Dealing with Spam or Bot Form Fillouts | Community
Skip to main content
A
Anonymous
June 29, 2017

Dealing with Spam or Bot Form Fillouts

  • June 29, 2017
  • 33 replies
  • 26953 views

Issue

You have been receiving form submissions that appear to have bogus/nonsensical data in the fields, such as "kjsag@sm4.to" for email address, or "111-111-1111" for phone number, or in a Comment field other random nonsensical text.

 

 


Solution

Currently, there are no default settings in Marketo that prohibit a form submission if the required fields are filled out. A great workaround for addressing these bogus form submissions in Marketo is to implement a 'honeypot' field on the form.

To do this, you will need to create a custom Marketo field, string type, and name it something distinctive (such as "spam" or "honeypot"). After creating this field in Marketo Admin > Field Management, place this new field on the form as a hidden field.

Real live end-users do not see hidden fields, but spam bots will see them and fill out all available fields. So now when we see form fills with this honeypot field "not empty," we know that it was a bot fillout.

 

Setting up the Honeypot Field

Say that you have a Trigger Campaign that's having some issue with these spam/bogus form fills. In the flow of this campaign, you can add a flow step at the top: Remove from Flow, with a Choice.

 

Choice:

If Honeypot field Is not empty, then remove from flow

Default: do nothing

 

This way, the lead record is removed from the flow. You can also have other campaigns to handle these bogus form fills, such as a daily recurring batch to delete the record.

 

Other Options

Another method of dealing with bot fillouts is to enable a reCaptcha. In fact, a very prolific Marketo user has written custom code that you feasibly could use to enable a reCaptcha on the form! Check this out: https://codepen.io/figureone/pen/meybqN?editors=0110

 

 


    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

    33 replies

    Show previous replies
    A
    Anonymous
    March 20, 2018

    Thanks @Sanford Whiteman​ for helping me to get the integration working!

    The issue was on this line:

    lastReCAPTCHAUserResponse: recaptchaResponse

    The "last" had a capital "L" in front so it never sent the response to Marketo.

    Thank you very much again Sanford and if anyone need help with this integration I can give a bit more detail.

    M
    Miklo43
    Level 4
    June 21, 2018

    I tried the honeypot field, and of course it doesn't work because if the field isn't required, the bot just leaves it blank. The same would happen for a real person filling out the form, because they can't see it. Thanks for the attempted help, but maybe we can update the "honeypot" as a non-solution?

    Now I've got to try and figure out Sanford's reCaptcha solution.

      Vlad_Power
      Vlad_Power
      Level 2
      April 11, 2019

      Thank you! This is very helpful! The "honeypot" idea worked great!

      SanfordWhiteman
      SanfordWhiteman
      Level 10
      April 11, 2019

      Honeypots don't actually work. They have no effect against a trained bot.

        Vlad_Power
        Vlad_Power
        Level 2
        April 11, 2019

        Thank you for heads up; I'm sure some bots can get fairly sophisticated. For now, however, implementing that field and auto-deleting contacts with those values solved our issue. We will definitely keep an eye out on the results.

        SanfordWhiteman
        SanfordWhiteman
        Level 10
        April 11, 2019

        I'm sure some bots can get fairly sophisticated.

        I wouldn't call it "sophisticated" to leave a field empty! It's just "not incredibly dumb."


        Real bots are based on replaying how your form actually works.

        Cheral_Stewart
        Cheral_Stewart
        Level 1
        April 13, 2019

        Honeypots did not work for us.  What worked....Once we reviewed all the field entries, including the inferred field, we found patterns.  Which we then used to give negative scoring so they would not push to SFDC ( the API calls in SFDC were enormous from a spam form attack due triggering updates to other sync'd programs) or allowed into a campaign.  Then I would delete the negative scored ones 4-6x per day using time-based smart campaigns.  We found that test form fills usually happened a few days before each attack. I would check for changed info in the fields and update the scoring and deletion campaign logic.

        SanfordWhiteman
        SanfordWhiteman
        Level 10
        April 13, 2019

        Did you not try reCAPTCHA? This seems like a lot of guesswork/effort that could have been alleviated.

          Cheral_Stewart
          Cheral_Stewart
          Level 1
          April 15, 2019

          Actually, it is easy to set up and since (this is key) our attacks come from the same source most of the time, we do not have to do much maintenance for it to be effective on an ongoing basis.  The reCAPTCHA process can be difficult for some prospects/customers so we preferred this path. Any pain is on our side. If we start having multiple attack sources then we would use reCAPTCHA. With this new switch Marketo is making to the pre-filled form functionality, I am interested to see if that impacts the number of content downloads. If not, then we might consider reCAPTCHA as we ramp up our social media outreach this year.

          J
          Jeff_Odell
          September 27, 2019

          Does anyone else feel like this is ridiculous? For Marketo not to support implementation of reCAPTCHA seems like a massive failure. We never had the slightest problem when our signup form was with MailChimp—they have effective behind-the-scenes methods for blocking bots. And if you did have a problem, MailChimp enables you do implement a reCAPTCHA with a simple checkbox! Come on, Marketo!

          Show more replies
          Terms & ConditionsAccessibility statement

          Loading footer...