Re: Spam Form Fills

Interested in the response to this!

Have you put in a hidden field as a honeypot for bot form fills?

You can add the familiar Google reCAPTCHA protection to Marketo forms: MktoForms2 :: reCAPTCHA

You pair it with Marketo webhook to verify submissions, and it is effectively un-bottable.

Hi Sanford,

This is awesome, thank you for providing the code! We've used it on our forms as well, but we do run into an error: 

As we believe it is to do with the lastRecaptchaUserInput, our question is: How do we 'process' the 'lastRecaptchaUserInput' in Marketo?

form.addHiddenFields({

      lastRecaptchaUserInput: recaptchaResponse

});

Snippet from: https://codepen.io/figureone/pen/meybqN?editors=0110

Looking forward to your response!

Many thanks,

Sophie

Well, you have to send the lastRecaptchaUserInput to the webhook (which you're doing) but then working with the response is a significant number of additional steps, like triggering on Webhook Is Called and then proceeding with lead intake processing from there, only if the person passes reCAPTCHA validation. (All other processes need to be dependent on the reCAPTCHA success, there can't be stuff that fires while the validation is still running.)

Bottom line, there are too many moving parts to really troubleshoot via Community thread.

Hi Sanford, the MktoForms2 :: reCAPTCHA code -- is that only for Marketo LP's or can that be used with other CMS? I've been trying to work off of this one Google reCAPTCHA-Mkto forms integration  but it's LP only.

It can be used either with embedded Marketo forms or named mktoForm elements on a Marketo LP... you're looking at an embedded form on CodePen!

Great, thanks for confirming!

Thought you said on the other thread that the back end was already set up by another dev.

Any reason we'd want to use this code you've posted before instead of the one linked above?

They're the exact same demo page!

Hi Sanford Whiteman thanks for the sharing! Can you clarify for me where I should put the js in your link? Do we add to the header of each page that has a form? I've got a very basic understanding of js and css.

You're going to need more than JS and CSS because you need to also call a webhook to verify the ReCAPTCHA. ReCAPTCHA, like all Captchas, is not a browser-only technology (a lot of people don't understand this) because you a bot can easily avoid filling out the Captcha at all.

What isn't easy to forge, on the other hand -- and this is why Captchas exist -- is filling out the Captcha correctly, which in the newer-fangled Captchas means "correct answer + like a human would do it." So you always need the back end call to verify upon submission, otherwise you're not getting any protection.

It's likely that you'll need someone who gets the whole "life cycle" to set this up for you, since it's a simple process but you kinda need to get it end-to-end.

Anulal, thanks a lot for featuring and attributing my code!

Some flaws in your walkthrough, though...

• The most fundamental is that webhook response data mappings are done asynchronously. You must not check the value of the captchaStatus in the same flow as the Call Webhook.  Instead, use another trigger campaign that fires on Data Value Changes. Otherwise this is guaranteed to fail in some percentage of cases.
• You want to be clear to the reader that a lead that fails ReCAPTCHA can only be deleted if it's the only thing that lead has done. You don't want to allow someone to impersonate another lead and result in the latter being deleted from the db.
• Conversely, you don't want to leave failed leads around in your db indefinitely. While you may not delete them immediately, they should be marked for periodic deletion.
• If a good lead already exists in your database (having either passed ReCAPTCHA or never having had the chance to be tested), what you need to do is throw out the field changes that accompanied the bad form post, but don't throw out any other fields. This requires the use of proxy fields for the complete lifecycle.
• Finally, using a Boolean for captchaStatus isn't what I'd recommend. Instead have two fields, lastReCAPTCHAFail (a Datetime) and lastReCAPTCHAPass (also a Datetime). Stamp these with {{system.datetime}} accordingly. This gives you the audit trail you need to make intelligent choices about the "final fate" of leads that have submitted a form.

Sanford Whiteman wrote: The most fundamental is that webhook response data mappings are done asynchronously. You must not check the value of the captchaStatus in the same flow as the Call Webhook. Instead, use another trigger campaign that fires on Data Value Changes. Otherwise this is guaranteed to fail in some percentage of cases.

1) Is the Data Value Change in your comment above being done on the field that stores challenge_ts?

2) After all the logic is done firing, for records that succeed, should I be setting the fields that store the response string (that I send to Google) and the success boolean (that Google returns) to null? I'm guessing that if the Data Value Change is being done on challenge_ts then clearing out these two fields isn't necessary.

1) Is the Data Value Change in your comment above being done on the field that stores challenge_ts?

The field that stores the true/false result from Google.

Any value change activity that results from a webhook response mapping needs to be detected using Data Value Changes trigger, not simply by checking the value, after the webhook runs, in the same Flow.

2) After all the logic is done firing, for records that succeed, should I be setting the fields that store the response string (that I send to Google) and the success boolean (that Google returns) to null? I'm guessing that if the Data Value Change is being done on challenge_ts then clearing out these two fields isn't necessary.

On a Boolean true, I would write {{system.datetime}} to a Datetime field LastRecaptchaPass.

Then clear the ReCAPTCHA values that came in with the form data itself, so you don't get confused about them later.