Preventing Web-to-Lead Spam Entries
Overview
The Web-to-Lead form is placed on a public website where you generate leads from prospective customers who visit the site. As it turns out, spam bots love your site as well. This article describes how to fix this issue without modifying the Sugar source code.
Resolution
This solution comes from a forum post from one of our community members. Kudos to the author of this post:
1. Remove the Javascript from the page the form is on and link to it instead. In other words, the Javascript should be placed in its own file and then linked to in the header of the page. For the formvalidation.js example, please be sure to not include the HTML tags when copying the code to your JavaScript file.
Example WebToLeadForm Page
<head>
  <script language="JavaScript" src="formvalidation.js" type="text/javascript"></script>
</head>
<body>
  <!-- this is where your WebToLeadForm is with NO javascript directly on the page -->
</body>
Example formvalidation.js
<script type="text/javascript">
function submit_form(){
    if(typeof(validateCaptchaAndSubmit)!='undefined'){
        validateCaptchaAndSubmit();
    }else{
        check_webtolead_fields();
    }
}
// --------------- more code ---------------
// All this code should have just been copied and pasted from your form page to this javascript page
</script>
2. Remove the action="http://somewebsite.com/crm/index.php...bToLeadCapture" from the form line. Our spam bots didn't care for the Javascript validation and were just submitting the form directly to the source. Example:
<form name="WebToLeadForm" method="POST" id="WebToLeadForm">
3. Add the following Javascript to your Javascript file (formvalidation.js):
document.WebToLeadForm.action = "http://somewebsite.com/crm/index.php...bToLeadCapture";
Example:
<script type="text/javascript">
// -------------- some code ----------------
        if(req){
            document.WebToLeadForm.action = "http://somewebsite.com/crm/index.php?entryPoint=WebToLeadCapture";
            document.WebToLeadForm.submit();
            return true;
        }
        else{
            alert('Please provide all the required fields');
            return false;
        }
        return false
    }
    else{
        document.WebToLeadForm.action = "http://somewebsite.com/crm/index.php?entryPoint=WebToLeadCapture";
        document.WebToLeadForm.submit();
    }
// ------------------ email javascript code -----------
</script>
4. Further Prevention of Spam. Step 3 took care of bots submitting to the form action; this step will take care of bots completely (hopefully). Add a hidden form field to your form called "human", or whatever you like, and set its value to 0. Example:
<input type="hidden" id="human" name="human" value="0">
Add a Javascript function to your Javascript file which will detect browser activity and change this value from 0 to something else (i.e., when someone clicks on your form and begins to fill out their last name, the human value will change from 0 to something else, seeing as it is a person filling out the form and not just a bot). Example Javascript Function:
<script type="text/javascript">
function validateHuman(){
    document.getElementById('human').value = "55";
}
</script>
Now add the following code inline in the "req" validation to prevent the form from being submitted if the "human" value hasn't been changed to what you require:
&& document.getElementById('human').value == '55'
Example:
<script type="text/javascript">
// -------------- some code ----------------
        if(req && document.getElementById('human').value == '55'){
            document.WebToLeadForm.action = "http://somewebsite.com/crm/index.php?entryPoint=WebToLeadCapture";
            document.WebToLeadForm.submit();
            return true;
        }
        else{
            alert('Please provide all the required fields');
            return false;
        }
        return false
    }
    else{
        document.WebToLeadForm.action = "http://somewebsite.com/crm/index.php?entryPoint=WebToLeadCapture";
        document.WebToLeadForm.submit();
    }
// ------------------ email javascript code -----------
</script>
Now all you need to do is activate the function when someone types into one of your required fields, such as "last_name". Example:
<input id="last_name" name="last_name" onchange="validateHuman();">
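Steps 1 to 4 combined into one formvalidation.js, as an added example that is not the forum post's or Sugar's own code. It assumes the form is sent with a type="submit" button and attaches the "human" handler from the external file instead of an inline onchange; CAPTURE_URL, HUMAN_TOKEN, REQUIRED, armHumanFlag and trySubmit are names chosen here for illustration.

```javascript
// Added example: steps 1-4 in a single external formvalidation.js.
// ASSUMPTIONS: the constants and function names below are illustrative,
// and the form is submitted with a type="submit" button.
const CAPTURE_URL = "http://somewebsite.com/crm/index.php?entryPoint=WebToLeadCapture";
const HUMAN_TOKEN = "55";        // value the page's validateHuman() writes
const REQUIRED = ["last_name"];  // names of the required fields in your form

// Step 4: flip the hidden "human" field when a required field is changed.
function armHumanFlag(form) {
  const mark = () => { form.elements.human.value = HUMAN_TOKEN; };
  for (const name of REQUIRED) {
    form.elements[name].addEventListener("change", mark);
  }
}

// Steps 2-3: the HTML carries no action attribute; it is set here, and only
// after the required-field check and the "human" check have both passed.
function trySubmit(form) {
  const missing = REQUIRED.filter((n) => form.elements[n].value.trim() === "");
  if (missing.length > 0) {
    return { sent: false, reason: "required:" + missing.join(",") };
  }
  if (form.elements.human.value !== HUMAN_TOKEN) {
    return { sent: false, reason: "human" };
  }
  form.action = CAPTURE_URL;
  form.submit(); // programmatic submit() does not re-fire the submit event
  return { sent: true, reason: "" };
}

// Browser wiring; skipped when the file is loaded outside a page.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    const form = document.getElementById("WebToLeadForm");
    armHumanFlag(form);
    form.addEventListener("submit", (event) => {
      event.preventDefault();
      const result = trySubmit(form);
      if (result.reason.startsWith("required:")) {
        alert("Please provide all the required fields");
      }
    });
  });
}
```

These checks run only in the visitor's browser; the WebToLeadCapture entry point itself is left unchanged, in keeping with the article's constraint of not modifying the Sugar source code.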