Your Achievements
Level 1
0% to
Level 2
Next /
to gain points, level up, and earn exciting badges like the new Applaud 5 BadgeLearn more!
View All BadgesSign in to view all badges
Open Alert Bar
SOLVED

Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Go to solution
Meghan_Souza3
Level 2
Level 2
‎10-15-2018 01:26 PM
‎10-15-2018 01:26 PM

Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

or third party vendor...hopefully.

Hi all,

Our forms we've had honeypots installed for at least the last two years, and they are no longer working for us - could be that humans are getting hold of our form since time of day, IP, and inferred country seem to remain the throughout attacks once theyve started, say Saturday at 5pm), until the next round (next saturday at maybe 3pm) - but don't definitely know if it's human or bot.

We are looking for the next steps for form security that hopefully doesnt bring in a paid service and we have developers on hand to help. Google Recaptcha specifcally doesnt work in china and we are a global company, definitely needing this to work in china.

Does anyone have any suggestions for maybe some type of event listener or email verification (that uses an SMTP call or something rather than just validating domain, they come in with legit domains) prior to form submission?

Also, thoughts on standard captchas?

Thanks!

0 Likes
5,812
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎10-15-2018 02:18 PM
‎10-15-2018 02:18 PM

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Well, honeypots don't work: they never really did.  It takes seconds for someone to detect your honeypot requirement and then set their bot to post 1000s upon 1000s of forms that meet the requirement. (With headless browsers, there doesn't even need to be a human to do the first detection.)

reCAPTCHA is designed to detect bots by fingerprinting human activity. It only exists because old CAPTCHAs were so easily hacked via OCR, etc. There's nothing comparable out there for free. But nothing stops you from trying any of the traditional (often PHP-based) CAPTCHAs with a Marketo form. You'll need to have a server to generate the images, though, and however lightweight this task is it's still something you need a server for.

email verification (that uses an SMTP call or something rather than just validating domain, they come in with legit domains) prior to form submission?

In-browser email verification is a great feature to add to your forms, but it's designed to stop otherwise well-behaved humans from using fake addresses. It doesn't stop malicious bots, because they simply skip over the verification step. In order to verify email addresses that might've been submitted by bots, you need to run the email verification from the server (i.e. via webhook). This is after form submission.

View solution in original post

4,604
Reply
6 REPLIES 6
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎10-15-2018 02:18 PM
‎10-15-2018 02:18 PM

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Well, honeypots don't work: they never really did.  It takes seconds for someone to detect your honeypot requirement and then set their bot to post 1000s upon 1000s of forms that meet the requirement. (With headless browsers, there doesn't even need to be a human to do the first detection.)

reCAPTCHA is designed to detect bots by fingerprinting human activity. It only exists because old CAPTCHAs were so easily hacked via OCR, etc. There's nothing comparable out there for free. But nothing stops you from trying any of the traditional (often PHP-based) CAPTCHAs with a Marketo form. You'll need to have a server to generate the images, though, and however lightweight this task is it's still something you need a server for.

email verification (that uses an SMTP call or something rather than just validating domain, they come in with legit domains) prior to form submission?

In-browser email verification is a great feature to add to your forms, but it's designed to stop otherwise well-behaved humans from using fake addresses. It doesn't stop malicious bots, because they simply skip over the verification step. In order to verify email addresses that might've been submitted by bots, you need to run the email verification from the server (i.e. via webhook). This is after form submission.

4,605
Reply
Meghan_Souza3
Level 2
Level 2
‎10-15-2018 02:40 PM
‎10-15-2018 02:40 PM

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Thanks for your prompt responses!

Is the code in this post what you're referring to as in browser verification? Email validation in Marketo through Javascript

0 Likes
4,604
Reply
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎10-15-2018 02:47 PM
‎10-15-2018 02:47 PM

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

By "in-browser" I mean what Etumos Verify does: end-to-end verification -- when possible -- from the browser to a remote service, before the form touches Marketo.

0 Likes
4,604
Reply
Erik_Larson
Level 2
Level 2
‎10-27-2018 03:03 PM
‎10-27-2018 03:03 PM

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

I've implemented a server-side solution that your developers could try. Basically you can collect leads in a static list, pull from this list every N minutes, and run some code against the records in the static list. I've found using a model that scores how real a First/Last name looks, and checking against blacklisted IPs based on form fill frequency are both useful.

Happy to post some code if you're interested, just let me know.

0 Likes
4,604
Reply
Mark_Huber
Level 1
Level 1
‎11-05-2018 02:13 PM
‎11-05-2018 02:13 PM

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Definitely interested. Struggling with the same issue right now.

0 Likes
4,604
Reply
Erik_Larson
Level 2
Level 2
‎11-25-2018 05:38 PM
‎11-25-2018 05:38 PM

Re: Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

Here's some code to get you started: quick_detect.py · GitHub. This uses a few simple, but useful filters (e.g First Name == Last Name).

Let me know if you need any help with your implementation and/or extending this code.

4,604
Reply
Home