We are having performance issues with reCaptcha integration, because Marketo is not able to reliably validate a response within 2 minutes. There is a suggestion to proxy the reCaptcha results in persistent database here: https://nation.marketo.com/t5/Product-Discussions/How-to-call-reCaptcha-Webhook-in-less-than-2-minut... but the web team would prefer not to set up a persistent database.
Here is an idea of a simple alternative:
1. Instead of sending a reCaptcha fingerprint with the form submission, submit a custom signature that would be calculated in the browser based on email address, e.g. sha256 of email address.
2. Create a simple validation web service that would take an email address and a signature and return a JSON object like this:
{
"success": true|false, // whether the signature matches the email address
"response_ts": timestamp // timestamp of the response (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
}
3. Marketo would call the validation web service using a webhook after a form was submitted and blacklist any leads for which the response returned success = false. The timestamp would be used for a Change Data Value trigger.
Advantages:
Disadvantages:
I think the disadvantages are manageable - the spam leads we were getting were not using a browser, but directly posting to the forms endpoint. Those leads would be easily weeded out by this mechanism.
Before implementing this idea, I am submitting it for review to the community to see if I am missing something obvious. I will appreciate any feedback.
Pavel
This is so trivially forgeable that it has nothing in common with reCAPTCHA. It's just an algorithm revealed in plain text in the browser for anyone to (ab)use.
Hi Sanford, appreciate the feedback. I agree it is forgeable, but not trivially. For starters, it will require somebody (a JavaScript-knowledgeable human being) to spend some time and effort - a barrier most hackers that post spam leads to Marketo instances will not bother to overcome. The sha256 hash is just an example; a more complex algorithm could be used. Finally, the website could generate changing seeds for the signature that a hacker would not be able to forge.
My understanding of the spammer game is as follows: They submit to random forms on the web and monitor replies. If they find an auto-response with personalized content, they just replicate the traffic in an automated way, bypassing the browser. They do not inspect the website code - the return on such effort would not be worth it. This is the attack we are trying to block.
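The exchange above can be made concrete. The block below is an added example, not code from Pavel's proposal or from Marketo: it implements the validation web service as described in the original post (sha256 of the email address, a JSON object with "success" and an ISO-format "response_ts"), shows the forgery Sanford describes (a client that never loads the page computes a passing signature because the algorithm needs no secret), and then shows one way to realize the "changing seeds" idea from the reply without a persistent database. Everything about the seed mechanism is an assumption on my part: a server-held secret, a seed derived from it and the current time bucket, and a one-bucket grace period. The email normalization (trim and lowercase) is also an assumption; whatever Marketo passes to the webhook must be normalized identically, or legitimate leads will be rejected.

```python
"""Added example (not part of the original thread): the proposed
email-signature check, a forged submission against it, and a seeded
variant. SERVER_SECRET, the rotation period and the normalization rule
are assumptions, not anything the thread specifies."""
import hashlib
import hmac
import time
from datetime import datetime, timezone
from typing import Optional

SERVER_SECRET = b"replace-with-a-random-32-byte-secret"  # assumed; never sent to the browser
SEED_ROTATION_SECONDS = 600  # assumed seed rotation period


def normalize(email: str) -> str:
    """Assumed normalization; browser and service must agree on it exactly."""
    return email.strip().lower()


def browser_signature(email: str) -> str:
    """Step 1 of the proposal: what the page's JavaScript computes."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def response_ts(now: Optional[float]) -> str:
    """Timestamp in the yyyy-MM-dd'T'HH:mm:ssZZ form the proposal asks for."""
    t = datetime.fromtimestamp(now if now is not None else time.time(), tz=timezone.utc)
    return t.strftime("%Y-%m-%dT%H:%M:%S%z")


def validate(email: str, signature: str, now: Optional[float] = None) -> dict:
    """Step 2: the validation web service for the unseeded scheme."""
    ok = hmac.compare_digest(browser_signature(email), signature)  # constant-time compare
    return {"success": ok, "response_ts": response_ts(now)}


def forged_submission(email: str) -> dict:
    """Sanford's point: a bot that only knows 'sha256 of the lowercased
    email' produces a valid signature without ever loading the page."""
    digest = hashlib.sha256(email.lower().encode("utf-8")).hexdigest()
    return {"email": email, "signature": digest}


def current_seed(now: Optional[float] = None, bucket_offset: int = 0) -> str:
    """Seed the server embeds in the page at render time. It is an HMAC of
    the current time bucket under the server secret, so the service can
    recompute it later with no stored state (assumed design)."""
    t = now if now is not None else time.time()
    bucket = int(t // SEED_ROTATION_SECONDS) - bucket_offset
    return hmac.new(SERVER_SECRET, str(bucket).encode("ascii"), hashlib.sha256).hexdigest()


def seeded_signature(email: str, seed: str) -> str:
    """What the page's JavaScript would compute in the seeded variant."""
    return hashlib.sha256((normalize(email) + ":" + seed).encode("utf-8")).hexdigest()


def validate_seeded(email: str, signature: str, now: Optional[float] = None,
                    grace_buckets: int = 1) -> dict:
    """Accept the current seed and `grace_buckets` earlier ones, so a form
    loaded just before a rotation still validates. Without the page's seed
    (or after it has expired) a submission fails."""
    t = now if now is not None else time.time()
    ok = False
    for offset in range(grace_buckets + 1):
        expected = seeded_signature(email, current_seed(now=t, bucket_offset=offset))
        # Evaluate every candidate; do not short-circuit on a match.
        ok = hmac.compare_digest(expected, signature) or ok
    return {"success": ok, "response_ts": response_ts(t)}


if __name__ == "__main__":
    email = "User@Example.com"
    print(validate(email, browser_signature(email)))              # passes
    forged = forged_submission(email)
    print(validate(forged["email"], forged["signature"]))         # also passes: no secret involved
    seed = current_seed()
    print(validate_seeded(email, seeded_signature(email, seed)))  # passes
    print(validate_seeded(email, forged["signature"]))            # fails: forger has no seed
```

The seeded variant only raises the bar to what the reply already concedes: a spammer who fetches the page, reads the current seed and replays within the rotation window still passes. It stops the traffic described in the last post (replaying captured submissions without touching the page), which is the stated goal, and nothing more.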