In November 2020, we announced that we will forbid programmatic Form POST submissions to our /save and /save2 endpoints beginning May 7, 2021. The reason for this change is to reject methods of unsupported form submissions used by bots to fill customer databases with spam data.
We understand that many customers may need more time to update the integrations to use a supported method such as the Forms2.JS API or the Submit Form REST API endpoint. We have decided to extend the deadline in which we will begin blocking all programmatic Form submissions to take place on October 15, 2021. Programmatic FORM submissions continue to be unsupported and while we are temporarily delaying enabling validation to reject these submissions, we cannot ensure uninterrupted submission following upcoming product and infrastructure changes.
For customers that still wish to block this method of form submission to address bot attacks, will allow you to opt-in to form submission validation on your subscription. This validation will check that form submissions are coming from Marketo Forms, Forms2.js API, or the Submit Form REST API and will reject it otherwise. This is expected to block many common sources of bot attacks.
However, if you have a form integration that currently uses programmatic Form POST to submit lead data, enabling this feature will also block your Form submissions. We encourage all customers to migrate to a supported method of form submissions as soon as possible to protect their subscriptions from bot attacks.
The original announcement is below for reference. The details remain the same aside from the schedule to block programmatic form POST submissions.
In our May 7, 2021 release, Marketo Engage will be making changes to our form platform to protect the stability and security of our infrastructure:
On August 1, 2017, Marketo Engage deprecated the Forms 1.0 editor, removing the ability to create or edit Forms 1.0 assets. This change will complete our end of life efforts for Forms 1.0.
In addition, we have found that our Form endpoints “leadCapture/save” and “leadCapture/save2” are common targets for bot attacks. To protect the stability of the Marketo Engage infrastructure, and to aid customers in maintaining a clean database, we are completely disabling the “leadCapture/save” endpoint and enforcing checksum validation on the “leadCapture/save2” endpoint.
Provisioning of Marketo Engage subscriptions with the ability to create Forms 1.0 assets ended December 31, 2014. If your subscription was provisioned after this date, then it will not have Form 1.0 assets. Forms 2.0 assets will be unaffected by this change.
Marketo Engage subscriptions provisioned before December 31, 2014 may still be utilizing Forms 1.0 assets on their landing pages and website. These forms will need to be remade in our Forms 2.0 editor and replaced wherever they are still being used.
Some integrations may be performing programmatic form POSTs to “leadCapture/save" or “leadCapture/save2” to submit data into Marketo Engage databases. This method of data ingestion has always been unsupported and will cease to work as part of this deprecation. All integrations using programmatic form POSTs must be updated to use our Forms 2.0 API, Push Lead REST API, or the Submit Form REST API endpoint releasing in the January 2021 release.
Customers using native Forms 2.0 assets on pages and/or the Forms 2.0 API do not need to take any action. Checksum validation will work natively with these supported methods.
Customers that fail to replace any in-use Forms 1.0 asset with a Form 2.0 asset will find that their customers will be unable to submit to their 1.0 Forms.
Customers using integrations that perform programmatic Form POSTs to the “leadCapture/save” or “leadCapture/save2” endpoints will see these integrations fail, resulting in loss of form submission data.
Forms 1.0 and Forms 2.0 have different look and feel:
Marketo subscriptions provisioned after December 31, 2014 will only have Forms 2.0 assets.