Dealing with Spam or Bot Form Fillouts | Community
June 29, 2017

Dealing with Spam or Bot Form Fillouts

  • June 29, 2017
  • 33 replies
  • 26953 views

Issue

You have been receiving form submissions that appear to have bogus/nonsensical data in the fields, such as "kjsag@sm4.to" for email address, "111-111-1111" for phone number, or other random nonsensical text in a Comment field.

 

 


Solution

Currently, there are no default settings in Marketo that prohibit a form submission if the required fields are filled out. A great workaround for addressing these bogus form submissions in Marketo is to implement a 'honeypot' field on the form.

To do this, you will need to create a custom Marketo field, string type, and name it something distinctive (such as "spam" or "honeypot"). After creating this field in Marketo Admin > Field Management, place this new field on the form as a hidden field.

Real live end-users do not see hidden fields, but spam bots will see them and fill out all available fields. So now when we see form fills with this honeypot field "not empty," we know that it was a bot fillout.

 

Setting up the Honeypot Field

Say that you have a Trigger Campaign that's having some issue with these spam/bogus form fills. In the flow of this campaign, you can add a flow step at the top: Remove from Flow, with a Choice.

 

Choice:

If Honeypot field Is not empty, then remove from flow

Default: do nothing

 

This way, the lead record is removed from the flow. You can also have other campaigns to handle these bogus form fills, such as a daily recurring batch to delete the record.

 

Other Options

Another method of dealing with bot fillouts is to enable a reCAPTCHA. In fact, a very prolific Marketo user has written custom code that you feasibly could use to enable a reCAPTCHA on the form! Check this out: https://codepen.io/figureone/pen/meybqN?editors=0110
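
The honeypot flow choice described above, written out as triage logic over constructed submissions so that it is clear which cases the check can and cannot decide. This is an added example, not Marketo code: the field name `honeypot`, the "review" outcome for payloads that lack the field, and the sample data are assumptions.

```javascript
// Added example, not Marketo code. "honeypot" is the hypothetical API name of
// the custom hidden field; all submissions below are constructed.
const HONEYPOT = "honeypot";

// Mirror of the flow choice: a non-empty honeypot means remove from flow.
// A payload with no honeypot key at all did not come from the current form
// markup (assumption: the live form always posts the hidden field, empty).
function triage(fields) {
  if (!Object.prototype.hasOwnProperty.call(fields, HONEYPOT)) return "review";
  const value = fields[HONEYPOT];
  return value === "" || value === null ? "continue" : "remove";
}

// Triage a batch and count the outcomes for a daily cleanup report.
function triageBatch(submissions) {
  const summary = { continue: 0, remove: 0, review: 0 };
  const verdicts = submissions.map((s) => {
    const verdict = triage(s.fields);
    summary[verdict] += 1;
    return { id: s.id, verdict };
  });
  return { verdicts, summary };
}

// Constructed sample: one human and three automated fillouts.
const sample = [
  { id: "human", fields: { Email: "pat@example.com", Phone: "555-0100", honeypot: "" } },
  { id: "fills-everything", fields: { Email: "kjsag@sm4.to", Phone: "111-111-1111", honeypot: "asdf" } },
  { id: "old-field-list", fields: { Email: "x1@example.net", Phone: "111-111-1111" } },
  { id: "leaves-it-empty", fields: { Email: "x2@example.net", Phone: "111-111-1111", honeypot: "" } },
];

function runSample() {
  return triageBatch(sample);
}
```

Only the submission that fills the hidden field is removed; the one that leaves it empty is indistinguishable from a human by this check alone.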

 

 



33 replies

SanfordWhiteman
Level 10
June 29, 2017

Thanks for the shoutout, guys. This reminds me that I need to work the reCAPTCHA demo into a full blog post.

August 11, 2017

We've been dealing with this issue this week and I want to add some additional things to consider. We had a bot attack in June and implemented a honeypot, but because the botnet had accessed a previous form without the honeypot they were able to hit us again this week (August) and fill out the form (skipping the new honeypot) 140,000 times - completely overloading our Marketo instance. According to Marketo support there isn't much we can do except delete the form (which would mean we couldn't filter on that form - not acceptable). We haven't found a reasonable solution yet!

SanfordWhiteman
Level 10
August 11, 2017

As noted above and in your other thread, ReCAPTCHA is a far stronger protection mechanism.

Level 2
August 29, 2017

We're dealing with the same thing right now.  Put in the honeypot field and it didn't stop the submissions.  Working on the reCAPTCHA now.

SanfordWhiteman
Level 10
August 29, 2017

Juliet, a few tips when using the ReCAPTCHA (if you haven't figured this out on your own):

  • ReCAPTCHA responses can only be verified once on the server -- after that, they will always return false (this is a security mechanism).
  • Store ReCAPTCHA pass/fail as DateTime fields, not Booleans (Last ReCAPTCHA Success, et al.). This is far better for later visibility.
  • Make sure you don't treat existing leads the same as new leads. You don't want to delete a legit lead because somebody failed ReCAPTCHA with that lead's Email Address.
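
The three tips above, applied to the result of a server-side verification. This is an added example, not code from the thread or from Marketo: the HTTPS call to Google's siteverify endpoint is left out, and the lead store, field names and sample results are constructed for illustration.

```javascript
// Added example, not code from the thread. The lead store and field names are
// hypothetical; result objects follow Google's siteverify JSON reply shape.
const passedTokens = new Set(); // tokens that have already verified successfully

// Apply one siteverify result to the lead store and return the action taken.
function applyRecaptchaResult(leads, submission, result, now) {
  const { email, token } = submission;
  const existing = leads.get(email);
  const stamp = now.toISOString();

  if (result.success === true) {
    passedTokens.add(token);
    const lead = existing || { email, createdAt: stamp };
    lead.lastRecaptchaSuccess = stamp; // a DateTime, not a Boolean
    leads.set(email, lead);
    return existing ? "update" : "create";
  }

  const codes = result["error-codes"] || [];
  // A token verifies only once. Re-checking one that already passed fails by
  // design, so that result is not recorded as a failure on anyone's record.
  if (passedTokens.has(token) && codes.includes("timeout-or-duplicate")) {
    return "ignore-duplicate";
  }
  if (existing) {
    // A failure that names a known address: stamp it, never delete the lead.
    existing.lastRecaptchaFailure = stamp;
    return "keep-existing";
  }
  return "discard"; // unknown address and a failed challenge
}

// Constructed sample run: one known lead, three tokens, four results.
function demo() {
  const leads = new Map([
    ["ana@example.com", { email: "ana@example.com", createdAt: "2017-01-05T00:00:00.000Z" }],
  ]);
  const now = new Date("2017-08-29T12:00:00Z");
  const ok = { success: true };
  const dup = { success: false, "error-codes": ["timeout-or-duplicate"] };
  const bad = { success: false, "error-codes": ["invalid-input-response"] };
  const actions = [
    applyRecaptchaResult(leads, { email: "new@example.com", token: "tok-1" }, ok, now),
    applyRecaptchaResult(leads, { email: "new@example.com", token: "tok-1" }, dup, now),
    applyRecaptchaResult(leads, { email: "ana@example.com", token: "tok-2" }, bad, now),
    applyRecaptchaResult(leads, { email: "bot@example.com", token: "tok-3" }, bad, now),
  ];
  return { actions, leads };
}
```
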
August 29, 2017

We were dealing with the same thing. Tried the honeypot implementation and it didn't stop the submissions. We couldn't have the reCAPTCHA on the form, so I made a smart list to filter out the spams from our DB (using their domain as unique identifier) and monitored it for a while. When I was 100% sure that it only filters out the spams, I created a program to automatically delete the spams from the DB. There are anomalies, though, because sometimes they do hit us with a random domain, but it's still better...

Ashley_Tate
Level 2
September 5, 2017

We've been under a bot attack for the last 48 hours straight and client-side solutions like honeypots and preventing specific email domains from submitting simply don't work. We're trying to avoid reCAPTCHA.

Has anyone figured out how to prevent record creation based on criteria, or at least prevent syncing to SFDC based on criteria? Our immediate issue is that Marketo has maxed SFDC's API limit and since this is a continuous attack, we have no way of stopping it other than removing the sync between SFDC and Marketo.

SanfordWhiteman
Level 10
September 5, 2017

"We're trying to avoid reCAPTCHA."

Because... ?

"Has anyone figured out how to prevent record creation based on criteria, or at least prevent syncing to SFDC based on criteria?"

Persons don't automatically sync to SFDC unless you're adding them to a synced Marketo Campaign. You always have control over this in a flow. So yes, you can always prevent syncing to SFDC by not calling Sync to SFDC or by not adding them to a campaign.

September 5, 2017

The form is down (removed from the landing page) and we are still getting submissions/records created. 400+ in the last 10 minutes.

SanfordWhiteman
Level 10
September 5, 2017

Of course, the visible form isn't used to process the bot submissions.  If you delete the form then the form ID will no longer exist.

If you're saying this is why not to use ReCAPTCHA, no, that's exactly why you do use ReCAPTCHA, because it's intended to require a human hand in the process.