Dealing with Spam or Bot Form Fillouts

We've added a script from BriteVerify Email Verifier and it works to block disposable domains, and validates all domain submissions. As an email is entered in the form it is verified and accepted or rejected. Fraud prevention is in place too, after 5 attempts, the IP is blocked temporarily and the user is asked to check their email inbox and click on the verify email address CTA.

We're currently testing it on a single landing page and are impressed with the results.

I've been told by our own product team that if the bot already has the URL, then reCAPTCHA won't stop it.

Seems they don't understand how ReCAPTCHA works!

First, ReCAPTCHA doesn't stop the form post from going on the wire (nothing can).  It allows you to detect whether the posted data was spam, by comparing the unique ReCAPTCHA signature -- if there is one, if no sig at all, it's obviously spam -- with the correct human response.

So even if a bot knows your URL, if you enforce the rule that anything posted to that URL must have a valid ReCAPTCHA response, you will easily tell what's spam.

If we put reCAPTCHA on the form that's currently being flooded, will it stop the spam? I've been told by our own product team that if the bot already has the URL, then reCAPTCHA won't stop it.

Of course, the visible form isn't used to process the bot submissions.  If you delete the form then the form ID will no longer exist.

If you're saying this is why not to use ReCAPTCHA, no, that's exactly why you do use ReCAPTCHA, because it's intended to require a human hand in the process.

The form is down (removed from the landing page) and we are still getting submissions/records created. 400+in the last 10 minutes.

We're trying to avoid reCAPTCHA.

Because... ?

Has anyone figured out how to prevent record creation based on criteria, or at least prevent syncing to SFDC based on criteria?

Persons don't automatically sync to SFDC unless you're adding them to a synced Marketo Campaign. You always have control over this in a flow. So yes, you can always prevent syncing to SFDC by not calling Sync to SFDC or by not adding them to a campaign.

We've been under a bot attack for the last 48 hours straight and client-side solutions like honeypots and preventing specific email domains from submitting simply doesn't work. We're trying to avoid reCAPTCHA.

Has anyone figured out how to prevent record creation based on criteria, or at least prevent syncing to SFDC based on criteria? Our immediate issue is that Marketo has maxed SFDC's API limit and since this is a continuous attack, we have no way of stopping it other than removing the sync between SFDC and Marketo.

We were dealing with the same thing. Tried the the honeypot Implementation and it didn't stop the submissions. We couldn't have the reCAPTCHA on the form so I made a smart list to filter out the spams from our DB (using their domain as unique identifier) monitored it for a while when I was 100%  that it only filters out the spams, I created a program to automatically delete the spams from DB. There are anomalies though because sometimes they do hit us with a random domain but its still better...

Juliet, a few tips when using the ReCAPTCHA (if you haven't figured this out on your own):

• ReCAPTCHA responses can only be verified once on the server -- after that, they will always return false (this is a security mechanism).
• Store ReCAPTCHA pass/fail as DateTime fields, not Booleans (Last ReCAPTCHA Success, et al.). This is far better for later visibility.
• Make sure you don't treat existing leads the same as new leads. You don't want to delete a legit lead because somebody failed ReCAPTCHA with that lead's Email Address.

We're dealing with the same thing right now.  Put in the honeypot field and it didn't stop the submissions.  Working on the reCAPTCHA now.