SOLVED

Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Go to solution
Meghan_Souza3
Level 2

Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

or third party vendor...hopefully.

Hi all,

Our forms we've had honeypots installed for at least the last two years, and they are no longer working for us - could be that humans are getting hold of our form since time of day, IP, and inferred country seem to remain the throughout attacks once theyve started, say Saturday at 5pm), until the next round (next saturday at maybe 3pm) - but don't definitely know if it's human or bot.

We are looking for the next steps for form security that hopefully doesnt bring in a paid service and we have developers on hand to help. Google Recaptcha specifcally doesnt work in china and we are a global company, definitely needing this to work in china.

Does anyone have any suggestions for maybe some type of event listener or email verification (that uses an SMTP call or something rather than just validating domain, they come in with legit domains) prior to form submission?

Also, thoughts on standard captchas?

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Well, honeypots don't work: they never really did.  It takes seconds for someone to detect your honeypot requirement and then set their bot to post 1000s upon 1000s of forms that meet the requirement. (With headless browsers, there doesn't even need to be a human to do the first detection.)

reCAPTCHA is designed to detect bots by fingerprinting human activity. It only exists because old CAPTCHAs were so easily hacked via OCR, etc. There's nothing comparable out there for free. But nothing stops you from trying any of the traditional (often PHP-based) CAPTCHAs with a Marketo form. You'll need to have a server to generate the images, though, and however lightweight this task is it's still something you need a server for.

email verification (that uses an SMTP call or something rather than just validating domain, they come in with legit domains) prior to form submission?

In-browser email verification is a great feature to add to your forms, but it's designed to stop otherwise well-behaved humans from using fake addresses. It doesn't stop malicious bots, because they simply skip over the verification step. In order to verify email addresses that might've been submitted by bots, you need to run the email verification from the server (i.e. via webhook). This is after form submission.

View solution in original post

6 REPLIES 6
SanfordWhiteman
Level 10 - Community Moderator

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Well, honeypots don't work: they never really did.  It takes seconds for someone to detect your honeypot requirement and then set their bot to post 1000s upon 1000s of forms that meet the requirement. (With headless browsers, there doesn't even need to be a human to do the first detection.)

reCAPTCHA is designed to detect bots by fingerprinting human activity. It only exists because old CAPTCHAs were so easily hacked via OCR, etc. There's nothing comparable out there for free. But nothing stops you from trying any of the traditional (often PHP-based) CAPTCHAs with a Marketo form. You'll need to have a server to generate the images, though, and however lightweight this task is it's still something you need a server for.

email verification (that uses an SMTP call or something rather than just validating domain, they come in with legit domains) prior to form submission?

In-browser email verification is a great feature to add to your forms, but it's designed to stop otherwise well-behaved humans from using fake addresses. It doesn't stop malicious bots, because they simply skip over the verification step. In order to verify email addresses that might've been submitted by bots, you need to run the email verification from the server (i.e. via webhook). This is after form submission.

Meghan_Souza3
Level 2

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Thanks for your prompt responses!

Is the code in this post what you're referring to as in browser verification? Email validation in Marketo through Javascript

SanfordWhiteman
Level 10 - Community Moderator

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

By "in-browser" I mean what Etumos Verify does: end-to-end verification -- when possible -- from the browser to a remote service, before the form touches Marketo.

Erik_Larson
Level 2

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

I've implemented a server-side solution that your developers could try. Basically you can collect leads in a static list, pull from this list every N minutes, and run some code against the records in the static list. I've found using a model that scores how real a First/Last name looks, and checking against blacklisted IPs based on form fill frequency are both useful.

Happy to post some code if you're interested, just let me know.

Mark_Huber
Level 1

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Definitely interested. Struggling with the same issue right now.

Erik_Larson
Level 2

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Here's some code to get you started: quick_detect.py · GitHub. This uses a few simple, but useful filters (e.g First Name == Last Name).

Let me know if you need any help with your implementation and/or extending this code.