SOLVED

Is there any way to block spam form sign ups?

Go to solution
Highlighted
Level 10 - Community Moderator

Re: Is there any way to block spam form sign ups?

You have to add JS to the page, yeah.

Highlighted
Level 3

Re: Is there any way to block spam form sign ups?

where it says payload template in webhooks, it says secret=....

Is that a MKTO code or a recaptcha code?

Highlighted
Level 10 - Community Moderator

Re: Is there any way to block spam form sign ups?

That's the Google API key that they'll generate for you when you sign up to the service.  It's specific to your use of ReCAPTCHA.

Highlighted
Level 1

Re: Is there any way to block spam form sign ups?

Found this thread about implementing Google's reCaptcha to Marketo forms (via https://nation.marketo.com/message/132824#comment-132824) and have some quick questions:

1) When do you call the webhook that talks with Google reCaptcha's servers to verify the submission? In the program flow?

2) Do you put in a wait step afterwards and then check the value of the ReCAPTCHA_Verified field? Then, if it's false, you stop the flow. And if it's true, you continue the flow?

Thanks!

Sanford Whiteman

Highlighted
Level 10 - Community Moderator

Re: Is there any way to block spam form sign ups?

1) When do you call the webhook that talks with Google reCaptcha's servers to verify the submission? In the program flow?

Yes, triggered by ​Filled Out Form.

2) Do you put in a wait step afterwards and then check the value of the ReCAPTCHA_Verified field? Then, if it's false, you stop the flow. And if it's true, you continue the flow?

Wait step? Nope, never use a wait step to await a data value change. Trigger on the Data Value Changed event.

But it's more complex than exiting stop the (chained) flow, because while not adding fake fillouts to a program is vital, it's also vital to figure out how to keep bad leads out of your database without also letting a malicious person "slam" good leads out of your database (think about what happens if I fill out a form on your behalf but don't pass the ReCAPTCHA).

I need to describe this logic more deeply on my blog but I have many other posts pending at present....

Highlighted
Level 1

Re: Is there any way to block spam form sign ups?

Is your workflow possible within one program or does it require multiple programs in order to operate?

If the latter, I'm thinking the first program is called when the user fills out the form and captcha (calling the Webhook). The second program would executes when the reCaptcha Success field is populated in Marketo (we would store some list state data in the first program).

For background, we've been using the hidden honeypot field in a Marketo form, but recently had a bot add a large number of email addresses to our list.

Looking forward to your blog post. Thanks again.

Highlighted
Level 1

Re: Is there any way to block spam form sign ups?

Coming back to this. Does the trigger on Data Value Changed live in a different program or the same program as Fill Out Form? Are you storing list state data (i.e. what list they need to be added to) in the event that you have multiple lists you want to add a lead to? Sanford Whiteman

Highlighted
Level 1

Re: Is there any way to block spam form sign ups?

Sanford Whiteman Here's what I have set up currently:

  • Form with Google ReCAPTCHA prompt
  • Trigger for Filled Out Form which calls the webhook
  • Webhook which passed ReCAPTCHA_Reponse to Google for verification. If success, the Marketo field ReCAPTCHA_Verified is set to 1.

I've tested the above and it's working fine. Now, what's next? Do I have another Trigger for Data Value Changed for ReCAPTCHA_Verified? If so, how do you know which form the lead just filled out? Are you storing the form name in some other Marketo field in the Filled Out Form trigger?

Does your workflow handle multiple form submissions? For instance, if you had two, three, or four forms that the user could fill out. Would you have to have separate webhooks and triggers for each form to prevent collisions (i.e. submitting two+ forms at the same time)?

Highlighted
Level 10 - Community Moderator

Re: Is there any way to block spam form sign ups?

I've tested the above and it's working fine. Now, what's next? Do I have another Trigger for Data Value Changed for ReCAPTCHA_Verified?

Yep.

If so, how do you know which form the lead just filled out? Are you storing the form name in some other Marketo field in the Filled Out Form trigger?

You can store the form names in a history field if you need this info, but remember, until you delete the lead completely (which you should after a time to save both $ and database clutter) the Filled Out Form activity is in the the lead's history. So you can run a Smart List to see which "people" were bots and then group by the form(s) they came in from.

What you most need to manage aren't the persistently failing leads, but those that already exist as good leads but are later submitted by a bot (a targeted attack against that person, who knows?). So check that the lead was created by the bad form fillout. Of course you also should be blocking/staging field updates or else you're letting somebody overwrite fields even if they fail the ReCAPTCHA (this happens before you even check Google). There are many form data cases that the vast majority of people don't bother with, unfortunately.

Does your workflow handle multiple form submissions? For instance, if you had two, three, or four forms that the user could fill out. Would you have to have separate webhooks and triggers for each form to prevent collisions (i.e. submitting two+ forms at the same time)?

In theory, not just different webhooks but different hidden fields to store ReCAPTCHA end user responses. But really, if you only take positive action when somebody passes ReCAPTCHA (otherwise, they're quarantined) it doesn't matter if the bot forces itself to fail the Google endpoint lookup by submitting a lot of forms. They'll still fail.

Highlighted
Level 10 - Community Moderator

Re: Is there any way to block spam form sign ups?

I just got reCAPTCHA working with Marketo forms.  If you're interested, follow me and I'll follow you back and we can discuss it.