I'm looking for a way to send an alert to my team when a form has been filled out a certain number of times -- any suggestions on how to make that happen?
The reason we want to do it is to detect a bot attack on our site. I want to get an alert when a form is filled out 100 times within a minute - that way my team can get on it quickly before our instance is overwhelmed. (Before you ask, yes, we have a honeypot on our forms, the bots are bypassing it.)
I can see other uses for it too though - like letting the sales team know when webinar signups hit a certain threshold, etc.
Yep, honeypots are (effectively) a myth because anyone who knows how your form submits data can automate it easily.
What you should use instead is a ReCAPTCHA.
As far as counting events like this, it's only possible using a webhook solution like FlowBoost (you can also use a Resource Lead directly to implement an event counter, but that isn't suitable for machine-generated volume).
Thanks Sanford! I don't think making any changes to our form (like adding CAPTCHA) at this point will help since the bots are accessing an old version of the form. Marketo says the only way to stop it is deleting the form completely, which means we would lose all ability to report on or filter with that form.
A ReCAPTCHA will absolutely still help. You're validating whether the client (i.e. human or bot) also correctly solved the unique challenge on every post. It doesn't matter if they've recorded the rest of the fields and the form ID already.
Are you sure it would still help? We've added a honeypot and even made the honeypot field required since the initial bot attack and the bots are still submitting the form no problem, so the form updates don't seem to be affecting them. I have to assume it would be the same with reCAPTCHA.
ReCAPTCHA isn't a client-side validation. The unique result code is generated on the client, then verified on the server (Marketo) using a webhook. A bot that has learned your form's required fields won't be able to submit valid result codes: they'll either fail to submit a code (failure) or send a bad code (also failure).