Dealing with Spam or Bot Form Fillouts | Community
June 29, 2017

Dealing with Spam or Bot Form Fillouts

  • June 29, 2017
  • 33 replies
  • 26953 views

Issue

You have been receiving form submissions that appear to have bogus/nonsensical data in the fields, such as "kjsag@sm4.to" for email address, "111-111-1111" for phone number, or other random nonsensical text in a Comment field.

 

 


Solution

Currently, there are no default settings in Marketo that prohibit a form submission if the required fields are filled out. A great workaround for addressing these bogus form submissions in Marketo is to implement a 'honeypot' field on the form.

To do this, you will need to create a custom Marketo field, string type, and name it something distinctive (such as "spam" or "honeypot"). After creating this field in Marketo Admin > Field Management, place this new field on the form as a hidden field.

Real live end-users do not see hidden fields, but spam bots will see them and fill out all available fields. So now when we see form fills with this honeypot field "not empty," we know that it was a bot fillout.

 

Setting up the Honeypot Field

Say that you have a Trigger Campaign that's having some issue with these spam/bogus form fills. In the flow of this campaign, you can add a flow step at the top: Remove from Flow, with a Choice.

 

Choice:

If Honeypot field Is not empty, then remove from flow

Default: do nothing

 

This way, the lead record is removed from the flow. You can also have other campaigns to handle these bogus form fills, such as a daily recurring batch to delete the record.

 

Other Options

Another method of dealing with bot fillouts is to enable reCAPTCHA. In fact, a very prolific Marketo user has written custom code that you could feasibly use to enable reCAPTCHA on the form! Check this out: https://codepen.io/figureone/pen/meybqN?editors=0110

 

 



33 replies

Ashley_Tate
Level 2
September 5, 2017

If we put reCAPTCHA on the form that's currently being flooded, will it stop the spam? I've been told by our own product team that if the bot already has the URL, then reCAPTCHA won't stop it.

SanfordWhiteman
Level 10
September 5, 2017

> I've been told by our own product team that if the bot already has the URL, then reCAPTCHA won't stop it.

Seems they don't understand how ReCAPTCHA works!

First, ReCAPTCHA doesn't stop the form post from going on the wire (nothing can).  It allows you to detect whether the posted data was spam, by comparing the unique ReCAPTCHA signature -- if there is one, if no sig at all, it's obviously spam -- with the correct human response.

So even if a bot knows your URL, if you enforce the rule that anything posted to that URL must have a valid ReCAPTCHA response, you will easily tell what's spam.
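Added example, not part of the original thread: the rule described above, that anything posted to the form URL must carry a valid reCAPTCHA response, written as a server-side check. It assumes a handler you control receives the posted fields; `gateSubmission`, `cfg` and the injected `httpPost` are hypothetical names, while the `g-recaptcha-response` field and the `siteverify` endpoint are reCAPTCHA's own.

```javascript
// Added example: server-side gate for a form endpoint (assumed setup).
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Build the verification request for one posted submission.
// Returns null when no token was posted: reject without any network call.
function buildVerifyRequest(postedFields, secret, remoteIp) {
  const token = (postedFields["g-recaptcha-response"] || "").trim();
  if (!token) return null;
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  return { url: SITEVERIFY_URL, method: "POST", body: body.toString() };
}

// Decide from the siteverify JSON whether to accept the submission.
function evaluateVerifyResponse(result, expectedHostname) {
  if (!result || result.success !== true) {
    const codes = (result && result["error-codes"]) || [];
    return { accept: false, reason: codes.join(",") || "verification-failed" };
  }
  // A token solved on a different site must not be accepted here.
  if (result.hostname !== expectedHostname) {
    return { accept: false, reason: "hostname-mismatch" };
  }
  return { accept: true, reason: "ok" };
}

// Full gate: every post to the form URL passes through this before it is
// stored. `httpPost` is injected; assumed signature (url, body) => Promise<object>.
async function gateSubmission(postedFields, cfg, httpPost) {
  const req = buildVerifyRequest(postedFields, cfg.secret, cfg.remoteIp);
  if (req === null) return { accept: false, reason: "missing-token" };
  try {
    const result = await httpPost(req.url, req.body);
    return evaluateVerifyResponse(result, cfg.hostname);
  } catch (err) {
    // Fail closed: an unreachable verifier never turns into an accepted post.
    return { accept: false, reason: "verify-unreachable" };
  }
}
```

A post that arrives with no token is rejected before any call to the verifier, which is the "no sig at all" case from the reply.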

September 8, 2017

We've added a script from BriteVerify Email Verifier and it works to block disposable domains, and validates all domain submissions. As an email is entered in the form it is verified and accepted or rejected. Fraud prevention is in place too, after 5 attempts, the IP is blocked temporarily and the user is asked to check their email inbox and click on the verify email address CTA.

We're currently testing it on a single landing page and are impressed with the results.

SanfordWhiteman
Level 10
September 8, 2017

Won't have any effect on bot submissions.

Amy_Goldfine
Level 9
September 8, 2017

We have a problem with bots, but they actually manage to skip some of our required fields. I created an alert that sends me an email when someone fills out a form but is missing fields, and I go in and delete the records.

Amy Goldfine
Marketo Champion & Adobe Community Advisor

Jayanto_Sukul_S
Level 2
November 7, 2017

Hi,

We've been under a bot attack for the last 48 hours from our corporate site, as we implemented a Marketo form on SiteCore. Some are embedded forms and a few are forms where we have only passed the Form Id.

I would like to ask for advice: if we use the honeypot mechanism, will it still work on the site? Any advice on this will be very helpful.

SanfordWhiteman
Level 10
November 7, 2017

Honeypots that are expected to be empty aren't useful once somebody has figured out how to post data directly to your form.

For the moment, you could switch to expecting a certain value (not empty) in the field instead. It's all about what you believe a human user can do that a bot can't be coded to do (hint: not much!).

But most such measures are losing battles.
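Added example (not part of the thread and not Marketo's own code): the article's "Is not empty" Choice and the expected-value variant from the reply above, applied to three constructed submissions. The preset value `hp-7f3a`, the function names and the sample records are assumptions made for illustration.

```javascript
// Added example: the flow's Choice as code, run over constructed submissions.
const HONEYPOT = "honeypot"; // field name suggested in the article
const EXPECTED = "hp-7f3a";  // hypothetical preset value (assumption)

// Article's rule: remove from flow when the hidden field is not empty.
const notEmptyRule = (fields) =>
  typeof fields[HONEYPOT] === "string" && fields[HONEYPOT].trim() !== "";

// Thread's variant: remove from flow unless the field holds the preset value.
const expectedValueRule = (fields) => fields[HONEYPOT] !== EXPECTED;

// Mirrors the flow step: Choice -> "remove from flow", Default -> continue.
function flowDecision(fields, rule) {
  return rule(fields) ? "remove-from-flow" : "continue";
}

// Constructed submissions. `preset` is what the hidden field holds when the
// page is rendered: "" for the article's setup, EXPECTED for the variant.
function sampleSubmissions(preset) {
  return [
    // Browser user: never touches the hidden field, so it posts the preset.
    { who: "human", fields: { Email: "pat@example.test", [HONEYPOT]: preset } },
    // Bot that fills every field it finds, hidden ones included.
    { who: "fill-all-bot", fields: { Email: "kjsag@sm4.to", [HONEYPOT]: "kjsag" } },
    // Client that posts only the visible fields and never loads the page.
    { who: "direct-post", fields: { Email: "kjsag@sm4.to" } },
  ];
}

// Names of the sample submitters that the given rule removes from the flow.
function removed(preset, rule) {
  return sampleSubmissions(preset)
    .filter((s) => flowDecision(s.fields, rule) === "remove-from-flow")
    .map((s) => s.who);
}

console.log("not-empty rule:     ", removed("", notEmptyRule));
console.log("expected-value rule:", removed(EXPECTED, expectedValueRule));
```

The preset value is visible to anything that reads the page, so the variant only filters clients that never load the form.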

Jayanto_Sukul_S
Level 2
November 13, 2017

Thank you for your valuable guidance.

March 18, 2018

This is a helpful email from Marketo support.

----

Regarding reCaptcha, since it is a third-party integration, we don't have formal documentation regarding setting it up, but I would recommend searching the Marketo community to see how other Marketo users have approached this, or work with using reCaptcha for more information.

In addition to implementing ReCaptcha, you may want to consider adding JavaScript.

- Add JavaScript validation to the header of your landing pages. This checks to see if JavaScript is enabled on the browser - and, if not, redirects the lead to a page that advises them to do so. Spam bots do not have JavaScript enabled, so this can cut down on spam submissions. This will minimize but not eliminate these submissions. You can also use JavaScript to do custom validation on any of the fields in your form, but keep in mind that you would need a developer's help for these solutions.

Here is an article on our community site that may be useful.

Title - Dealing with Spam or Bot Form Fillouts

Link - https://nation.marketo.com/docs/DOC-4755-how-to-setup-a-form-honeypot-field

We suggest working with a developer to implement these solutions as well as test them, as custom coding falls outside the scope of support.

----

SanfordWhiteman
Level 10
March 18, 2018

Yes, "spam bots do not have JS enabled" but they also aren't browsers, so this part makes zero sense... ugh.