Re: Step by step guide to recaptcha

Yeah, China is definitely a unique situation for captchas. You're better off using a locally-hosted solution such as BotDetect (which is among many things you have to think to de-Google). That said, I really think long term the solution to this problem is going to lean towards using some combination of DNSBLs (Spamhaus, StopForumSpam, Akismet, etc. I've also recently used CleanTalk in a non-Marketo context and have been impressed thus far) and/or creating some sort of collective marketing automation blacklist database. At the end of the day, that's really all noCAPTCHA is doing--it's just maintaining a giant blacklist.

Except anybody who wants to spam such a form can trivially work around that code. I mean, the rules are right there in the view-source. It's not the same as a ReCAPTCHA... at all.

As I mentioned above, we tried the honeypot field and it didn't work. We still got hit over 30k times by a spambot. We've opened a ticket with Marketo support to see if anyone can walk us through the ReCaptcha, but if anyone has done this in Marketo before and has a quick step by step guide, or could list out the process for us in the meantime, that would be super helpful!

It's not something I've ever documented end-to-end (too many other blog posts and projects in motion) but the ingredients on the back end (you seem to understand the front end) are:

• Set up 3 fields, LastReCAPTCHAUserResponse (string), LastReCAPTCHAServerStatus (boolean), LastReCAPTCHAServerSuccess (datetime), LastReCAPTCHAServerFailure (datetime)
• LastReCAPTCHAUserResponse is what holds the unique ReCAPTCHA response ID on the form end, the others are used only on the back end
• A webhook calls the Google ReCAPTCHA endpoint and passes {{lead.LastReCAPTCHAUserResponse}}
• The webhook response mapping maps the Google response to LastReCAPTCHAServerStatus
• In a trigger SC, catch a change to LastReCAPTCHAServerStatus and set either LastReCAPTCHAServerSuccess or LastReCAPTCHAServerFailure to {{system.datetime}} based on whether the status is good/bad
• Take other flow actions to sort leads into suspect/deletable lists accordingly. You don't want to delete suspect leads immediately when first rolling out. First quarantine the leads, check 'em out, and then you can start deleting them nightly or immediately.

No one at Support is going to understand this at all, sorry to say. This is pretty much my baby when it comes to Marketo.

Hi!

i might have a stupid question here, but i'm trying to recreate this one and i'm a bit confused why you need both LastReCAPTCHAUserResponse (string) and LastReCAPTCHAServerStatus (boolean)?

i have so far created webhook, mapped sucess to the server status and even managed to receive correct response

my server status is TRUE, according to your suggestion, which means that i have validaded the CAPTCHA

i've timestamped the date and the form ID

so far i've used all fields you mention but the actual LastReCAPTCHAUserResponse

​am i missing something vital here? where should this go?

LastReCAPTCHAUserResponse is for the end-user fingerprint (generated in the browser, added to the form). You have to be using some field for this, maybe you already had one and thus can skip LastReCAPTCHAUserResponse.

This may be horribly incorrect, but I was following this guide and trying to modify it for a landing page form rather than an embedded form and for the life of me can't get it to work.

I added the forms2 code below like so, but maybe it's not incorrect? It's the only part where I havent followed it to a tee...

<div class="mktoForm" id="primaryForm" mktoName="Primary Form" style="margin-bottom:40px;padding:10px 20px;min-height:80px;"></div>
<div>
                <script>
                MktoForms2.whenReady(function (form) {
                      var formEl = form.getFormElem()[0],
                        emailEl = formEl.querySelector('#Email'),
                        submitEl = formEl.querySelector('BUTTON[type="submit"]'),
                        recaptchaEl = document.querySelector('.g-recaptcha’),
                        formElId = form.getId();
                      if ("${GoogleRecaptcha}" == "block") {
                        form.submittable(false);
                        // force resize reCAPTCHA frame
                        recaptchaEl.querySelector('IFRAME').setAttribute('height','140');
                        // move reCAPTCHA inside form container    
                        formEl.appendChild(recaptchaEl);
                      }
                    form.onValidate(function(builtInValidation){        
                      //code to handle the recaptcha
                      if("${GoogleRecaptcha}" == "block") {
                          if (!builtInValidation) return;
                          //calling the recaptcha 
                          var recaptchaResponse = grecaptcha.getResponse();
                          if (!recaptchaResponse) {
                              recaptchaEl.classList.add('mktoInvalid');
                          } else {
                              recaptchaEl.classList.remove('mktoInvalid');
                              form.addHiddenFields({
                                  lastRecaptchaUserInput: recaptchaResponse,
                                  lastRecaptchaEnabledFormID: formElId
                              });
                              form.submittable(true);
                          }
                      }      
                    });
                });
                </script>
            </div>
            <div id="InvisibleRecaptcha" class="g-recaptcha" data-sitekey="${GoogleRecaptchaSiteKey}" data-size="invisible" data-callback="donothing"></div>

