Bot's getting through even after blocking the domain

Are you able to provide the JS (or better a webpage with the JS and form on it) so that we can have a look? Also, if you're using the formsubmit API anywhere, it might be the case that the form was submitted by an API call instead of the real form submission on the webpage (probably a long shot, but thought of checking it once).

Sure the form is here: https://calendly.com/resources/ebooks/how-to-guide-teams

Code basically is :

// prevents form submission and displays error if email uses free domain
form.onValidate(() => {
   const email = form.vals().Email;
   if (email) {
      if (!isValidEmail(email, allowFreeEmailDomains)) {
         form.submitable(false);
         const emailElement = form.getFormElem().find('#Email');
         form.showErrorMessage(allowFreeEmailDomains ? 'Domain not allowed' : 'Must be a business email', emailElement);
      } else {
         form.submitable(true);
      }
   }
});

const bannedDomains = ['qq.com'];
const isValidEmail = (email: string, allowFreeEmailDomains: boolean) => {
   if (!allowFreeEmailDomains && freeEmailDomains.some(domain => email.includes(`@${domain}`))) {
      return false;
   }
   if (bannedDomains.some(domain => email.includes(`@${domain}`))) {
      return false;
   }
   return true;
};

@Darshil_Shah1 ^^

1. That’s not valid browser JS.  Looks like TypeScript, which will not execute.

2. A well-written bot doesn’t care about executing your JS anyway.

@SanfordWhiteman 

2. Care to expand?

---

2. Care to expand?

---

A modern-day bot is a headless browser. So it can pick and choose which JS to execute and which to skip. It just needs to send data that the back end will understand. In this case, it’s quite trivial (again, if you’re malicious) to write a bot that submits to the regular ol’ forms endpoint with a bunch of fields and the easily computed hash value, and never touch the email validation step.

@SanfordWhiteman thank you. 

I don't suppose there are ways to stop them?