Bot Attack not Blocked by reCaptcha

Level 1

We are experiencing a bot attack on one of our Marketo forms, which creates fake leads in our database.

The form does have a reCaptcha and 'honeypot' in place to prevent bot submissions, but a large number of fake bot leads still manage to get in.

A possible cause for that is that our prevention measures are blocking bot traffic from submitting the forms while loading the website, but it is still possible for the bot to attack from the server side and simulate form submission without visiting the website.

Marketo doesn't have any built-in option to block this kind of behavior except completely deleting the form.

So the current plan is:

  1. Clone the form
  2. Locate all the places this form is installed on and replace it with the new form
  3. Delete the old form in Marketo

The issue with this solution is that nothing prevents the attack from resuming once the new form ID is identified and targeted.

Since Marketo doesn't provide any OOTB solution to bulk change forms in multiple locations, when that happens it will have to be done manually.

For those reasons, before committing to this far-from-perfect strategy I wanted to see if there are any other potential solutions that I am unaware of.

Any suggestions on how to solve this?

4 REPLIES
Level 10 - Community Moderator

Re: Bot Attack not Blocked by reCaptcha

Doesn't sound like you have reCAPTCHA implemented correctly, because net new leads that do not pass reCAPTCHA will be deleted when your flow is set up properly.

But you must move the thread to Products to continue (Move link at the right) as this isn't a support space.

Level 1

Re: Bot Attack not Blocked by reCaptcha

Thank you, Sanford Whiteman,

What should I look for to make sure the reCaptcha is implemented correctly?

What flow logic would you use to prevent this?

Level 10 - Community Moderator

Re: Bot Attack not Blocked by reCaptcha

No net new lead obtained via Filled Out Form should ever enter any other Smart Campaigns until it's proven to have passed reCAPTCHA. Simple as that.

I have no idea what you're currently doing so don't know what you're doing wrong!

Level 3

Re: Bot Attack not Blocked by reCaptcha

Hi Sanford, can you please be more specific on how you can actually verify this for reCAPTCHA v3?
I'm a newbie to this and I don't find it that simple. Thank you for your understanding.
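
An added example, not posted by anyone in this thread and not Marketo code: a server-side check of a reCAPTCHA v3 token against Google's `siteverify` endpoint, which is what "proven to have passed reCAPTCHA" has to rest on when submissions can arrive without the page ever loading. The action name `lead_form`, the hostname `www.example.com` and the 0.5 threshold are assumptions, and how the result is written back to the lead record is left out.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def fetch_siteverify(secret, token, timeout=5):
    """POST the token that came with the form submission to siteverify."""
    body = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)

def evaluate(result, expected_action, allowed_hosts, min_score=0.5,
             max_age_s=120, now=None):
    """Return (passed, reason) for a reCAPTCHA v3 siteverify response."""
    if not result.get("success"):  # includes replayed or expired tokens
        return False, "rejected: " + ",".join(result.get("error-codes", ["unknown"]))
    if result.get("hostname") not in allowed_hosts:  # token minted on another site
        return False, "hostname mismatch"
    if result.get("action") != expected_action:  # token minted for another action
        return False, "action mismatch"
    issued = datetime.fromisoformat(result["challenge_ts"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if (now - issued).total_seconds() > max_age_s:
        return False, "stale token"
    if result.get("score", 0.0) < min_score:
        return False, "score below threshold"
    return True, "ok"

def lead_passed(secret, token, **policy):
    """Fail closed: a direct POST that carries no token never passes."""
    if not token:
        return False, "no token submitted"
    try:
        return evaluate(fetch_siteverify(secret, token), **policy)
    except (OSError, ValueError, KeyError) as exc:
        return False, "verification error: " + type(exc).__name__

if __name__ == "__main__":
    # Constructed siteverify responses, not captured traffic.
    now = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
    sample = {"success": True, "score": 0.9, "action": "lead_form",
              "hostname": "www.example.com", "challenge_ts": "2024-01-01T12:00:30Z"}
    policy = {"expected_action": "lead_form", "allowed_hosts": {"www.example.com"}}
    print(evaluate(sample, now=now, **policy))
    print(evaluate(dict(sample, score=0.1), now=now, **policy))
    print(lead_passed("unused-secret", "", **policy))
```

The lead is treated as verified only when every check passes; a missing token, a failed lookup or a low score all leave it unverified.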