49 Replies Latest reply on Mar 20, 2018 2:08 PM by Junior Madureira

    Spam Form Fills

      Hi all, Was hoping someone could help me with an issue we have been experiencing recently.

       

      We've been getting a ton of submissions to our demo request page with complete junk information. All fields are filled out, but the person and company do not exist and the rest is gibberish.

       

      I know Marketo does things like the hidden fields on forms to segment out bots, but I'm not sure how to filter out human spammers that are filling out the form manually?

       

      Any help would be greatly appreciated!
      Ashley

        • Re: Spam Form Fills
          Roxann McGlumphy

          Hi Ashley,

           

          I'm just curious, how do you know these are human spammers?  This really sounds like bot behavior to me.

            • Re: Spam Form Fills

              Not 100% sure if they are human or bots, but since the Marketo filter is not picking them up, I just assumed they were actual form fills. Could be wrong though!

                • Re: Spam Form Fills
                  Roxann McGlumphy

                  Have you put in a hidden field as a honeypot for bot form fills?

                    • Re: Spam Form Fills

                      How do you do the "honey pot"? I'm having the same issue - it's so bad that I've had to unpublish all PPC landing pages. My dev team is concerned about security, and my sales team is questioning the quality of my inbound efforts.

                        • Re: Spam Form Fills
                          Dory Viscogliosi

                          Hey Christine, just add a field that should remain NULL, but if it gets a value then that means that a bot filled in the form. If it's a person, they can't see the field so they won't fill it in.

                          6 of 6 people found this helpful
                          • Re: Spam Form Fills
                            Sanford Whiteman

                            You can add the familiar Google reCAPTCHA protection to Marketo forms: MktoForms2 :: reCAPTCHA

                             

                            You pair it with Marketo webhook to verify submissions, and it is effectively un-bottable.

                            4 of 4 people found this helpful
                              • Re: Spam Form Fills
                                Nathan Lindsey

                                I am not sure how to use webhook with the sample you posted.

                                  • Re: Spam Form Fills
                                    Sanford Whiteman

                                    Thought you said on the other thread that the back end was already set up by another dev.

                                      • Re: Spam Form Fills
                                        Jessica Walker

                                        Hi Sanford Whiteman thanks for the sharing! Can you clarify for me where I should put the js in your link? Do we add to the header of each page that has a form? I've got a very basic understanding of js and css.

                                         

                                        Any reason we'd want to use this code you've posted before instead of the one linked above?

                                          • Re: Spam Form Fills
                                            Sanford Whiteman
                                            Any reason we'd want to use this code you've posted before instead of the one linked above?

                                            They're the exact same demo page!

                                             

                                            Hi Sanford Whiteman thanks for the sharing! Can you clarify for me where I should put the js in your link? Do we add to the header of each page that has a form? I've got a very basic understanding of js and css.

                                            You're going to need more than JS and CSS because you need to also call a webhook to verify the ReCAPTCHA. ReCAPTCHA, like all Captchas, is not a browser-only technology (a lot of people don't understand this) because a bot can easily avoid filling out the Captcha at all.

                                             

                                            What isn't easy to forge, on the other hand -- and this is why Captchas exist -- is filling out the Captcha correctly, which in the newer-fangled Captchas means "correct answer + like a human would do it." So you always need the back end call to verify upon submission, otherwise you're not getting any protection.

                                             

                                            It's likely that you'll need someone who gets the whole "life cycle" to set this up for you, since it's a simple process but you kinda need to get it end-to-end.

                                              • Re: Spam Form Fills
                                                Jessica Walker
                                                Any reason we'd want to use this code you've posted before instead of the one linked above?

                                                They're the exact same demo page!

                                                 

                                                Like I said, I'm not very advanced in js and css. Thanks for the clarification.

                                                 

                                                Hi Sanford Whiteman thanks for the sharing! Can you clarify for me where I should put the js in your link? Do we add to the header of each page that has a form? I've got a very basic understanding of js and css.

                                                You're going to need more than JS and CSS because you need to also call a webhook to verify the ReCAPTCHA. ReCAPTCHA, like all Captchas, is not a browser-only technology (a lot of people don't understand this) because a bot can easily avoid filling out the Captcha at all.

                                                 

                                                What isn't easy to forge, on the other hand -- and this is why Captchas exist -- is filling out the Captcha correctly, which in the newer-fangled Captchas means "correct answer + like a human would do it." So you always need the back end call to verify upon submission, otherwise you're not getting any protection.

                                                 

                                                It's likely that you'll need someone who gets the whole "life cycle" to set this up for you, since it's a simple process but you kinda need to get it end-to-end.

                                                 

                                                I get the necessity of a verification process from your explanation. If we set up our own Google ReCaptcha, is the code you provided going to work without a webhook? Again, just trying to get a full understanding of this before tasking my webmaster to help us.

                                                  • Re: Spam Form Fills
                                                    Sanford Whiteman

                                                    I get the necessity of a verification process from your explanation. If we set up our own Google ReCaptcha, is the code you provided going to work without a webhook? Again, just trying to get a full understanding of this before tasking my webmaster to help us.

                                                    What I was saying is there's no such thing as a Captcha that works without a webhook.

                                                     

                                                    You must always make a back-end call, with your Google secret key, to see if the unique Captcha attempt (it's always unique every time you view the form) was a success. Otherwise someone can just barge past the Captcha and claim they answered correctly.

                                                    1 of 1 people found this helpful
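The back-end step Sanford describes, as an added example that is not code from the thread, from Marketo or from Google: a webhook handler that calls Google's siteverify endpoint with the secret key and returns the result as response-mapping fields, ignoring anything the browser claims about its own captcha status. The siteverify URL and its `success`, `challenge_ts`, `hostname` and `error-codes` response fields are Google's documented API; the field names (`recaptchaResponse`, `captchaStatus`, `lastReCAPTCHAPass`, `lastReCAPTCHAFail`), the injectable transport, the fake endpoint and all sample values are constructed for the example.

```javascript
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Ask Google whether one reCAPTCHA token was actually solved. `post` is an
// injectable transport, (url, formBody) => Promise<object>, so the logic runs
// offline here; in production it is a real HTTPS POST made from the server
// that holds the secret key, never from the browser.
async function verifyToken(secret, token, expectedHost, post) {
  if (typeof token !== 'string' || token.length === 0) {
    // No token at all: the widget was skipped, which a scripted post can do.
    return { pass: false, reason: 'missing-token' };
  }
  const body = new URLSearchParams({ secret, response: token });
  const result = await post(SITEVERIFY_URL, body.toString());
  if (result.success !== true) {
    const codes = result['error-codes'] || ['not-verified'];
    return { pass: false, reason: codes.join(',') };
  }
  // The token is bound to the host that served the widget; a token solved on
  // some other site must not count for this form.
  if (expectedHost && result.hostname !== expectedHost) {
    return { pass: false, reason: 'hostname-mismatch' };
  }
  return { pass: true, challengeTs: result.challenge_ts };
}

// Webhook entry point. `payload` is the form data the webhook was handed; the
// returned object is what would be mapped back onto the lead. A captcha status
// the client asserts about itself (payload.captchaStatus) is deliberately
// ignored: only the siteverify answer decides.
async function handleWebhook(payload, config, post) {
  const outcome = await verifyToken(
    config.secret, payload.recaptchaResponse, config.hostname, post);
  const now = new Date().toISOString(); // stands in for {{system.datetime}}
  return outcome.pass
    ? { captchaStatus: true, lastReCAPTCHAPass: now, captchaReason: '' }
    : { captchaStatus: false, lastReCAPTCHAFail: now, captchaReason: outcome.reason };
}

// Constructed stand-in for Google's endpoint so the example runs offline. It
// knows which tokens it "issued" and, like the real service, accepts each one
// exactly once, which is why every view of the form is a unique attempt.
function fakeSiteverify(issuedTokens, hostname) {
  const used = new Set();
  return async (_url, formBody) => {
    const params = new URLSearchParams(formBody);
    if (params.get('secret') !== 'constructed-secret') {
      return { success: false, 'error-codes': ['invalid-input-secret'] };
    }
    const token = params.get('response');
    if (used.has(token)) {
      return { success: false, 'error-codes': ['timeout-or-duplicate'] };
    }
    if (!issuedTokens.has(token)) {
      return { success: false, 'error-codes': ['invalid-input-response'] };
    }
    used.add(token);
    return { success: true, challenge_ts: '2018-03-20T14:08:00Z', hostname };
  };
}
```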
                                                  • Re: Spam Form Fills
                                                    Anulal S

                                                    I've written a blog on the captcha "life cycle". Please try it out:

                                                    https://medium.com/@anulals/google-recaptcha-in-marketo-forms-b992fc30d000

                                                      • Re: Spam Form Fills
                                                        Sanford Whiteman

                                                        Anulal, thanks a lot for featuring and attributing my code!

                                                         

                                                        Some flaws in your walkthrough, though...

                                                         

                                                        • The most fundamental is that webhook response data mappings are done asynchronously. You must not check the value of the captchaStatus in the same flow as the Call Webhook.  Instead, use another trigger campaign that fires on Data Value Changes. Otherwise this is guaranteed to fail in some percentage of cases.
                                                        • You want to be clear to the reader that a lead that fails ReCAPTCHA can only be deleted if it's the only thing that lead has done. You don't want to allow someone to impersonate another lead and result in the latter being deleted from the db.
                                                        • Conversely, you don't want to leave failed leads around in your db indefinitely. While you may not delete them immediately, they should be marked for periodic deletion.
                                                        • If a good lead already exists in your database (having either passed ReCAPTCHA or never having had the chance to be tested), what you need to do is throw out the field changes that accompanied the bad form post, but don't throw out any other fields. This requires the use of proxy fields for the complete lifecycle.
                                                        • Finally, using a Boolean for captchaStatus isn't what I'd recommend. Instead have two fields, lastReCAPTCHAFail (a Datetime) and lastReCAPTCHAPass (also a Datetime). Stamp these with {{system.datetime}} accordingly. This gives you the audit trail you need to make intelligent choices about the "final fate" of leads that have submitted a form.
                                                        1 of 1 people found this helpful
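The lifecycle rules in the bullets above, as an added example that is not code from the thread, from the linked blog or from Marketo: a form post is staged in proxy fields, the verification result stamps lastReCAPTCHAPass or lastReCAPTCHAFail, a failed post is discarded without touching an existing lead's data, and only a lead with no other history is marked for periodic deletion rather than deleted inline. The field names (`proxy_*`, `markedForDeletion`, `createdBeforeCaptcha`), the lead object shape and the grace period are assumptions; Marketo's own flow steps and the Data Value Changes trigger are not modelled.

```javascript
const PROXY_PREFIX = 'proxy_';

// Step 1: a form post lands in proxy fields only. The real fields stay as they
// were until the (asynchronous) verification result comes back.
function stageFormPost(lead, formFields) {
  const staged = { ...lead };
  for (const [name, value] of Object.entries(formFields)) {
    staged[PROXY_PREFIX + name] = value;
  }
  return staged;
}

// "The only thing that lead has done": no earlier pass, and not a lead that
// existed before reCAPTCHA was rolled out (assumed flag createdBeforeCaptcha).
function hasOtherHistory(lead) {
  return Boolean(lead.lastReCAPTCHAPass) || lead.createdBeforeCaptcha === true;
}

// Step 2: apply the server-side reCAPTCHA result. `now` is the ISO timestamp
// that would come from {{system.datetime}}.
function applyVerification(lead, passed, now) {
  const out = { ...lead };
  const proxyKeys = Object.keys(out).filter(k => k.startsWith(PROXY_PREFIX));
  if (passed) {
    out.lastReCAPTCHAPass = now;
    delete out.markedForDeletion;            // a later pass rescues the lead
    for (const k of proxyKeys) {             // merge staged values into real fields
      out[k.slice(PROXY_PREFIX.length)] = out[k];
    }
  } else {
    out.lastReCAPTCHAFail = now;
    // Failed post: drop the staged changes but keep every existing field, so
    // posting someone else's email cannot overwrite or remove their record.
    if (!hasOtherHistory(out)) out.markedForDeletion = now;
  }
  for (const k of proxyKeys) delete out[k];  // clear proxies either way
  return out;
}

// Step 3: periodic purge. Only leads still marked for deletion, and only after
// a grace period (milliseconds), are returned for removal.
function purgeCandidates(leads, now, graceMs) {
  return leads.filter(l =>
    l.markedForDeletion &&
    Date.parse(now) - Date.parse(l.markedForDeletion) >= graceMs);
}
```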
                                                          • Re: Spam Form Fills
                                                            Anulal S
                                                            • Marketo executes it asynchronously, let me check that once again.
                                                            • Coded in the UI with a restriction that a lead that fails reCAPTCHA validation won't be able to submit the form.
                                                            • Boolean used so that we can configure if/else; also the datetime is saved.
                                                              • Re: Spam Form Fills
                                                                Sanford Whiteman
                                                                • Coded in the UI with a restriction that a lead that fails reCAPTCHA validation won't be able to submit the form.

                                                                You can't stop forms from being submitted without a valid reCAPTCHA code.

                                                                 

                                                                You can only stop the server from accepting the form data for insert/update if the form was submitted without a valid ReCAPTCHA code.

                                                                    • Re: Spam Form Fills
                                                                      Sanford Whiteman

                                                                      Do you actually think I can't send form data to Marketo without clicking the ReCAPTCHA widget?

                                                                       

                                                                      Care to share your URL so you can see me do it? 

                                                                        • Re: Spam Form Fills
                                                                          Anulal S

                                                                          Genuine leads may not be using these hacks; we should accept only genuine leads, right?

                                                                            • Re: Spam Form Fills
                                                                              Sanford Whiteman

                                                                              It's not about genuine leads vs. bots.  It's about letting bots overwrite data for existing genuine leads.

                                                                               

                                                                              ReCAPTCHA can detect non-human action, but not prevent it.  The actions you take as a result need to be informed by context. If you let a hacker who harvests your database overwrite existing leads with gibberish, you haven't rolled out ReCAPTCHA the right way, and if the leads end up being deleted (since they failed ReCAPTCHA) that makes the attack even worse.

                                                                               

                                                                              You want a form post to be, as much as possible, in a silo as a pending data update. A lifecycle-aware rollout of ReCAPTCHA keeps form data in a sandbox until it's deemed safe to merge and doesn't remove existing leads just because somebody impersonated them and skipped the ReCAPTCHA widget.

                                                                              1 of 1 people found this helpful
                                                                                • Re: Spam Form Fills
                                                                                  Anulal S

                                                                                  It's about letting bots overwrite data for existing genuine leads.

                                                                                  Can you please explain this scenario? How can this be possible on Marketo?

                                                                                  if the leads end up being deleted (since they failed ReCAPTCHA) that makes the attack even worse.

                                                                                  What if actions like sending email notifications etc. work only if the captcha is validated, with no deletion?

                                                                                    • Re: Spam Form Fills
                                                                                      Sanford Whiteman

                                                                                      It's about letting bots overwrite data for existing genuine leads.

                                                                                      Can you please explain this scenario? How can this be possible on Marketo?

                                                                                      If I post a form with your address as the Email, and other fields that either aren't filled in or aren't blocked from updates (as would be the case with a field that's intended to be self-maintainable via form), I can overwrite your current data.

                                                                                       

                                                                                      if the leads end up being deleted (since they failed ReCAPTCHA) that makes the attack even worse.

                                                                                      What if actions like sending email notifications etc. work only if the captcha is validated, with no deletion?

                                                                                      Yes, if you never delete, then at least you won't lose leads completely. But when you're getting attacked by a botnet, you must be able to delete invalid leads, or they will storm your database and also your wallet.

                                                                          • Re: Spam Form Fills
                                                                            Sanford Whiteman
                                                                            • Marketo executes it asynchronously, let me check that once again.

                                                                            Outbound webhook calls are synchronous (they block the flow for up to 30 seconds).

                                                                             

                                                                            The Change Data Value updates in response to webhook calls are asynchronous (they do not block the flow).

                                                                            1 of 1 people found this helpful
                                                                          • Re: Spam Form Fills
                                                                            Ashley Tate

                                                                            Sanford Whiteman wrote:

                                                                             

                                                                            • The most fundamental is that webhook response data mappings are done asynchronously. You must not check the value of the captchaStatus in the same flow as the Call Webhook. Instead, use another trigger campaign that fires on Data Value Changes. Otherwise this is guaranteed to fail in some percentage of cases.

                                                                             

                                                                            1) Is the Data Value Change in your comment above being done on the field that stores challenge_ts?

                                                                            2) After all the logic is done firing, for records that succeed, should I be setting the fields that store the response string (that I send to Google) and the success boolean (that Google returns) to null? I'm guessing that if the Data Value Change is being done on challenge_ts then clearing out these two fields isn't necessary.

                                                                              • Re: Spam Form Fills
                                                                                Sanford Whiteman

                                                                                1) Is the Data Value Change in your comment above being done on the field that stores challenge_ts?

                                                                                The field that stores the true/false result from Google.

                                                                                 

                                                                                Any value change activity that results from a webhook response mapping needs to be detected using Data Value Changes trigger, not simply by checking the value, after the webhook runs, in the same Flow.

                                                                                 

                                                                                2) After all the logic is done firing, for records that succeed, should I be setting the fields that store the response string (that I send to Google) and the success boolean (that Google returns) to null? I'm guessing that if the Data Value Change is being done on challenge_ts then clearing out these two fields isn't necessary.

                                                                                On a Boolean true, I would write {{system.datetime}} to a Datetime field LastRecaptchaPass.

                                                                                 

                                                                                Then clear the ReCAPTCHA values that came in with the form data itself, so you don't get confused about them later.

                                                                                  • Re: Spam Form Fills
                                                                                    Dustin Smart

                                                                                    I'm not exactly clear on if you're saying we should reset/clear the captcha success Boolean or just the other ReCAPTCHA values.

                                                                                     

                                                                                    If we are not clearing the captcha success Boolean, does the Data Value Changes trigger still fire if it is set to true and a new form submission results in a new true response from Google?

                                                                                     

                                                                                    If we are clearing the captcha success Boolean, would resetting it cause an infinite loop since we're changing the value of the field that is used as the trigger?

                                                                                     

                                                                                    Finally, would it make sense to use a WAIT action after the call webhook instead of using another campaign with the Data Value Changes trigger? Are you recommending using another campaign because there's just no way to tell how long the webhook might take, is it for efficiency, or does it yield some other benefits?

                                                                                      • Re: Spam Form Fills
                                                                                        Sanford Whiteman

                                                                                        If we are not clearing the captcha success Boolean, does the Data Value Changes trigger still fire if it is set to true and a new form submission results in a new true response from Google?

                                                                                        Nope, that's not a change.

                                                                                         

                                                                                        If we are clearing the captcha success Boolean, would resetting it cause an infinite loop since we're changing the value of the field that is used as the trigger?

                                                                                         

                                                                                        There'd be a loop if you didn't constrain the Source, but if you specify Data Value Changes + Source = Webhook then there won't be.

                                                                                         

                                                                                        Finally, would it make sense to use a WAIT action after the call webhook instead of using another campaign with the Data Value Changes trigger? Are you recommending using another campaign because there's just no way to tell how long the webhook might take, is it for efficiency, or does it yield some other benefits?

                                                                                        You should only use Wait steps for deliberate, absolute pauses, not for "best guess" scenarios like this.  And you want to minimize the number of leads in wait steps across your instance. Using Data Value Changes is exact and efficient.

                                                                                • Re: Spam Form Fills
                                                                                  Kathy Shue

                                                                                  Where do you put the CSS code in the Marketo form to add the captcha?

                                                              • Re: Spam Form Fills
                                                                Alok Ramsisaria

                                                                Ashley Ahearn

                                                                Here are more details for the solution recommended by Dory:

                                                                - Created a custom field in Marketo 'Is Spam' and type as 'string'.

                                                                - Add the field in all the forms as hidden, and approve the associated landing pages.

                                                                - In your smart campaigns for form fills, add a filter that says 'Is Spam' is empty. On any form fill, if 'Is Spam' is not empty, it will be a spam lead since humans would not be able to see it and fill it. Only spam bots will be able to fill it.    

                                                                1 of 1 people found this helpful
                                                                • Re: Spam Form Fills
                                                                  Sarah Bartell

                                                                  Is there a step-by-step guide on how to implement this? I have Sanford's code, I have a site key and secret key from Google, and now I'm lost.

                                                                  • Re: Spam Form Fills
                                                                    Axel Baran

                                                                    Hello Everyone

                                                                     

                                                                    We are seeing similar issues:

                                                                    • the bots / hackers push data via the form's POST URL, thereby bypassing the normal form submission by a person who clicks the "submit" button
                                                                    • reCAPTCHA will not block spam bots in the scenario above. We have verified it using a script and were able to submit records over and over
                                                                    • an attack of 10s of thousands like this will bring down your other systems that are syncing with Marketo
                                                                    • we use an email verification tool on our form as well. For this type of situation the results are very limited.

                                                                     

                                                                    So far Marketo is not giving us any options on how to prevent these leads from entering the Marketo database:

                                                                    • with reCAPTCHA we can check if the submission is from a person, and if it is not, the lead can be deleted immediately
                                                                    • but what we want is for the records to never enter Marketo in the first place

                                                                     

                                                                    I welcome any solution that is robust for this issue.

                                                                     

                                                                    Thanks a lot

                                                                    Axel

                                                                      • Re: Spam Form Fills
                                                                        Sanford Whiteman
                                                                        • the bots / hackers push data via the form's POST URL, thereby bypassing the normal form submission by a person who clicks the "submit" button
                                                                        • reCAPTCHA will not block spam bots in the scenario above. We have verified it using a script and were able to submit records over and over

                                                                        Axel, reCAPTCHA never blocks spam bots from sending form data. That's not what it's ever been designed or advertised to do. And this is true of reCAPTCHA on all websites, not just Marketo LPs and/or forms.

                                                                         

                                                                        reCAPTCHA allows you to verify on the server side whether a form was submitted by a human or not. If it doesn't pass the human test, you delete or quarantine it before you'd pass it through any processes that would result in it being synced to another system. Unless you are getting very high volume (10s of thousands is not very high) this should not impact instance performance.

                                                                         

                                                                        • we use an email verification tool on our form as well. For this type of situation the results are very limited.

                                                                        Email verification won't apply to bots, so the results will be more like zero than limited.

                                                                        1 of 1 people found this helpful
                                                                          • Re: Spam Form Fills
                                                                            Axel Baran

                                                                            Hi Sanford

                                                                             

                                                                            Thanks for your reply. We are getting 10s of thousands of these emails and therefore we have performance issues.

                                                                             

                                                                            Any suggestions on how we can prevent this from happening?

                                                                             

                                                                            Thanks

                                                                            Axel

                                                                              • Re: Spam Form Fills
                                                                                Sanford Whiteman

                                                                                Thanks for your reply. We are getting 10s of thousands of these emails and therefore we have performance issues.

                                                                                Are the perf issues actually from the form submissions, or from something else you're doing before checking if the lead is legit?

                                                                                  • Re: Spam Form Fills
                                                                                    Axel Baran

                                                                                    Hi Sanford

                                                                                     

                                                                                    Happy New Year!

                                                                                     

                                                                                    Sorry for the delay in my reply. The performance issues are due to the sync between Marketo and SFDC. As all the submissions are coming via a program that syncs to SFDC, it impacts SFDC to the point it stops working.

                                                                                    It is a pretty serious issue and we feel that Marketo would be best suited to help prevent those issues instead of us finding ways around them.

                                                                                    But if you have a solution that works most of the time, then that would be a good start.

                                                                                    Thanks

                                                                                    Axel

                                                                                      • Re: Spam Form Fills
                                                                                        Sanford Whiteman
                                                                                        Sorry for the delay in my reply. The performance issues are due to the sync between Marketo and SFDC. As all the submissions are coming via a program that syncs to SFDC, it impacts SFDC to the point it stops working.

                                                                                        It's essential, then, that you delay the addition of people to a synced program until after they've been verified.

                                                                                          • Re: Spam Form Fills
                                                                                            Axel Baran

                                                                                            Sanford

                                                                                             

                                                                                            Delaying the sync does not solve the real issue, which is preventing thousands of rogue form submissions. The first time we spotted this, we had 25,000 submissions at the time.

                                                                                             

                                                                                            What would happen if this was done as a combined attack on several customers' Marketo instances?

                                                                                              • Re: Spam Form Fills
                                                                                                Sanford Whiteman

                                                                                                Delaying the sync does not solve the real issue, which is preventing thousands of rogue form submissions.

                                                                                                Why not? If the only Denial of Service is to the SFDC sync process, then that's what you have to throttle, and that's what you're doing by not adding unwanted people to the sync.

                                                                                                 

                                                                                                What would happen if this was done as a combined attack on several customers' Marketo instances?

                                                                                                25,000 is a tiny drop by modern web standards: even a small virtual server can handle millions of POSTs per day.

                                                                                                 

                                                                                                So the question isn't the number of hits, it's preventing an amplification attack where a lightweight HTTP request gets expanded into a much longer-lived and resource-intensive process.

                                                                                                 

                                                                                                I'm not saying Marketo should not be able to shed the load earlier (like by checking reCAPTCHA results before inserting into the db) but there's nothing impractical about funneling leads through lighter-weight processes so they don't hit heavier-weight ones.

                                                                                  • Re: Spam Form Fills
                                                                                    Junior Madureira

                                                                                    Marketo's response about Google reCaptcha...

                                                                                     

                                                                                    ----

                                                                                    Regarding reCaptcha, since it is a third-party integration, we don't have formal documentation regarding setting it up, but I would recommend searching the Marketo community to see how other Marketo users have approached this, or work with reCaptcha for more information.

                                                                                     

                                                                                    In addition to implementing ReCaptcha, you may want to consider adding JavaScript.

                                                                                    - Add JavaScript validation to the header of your landing pages. This checks to see if JavaScript is enabled on the browser - and, if not, redirects the lead to a page that advises them to do so. Spam bots do not have JavaScript enabled, so this can cut down on spam submissions. This will minimize but not eliminate these submissions. You can also use JavaScript to do custom validation on any of the fields in your form, but keep in mind that you would need a developer's help for these solutions.

                                                                                     

                                                                                    Here is an article on our community site that may be useful.

                                                                                    Title - Dealing with Spam or Bot Form Fillouts

                                                                                    Link - https://nation.marketo.com/docs/DOC-4755-how-to-setup-a-form-honeypot-field

                                                                                     

                                                                                    We suggest working with a developer to implement these solutions as well as test them, as custom coding falls outside the scope of support.

                                                                                    -----

                                                                                    In other words, it's up to us to sort this out. Just frustrated how they really don't care and have no ambition to solve the most common issue with email forms (DoS attacks). Honeypot fields don't work. Bots are smart now.

                                                                                     

                                                                                    They should implement a captcha system and put a toggle on/off on the form creation. It would help us tremendously and reduce the load on their server too.

                                                                                      • Re: Spam Form Fills
                                                                                        Sanford Whiteman

                                                                                        I agree that some built-in support for reCAPTCHA would be nice. You would still have to supply your own Google site key and secret: Marketo can't use the same account for all subscribers' reCAPTCHA lookups because Google will rate-limit them very, very fast (you can even get yourself rate-capped within a single organization).

                                                                                         

                                                                                        That said, adding the reCAPTCHA to a form is not too difficult, and it's a one-time (or few-times) procedure to set it up.

                                                                                         

                                                                                        The problem is that if the underlying forms infrastructure remains the same, it doesn't matter if Marketo creates an automatic webhook callout for you and adds the widget to your form. That doesn't reduce the server load, it actually increases the load, since every form post results in another HTTP roundtrip to look up the reCAPTCHA status in addition to all the overhead of processing the form data.  That's because (the way it works now) form data is accepted, queued for insertion, and inserted into the database before the webhook is called. There's no resource savings, only overhead.

                                                                                         

                                                                                        If, on the other hand, the order of operations were changed, the reCAPTCHA endpoint could be called first and the data queued only on success, saving resources. But I'd rather see that pipeline be exposed as an API, not hard-coded to support reCAPTCHA only, so we could call whatever we want in the intermediate layer.

                                                                                      • Re: Spam Form Fills
                                                                                        Junior Madureira

                                                                                        Thanks to Sanford Whiteman, the integration with reCaptcha is finally working!

                                                                                         

                                                                                        The issue with my code was a capital letter in the JS file. After getting that fixed Marketo was able to properly get a response from Google in the webhook.

                                                                                         

                                                                                        The issue was on this line:

                                                                                         

                                                                                        lastReCAPTCHAUserResponse: recaptchaResponse

                                                                                         

                                                                                        The "last" had a capital "L" in front so it never sent the response to Marketo.

                                                                                                      

                                                                                        Without Sanford's help I'd never have found out, I think.

                                                                                         

                                                                                        Thank you very much again Sanford and if anyone needs help with this integration I can give a bit more detail.
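An added example, not code from this thread, from Marketo or from Google, illustrating two points above: Sanford's order-of-operations argument (check the reCAPTCHA result first, queue the lead for the SFDC sync only on success) and Junior's case-sensitive hidden-field name `lastReCAPTCHAUserResponse`. The gate function, queue names and the stand-in verifier are hypothetical; the siteverify URL and its `secret`/`response`/`remoteip` parameters are Google's real ones.

```javascript
// Added example, not code from the thread or from Marketo: a form-intake gate
// that checks the reCAPTCHA token BEFORE a lead is queued for the SFDC sync, so
// junk posts are dropped by a cheap check instead of amplified into a heavy sync.
// gateSubmission, the quarantine/sync queues and fakeVerify are hypothetical names.

// The hidden-field name is case-sensitive: with a leading capital "L" the token
// is never read, which is exactly the bug Junior describes above.
const TOKEN_FIELD = 'lastReCAPTCHAUserResponse';

// Request shape for Google's siteverify endpoint (secret, response, optional
// remoteip). Returned as data; production code would POST it and parse the JSON.
function buildSiteVerifyRequest(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  return { url: 'https://www.google.com/recaptcha/api/siteverify', body: body.toString() };
}

// verify(token) -> {success: boolean}. Injected (and synchronous here) so the
// gate runs offline; in production it would wrap the siteverify round trip.
function gateSubmission(submission, verify, queues) {
  const token = submission.fields[TOKEN_FIELD];
  // No token: the client never set the field (a bot, or a misspelled field name).
  if (typeof token !== 'string' || token.length === 0) {
    queues.quarantine.push({ submission, reason: 'missing-token' });
    return 'quarantined';
  }
  if (!verify(token).success) {
    queues.quarantine.push({ submission, reason: 'failed-verification' });
    return 'quarantined';
  }
  queues.sync.push(submission); // only verified leads reach the heavy sync path
  return 'queued';
}

// Constructed stand-in for Google's verifier: accepts one known-good token.
function fakeVerify(token) {
  return { success: token === 'constructed-valid-token' };
}

// Three constructed submissions: a real one, a bot with a bogus token, and a
// page whose JS used the mis-capitalised field name.
function demo() {
  const queues = { sync: [], quarantine: [] };
  const subs = [
    { fields: { Email: 'a@example.com', [TOKEN_FIELD]: 'constructed-valid-token' } },
    { fields: { Email: 'b@example.com', [TOKEN_FIELD]: 'bogus' } },
    { fields: { Email: 'c@example.com', LastReCAPTCHAUserResponse: 'constructed-valid-token' } },
  ];
  const outcomes = subs.map((s) => gateSubmission(s, fakeVerify, queues));
  return { outcomes, synced: queues.sync.length, reasons: queues.quarantine.map((q) => q.reason) };
}
```

Only the first submission reaches the sync queue; the mis-capitalised field lands in quarantine as "missing-token", which is the symptom to look for when the webhook never seems to receive a response.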