Spam Form Fills

SanfordWhiteman
Level 10 - Community Moderator

Re: Spam Form Fills

It's not about genuine leads vs. bots. It's about letting bots overwrite data for existing genuine leads.

ReCAPTCHA can detect non-human action, but not prevent it. The actions you take as a result need to be informed by context. If you let a hacker who harvests your database overwrite existing leads with gibberish, you haven't rolled out ReCAPTCHA the right way, and if the leads end up being deleted (since they failed ReCAPTCHA) that makes the attack even worse.

You want a form post to be, as much as possible, in a silo as a pending data update. A lifecycle-aware rollout of ReCAPTCHA keeps form data in a sandbox until it's deemed safe to merge and doesn't remove existing leads just because somebody impersonated them and skipped the ReCAPTCHA widget.
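The "silo as a pending data update" idea described above, as an added example that is not part of the thread and is not Marketo's own behaviour: a form post is staged under a submission id, the reCAPTCHA verdict is recorded against that staged copy, and only a passing submission is merged into the live lead. A failing or never-verified submission is discarded from the quarantine without touching the existing lead, even when the bot impersonated that lead's email. The field names, the in-memory store and the merge rules are assumptions.

```python
"""
Quarantine-then-merge model for form posts (added example, not Marketo code).
"""
from dataclasses import dataclass
from typing import Optional
import uuid


@dataclass
class Lead:
    # Constructed lead record; field names are assumptions
    email: str
    first_name: str = ""
    company: str = ""
    phone: str = ""


@dataclass
class PendingUpdate:
    submission_id: str
    email: str
    fields: dict
    captcha_passed: Optional[bool] = None   # None until the verification webhook responds


class LeadStore:
    def __init__(self):
        self.leads: dict[str, Lead] = {}           # live records, keyed by email
        self.pending: dict[str, PendingUpdate] = {}  # quarantined form posts

    def submit_form(self, email: str, fields: dict) -> str:
        """Stage a form post. Nothing on the live lead changes yet."""
        sid = uuid.uuid4().hex
        self.pending[sid] = PendingUpdate(sid, email.strip().lower(), dict(fields))
        return sid

    def record_captcha_result(self, sid: str, passed: bool) -> None:
        """Attach the verifier's verdict to the staged copy, not to the lead."""
        self.pending[sid].captcha_passed = passed

    def reconcile(self, sid: str) -> str:
        """Merge or discard one staged update. Returns what happened."""
        upd = self.pending[sid]
        if upd.captcha_passed is None:
            return "waiting"
        if not upd.captcha_passed:
            # Only the quarantined post is dropped; an existing lead with the
            # same email keeps its data even though someone impersonated it.
            del self.pending[sid]
            return "discarded"
        lead = self.leads.get(upd.email)
        if lead is None:
            lead = Lead(email=upd.email)
            self.leads[upd.email] = lead
        for name, value in upd.fields.items():
            # Never let a form post rewrite the key, and ignore blanks so a
            # half-filled post cannot wipe fields the lead already has.
            if name != "email" and hasattr(lead, name) and value not in ("", None):
                setattr(lead, name, value)
        del self.pending[sid]
        return "merged"

    def purge_unverified(self) -> int:
        """Drop staged posts that never received a verdict; live leads are untouched."""
        stale = [sid for sid, upd in self.pending.items() if upd.captcha_passed is None]
        for sid in stale:
            del self.pending[sid]
        return len(stale)
```

Because the quarantine is separate from the lead table, bulk-deleting junk during a botnet storm means purging staged posts, which is cheap and never removes a genuine lead.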

Anonymous
Not applicable

Re: Spam Form Fills

It's about letting bots overwrite data for existing genuine leads.

Can you please explain this Scenario? How this can be possible on Marketo?

if the leads end up being deleted (since they failed ReCAPTCHA) that makes the attack even worse.

What if the actions like send email notifications etc will work only if the captcha is validated, no deletion.

SanfordWhiteman
Level 10 - Community Moderator

Re: Spam Form Fills

It's about letting bots overwrite data for existing genuine leads.

Can you please explain this Scenario? How this can be possible on Marketo?

If I post a form with your address as the Email, and other fields that either aren't filled in or aren't blocked from updates (as would be the case with a field that's intended to be self-maintainable via form), I can overwrite your current data.

if the leads end up being deleted (since they failed ReCAPTCHA) that makes the attack even worse.

What if the actions like send email notifications etc will work only if the captcha is validated, no deletion.

Yes, if you never delete, then at least you won't lose leads completely. But when you're getting attacked by a botnet, you must be able to delete invalid leads, or they will storm your database and also your wallet.

SanfordWhiteman
Level 10 - Community Moderator

Re: Spam Form Fills

  • Marketo executes it asynchronously, let me check that once again.

Outbound webhook calls are synchronous (they block the flow for up to 30 seconds).

The Change Data Value updates in response to webhook calls are asynchronous (they do not block the flow).

Ashley_Tate
Level 2

Re: Spam Form Fills

Sanford Whiteman wrote:

  • The most fundamental is that webhook response data mappings are done asynchronously. You must not check the value of the captchaStatus in the same flow as the Call Webhook. Instead, use another trigger campaign that fires on Data Value Changes. Otherwise this is guaranteed to fail in some percentage of cases.

1) Is the Data Value Change in your comment above being done on the field that stores challenge_ts?

2) After all the logic is done firing, for records that succeed, should I be setting the fields that store the response string (that I send to Google) and the success boolean (that Google returns) to null? I'm guessing that if the Data Value Change is being done on challenge_ts then clearing out these two fields isn't necessary.

SanfordWhiteman
Level 10 - Community Moderator

Re: Spam Form Fills

1) Is the Data Value Change in your comment above being done on the field that stores challenge_ts?

The field that stores the true/false result from Google.

Any value change activity that results from a webhook response mapping needs to be detected using Data Value Changes trigger, not simply by checking the value, after the webhook runs, in the same Flow.

2) After all the logic is done firing, for records that succeed, should I be setting the fields that store the response string (that I send to Google) and the success boolean (that Google returns) to null? I'm guessing that if the Data Value Change is being done on challenge_ts then clearing out these two fields isn't necessary.

On a Boolean true, I would write {{system.datetime}} to a Datetime field LastRecaptchaPass.

Then clear the ReCAPTCHA values that came in with the form data itself, so you don't get confused about them later.

Anonymous
Not applicable

Re: Spam Form Fills

I'm not exactly clear on if you're saying we should reset/clear the captcha success Boolean or just the other ReCAPTCHA values.

If we are not clearing the captcha success Boolean, does the Data Value Changes trigger still fire if it is set to true and a new form submission results in a new true response from Google?

If we are clearing the captcha success Boolean, would resetting it cause an infinite loop since we're changing the value of the field that is used as the trigger?

Finally, would it make sense to use a WAIT action after the call webhook instead of using another campaign with the Data Change Values trigger? Are you recommending using another campaign because there's just no way to tell how long the webhook might take, is it for efficiency, or does it yield some other benefits?

SanfordWhiteman
Level 10 - Community Moderator

Re: Spam Form Fills

If we are not clearing the captcha success Boolean, does the Data Value Changes trigger still fire if it is set to true and a new form submission results in a new true response from Google?

Nope, that's not a change.

If we are clearing the captcha success Boolean, would resetting it cause an infinite loop since we're changing the value of the field that is used as the trigger?

There'd be a loop if you didn't constrain the Source, but if you specify Data Value Changes + Source = Webhook then there won't be.

Finally, would it make sense to use a WAIT action after the call webhook instead of using another campaign with the Data Change Values trigger? Are you recommending using another campaign because there's just no way to tell how long the webhook might take, is it for efficiency, or does it yield some other benefits?

You should only use Wait steps for deliberate, absolute pauses, not for "best guess" scenarios like this. And you want to minimize the number of leads in wait steps across your instance. Using Data Value Changes is exact and efficient.
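The two-campaign pattern discussed in the replies above, as an added example that is not part of the thread and does not model Marketo's internals: the webhook response mapping is applied after the flow step returns, so the verdict is consumed by a listener on the value change rather than read in the same flow; that listener is constrained to source `webhook`, so its own writes (the `LastRecaptchaPass` timestamp and the clearing of the incoming ReCAPTCHA values) do not retrigger it; and `clear_after=False` reproduces the case where a second `true` verdict is not a change and fires nothing. Field names, the `fake_siteverify` stand-in and the queue mechanics are assumptions.

```python
"""
Event-driven model of "Call Webhook" + "Data Value Changes (Source = Webhook)"
(added example; nothing here is Marketo's own code or a real network call).
"""
from collections import deque
from datetime import datetime, timezone


class LeadFlow:
    def __init__(self, clear_after=True):
        # Constructed lead record; field names are assumptions
        self.lead = {
            "Email": "person@example.com",
            "recaptchaResponse": None,   # token that came in with the form
            "captchaStatus": None,       # mapped from the webhook response
            "LastRecaptchaPass": None,   # written by the second campaign on true
        }
        self.clear_after = clear_after
        self.events = deque()            # queued (field, old, new, source) changes
        self.pending_mappings = []       # webhook response writes not yet applied
        self.firings = 0                 # how often the second campaign ran

    def set_field(self, field, value, source):
        old = self.lead[field]
        self.lead[field] = value
        if old != value:                 # writing the same value is not a Data Value Change
            self.events.append((field, old, value, source))

    @staticmethod
    def fake_siteverify(token):
        """Stand-in for the verifier; only the constructed good token passes."""
        return {"success": token == "constructed-good-token"}

    def call_webhook(self):
        """Campaign 1 flow step: the call is synchronous, the mapping lands later."""
        resp = self.fake_siteverify(self.lead["recaptchaResponse"])
        self.pending_mappings.append(("captchaStatus", resp["success"]))

    def apply_pending_mappings(self):
        while self.pending_mappings:
            field, value = self.pending_mappings.pop(0)
            self.set_field(field, value, "webhook")

    def on_data_value_change(self, event):
        """Campaign 2 trigger: Data Value Changes, attribute captchaStatus, source Webhook."""
        field, old, new, source = event
        if field != "captchaStatus" or source != "webhook":
            return False                 # the source constraint stops our own writes retriggering us
        self.firings += 1
        if new is True:
            stamp = datetime.now(timezone.utc).isoformat()
            self.set_field("LastRecaptchaPass", stamp, "flow")
        if self.clear_after:
            # Clear what came in with the form so stale values cannot confuse later runs
            self.set_field("recaptchaResponse", None, "flow")
            self.set_field("captchaStatus", None, "flow")
        return True

    def drain_events(self, limit=50):
        """Dispatch queued changes; the limit is a guard, not a wait step."""
        fired = 0
        while self.events and limit > 0:
            limit -= 1
            if self.on_data_value_change(self.events.popleft()):
                fired += 1
        return fired

    def run_submission(self, token):
        self.set_field("recaptchaResponse", token, "form")
        self.call_webhook()
        # What campaign 1 would see if it checked captchaStatus right after the webhook:
        status_seen_in_flow = self.lead["captchaStatus"]
        self.apply_pending_mappings()
        return {"status_seen_in_flow": status_seen_in_flow, "firings": self.drain_events()}
```

With `clear_after=False`, the second submission of the same lead shows a stale `True` to campaign 1 and produces no change event at all, which is the "that's not a change" case from the reply.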

Anonymous
Not applicable

Re: Spam Form Fills

Where do you put the CSS code in the Marketo form to add the captcha?

Brooke_Bartos1
Level 6 - Champion Alumni

Re: Spam Form Fills

Hi Sanford, the MktoForms2 :: reCAPTCHA code -- is that only for Marketo LPs or can that be used with other CMS? I've been trying to work off of this one Google reCAPTCHA-Mkto forms integration but it's LP only.