3

Hi, I have a Pardot form handler set up on a website for a client and it is receiving a lot of spam submissions. We set up a honeypot and reCAPTCHA and while they are working, they do not seem to be effective in stopping the spam.

We now think the spam submissions are coming from outside our site. I set up a field on our site that sends the URL of the page to Pardot when the form is submitted. The ones we sent from our site have the correct URL, while the spam submissions don't have the field filled out at all.

Has anyone come across something like this and how did you stop the spam?

3 Answers

2

I just stumbled across this question now so you may have already got a solution. If not...

There are bots out there that will be looking for forms that post to Pardot and spamming them. The bot will hit the Form Handler URL directly (e.g. go.pardot.com/l/2232) - it will not actually fill in the form on your site. It seems like you may have already tried to use the Pardot honeypot technique: https://help.salesforce.com/articleView?id=pardot_forms_add_honeypot.htm&type=0

Alas, this won't really work as the bots aren't filling in those fields.

Some possible solutions:

  • Use a Pardot Form, instead of a Pardot Form Handler, if you can. These forms have additional spam protection.

  • Instead of your form posting directly to Pardot, send the information to another service first and try to detect spam there. For example, we use WordPress forms and we clean out spammy enquiries within the WordPress code before sending it on to Pardot (using cURL). You'll need your web developer to help with this though.

  • Lastly, use unique "External Field Names", combined with the Honeypot technique listed above. So instead of field names such as "firstName", "phone" etc., use "web_first_name", "web_phone".

Mark
1

I have come across the same issue - Bots attack Pardot Form Handlers and their URLs.

A bot is scraping our website, looking for the form URL. Then later they target precisely this URL separately and that's why captcha or honeypot or anything done on the actual website is not helping!

How did I solve this?

Instead of the form posting to the Pardot Form Handler URL, I changed so that the form is posting to our own server side. Then from our server side we're posting to the Pardot Form Handler URL, but only if the visitor is not a bot.
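
One way to implement the server-side relay described in the two answers above, as an added example that is not code from either poster. The field names `web_fax` and `page_url`, the site origin and the handler URL are assumptions or placeholders; the missing-page-URL check mirrors what the question observed about the spam submissions.

```javascript
// Added example: server-side gate in front of a Pardot Form Handler.
// All field names, the origin and the handler URL are assumptions/placeholders.
const SITE_ORIGIN = "https://www.example.com";              // assumed: the client's site
const HANDLER_URL = "https://go.example.com/l/000000/placeholder"; // placeholder, server-side only
const HONEYPOT = "web_fax";      // assumed hidden field that humans leave empty
const PAGE_FIELD = "page_url";   // assumed field the site's own form always fills
const FORWARD = ["web_first_name", "web_email", "web_phone", PAGE_FIELD];

// Returns { ok, reason } for one parsed form body (plain object of strings).
function classifySubmission(fields) {
  if ((fields[HONEYPOT] || "").trim() !== "") return { ok: false, reason: "honeypot_filled" };
  const page = (fields[PAGE_FIELD] || "").trim();
  if (page === "") return { ok: false, reason: "page_url_missing" };
  let origin;
  try {
    origin = new URL(page).origin;
  } catch (err) {
    return { ok: false, reason: "page_url_invalid" };
  }
  // Compare the parsed origin, not a string prefix, so look-alike hosts fail.
  if (origin !== SITE_ORIGIN) return { ok: false, reason: "page_url_foreign" };
  return { ok: true, reason: "accepted" };
}

// Builds the urlencoded body sent on to Pardot: allow-listed fields only,
// so the honeypot and any unexpected parameters are dropped.
function buildForwardBody(fields) {
  const body = new URLSearchParams();
  for (const name of FORWARD) if (fields[name]) body.set(name, fields[name]);
  return body.toString();
}

// Relays an accepted submission; `post` is injectable so it can be tested offline.
async function relay(fields, post = fetch) {
  const verdict = classifySubmission(fields);
  if (!verdict.ok) return verdict; // dropped: never reaches Pardot
  const res = await post(HANDLER_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildForwardBody(fields),
  });
  return { ok: res.ok, reason: res.ok ? "forwarded" : "handler_error" };
}
```

A relay like this only helps when the handler URL no longer appears in the page source, and a handler URL that bots already know can still be posted to directly until it is replaced.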

0

I've removed the url from the form action and set it dynamically once the submit button is being clicked. That moment, I am combining the url in several steps, e.g.

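// Assemble the form handler URL in pieces so it never appears whole in the page source
let actionURL = "https://";
actionURL += "go.company.com";
actionURL += "/1234445457/deeger";
actionURL += "/sdfsddffffd";

// Set the action only at submit time, then submit the form
$('#subscribeForm').attr('action', actionURL);
$("#subscribeForm").submit();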

This prevents the bot from scanning the url on the form in plain text.

If the endpoint url is already compromised, you have to create a new form handler first.

JonSnow