Hello there!
I created a few websites using Contao which is a nice solution if you do a broad variety of stuff but for smaller projects I pefer Grav which is imho a really GOOD flat-file-CMS 
I managed to dig in a bit deeper into Grav now but there is one thing which drives me crazy: The included honeypot form-field in Grav doesn’t stop all spambots. There seems to be a bunch of bots which are trapped but still I get 10 up to 20 Messages every day via the Grav form. On the same IP where my small problem-grav-site is hosted there is also a Website using Contao using its own internal honeypot field. There is zero spam coming from the Contao-form.
I took a quick look at the generated html-source delivered to the visitor’s browser and a very very very quick overlook at the code of both implementations. As far as I can see the Contao-Honepot is almost the same as the one used in Grav with one difference:
The Contao-form is being served with a honeypot-field AND with a security-question within one div-tag. The security-question is served using NCR’s and it’s mandatory, the honeypot field isn’t mandatory.
After the closing div-tag a javascript-codesnippet is given which sets the correct answer to the security question and and which sets the whole div including security- and honeypot-field invisible.
If the form gets reloaded or if the honeypot is filled on form-submission-attempt, the form doesn’t send but now shows the security-question (without the correct answer of course). If no correct answer to questions like “What is the sum of five and seven?” is provided the form won’t be sent.
The advantage of this type of solution is that 99% of visitors won’t ever have to deal with the security-question as it just doesn’t show up for human readers using a browser. A real visitor only sees it when trying to re-submit a form which is ok for me.
I really don’t want to use a third-party solution like ReCaptcha in Grav and having seen that the solution provided in contao does work the following question comes into my mind:
Do you think it’s possible to make a two-level form-validation like this in Grav too? If you say it’s possible I’d dig into the code and try my best to do it.
At the moment my biggest problem is that I’m not sure if it’s possible to add a form-field to the forms-plugin by another plugin and to inject/override the validation process in the superior plugin from within the predecessing plugin providing only one form-field… I am a bit confused at the moment… 
Do you have different/better ideas to make the honeypot-field in grav work better? I also don’t want to sort-out messages containing links because the form is for potential customers which already have a website and which want to know if their website works with a particular software promoted on our site. Some of these real submissions include links to their websites so we can take a first look.
Thx in advance!