10 Replies Latest reply on Apr 9, 2018 2:16 PM by Lynn Ray Pardo

    Preventing fake emails and phone numbers

    David Sacco

      I am looking for an add-on or solution that forces people to provide real email addresses and phone numbers to prevent things like 555-555-55555 or asdf@asf.com

        • Re: Preventing fake emails and phone numbers
          Sanford Whiteman

          Hi David!

           

          One thing I like to note when such questions come up: some seemingly "fake" addresses like asdf@asf.com are actually completely legitimate (in fact, that very address is emailable at asf.com, an old Eastman Kodak web property). 555-555-55555, due to the number of digits and the known-fake area code, is indeed fake, but it's not always that simple.

           

          To check in real-time whether an email address is emailable (which doesn't mean it's attended!) and whether a phone number exists (which doesn't mean somebody will pick up!) before a Marketo form is allowed to submit, as far as I know, the only service with that level of integration is Etumos Verify.  (I know about the depth of the integration b/c I contributed their Forms 2.0 code.)

           

          You'll probably hear from Edward Unthank @ Etumos on this thread to learn more.

          • Re: Preventing fake emails and phone numbers
            Edward Unthank (ETU)

            Hey David, like Sanford mentions, we have Etumos Verify which offers this service on forms in real-time. You can check out the functionality here: Real-Time Verification in Marketo

             

            We don't have the phone verification on that demo page, but that's part of the offering—just a subset of the product that's asked for less frequently. You can check out the demo page, and we can talk further offline if you're interested from there.

             

            Edward Unthank | Founder, Etumos

            2 of 2 people found this helpful
            • Re: Preventing fake emails and phone numbers
              Ariel Sasso

              Are you seeing a high number of fake addresses and phone numbers? If you are seeing a bunch of bad email addresses, it may be spam bots. I would recommend running a spam trap smart campaign, and setting up a second field in the Marketo honey pot to make sure you aren't being targeted by spammers.

              1 of 1 people found this helpful
                • Re: Preventing fake emails and phone numbers
                  Sanford Whiteman

                  Absolutely! A honeypot can be part of an end-to-end form protection solution.

                   

                  Just to be clear to others, Marketo doesn't have a built-in field designed as a honeypot (i.e, a hidden input or simply nondisplayed field that is expected to be left blank, and that would only have a value if the form is submitted by a simple posting bot). A custom field needs to be created for this, together with a non-destructive back-end flow. A more intelligent posting bot -- one whose behavior is modeled on an original human form submission -- won't be deterred by the honeypot approach.

                   

                  To take it from the top: there are multiple* distinct types of unwanted marketing form posts (I'm distinguishing marketing applications from form posts in general, like in a comments section):

                   

                  [1] Real, human leads providing fake information in an attempt to get your content without being marketed to afterward.

                  [2] Hackers/scammers providing the real information of other humans in order to target those victims in automated responses.

                  [3] Hackers providing malicious data, such as malware-distributing URLs, in hopes that the information is displayed to an impersonated lead on a personalized page. This is like [2] but doesn't require an autoresponder.

                  [4] Hackers posting purposefully suspicious-looking data in order to punish the lead they are impersonating. This one is why a back-end flow needs to be non-destructive: you must protect existing leads from deletion simply because a bad form was submitted in their name.

                  [5] High-volume automated posts with no actionable payload (because the data is never displayed elsewhere). These may be used for a DoS attack even if there is no other consequence.

                   

                  A plugin like Etumos Verify (the form-integrated part, that is) deals specifically with case [1]. The assumption is the vast majority of otherwise valid leads who try -- at first -- to use non-emailable addresses or non-callable phone numbers will adapt to the restrictions of your form and switch to real contact info. Such services can also check if someone is using a domain that is known to provide disposable addresses (in an effort to create valid info that becomes invalid shortly afterward). Naturally, they cannot detect a just-set-up Gmail account that will never be checked, but they can detect addresses at the hundreds of known "disposable address" providers.

                   

                  A honeypot field covers cases [2]-[4] well, as long as untrained bots are used.  Where the honeypot stalls is when the honeypot logic is figured out by a human (which is easy since it must be in the view-source of the page). For this reason I prefer a reCAPTCHA widget over a honeypot field, since reCAPTCHA it is resistant to both dumb and smart bots: it is, I would say, unbottable.

                   

                  Unfortunately, when [2]-[4] are executed by a large mass of humans (there are services the bad guys can hire for this) instead of by machines, both honeypot fields and reCAPTCHA fall down, since the form is indeed being filled out in a browser that executes JavaScript (so it obeys the honeypot rules, and the person can also complete the reCAPTCHA correctly). reCAPTCHA does have rate limits -- both hard limits enforced by the Google code and the implicit limit of how long it takes to choose the squares with a piece of pizza or what-have-you -- which make it relatively successful vs. a honeypot in these cases. But it still can be defeated by a sufficiently wide, real-life crew.

                   

                  Case [5] is essentially unsolvable in "userland." Even if you can detect fake leads in a flow (either with a reCAPTCHA verification or honeypot emptiness check), the payload is the DoS itself against your instance, not the lead information. By the time the flow sees the data, the DoS is already in progress (and triggers that delete fake leads even increase the effectiveness of the DoS, which is a classic systems conundrum called a stampede that can be used in an amplifier attack).  Marketo has set reasonable limits on the number of form posts per minute from a given IP, so there's not much more you can do yourself on this note. But one thing you shouldn't do is circumvent Marketo's protections by using an ungoverned server-side form post or an API-based form post. Both of these options make you trivially vulnerable to DoS attacks that wouldn't be successful otherwise.

                   

                  * I could've gone on with [6] and more, but I decided to keep it short.

                  5 of 5 people found this helpful