Re: Is there any way to block spam form sign ups?

Nichole Cunningham - PRODUCTION​, why don't you do the email validation before the form submission, and prevent the creation of leads without a valid email address?  Most of our new leads with invalid email addresses are due to typos in the email address. It's bad to let these be submitted for several reasons - the lead doesn't get an email delivering what they requested, which results in a bad impression.  They may never submit a form again, so you've wasted lead gen $ and lost a potential customer.  if they submit the form again with a valid email address, there will be two leads that may not get merged, so your source attribution metrics won't be accurate when the lead becomes a Contact and Won Opp. .

We are implementing a real-time validation with Strikeiron right now that we hope will solve this issue.

Elliott Lowe

We've (Etumos) built a small product to do the same thing, but integrated with Marketo Forms 2.0. Does real-time validation on the email address then uses Marketo's native error codes to get the user to correct their input.

Demo to see it in action is here: Demo: Real-Time Email Verification in Marketo

Nuance to it, based on lots of testing I've done, is that this is based on MX responses, so if someone puts in a valid email address that they don't actually own, it won't kick the email address out (e.g., asdf@asdf.com )

Cheers,

Edward Unthank | Founder, Etumos

Hi there! This is obviously an old post, but looks like this Etumos tool l may help in what we're looking to do. Problem though, go to fill the form on the landing page you referenced and it's not letting me submit my business email as it's not accepting that it's real... can you offer any help or additional info here?

What's the address?

meghan.souza@euromonitor.com - I've also just created a post on the topic here if you're interested in looking : Block SPAM/Bot Form Fills - Not reCaptcha or Honeypot

The reason your email address is flagged when you fill out the demo form is your domain's MX is deliberately returning indeterminate results. After a delay, your MX will finally return correct results (if you try to submit again now, you'll see the disposition is known).

With Etumos Verify, you can configure an indeterminate result to be considered a pass instead of a fail (though the Verify demo page doesn't set this config option, as it's trying to be most precise). Then you periodically re-check those indeterminates via a webhook. Of course this means you have to let the form submit... that's why the default is to block indeterminates (which, debatably, represent a mailserver misconfiguration).

Ok, so to have this accept indeterminate results would this also mean in this config you would also allow in false domains (before re-checking and spitting out)? Or is indeterminate a level above "fake" altogether?

Indeterminate is a level above and considered separate from nonexistent, but someone could put up an MX (like yours) that makes every mailbox indeterminate.

Alright, last thing, the spam we've been getting makes me think this is a human logging hundreds of form fills - almost always come from @qq.com - so the goal is not only to check the domain but also verify the recipient is legitimate, it sounds like this tool just checks domain validity - is that correct? or the webhook checks both just after submission? Wish we could keep this out of the db altogether of course

Verify checks, end-to-end, the mailbox@domain. Not just the domain!

The question is whether the domain's MX gives a real-time result for whether the mailbox exists. If it refuses to give a real-time answer you must continue to check periodically (although it may refuse indefinitely). Because you need to retry at least a full minute later you can't do that within the form itself, you have to let the form post and then check using a 'hook.  This means you will likely still get an actionable pass/fail but that happens after the lead is in the system -- you need to defer processing a lead any further until you get firm knowledge either way. Note it's exactly the same with reCAPTCHA, though they are targeting different cases. With reCAPTCHA you must let the form submit, then check if the reCAPTCHA matched. You can't check the match in the browser, that's where the hacking happens.

Thanks for the thorough explanation! I'll look through the recapctha implementation docs you've made for the rest of my implementation q's on this further then! Much appreciated

I have this setup as described but it doesn't catch any bots at all since its been live - are there specific settings I need to make sure are setup on the form?

I just got reCAPTCHA working with Marketo forms.  If you're interested, follow me and I'll follow you back and we can discuss it.

cool - yeah just followed you, let me know

Thanks

The concept is very easily foiled, since <INPUT type="hidden"> can be readily detected by a spambot and skipped over.  You'd have better luck (but it's still just luck) having a standard <INPUT type="text">, but hiding it via CSS instead.  Other approaches using JavaScript to dynamically assemble the form post can make it harder still for a bot to detect the legit parameters for posting.  Still, you're relying on laziness and luck, since short of a robust captcha/recaptcha, a machine could learn how to post a legit-looking form.

Hi Sanford,

I just followed you as well. I'm interested in learning about how you implemented recaptcha.

Regards,

Chris