Spam Form Fills | Community
June 7, 2016
Question

Spam Form Fills

  • June 7, 2016
  • 6 replies
  • 18001 views

Hi all, was hoping someone could help me with an issue we have been experiencing recently.

We've been getting a ton of submissions to our demo request page with complete junk information. All fields are filled out, but the person and company do not exist and the rest is gibberish.

I know Marketo does things like the hidden fields on forms to segment out bots, but I'm not sure how to filter out human spammers that are filling out the form manually?

Any help would be greatly appreciated!
Ashley


6 replies

Roxann_McGlump1
Level 5
June 7, 2016

Hi Ashley,

I'm just curious, how do you know these are human spammers?  This really sounds like bot behavior to me.

June 7, 2016

Not 100% sure if they are human or bots.. But since the Marketo filter is not picking them up, I just assumed they were actual form fills. Could be wrong though!

Roxann_McGlump1
Level 5
June 8, 2016

Have you put in a hidden field as a honeypot for bot form fills?

Level 10
August 13, 2016

Ashley Ahearn

Here are more details for the solution recommended by Dory:

- Created a custom field in Marketo 'Is Spam' and type as 'string'.

- Add the field in all the forms as hidden, and approve the associated landing pages.

- In your smart campaigns for form fills, add a filter that says 'Is Spam' is empty. On any form fill, if 'Is Spam' is not empty, it will be a spam lead since humans would not be able to see it and fill it. Only spam bots will be able to fill it.    

KanakoTone
Level 4
May 8, 2017

Hi, I followed this method, and I still receive those spam form fills. Am I missing something? Here is my smart campaign.

Carolyn_Price
Level 2
September 14, 2017

Interested in the response to this!

Level 2
October 9, 2017

Is there a step-by-step guide on how to implement this? I have Sanford's code, I have a site key and secret key from Google, and now I'm lost.

Abaran
Level 5
December 8, 2017

Hello Everyone

We are seeing similar issues

  • the bots / hacker will push data via the form using POST URL and therefore bypassing the normal form submission by a person that clicks on the "submit" button
  • reCAPTCHA will not block spam bots in the scenario above. We have verified it using a script and we were able to submit records over and over
  • an attack of 10s of thousands like this will bring down your other systems that are syncing with Marketo
  • we use an email verification tool on our form as well. for this type of situation the results are very limited.

So far Marketo is not giving us any options on how to prevent these leads from entering the Marketo database

  • with the reCAPTCHA we can check if the submission is a person and if it is not the lead can be deleted immediately
  • but what we want is for the records to never enter Marketo in the first place

I welcome any solution that is robust for this issue.

Thanks a lot

Axel

SanfordWhiteman
Level 10
December 8, 2017
  • the bots / hacker will push data via the form using POST URL and therefore bypassing the normal form submission by a person that clicks on the "submit" button
  • reCAPTCHA will not block spam bots in the scenario above. We have verified it using a script and we were able to submit records over and over

Axel, reCAPTCHA never blocks spam bots from sending form data. That's not what it's ever been designed or advertised to do. And this is true of reCAPTCHA on all websites, not just Marketo LPs and/or forms.

reCAPTCHA allows you to verify on the server side whether a form was submitted by a human or not. If it doesn't pass the human test, you delete or quarantine it before you'd pass it through any processes that would result in it being synced to another system. Unless you are getting very high volume (10s of thousands is not very high) this should not impact instance performance.

  • we use an email verification tool on our form as well. for this type of situation the results are very limited.

Email verification won't apply to bots, so the results will be more like zero than limited.

Abaran
Level 5
December 11, 2017

Hi Sanford

Thanks for your reply. We are getting 10s of thousands of these emails and therefore we have performance issues.

Any suggestions on how we can prevent this from happening?

Thanks

Axel

March 18, 2018

Marketo's response about Google reCAPTCHA...

----

Regarding reCaptcha, since it is a third-party integration, we don't have formal documentation regarding setting it up, but I would recommend searching the Marketo community to see how other Marketo users have approached this, or work with using reCaptcha for more information.

In addition to implementing ReCaptcha, you may want to consider adding javascript.

- Add JavaScript validation to the header of your landing pages. This checks to see if JavaScript is enabled on the browser - and, if not, redirects the lead to a page that advises them to do so. Spam bots do not have JavaScript enabled, so this can cut down on spam submissions. This will minimize but not eliminate these submissions. You can also use JavaScript to do custom validation on any of the fields in your form, but keep in mind that you would need a developer's help for these solutions.

Here is an article on our community site that may be useful.

Title - Dealing with Spam or Bot Form Fillouts

Link - https://nation.marketo.com/docs/DOC-4755-how-to-setup-a-form-honeypot-field

We suggest working with a developer to implement these solutions as well as test them as custom coding falls outside the scope of support.

-----

In other words, it's up to us to sort this out. Just frustrated how they really don't care and have no ambition to solve the most common issue with email forms (DoS attacks). Honeypot fields don't work. Bots are smart now.

They should implement a captcha system and put a toggle on/off on the form creation. It would help us tremendously and reduce the load on their server too.

SanfordWhiteman
Level 10
March 19, 2018

I agree that some built-in support for reCAPTCHA would be nice. You would still have to supply your own Google site key and secret: Marketo can't use the same account for all subscribers' reCAPTCHA lookups because Google will rate-limit them very, very fast (you can even get yourself rate-capped within a single organization).

That said, adding the reCAPTCHA to a form is not too difficult, and it's a one-time (or few-times) procedure to set it up.

The problem is that if the underlying forms infrastructure remains the same, it doesn't matter if Marketo creates an automatic webhook callout for you and adds the widget to your form. That doesn't reduce the server load, it actually increases the load, since every form post results in another HTTP roundtrip to lookup the reCAPTCHA status in addition to all the overhead of processing the form data.  That's because (the way it works now) form data is accepted, queued for insertion, and inserted into the database before the webhook is called. There's no resource savings, only overhead.

If, on the other hand, the order of operations were changed, the reCAPTCHA endpoint could be called first and the data queued only on success, saving resources. But I'd rather see that pipeline be exposed as an API, not hard-coded to support reCAPTCHA only, so we could call whatever we want in the intermediate layer.

March 19, 2018

Hi Sanford,

Thanks for your reply.

The idea would be to have a toggle on/off on each form so that not all forms would do a reCaptcha call.

So Marketo could implement the Google API keys in your admin, so you set that once, and then it calls the API only if the toggle on a specific form is on. Not rocket science.

I have been following your suggestions from this thread Step by step guide to recaptcha

But got stuck at the webhook stage where I have already created all the fields you suggested on the thread, then when I go to webhooks > response mappings > add a new response attribute but then I cannot find the LastReCAPTCHAServerStatus

Any idea? I tried everything I think, deleted and created new fields etc.

Would appreciate your help Sanford, thanks

March 20, 2018

Thanks to @Sanford Whiteman, the integration with reCaptcha is finally working!

The issue with my code was a capital letter in the JS file. After getting that fixed Marketo was able to properly get a response from Google in the webhook.

The issue was on this line:

lastReCAPTCHAUserResponse: recaptchaResponse

The "last" had a capital "L" in front so it never sent the response to Marketo.

              

Without Sanford's help I'd never find out I think

Thank you very much again Sanford and if anyone needs help with this integration I can give a bit more detail.
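
The order of operations discussed in this thread (look up the reCAPTCHA result first, queue the lead only on success), combined with the hidden 'Is Spam' field check and the case-sensitive `lastReCAPTCHAUserResponse` field name, as an added example that is not Sanford's code or anything Marketo provides. The `isSpam` key, the `pages.example.com` hostname and the function names are assumptions made for illustration.

```javascript
// Added example: decide what to do with a form post BEFORE it is queued.
const TOKEN_FIELD = "lastReCAPTCHAUserResponse"; // exact, case-sensitive name from the thread
const HONEYPOT_FIELD = "isSpam";                 // hypothetical key for the hidden 'Is Spam' field
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Build the server-side lookup for Google's siteverify endpoint.
function buildVerifyRequest(secret, fields) {
  const token = fields[TOKEN_FIELD];
  if (typeof token !== "string" || token === "") return null; // nothing to verify
  const body = new URLSearchParams({ secret, response: token }).toString();
  return { url: SITEVERIFY_URL, method: "POST", body };
}

// Pure decision step: fields is the posted form, verifyResult is the parsed
// siteverify JSON (or null when no lookup could be made).
function triage(fields, verifyResult, expectedHostname) {
  if ((fields[HONEYPOT_FIELD] || "") !== "") {
    return { action: "quarantine", reason: "honeypot-filled" };
  }
  if (!(TOKEN_FIELD in fields)) {
    // Catch the capital-"L" mistake: same name, different case.
    const near = Object.keys(fields).find(k => k.toLowerCase() === TOKEN_FIELD.toLowerCase());
    return { action: "quarantine", reason: near ? `token-field-misnamed:${near}` : "token-missing" };
  }
  if (!verifyResult || verifyResult.success !== true) {
    const codes = (verifyResult && verifyResult["error-codes"]) || [];
    return { action: "quarantine", reason: "recaptcha-failed:" + codes.join(",") };
  }
  if (verifyResult.hostname !== expectedHostname) {
    return { action: "quarantine", reason: "hostname-mismatch" };
  }
  return { action: "queue", reason: "verified" };
}

// Constructed sample posts and siteverify replies (not real traffic).
const ok = { success: true, hostname: "pages.example.com" };
const samples = [
  [{ Email: "a@example.com", lastReCAPTCHAUserResponse: "tok-1", isSpam: "" }, ok],
  [{ Email: "b@example.com", LastReCAPTCHAUserResponse: "tok-2" }, null],
  [{ Email: "c@example.com", lastReCAPTCHAUserResponse: "tok-3", isSpam: "x" }, ok],
  [{ Email: "d@example.com", lastReCAPTCHAUserResponse: "stale" },
   { success: false, "error-codes": ["timeout-or-duplicate"] }],
];
const results = samples.map(([f, v]) => triage(f, v, "pages.example.com"));
console.log(results);
```

The network call itself is left to the caller: send the object from `buildVerifyRequest` as a form-encoded POST and pass the parsed JSON reply to `triage`.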