SOLVED

Bot's getting through even after blocking the domain

Go to solution
jengcalendly
Level 2

Bot's getting through even after blocking the domain

We have blocked a domain via a javascript that is still getting into our Marketo database. 

We cannot replicate the behavior because each and every time we have tried to submit the same form using any email address that they submitted we receive an error that we cannot submit with this domain.

So behavior is:

Form submits are getting through to the database in Marketo and they are a combination of numbers @qq.com 
QQ.com has been blocked via javascript and attempts on our part to submit the form using one of the email addresses that made it through are blocked.

Help please + thank you!

1 ACCEPTED SOLUTION

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator

Re: Bot's getting through even after blocking the domain


I don't suppose there are ways to stop them?

You want a combo of

  • reCAPTCHA (to stop machine-submitted forms from being accepted)
  • JS and/or native HTML validation (to stop non-malicious and/or non-skilled humans from submitting unwanted domains)
  • server-side validation (to stop malicious humans from submitting unwanted domains, having skipped around client validation)

However, gaps will always remain.

 

For example, server-side email validation detects email addresses that cannot receive mail, period. It can also detect well-known domains that give out disposable addresses. But it can’t detect domains that aren’t known for providing disposable emails — even if everything sent to those domains is deleted immediately.

View solution in original post

8 REPLIES 8
Darshil_Shah1
Level 10 - Community Advisor + Adobe Champion

Re: Bot's getting through even after blocking the domain

Are you able to provide the JS (or better a webpage with the JS and form on it) so that we can have a look? Also, if you're using the formsubmit API anywhere, it might be the case that the form was submitted by an API call instead of the real form submission on the webpage (probably a long shot, but thought of checking it once).

jengcalendly
Level 2

Re: Bot's getting through even after blocking the domain

Sure the form is here: https://calendly.com/resources/ebooks/how-to-guide-teams

Code basically is :

// prevents form submission and displays error if email uses free domain
form.onValidate(() => {
   const email = form.vals().Email;
   if (email) {
      if (!isValidEmail(email, allowFreeEmailDomains)) {
         form.submitable(false);
         const emailElement = form.getFormElem().find('#Email');
         form.showErrorMessage(allowFreeEmailDomains ? 'Domain not allowed' : 'Must be a business email', emailElement);
      } else {
         form.submitable(true);
      }
   }
});
 
const bannedDomains = ['qq.com'];
const isValidEmail = (email: string, allowFreeEmailDomains: boolean) => {
   if (!allowFreeEmailDomains && freeEmailDomains.some(domain => email.includes(`@${domain}`))) {
      return false;
   }
   if (bannedDomains.some(domain => email.includes(`@${domain}`))) {
      return false;
   }
   return true;
};

 

jengcalendly
Level 2

Re: Bot's getting through even after blocking the domain

SanfordWhiteman
Level 10 - Community Moderator

Re: Bot's getting through even after blocking the domain

1. That’s not valid browser JS.  Looks like TypeScript, which will not execute.

2. A well-written bot doesn’t care about executing your JS anyway.

jengcalendly
Level 2

Re: Bot's getting through even after blocking the domain

@SanfordWhiteman 

2. Care to expand?

SanfordWhiteman
Level 10 - Community Moderator

Re: Bot's getting through even after blocking the domain


2. Care to expand?


A modern-day bot is a headless browser. So it can pick and choose which JS to execute and which to skip. It just needs to send data that the back end will understand. In this case, it’s quite trivial (again, if you’re malicious) to write a bot that submits to the regular ol’ forms endpoint with a bunch of fields and the easily computed hash value, and never touch the email validation step.

jengcalendly
Level 2

Re: Bot's getting through even after blocking the domain

@SanfordWhiteman thank you. 

I don't suppose there are ways to stop them?

SanfordWhiteman
Level 10 - Community Moderator

Re: Bot's getting through even after blocking the domain


I don't suppose there are ways to stop them?

You want a combo of

  • reCAPTCHA (to stop machine-submitted forms from being accepted)
  • JS and/or native HTML validation (to stop non-malicious and/or non-skilled humans from submitting unwanted domains)
  • server-side validation (to stop malicious humans from submitting unwanted domains, having skipped around client validation)

However, gaps will always remain.

 

For example, server-side email validation detects email addresses that cannot receive mail, period. It can also detect well-known domains that give out disposable addresses. But it can’t detect domains that aren’t known for providing disposable emails — even if everything sent to those domains is deleted immediately.