I am implementing a blacklisting system on my website that monitors contact forms for suspicious usage (both spam content and excessive frequency).

When I find somebody / robot that meets my criteria for blacklisting, I want to send them to my DB as a blacklisted entity.

My question is, should I blacklist them as an IP or as a domain?

As far as I can see, blacklisting an IP is going to be far more effective, because I allow people to enter their email address in the form, and they can easily just change their domain on a regular basis.

However, the downside is that if I blacklist an IP, I could potentially be blacklisting a large group of people who share an IP, when only one person is bad (ie - college campuses, coffee shops, etc).

Is there a solution I'm missing?