want to filter out potential customers.

reCaptcha v3 loads on every page everywhere in the background, and this method is not even an option in that case.

There are many protections which use IP address blacklists and other methods to determine ‘dirty networks’, suspicious user behavior etc. and they operate on the server-side, thus, there is no way to know for sure which type of protection they use. Also, your Chrome version is a bit outdated (particularly, because Chrome uses auto-update by default and cannot be turned-off by ordinary users), many 3rd party protection scripts detect obsolete browsers as potential vulnerability vectors, and actively or passively prohibit their access. Of course, that field alone is not reliable security method at all (because it can be faked by clients), but it can be a signal that something is not right for that particular client.

After clicking on Show Contact Info reCaptcha was loaded using Ajax, so they do use it after all, just not right away (this is the reason why the code is not directly visible in the source, there is only a call to a JavaScript function that is executed once the user clicks on a button).