What could be wrong here?
Just in case the html code section isnt showing up correctly....

Far better to supply your code inline, highlighted with the Advanced Editor's syntax highlighter.

Or just link to the URL on which you're trying the code.

Note on Marketo LPs, forms customization JS needs to go just before the closing </body> tag, if you're not already doing this. You can't put it in the <head> or elsewhere in the <body> because it depends on the Forms 2.0 library loading first.

Also, image attachments don't show up in all versions of the Community. I didn't see anything there until I switched browsers -- you can paste images directly into posts if necessary.

Ah okay. I think I included used the right container for the post.

This is what I have for the form

            <div class="mktoForm" id="primaryForm" mktoName="Primary Form" style="margin-bottom:40px;padding:10px 20px;min-height:80px;"></div>
            <div id="InvisibleRecaptcha" class="g-recaptcha" data-sitekey="${GoogleRecaptchaSiteKey}" data-size="invisible" data-callback="donothing"></div>

I had this just right after the form, but now i've moved it to just before the </body> tag

                <script>
                MktoForms2.whenReady(function (form) {
                      var formEl = form.getFormElem()[0],
                        emailEl = formEl.querySelector('#Email'),
                        submitEl = formEl.querySelector('BUTTON[type="submit"]'),
                        recaptchaEl = document.querySelector('.g-recaptcha’),
                        formElId = form.getId();
                      if ("${GoogleRecaptcha}" == "block") {
                        form.submittable(false);
                        // force resize reCAPTCHA frame
                        recaptchaEl.querySelector('IFRAME').setAttribute('height','140');
                        // move reCAPTCHA inside form container   
                        formEl.appendChild(recaptchaEl);
                      }
                    form.onValidate(function(builtInValidation){       
                      //code to handle the recaptcha
                      if("${GoogleRecaptcha}" == "block") {
                          if (!builtInValidation) return;
                          //calling the recaptcha
                          var recaptchaResponse = grecaptcha.getResponse();
                          if (!recaptchaResponse) {
                              recaptchaEl.classList.add('mktoInvalid');
                          } else {
                              recaptchaEl.classList.remove('mktoInvalid');
                              form.addHiddenFields({
                                  lastRecaptchaUserInput: recaptchaResponse,
                                  lastRecaptchaEnabledFormID: formElId
                              });
                              form.submittable(true);
                          }
                      }     
                    });
                });
                </script>

Sanford Whiteman​ it seems it still doesn't work, so there must be something wrong with my code...

What's the URL where this is running?

It's here: https://info.xsolla.com/2019q1-xsolla-aboutus-lp.html

You have an invalid quotation mark:

Which throws this in the console:

Fix that and try again.

Hmm I've made the change but it still hasn't gone through.
This is the flow steps i'm calling the webhook with, so the results are showing that it's doing nothing...

Trying to troubleshoot backwards from the Call Webhook activity isn't going to work. You shouldn't be looking on the Marketo side at all, except perhaps for the Filled Out Form activity (the only way to audit what was posted by the browser). The browser is where everything happens.

Here you can see you've purposely added a condition which prevents the reCAPTCHA fingerprint from being added to the form:

You really need someone to troubleshoot this who can quickly trace JS code and knows what's needed.

Sanford this approach makes sense to me. Would it work in an embedded form? Also, where's a good place to learn about implementing the webhook that calls the Google ReCAPTCHA endpoint?

Sure, it works in an embedded form just fine.

Greg went deeper into some of the steps in this offsite doc. It should be wrapped up in a Products blog post at some point.