Bot's getting through even after blocking the domain | Community
New Participant
January 4, 2023
Solved

Bot's getting through even after blocking the domain


We have blocked a domain via JavaScript, but it is still getting into our Marketo database.

We cannot replicate the behavior, because each and every time we have tried to submit the same form using any email address that they submitted, we receive an error that we cannot submit with this domain.

So behavior is:

Form submits are getting through to the database in Marketo, and they are a combination of numbers @qq.com.
QQ.com has been blocked via JavaScript, and attempts on our part to submit the form using one of the email addresses that made it through are blocked.

Help please + thank you!

Best answer by SanfordWhiteman

@sanfordwhiteman thank you. 

I don't suppose there are ways to stop them?


You want a combo of

  • reCAPTCHA (to stop machine-submitted forms from being accepted)
  • JS and/or native HTML validation (to stop non-malicious and/or non-skilled humans from submitting unwanted domains)
  • server-side validation (to stop malicious humans from submitting unwanted domains, having skipped around client validation)

However, gaps will always remain.


For example, server-side email validation detects email addresses that cannot receive mail, period. It can also detect well-known domains that give out disposable addresses. But it can’t detect domains that aren’t known for providing disposable emails — even if everything sent to those domains is deleted immediately.
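The server-side layer from the list above, sketched as an added example (not code from this thread or from Marketo). It assumes you control a server-side step that sees the submitted fields, such as a proxy endpoint or webhook handler; all function names are hypothetical, and matching subdomains of a blocked domain goes beyond what the thread's client-side check does.

```javascript
// Added example: server-side check on the raw POST body. All names are hypothetical.
const BLOCKED_DOMAINS = new Set(['qq.com']); // domain taken from the thread

// Extract the lowercased domain, or null if the value is not a plausible address.
function emailDomain(email) {
  const value = String(email || '').trim();
  const at = value.lastIndexOf('@');
  if (at < 1 || at === value.length - 1 || /\s/.test(value)) return null;
  return value.slice(at + 1).toLowerCase().replace(/\.$/, '');
}

// True when the domain or any parent domain is blocked (mail.qq.com -> qq.com).
function isBlockedDomain(domain) {
  const labels = domain.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (BLOCKED_DOMAINS.has(labels.slice(i).join('.'))) return true;
  }
  return false;
}

// Decide on a form-encoded body exactly as it arrives at the server,
// whether or not any browser-side validation ever ran.
function reviewSubmission(rawBody) {
  const email = new URLSearchParams(rawBody).get('Email');
  const domain = emailDomain(email);
  if (domain === null) return { accept: false, reason: 'invalid-email' };
  if (isBlockedDomain(domain)) return { accept: false, reason: 'blocked-domain' };
  return { accept: true, reason: 'ok' };
}

// Constructed sample bodies: the first two stand for submissions that reached
// the endpoint without the page's JavaScript validation having run.
const samples = [
  'Email=123456789%40qq.com&FirstName=a',
  'Email=123456789%40MAIL.QQ.COM&FirstName=a',
  'Email=pat%40example.com&FirstName=Pat',
  'FirstName=NoEmail',
];
for (const body of samples) {
  console.log(body, '->', reviewSubmission(body));
}
```

Because the decision is made on the received body, it applies equally to browser submissions and to requests that never loaded the form page.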

1 reply

Darshil_Shah1
Community Manager
January 4, 2023

Are you able to provide the JS (or better a webpage with the JS and form on it) so that we can have a look? Also, if you're using the formsubmit API anywhere, it might be the case that the form was submitted by an API call instead of the real form submission on the webpage (probably a long shot, but thought of checking it once).

New Participant
January 4, 2023

Sure, the form is here: https://calendly.com/resources/ebooks/how-to-guide-teams

Code basically is:

// domains that are always rejected, regardless of the free-email setting
const bannedDomains = ['qq.com'];

// freeEmailDomains and allowFreeEmailDomains are defined elsewhere on the page
const isValidEmail = (email: string, allowFreeEmailDomains: boolean) => {
   // compare the exact domain, case-insensitively, instead of a substring of the address
   const domain = email.slice(email.lastIndexOf('@') + 1).trim().toLowerCase();
   if (!allowFreeEmailDomains && freeEmailDomains.includes(domain)) {
      return false;
   }
   if (bannedDomains.includes(domain)) {
      return false;
   }
   return true;
};

// prevents form submission and displays error if email uses free domain
// (this callback runs only in the visitor's browser)
form.onValidate(() => {
   const email = form.vals().Email;
   if (email) {
      if (!isValidEmail(email, allowFreeEmailDomains)) {
         form.submitable(false);
         const emailElement = form.getFormElem().find('#Email');
         form.showErrorMessage(allowFreeEmailDomains ? 'Domain not allowed' : 'Must be a business email', emailElement);
      } else {
         form.submitable(true);
      }
   }
});


New Participant
January 4, 2023