2 Replies Latest reply on Feb 24, 2014 1:23 AM by 8442

    Spam attacking Forms

      My Marketo forms are getting spammed. I think it is a botnet since it comes in spikes and most seem to be from Florida. Is there any way to block or filter this? I understand CAPTCHA isn't an option with Marketo forms.
        • Re: Spam attacking Forms
               Marketo has a built-in protection via a hidden field called marketo_comments. Basically, if this gets filled out by a bot, it does not allow the form to submit. Since that is not working for you... you could test asking a basic question like what is 1+1, and if their answer does not match it would delete the lead.
                
               Do yourself a favor and take a look at these spam records and see if you can find any additional similarities (besides being from Florida) between them e.g. inferred company. 
                
               Hope that helps!
                
               - Jeff
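
The comparison of spam records suggested above, as an added example that is not part of the original thread: it isolates the submissions that arrive in a spike, finds the field values most of them share, and counts how many leads outside the spike the same filter would also remove. The records, the field names and the thresholds are constructed assumptions, not Marketo's export schema.

```python
from collections import Counter

# Constructed sample of exported form fills. Field names are assumptions
# made for this example, not Marketo's export schema.
LEADS = [
    {"created": "2014-02-20 03:01", "state": "FL", "inferred_company": "Example Hosting", "email": "a1@mail.example"},
    {"created": "2014-02-20 03:02", "state": "FL", "inferred_company": "Example Hosting", "email": "b7@mail.example"},
    {"created": "2014-02-20 03:02", "state": "FL", "inferred_company": "Example Hosting", "email": "zz@mail.example"},
    {"created": "2014-02-20 03:04", "state": "FL", "inferred_company": "Example Hosting", "email": "q9@other.example"},
    {"created": "2014-02-20 10:15", "state": "FL", "inferred_company": "Sunshine Retail", "email": "ann@sunshine.example"},
    {"created": "2014-02-20 14:40", "state": "NY", "inferred_company": "Acme Corp", "email": "bob@acme.example"},
    {"created": "2014-02-21 09:05", "state": "FL", "inferred_company": "Gulf Logistics", "email": "cy@gulf.example"},
]
FIELDS = ("state", "inferred_company", "email_domain")


def enrich(lead):
    """Copy the record and add the e-mail domain as its own field."""
    return {**lead, "email_domain": lead["email"].rsplit("@", 1)[-1].lower()}


def split_by_spike(leads, threshold=3):
    """Separate leads created in an hour with >= threshold submissions from the rest."""
    leads = [enrich(l) for l in leads]
    per_hour = Counter(l["created"][:13] for l in leads)  # bucket key: "YYYY-MM-DD HH"
    burst = [l for l in leads if per_hour[l["created"][:13]] >= threshold]
    rest = [l for l in leads if per_hour[l["created"][:13]] < threshold]
    return burst, rest


def candidate_filters(leads, threshold=3, min_share=0.75):
    """Per field: the value most burst records share, and how many
    non-burst leads a filter on that value would also remove."""
    burst, rest = split_by_spike(leads, threshold)
    report = {}
    if not burst:
        return report
    for field in FIELDS:
        value, hits = Counter(l[field] for l in burst).most_common(1)[0]
        if hits / len(burst) >= min_share:
            collateral = sum(1 for l in rest if l[field] == value)
            report[field] = {"value": value, "burst_hits": hits, "collateral": collateral}
    return report


if __name__ == "__main__":
    for field, row in candidate_filters(LEADS).items():
        print(field, row)
```

On this sample, a filter on the state matches every spike record but also two leads outside the spike, while the inferred company matches the spike records only.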
          • Re: Spam attacking Forms
                 Marketo implements a native mechanism that is very standard across the industry. You will find nearly identical implementations in Salesforce, SugarCRM, Oracle, SAP, Amazon, Google and many more. 
                  
                 Spambots are and will remain an annoyance in the foreseeable future. It is just like vandals in the real world. 
                  
                 Combating spambots is a cat and mouse game: we create mechanisms to deflect or deter them, they explore new ways, come back again until another door is closed, and that goes on. They tend to target database-driven websites because they know that is where it is going to cause the most inconvenience.
                  
                 Modern web applications implement browser-side validation to relieve servers from intense processing. That is what Marketo, Google, Amazon and Facebook do (add your favorites to that list). Most spambots take advantage of client-side validation, executed by JavaScript. The trick is simple: disable JavaScript to run browser attacks.
                  
                 An extremely simple yet very effective solution is adding a noscript tag.
                 It evaluates whether the browser has JavaScript enabled. It executes instructions between the noscript opening and end tags. You can enter a message such as "Please enable JavaScript to fill out the form" and then redirect to any deflection page, which could be the homepage or even a more drastic approach, a completely invalid one forcing an HTTP 404.

                 Open the landing page being attacked, click "Landing Page Actions" on the top right corner and select "Edit Page Meta Tags".
                 Enter the following extract on Custom head HTML - replace www.example.com with your homepage or any URL, including an invalid one to force an HTTP 404:

                      <noscript>Please enable JavaScript!
                      <META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://www.example.com/?r=us">
                      </noscript>