Fascinating!
Marketo does have SQL injection protection, obviously, but apparently not something built-in to keep your database clean from these junk values.
The interesting part to me is that these wouldn't be valid email addresses with their pattern. There is client-side form validation eliminating people manually trying to get past keyboard-slamming in the email field, but apparently not server-side validation of these fields. Someone trying to get past that protection can easily turn off JS and submit whatever they want in the form.
You could easily set up some smart lists/smart campaigns watching for irregular email values if this continues to be a problem, and delete those leads. Any email address containing "<, ', /, &, #, -" etc. I'm sure you could find other patterns within the leads themselves, the other fields that are available, and cast your own comprehensive net to catch/delete these false leads.
You also could set up an alert for "new lead created with weird symbol value" that goes to an admin, if you think there's someone manually trying to hack into your system. That will be an overwhelming amount of emails if it's a bot doing it, though.
Best,
Edward Unthank
Marketing Operations Specialist
Yesler
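
The triage the reply describes, sketched as a server-side check over exported lead records. This is an added example, not part of the original post and not Marketo code; the function names, the record fields and the choice to flag only a doubled hyphen (a single hyphen is common in real domains) are assumptions.

```python
import re

# Characters named in the post; "-" is handled separately below because a
# single hyphen is common in real domains (assumption of this example).
POST_CHARS = "<'/&#"
# Conservative shape: one "@", dotted domain of letter/digit/hyphen labels.
EMAIL_SHAPE = re.compile(
    r"^[^\s@]{1,64}@(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$"
)

def triage_email(value):
    """Return (verdict, reasons) where verdict is 'ok', 'review' or 'reject'."""
    reasons = []
    if not EMAIL_SHAPE.match(value):
        reasons.append("not a well-formed address")
    found = sorted(c for c in set(value) if c in POST_CHARS)
    if found:
        reasons.append("contains " + " ".join(found))
    if "--" in value:
        reasons.append("contains --")
    if not reasons:
        return "ok", reasons
    # Malformed values are safe to drop; well-formed ones with odd
    # characters (e.g. an apostrophe in a surname) go to a human.
    verdict = "reject" if reasons[0].startswith("not") else "review"
    return verdict, reasons

def triage_leads(leads):
    """Group lead ids by verdict."""
    out = {"ok": [], "review": [], "reject": []}
    for lead in leads:
        verdict, _ = triage_email(lead["email"])
        out[verdict].append(lead["id"])
    return out

# Constructed sample records, not real lead data.
SAMPLE_LEADS = [
    {"id": 1, "email": "jane.doe@example.com"},
    {"id": 2, "email": "o'brien@example.com"},
    {"id": 3, "email": "x' OR '1'='1"},
    {"id": 4, "email": "<b>test</b>@example.com"},
    {"id": 5, "email": "sales@my-company.example"},
    {"id": 6, "email": "asdfjkl"},
]

if __name__ == "__main__":
    for verdict, ids in triage_leads(SAMPLE_LEADS).items():
        print(verdict, ids)
```

Here "reject" corresponds to the delete rule and "review" to the admin alert suggested in the reply.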