Re: reCAPTCHA Medium Article Clarification

Anonymous
Not applicable

As a non-developer, I was looking for the most elementary step-by-step instructions on how to add reCAPTCHA to Marketo forms. I ended up following this article on Medium but noticed some inconsistencies, so I was wondering if a Marketo expert (*cough*, specifically one who is highly referenced in the article, *cough* Sanford Whiteman) can help provide some clarity?

In the attached PDF, I copied the parts of the instructions I had questions on and wrote my questions directly in the PDF. It's too much effort to explain everything here since I don't have the images as reference, so if you can take a look I'd be super happy.

Thanks for being awesome!

Grégoire_Miche2
Level 10
SanfordWhiteman
Level 10 - Community Moderator

Thanks, Greg.  While a nice effort (and I appreciate its shout-out to my original code) the Medium article is definitely incomplete.

Christina, if you read my other comments you'll see you need much more than just a success/failure boolean.  You need to timestamp the last success and failure, and it's also important that you use a quarantine list rather than immediately deleting leads that fail reCAPTCHA -- you don't want to delete an existing lead whose email was used maliciously!

Another part that often trips people up -- and this is Google's fault, really -- is that the same word "response" is used to refer to both [1] the automatically generated client-side hash (generated by the reCAPTCHA backend in response to mouse/keyboard interaction in the browser) and [2] the JSON response to the webhook that looks up the client-side hash to see if it passed. They are both responses in a grand sense, yes. But it would be better to think of [1] as the "user fingerprint code" and [2] as "the webhook response."

Anonymous
Not applicable

Sanford Whiteman​ just one more question.

Sanford Whiteman wrote:

You need to timestamp the last success and failure, and it's also important that you use a quarantine list rather than immediately deleting leads that fail reCAPTCHA -- you don't want to delete an existing lead whose email was used maliciously!

Are you saying that if a bot tries to submit a request using a real lead's email, that email is forever blocked from filling out a form on our website and the lead is automatically deleted from Marketo? (unless we quarantine it?)

Also, I thought the point of the reCAPTCHA was to prevent any malicious bot from submitting a form request and thus becoming a lead in the first place.

SanfordWhiteman
Level 10 - Community Moderator

Are you saying that if a bot tries to submit a request using a real lead's email, that email is forever blocked from filling out a form on our website and the lead is automatically deleted from Marketo? (unless we quarantine it?)

I'm saying that you need to make sure that you don't delete a lead summarily just because it failed reCAPTCHA, if it previously passed reCAPTCHA and/or was already in your database.

I thought the point of the reCAPTCHA was to prevent any malicious bot from submitting a form request and thus becoming a lead in the first place.

In other systems, that would be the way I'd describe it, yes.

In Marketo, the reCAPTCHA runs after the form post is processed. So you can delete any malicious post that does not correspond to an existing lead.  But with existing leads you have to be more delicate.

Anonymous
Not applicable

Are you saying that if a bot tries to submit a request using a real lead's email, that email is forever blocked from filling out a form on our website and the lead is automatically deleted from Marketo? (unless we quarantine it?)

I'm saying that you need to make sure that you don't delete a lead summarily just because it failed reCAPTCHA, if it previously passed reCAPTCHA and/or was already in your database.

Gotcha. Okay so I'll create a smart list that looks something like this: 1) lead created over 1 day ago, And 2) Invalid email = false.

I thought the point of the reCAPTCHA was to prevent any malicious bot from submitting a form request and thus becoming a lead in the first place.

In other systems, that would be the way I'd describe it, yes.

In Marketo, the reCAPTCHA runs after the form post is processed. So you can delete any malicious post that does not correspond to an existing lead. But with existing leads you have to be more delicate.

That is very disappointing as it in some ways defeats the purpose of using a reCAPTCHA. I'll probably need to update a bunch of existing smart campaigns as well as workflows in and LeanData that usually trigger once a new lead comes in because of this.

SanfordWhiteman
Level 10 - Community Moderator

Gotcha. Okay so I'll create a smart list that looks something like this: 1) lead created over 1 day ago, And 2) Invalid email = false.

That doesn't seem to conform to the requirements. The idea is that a lead that fails reCAPTCHA and didn't exist before can be deleted. A lead that either (a) existed before and passed reCAPTCHA before or (b) entered the system via a non-reCAPTCHA-protected mechanism should not be deleted.
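
An added illustration, not part of the thread or any poster's code: the delete/quarantine rule stated above, together with the earlier distinction between [1] the client-side code and [2] the webhook response, modelled as plain JavaScript. In Marketo this logic lives in smart campaigns; the lead field names (`existedBeforePost`, `lastCaptchaSuccess`, `lastCaptchaFailure`) are hypothetical, the sample bodies are constructed, and sending an unreadable webhook response to quarantine is this example's assumption.

```javascript
// Added illustration; lead field names below are hypothetical, not Marketo's.
// Constructed sample bodies for [2] "the webhook response" (siteverify-style JSON).
const SAMPLE_PASS = '{"success": true, "challenge_ts": "2019-01-01T00:00:00Z", "hostname": "example.com"}';
const SAMPLE_FAIL = '{"success": false, "error-codes": ["invalid-input-response"]}';

// Interpret the webhook response. An unparseable body means the lookup itself
// broke, which is not the same as the user failing reCAPTCHA.
function readWebhookResponse(body) {
  let json;
  try {
    json = JSON.parse(body);
  } catch (e) {
    return { verdict: "unknown", codes: [] };
  }
  if (json && json.success === true) return { verdict: "pass", codes: [] };
  const codes = json && Array.isArray(json["error-codes"]) ? json["error-codes"] : [];
  return { verdict: "fail", codes };
}

// Decide what to do with the lead after the form post has already been stored.
function triageLead(lead, webhookBody, now) {
  const { verdict, codes } = readWebhookResponse(webhookBody);
  const updated = { ...lead };
  if (verdict === "pass") {
    updated.lastCaptchaSuccess = now;
    return { action: "keep", lead: updated, codes };
  }
  if (verdict === "fail") updated.lastCaptchaFailure = now;
  // Only a definite failure on a lead created by this very post is deletable.
  if (verdict === "fail" && !lead.existedBeforePost) {
    return { action: "delete", lead: updated, codes };
  }
  // Existing leads (passed before, or came in through an unprotected channel)
  // and indeterminate lookups go to the quarantine list for review.
  return { action: "quarantine", lead: updated, codes };
}
```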

Anonymous
Not applicable

Sanford Whiteman​ just to be clear once a bot submits a form the reCAPTCHA can prevent the person from becoming a lead in Marketo? Or will I need to create a smart rule to have the person deleted... (assuming they are not already a lead in the system)...

SanfordWhiteman
Level 10 - Community Moderator

... once a bot submits a form the reCAPTCHA can prevent the person from becoming a lead in Marketo? Or will I need to create a smart rule to have the person deleted... (assuming they are not already a lead in the system)...

You will always need an SC.

This is where reCAPTCHA in Marketo differs from integration with a bespoke system.  In the latter case you'd call the webhook before data is added to the main database (you would save it in a temporary database or in memory).  In Marketo the data is in the database, then the Filled Out Form and/or Person Created ​triggers fire.

Michael_Mason
Level 4

A question to clarify my understanding on this portion.

Regarding the scenario where an existing lead fills out a form, how would one keep the data from being put into the Marketo db by proxy? My guess would be to set up similar fields in Marketo to the actual fields, and our forms would write to these proxy fields (Example: Field "First Name" might have a proxy field named "PROXY First Name", and the forms would all use these proxy fields). Then, on a positive response from the reCaptcha webhook, we'd use a SC to overwrite any data from the proxy to the actual field. Is that accurate?

If I'm completely off-base, any guide toward enlightenment is greatly appreciated!!

SanfordWhiteman
Level 10 - Community Moderator

Absolutely right.

Peter_Fudalej
Level 1

Hi Sanford,

I am working through your Evernote instructions and have made it to the Changes to the forms2 code section. I am not sure where to place the lines of code for both the mktoForms2.whenready and Form onvalidate event pieces.

Any insight you can provide would be great, thank you.

SanfordWhiteman
Level 10 - Community Moderator

I am working through your Evernote instructions a


Not mine though. 🙂

 

I'd advise waiting for me to pub the reCAPTCHA v3 instructions here on the Products blog, which I'll do as soon as I can get out from under a ton of work this week...

Peter_Fudalej
Level 1

Thanks, Sanford, looking forward to your reply. 

Anonymous
Not applicable

Got it, thank you Sanford for your help. I'll let you know how things go.

Perhaps I can hire you for some consulting hours? Feel free to send me an email at c(dot)wu(at)fincad(dot)com.

Anonymous
Not applicable

Sorry I think I missed your point. Makes sense now.

SanfordWhiteman
Level 10 - Community Moderator

That is very disappointing as it in some ways defeats the purpose of using a reCAPTCHA.

Not really, as 99.999% of malicious attackers are not going to impersonate existing leads. If you find a different pattern in your instance there are other ways to combat it.

Anonymous
Not applicable

Thanks Sanford and Gregoire Michel. As a complete programming nube, I am wondering if there is a step-by-step dummies guide to everything you both said. I understood about 1/4 of what you guys said, lol. Even though I've seen Sanford's codepen, I have no idea how and where to apply that information. Anyhow, I neither want nor expect the two of you to waste any more time explaining what to you must be elementary-level information to me. I do appreciate both your openness and willingness to help though.

SanfordWhiteman
Level 10 - Community Moderator

I have been meaning to lay out the "real" way to do it on the blog, but it's naturally very screenshot-heavy and I'm kind of backed up with other posts. I did just roll it out again the other week so maybe I can go into that instance while it's still fresh...

Grégoire_Miche2
Level 10

I have captured most of it here : https://www.evernote.com/l/AVtV0xpuoK5KbYCoUMa-LswjeYG1TsyTeao

-Greg

Joanna_Demeo1
Level 1

Any chance this evernote doc could be shared again? I'm trying to figure out how to set up the fields in Marketo admin->Field management.