Hi all, was hoping someone could help me with an issue we have been experiencing recently.
We've been getting a ton of submissions to our demo request page with complete junk information. All fields are filled out, but the person and company do not exist and the rest is gibberish.
I know Marketo does things like the hidden fields on forms to segment out bots, but I'm not sure how to filter out human spammers that are filling out the form manually?
Any help would be greatly appreciated!
Ashley
I'm not exactly clear on if you're saying we should reset/clear the captcha success Boolean or just the other ReCAPTCHA values.
If we are not clearing the captcha success Boolean, does the Data Value Changes trigger still fire if it is set to true and a new form submission results in a new true response from Google?
If we are clearing the captcha success Boolean, would resetting it cause an infinite loop since we're changing the value of the field that is used as the trigger?
Finally, would it make sense to use a WAIT action after the call webhook instead of using another campaign with the Data Change Values trigger? Are you recommending using another campaign because there's just no way to tell how long the webhook might take? Is it for efficiency, or does it yield some other benefits?
If we are not clearing the captcha success Boolean, does the Data Value Changes trigger still fire if it is set to true and a new form submission results in a new true response from Google?
Nope, that's not a change.
If we are clearing the captcha success Boolean, would resetting it cause an infinite loop since we're changing the value of the field that is used as the trigger?
There'd be a loop if you didn't constrain the Source, but if you specify Data Value Changes + Source = Webhook then there won't be.
Finally, would it make sense to use a WAIT action after the call webhook instead of using another campaign with the Data Change Values trigger? Are you recommending using another campaign because there's just no way to tell how long the webhook might take? Is it for efficiency, or does it yield some other benefits?
You should only use Wait steps for deliberate, absolute pauses, not for "best guess" scenarios like this. And you want to minimize the number of leads in wait steps across your instance. Using Data Value Changes is exact and efficient.
- Marketo executes it asynchronously, let me check that once again.
Outbound webhook calls are synchronous (they block the flow for up to 30 seconds).
The Change Data Value updates in response to webhook calls are asynchronous (they do not block the flow).
- Coded in UI with a restriction that a lead who fails reCAPTCHA validation won't be able to submit the form.
You can't stop forms from being submitted without a valid reCAPTCHA code.
You can only stop the server from accepting the form data for insert/update if the form was submitted without a valid ReCAPTCHA code.
Do you actually think I can't send form data to Marketo without clicking the ReCAPTCHA widget?
Care to share your URL so you can see me do it?
Genuine leads may not be using these hacks; we should accept only genuine leads, right?
It's not about genuine leads vs. bots. It's about letting bots overwrite data for existing genuine leads.
ReCAPTCHA can detect non-human action, but not prevent it. The actions you take as a result need to be informed by context. If you let a hacker who harvests your database overwrite existing leads with gibberish, you haven't rolled out ReCAPTCHA the right way, and if the leads end up being deleted (since they failed ReCAPTCHA) that makes the attack even worse.
You want a form post to be, as much as possible, in a silo as a pending data update. A lifecycle-aware rollout of ReCAPTCHA keeps form data in a sandbox until it's deemed safe to merge and doesn't remove existing leads just because somebody impersonated them and skipped the ReCAPTCHA widget.
It's about letting bots overwrite data for existing genuine leads.
Can you please explain this scenario? How can this be possible on Marketo?
if the leads end up being deleted (since they failed ReCAPTCHA) that makes the attack even worse.
What if actions like sending email notifications, etc. work only if the captcha is validated, with no deletion?
It's about letting bots overwrite data for existing genuine leads.
Can you please explain this scenario? How can this be possible on Marketo?
If I post a form with your address as the Email, and other fields that either aren't filled in or aren't blocked from updates (as would be the case with a field that's intended to be self-maintainable via form), I can overwrite your current data.
if the leads end up being deleted (since they failed ReCAPTCHA) that makes the attack even worse.
What if actions like sending email notifications, etc. work only if the captcha is validated, with no deletion?
Yes, if you never delete, then at least you won't lose leads completely. But when you're getting attacked by a botnet, you must be able to delete invalid leads, or they will storm your database and also your wallet.
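An added illustration of the point made in the replies above (a plain-Python model, not Marketo's API or anyone's code from this thread): the write-then-delete pattern beside a staged update that is merged only after back-end verification. `LeadStore`, `naive_flow`, the field names and the sample lead are hypothetical.

```python
# Constructed sample data: one existing, genuine lead.
SAMPLE = {"ana@example.com": {"Company": "Example Corp", "Phone": "555-0100"}}

def naive_flow(leads, email, fields, captcha_ok):
    """Anti-pattern: write the post to the live lead, delete the lead on failure."""
    leads.setdefault(email, {}).update(fields)
    if not captcha_ok:
        del leads[email]          # an impersonated genuine lead is lost entirely
    return leads

class LeadStore:
    """Form posts wait in `pending` until the captcha verdict arrives."""
    def __init__(self, leads):
        self.leads = {k: dict(v) for k, v in leads.items()}
        self.pending = {}         # submission id -> (email, posted fields)

    def stage(self, submission_id, email, fields):
        """Record a form post without touching the live lead record."""
        self.pending[submission_id] = (email.lower(), dict(fields))

    def resolve(self, submission_id, captcha_ok):
        """Merge or discard a staged post once verification has returned."""
        email, fields = self.pending.pop(submission_id)
        existed = email in self.leads
        if not captcha_ok:
            # Only the staged post is dropped: an existing lead keeps its
            # data, and a new address never became a lead in the first place.
            return "discarded-kept-existing" if existed else "discarded-new"
        updates = {k: v for k, v in fields.items() if v not in (None, "")}
        self.leads.setdefault(email, {}).update(updates)
        return "merged" if existed else "created"

if __name__ == "__main__":
    junk = {"Company": "asdfgh", "Phone": "000"}
    live = {k: dict(v) for k, v in SAMPLE.items()}
    print("naive :", naive_flow(live, "ana@example.com", junk, False))
    store = LeadStore(SAMPLE)
    store.stage("s1", "ana@example.com", junk)
    print("staged:", store.resolve("s1", False), store.leads)
```
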
Any reason we'd want to use this code you've posted before instead of the one linked above?
They're the exact same demo page!
Like I said, I'm not very advanced in js and css. Thanks for the clarification.
Hi Sanford Whiteman, thanks for sharing! Can you clarify for me where I should put the js in your link? Do we add to the header of each page that has a form? I've got a very basic understanding of js and css.
You're going to need more than JS and CSS because you need to also call a webhook to verify the ReCAPTCHA. ReCAPTCHA, like all Captchas, is not a browser-only technology (a lot of people don't understand this) because a bot can easily avoid filling out the Captcha at all.
What isn't easy to forge, on the other hand -- and this is why Captchas exist -- is filling out the Captcha correctly, which in the newer-fangled Captchas means "correct answer + like a human would do it." So you always need the back end call to verify upon submission, otherwise you're not getting any protection.
It's likely that you'll need someone who gets the whole "life cycle" to set this up for you, since it's a simple process but you kinda need to get it end-to-end.
I get the necessity of a verification process from your explanation. If we set up our own Google ReCaptcha, is the code you provided going to work without a webhook? Again, just trying to get a full understanding of this before tasking my webmaster to help us.
I get the necessity of a verification process from your explanation. If we set up our own Google ReCaptcha, is the code you provided going to work without a webhook? Again, just trying to get a full understanding of this before tasking my webmaster to help us.
What I was saying is there's no such thing as a Captcha that works without a webhook.
You must always make a back-end call, with your Google secret key, to see if the unique Captcha attempt (it's always unique every time you view the form) was a success. Otherwise someone can just barge past the Captcha and claim they answered correctly.
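The back-end check described above, sketched as an added example (not code from the thread or from Marketo): the service your webhook calls posts the token and your secret key to Google's `siteverify` endpoint and fails closed on anything but a confirmed success. The `fake_google` transport, the hostname and the five-minute age limit are constructed assumptions so the block runs offline.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def http_post(url, fields):
    """Default transport: form-encoded POST, JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=10) as resp:
        return json.load(resp)

def verify_recaptcha(token, secret, expected_host, post=http_post,
                     now=None, max_age=timedelta(minutes=5)):
    """Return (ok, reason); only Google's reply can make ok True."""
    if not token:
        return False, "missing-token"        # widget was skipped entirely
    try:
        reply = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    except (OSError, ValueError):
        return False, "verify-unreachable"   # fail closed on network/JSON errors
    if reply.get("success") is not True:
        return False, ",".join(reply.get("error-codes", [])) or "rejected"
    if reply.get("hostname") != expected_host:
        return False, "hostname-mismatch"    # token was solved on another site
    try:
        solved = datetime.fromisoformat(reply["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return False, "bad-timestamp"
    if (now or datetime.now(timezone.utc)) - solved > max_age:
        return False, "stale-challenge"
    return True, "ok"

def fake_google(url, fields):
    """Constructed stand-in for Google's reply so the example runs offline."""
    if fields["response"] == "good-token":
        return {"success": True, "hostname": "www.example.com",
                "challenge_ts": "2024-01-01T12:00:00Z"}
    return {"success": False, "error-codes": ["invalid-input-response"]}

if __name__ == "__main__":
    at = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    for tok in ("", "forged", "good-token"):
        print(repr(tok), verify_recaptcha(tok, "SECRET-PLACEHOLDER",
                                          "www.example.com", fake_google, at))
```
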
Hey Christine, just add a field that should remain NULL, but if it gets a value then that means that a bot filled in the form. If it's a person, they can't see the field so they won't fill it in.