Re: Spam Form Fills

SanfordWhiteman
Level 10 - Community Moderator

Re: Spam Form Fills

Any reason we'd want to use this code you've posted before instead of the one linked above?

They're the exact same demo page!

Hi Sanford Whiteman, thanks for sharing! Can you clarify for me where I should put the JS in your link? Do we add it to the header of each page that has a form? I've got a very basic understanding of JS and CSS.

You're going to need more than JS and CSS, because you also need to call a webhook to verify the ReCAPTCHA. ReCAPTCHA, like all Captchas, is not a browser-only technology (a lot of people don't understand this), because a bot can easily avoid filling out the Captcha at all.

What isn't easy to forge, on the other hand -- and this is why Captchas exist -- is filling out the Captcha correctly, which in the newer-fangled Captchas means "correct answer + like a human would do it." So you always need the back-end call to verify upon submission, otherwise you're not getting any protection.

It's likely that you'll need someone who gets the whole "life cycle" to set this up for you, since it's a simple process but you kinda need to get it end-to-end.

Anonymous
Not applicable

Re: Spam Form Fills

Like I said, I'm not very advanced in JS and CSS. Thanks for the clarification.

I get the necessity of a verification process from your explanation. If we set up our own Google ReCaptcha, is the code you provided going to work without a webhook? Again, just trying to get a full understanding of this before tasking my webmaster to help us.

SanfordWhiteman
Level 10 - Community Moderator

Re: Spam Form Fills

What I was saying is there's no such thing as a Captcha that works without a webhook.

You must always make a back-end call, with your Google secret key, to see if the unique Captcha attempt (it's always unique every time you view the form) was a success. Otherwise someone can just barge past the Captcha and claim they answered correctly.

Anonymous
Not applicable

Re: Spam Form Fills

I've written a blog post on the captcha "life cycle". Please try it out:

https://medium.com/@anulals/google-recaptcha-in-marketo-forms-b992fc30d000

SanfordWhiteman
Level 10 - Community Moderator

Re: Spam Form Fills

Anulal, thanks a lot for featuring and attributing my code!

Some flaws in your walkthrough, though...

  • The most fundamental is that webhook response data mappings are done asynchronously. You must not check the value of the captchaStatus in the same flow as the Call Webhook. Instead, use another trigger campaign that fires on Data Value Changes. Otherwise this is guaranteed to fail in some percentage of cases.
  • You want to be clear to the reader that a lead that fails ReCAPTCHA can only be deleted if it's the only thing that lead has done. You don't want to allow someone to impersonate another lead and result in the latter being deleted from the db.
  • Conversely, you don't want to leave failed leads around in your db indefinitely. While you may not delete them immediately, they should be marked for periodic deletion.
  • If a good lead already exists in your database (having either passed ReCAPTCHA or never having had the chance to be tested), what you need to do is throw out the field changes that accompanied the bad form post, but don't throw out any other fields. This requires the use of proxy fields for the complete lifecycle.
  • Finally, using a Boolean for captchaStatus isn't what I'd recommend. Instead have two fields, lastReCAPTCHAFail (a Datetime) and lastReCAPTCHAPass (also a Datetime). Stamp these with {{system.datetime}} accordingly. This gives you the audit trail you need to make intelligent choices about the "final fate" of leads that have submitted a form.
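
The back-end check described in the two posts above (a webhook that asks Google, with the secret key, whether this one-time token passed) and the two Datetime stamps recommended in the last bullet, as an added example in Node.js. This is not code from the thread, from the linked blog post or from Marketo; the real part is Google's siteverify endpoint and its `success` / `hostname` / `score` / `error-codes` response fields. The hostname, secret, tokens and the fake siteverify used to exercise it offline are made up for illustration, and the response shape (`lastReCAPTCHAPass`, `lastReCAPTCHAFail`) is simply what a Marketo webhook response mapping could pick up.

```javascript
'use strict';
// Added example (not from the thread): the server-side half of the reCAPTCHA
// "life cycle". The form post carries g-recaptcha-response; only Google's
// verdict on that token, obtained with the SECRET key, is trusted.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify'; // real endpoint

// Real transport: POST secret + token to Google and parse the JSON verdict.
// Needs Node 18+ for global fetch; swapped out for a fake below when offline.
async function postToGoogle(params) {
  const res = await fetch(SITEVERIFY_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(params).toString(),
  });
  if (!res.ok) throw new Error(`siteverify HTTP ${res.status}`);
  return res.json();
}

// Pull the token out of the posted form fields. A bot that never renders the
// widget simply omits it, so "no token" must be a failure, never a pass.
function tokenFrom(submission) {
  const token = submission['g-recaptcha-response'];
  return typeof token === 'string' && token.length > 0 ? token : null;
}

// Turn Google's verdict into the two Datetime stamps recommended above.
// Any client-supplied "captchaStatus" field is deliberately never consulted.
function evaluate(result, opts, stamp) {
  const fail = (reason) => ({ passed: false, reason, lastReCAPTCHAPass: null, lastReCAPTCHAFail: stamp });
  if (!result || result.success !== true) {
    // Includes the unreachable-siteverify case: fail closed, never open.
    return fail(((result && result['error-codes']) || ['no-response']).join(','));
  }
  if (opts.expectedHostname && result.hostname !== opts.expectedHostname) {
    return fail('hostname-mismatch'); // token was solved on some other site
  }
  const minScore = opts.minScore === undefined ? 0.5 : opts.minScore;
  if (typeof result.score === 'number' && result.score < minScore) {
    return fail('low-score'); // reCAPTCHA v3 only; v2 returns no score
  }
  return { passed: true, reason: 'ok', lastReCAPTCHAPass: stamp, lastReCAPTCHAFail: null };
}

// The webhook handler's logic end to end. opts.siteverify defaults to the real
// transport; opts.now lets the caller fix the timestamp.
async function verifySubmission(submission, opts) {
  const stamp = (opts.now || (() => new Date()))().toISOString();
  const token = tokenFrom(submission);
  if (token === null) {
    return evaluate({ success: false, 'error-codes': ['missing-input-response'] }, opts, stamp);
  }
  const params = { secret: opts.secret, response: token };
  if (submission.remoteip) params.remoteip = submission.remoteip;
  let result = null;
  try {
    result = await (opts.siteverify || postToGoogle)(params);
  } catch (err) {
    result = null; // network/parse failure -> evaluate() fails closed
  }
  return evaluate(result, opts, stamp);
}

// Constructed stand-in for siteverify (hostname and tokens are made up). Like
// the real endpoint it accepts each token exactly once, so a replayed token
// comes back as "timeout-or-duplicate": the attempt is unique per form view.
function makeFakeSiteverify(validTokens, hostname) {
  const used = new Set();
  return (params) => {
    if (!validTokens.has(params.response)) {
      return { success: false, 'error-codes': ['invalid-input-response'] };
    }
    if (used.has(params.response)) {
      return { success: false, 'error-codes': ['timeout-or-duplicate'] };
    }
    used.add(params.response);
    return { success: true, hostname, challenge_ts: new Date().toISOString(), score: 0.9 };
  };
}
```

To try it offline: `const sv = makeFakeSiteverify(new Set(['tok-abc']), 'forms.example.com');` then `await verifySubmission({ Email: 'a@example.com', 'g-recaptcha-response': 'tok-abc' }, { secret: 'SECRET-KEY', expectedHostname: 'forms.example.com', siteverify: sv })` passes the first time and fails with `timeout-or-duplicate` on the second call, while a post with no `g-recaptcha-response` fails with `missing-input-response`. Whatever calls this handler should map `lastReCAPTCHAPass` / `lastReCAPTCHAFail` onto the lead and then, as the post above says, act on those values from a separate Data Value Changes trigger rather than in the same flow.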
Anonymous
Not applicable

Re: Spam Form Fills

  • Marketo executes it asynchronously; let me check that once again.
  • Coded in the UI with a restriction that a lead who fails reCAPTCHA validation won't be able to submit the form.
  • A Boolean is used so that we can configure if/else; the datetime is also saved.
SanfordWhiteman
Level 10 - Community Moderator

Re: Spam Form Fills

  • Coded in the UI with a restriction that a lead who fails reCAPTCHA validation won't be able to submit the form.

You can't stop forms from being submitted without a valid reCAPTCHA code.

You can only stop the server from accepting the form data for insert/update if the form was submitted without a valid ReCAPTCHA code.

SanfordWhiteman
Level 10 - Community Moderator

Re: Spam Form Fills

Do you actually think I can't send form data to Marketo without clicking the ReCAPTCHA widget?

Care to share your URL so you can see me do it?

Anonymous
Not applicable

Re: Spam Form Fills

Genuine leads may not be using these hacks; we should accept only genuine leads, right?