Forms serve as a valuable point of entry to your Marketo Engage database for your prospective and existing customers to express interest in your business. They also serve as a portal for malicious actors to flood your database with junk data, hoping to trigger emails to use in phishing attacks, to overwhelm your business services, or to DDoS our platform. We are rolling out enhancements to strengthen the security of Marketo Engage forms to address this growing problem in the industry.


These features are releasing throughout Q3 2020 and will be available to all Secured Domains for Landing Pages customers. No changes to your forms or landing pages are needed to take advantage of these enhancements.


EDIT: We have delayed the rollout of our form field validation to Q1 2021 to ensure a high level of quality.


Bot Spam Blocking

We have identified bot patterns common among most spam attacks on Marketo Engage forms. These patterns were identified by examining form data captured in bot attacks for values that were impossible to have been submitted by a human submitter. This new feature will introduce server-side validation on standard Marketo Engage form fields that will reject submissions of illegitimate values that match these bot patterns.


Sever-side form field validation

Today, Marketo Engage forms enforce field data rules with client-side Javascript validation that is easily circumvented by bots or users that disable scripting in their browsers. To address this, we are enhancing forms with server-side validation of form field rules. These include:

• Validation of field type. For example, checkbox form fields must be submitted with boolean values; numerical form fields cannot contain alphabetical characters, etc.
• Presence of required fields
• Values in Select type fields must match the configured list of values
• Configured max length of field value is not exceeded
• Numerical values fall within the configured minimum and maximum values

Submissions to Marketo Engage forms that fail validation will return an error with the offending field highlighted with an error message. 


Frequently Asked Questions:


Can my business define its own custom logic for rejecting form submissions based on submitted field values?

Unfortunately, not at this time.


Should my business continue to use CAPTCHA, honeypots, or Javascript validation on our forms?

We anticipate these enhancements will reduce the need for solutions such as CAPTCHA or honeypots, but they can still serve as an additional layer of security against bots for your forms. Custom Javascript validation will continue to give your business granular control over form field validation on your landing pages and web pages.


Will you block specific IP addresses we commonly see associated with spam?

IP addresses on the internet are often dynamic and are recycled by ISPs to be used by multiple devices. Blocking an IP address could result in legitimate visitors unable to fill out your forms. It is also trivial for an attacker to switch to a different IP address or use a distributed network of IP addresses to spam your forms, which makes IP address blocking an ineffective long-term strategy.