While all of these are valid solutions I still find myself a bit lost here.
Surely spammers aren't ramming through your reCAPTCHA. You mean you haven't rolled it out, right?
Exactly, I'm doing my due diligence before I move forward with any of the above steps.
OK. #3 still doesn't make any sense. Spambots don't care if there's a JS relocation or a <META> redirect. If they can discover and submit a rendered form on page X, they will. Now, if the form only exists after a script has run (as with Forms 2.0 embed code) you might realize some benefits; if the rendered page is inspected, the endpoint is clear to see, but that does take a bit more work.
For full protection, because Marketo endpoints always follow a clear architecture that doesn't even require a landing page to exist at all, you need to get away from the idea of concealing the form fields themselves and instead make the form fields' expected contents hard to spoof. This is why #1 can work by virtue of "expecting empty" and is really the core idea of #2.
Wow, great response. I actually came to the same conclusion as well (with a little less science) and made the recommendation for my team to apply solutions 1 & 2 to all future forms (and past as well). Especially because both are solutions that I could implement on my own.
In addition, I did setup the New Smart Campaign that identifies anyone who fills out fields on a form with entries I've identified with spam such as "123456" for phone number, etc. I set it run automatically once every hour.
I'll be a happy camper once all of this is setup and the spam is behind me. Thanks for talking this through with me. Cheers!
Thomas - would you be comfortable sharing your filtering criteria for the smart campaign?