We've recently noticed an increase in fake form fills from spam bots on a webinar we are planning to run. Name doesn't match email address, job titles are random words and the domains are all blank pages, so very clearly fake. From multiple IP Addresses but in groups of 2 to 4 and the domains from those IP addresses are always different.
I noticed that about half of them are linked to 2 emails we sent promoting the webinar. All of the form fills happen in about 30mins after the emails have been sent out. The strange part is all of the leads were new, none of them received either of the 2 emails and had no previous activities.
My working theory is that we have 1 or multiple email addresses in our database that are forwarding our emails to spam bots.
Has anyone else experienced this or know what might be happening?
Solved! Go to Solution.
By far the most likely explanation is you have spammers’ addresses in your database. One of the reasons spammers attack forms in the first place is to get new places to spam — a form of amplification attack.
If it’s truly an automated attack then reCAPTCHA will combat it.
You can take extra measures for recording valid registrations:
1. Captcha is one way of suppressing spam attacks but it's not 100% foolproof. If they bypass it somehow, it's good to include two-factor authentication in the registration process. After form submission, an email holding a verification link would land in a valid inbox. Only genuine leads would click on it and you can mark them as registered then.
2. Always have a Marketable inclusion list handy while sending out email communications. The marketable would block existing not-reachable leads beforehand
Thanks for the response
1 - Will definitely look into Captcha, haven't had much luck with it in the past and requires a lot of work getting it on all our forms. With two-factor authentication we worry that people won't click on the confirmation email or don't receive it, bad customer experience. Which isn't great as we are a customer experience company.
2 - We already have a marketable inclusions list and luckily these emails are marked as invalid anyway. It's more they fill up our database and mess with our numbers in Salesforce.
I agree with you, @GregDowse on 2F authentication as that'd undoubtedly hit your registration counts. Personally, I would not want to go through the process of filling out the form and then having to click a link in the email just to confirm my registration. Btw Marketo's new native CAPTCHA integration doesn't require you to do any custom setup, and once setup you can just enable it by editing the Form Settings. This will help you identify the spam form fills by looking at the CAPTCHA score attribute in the Filled out Form activity.
True, but it will not prevent form fills. It will just rate them on a scale of likelihood to be a spam form fill or not. So you will always need a backend process to prevent them from going through your registration process and block them from future campaigns / remove them from your database.
Agreed with @Katja_Keesom! @GregDowse, you should quarantine records that have CAPTCHA Score lesser than a certain value (<0.3/0.4). Don't let these records flow through your operational flows (lifecycle, scoring, normalization, sync to CRM, etc.), and potentially remove them from your database as well. You should check out this article: Application of the CAPTCHA Integration.
This definitely looks like spam form fills. Also, how are you determining that the form fills are linked to the emails you sent? By UTMs of the form fill URL? Nevertheless, you should definitely consider implementing re-CAPTCHA to curb these spam form fills. Note that the KV (known visitor) HTML doesn't work with the native re-CAPTCHA turned on.
UTMs are saying it's Marketo and email. Plus if you look below some of them have this in their activity log. They also only happen after we send out emails about this webinar.
We have thought about re-CAPTCHA but it will take up a large amount of resource updating all of our forms. It was never a problem until now.
By far the most likely explanation is you have spammers’ addresses in your database. One of the reasons spammers attack forms in the first place is to get new places to spam — a form of amplification attack.
If it’s truly an automated attack then reCAPTCHA will combat it.
Are you promoting this webinar by email only or are there other mediums too like website promotion, paid campaigns or social posts, etc.?
If the medium is email only then based on the information you provided, it appears that your email database may have been compromised or there is a possibility of email forwarding to spam bots. Here are a few possible explanations and suggestions to investigate the issue further:
Email database compromise: It's possible that one or more email addresses in your database have been hacked or accessed by unauthorized individuals. They may be using these email addresses to forward your emails to spam bots. Check your email delivery logs and look for any suspicious activities or unusual login patterns.
Email forwarding: Another possibility is that a recipient of your emails has set up an email forwarding rule to automatically send your emails to the spam bots. This could be done intentionally or due to a compromised email account. Check if any forwarding rules are configured on your email server or individual email clients.
Email service provider issue: There could be a security breach or vulnerability in your email service provider's infrastructure that is causing the issue. Contact your email service provider and provide them with the details of the situation. They should be able to investigate and provide guidance on any potential security issues.
To further investigate and mitigate the problem, consider the following steps:
Audit your email list: Review your email database and look for any suspicious or unfamiliar email addresses. Remove any addresses that appear to be suspicious or have been identified as spam bot sources.
Strengthen email security: Change passwords for all email accounts associated with the webinar and enable two-factor authentication (2FA) if available. This will help prevent unauthorized access to your email accounts.
Monitor email delivery logs: Continuously monitor your email delivery logs for any unusual patterns or suspicious activities. Look for IP addresses that consistently appear during the time of the spam form fills and track down their origin.
Implement spam protection measures: Consider implementing additional spam protection measures, such as CAPTCHA verification or other anti-bot mechanisms, on your webinar registration forms. These measures can help prevent automated form fills by spam bots.
Educate employees and recipients: Raise awareness among your employees and recipients about email security best practices, such as avoiding clicking on suspicious links or downloading attachments from unknown sources. This can help minimize the risk of email compromise.
Report the issue: If you suspect that your email service provider may be involved in the issue, report the situation to them. Provide them with the relevant information, including email headers and logs, to assist in their investigation.
Other mediums such as website promotion, paid campaigns, or social posts can also be potential sources of the spam bot form fills. Here's how these mediums could be involved:
Website Promotion: If you have prominently displayed your webinar registration form on your website or promoted the webinar on various pages, it's possible that spam bots have found their way to the form through web scraping or other automated means. They can fill out the form using fake information and submit it.
Paid Campaigns: If you are running paid campaigns to promote your webinar, it's possible that spam bots are targeting your campaign landing pages or registration forms. This can happen if the landing page URL or registration form URL is publicly accessible and the spam bots can reach it through automated means.
Social Posts: If you have shared information about your webinar on social media platforms, it's possible that spam bots have come across those posts and accessed the registration form. They can fill out the form using fake details and submit it.
In these scenarios, the spam bots may not be directly linked to your email database. Instead, they are targeting the publicly accessible forms or URLs associated with your webinar promotion. To address this issue, consider the following steps:
Implement CAPTCHA or other anti-bot mechanisms: Add CAPTCHA verification or other anti-bot measures to your registration forms. These measures can help differentiate between human users and automated bots, reducing the chances of fake form fills.
Monitor website analytics: Keep an eye on your website analytics and track the sources of traffic to your registration forms. Look for any suspicious or abnormal patterns that could indicate bot activity. If you notice a specific source or group of IP addresses consistently generating fake form fills, take action to block or restrict access from those sources.
Use URL protection techniques: If possible, implement measures to protect your registration form URLs. This can include techniques like obfuscation, tokenization, or time-limited URLs to make it harder for spam bots to access and submit the forms.
Regularly update and patch your website: Ensure that your website software, plugins, and other components are up to date with the latest security patches. Vulnerabilities in outdated software can be exploited by spam bots and other malicious actors.
It's important to address this issue promptly to ensure the integrity and effectiveness of your webinar registration process.
Most of these solutions aren't relevant to our situation. It's definitely coming through email and has never been a problem until now, so something has changed. Not possible to go through the whole database as these emails are going out to about 8000 people.
It's not something I've seen spam bots do before and wonder if Marketo and other email platforms are going to start having bigger issues.
Will investigate using re-CAPTCHA although in the past it didn't prevent the spam bots
