
Fighting Salesforce Web-to-Lead Spam

I was recently tasked with fighting spam coming from contact forms on a website that uses Salesforce's web-to-lead feature.

The contact form in question had previously posted to another PHP page, which checked a hidden field against a known value and, if the received value matched, emailed the lead to the team. This is a very basic but effective spam deterrent, as bots tend to change the value of the field. But then the form was redone to post directly to Salesforce with all the data Salesforce needs to create a lead. While this resulted in a much simpler lead-creation process, it also resulted in a lot of spam, since the “spam detection” step was no longer in the path.

As I was rolling up my developer sleeves to write a simple PHP proxy to do spam detection and then post from PHP to Salesforce, I stumbled on this bit of documentation from Salesforce on their web-to-lead feature:

Salesforce runs field validation rules before creating records submitted via Web-to-Lead and only creates records that have valid values.

Inspired, I decided to try a pure-Salesforce spam deterrent hack. Add a field like this to your web form:

<!-- Hidden honeypot field: a person never sees it, but a bot that fills in every text field will change its value. -->
<label for="spam" style="display:none; visibility:hidden">
    Don't change the value of this field or it won't be processed!
    <input type="text" id="spam" name="spam" value="notspam" />
</label>

Now in Salesforce we set up a field validation rule that requires the field called “spam” to equal “notspam”. When a bot changes the contents of this field, Salesforce sees that the incoming web data violates the rule and won’t create the lead record. While it's not perfect, I hope it's good enough.

We can take the field validation rules a step further. Assuming you have some front-end validation (e.g., some fields are required, some like email must have a certain format, etc.), you can replicate this validation on the backend via Salesforce field validation rules. This ensures that any record meets the minimum criteria your UI requires before it is accepted, even when a bot posts straight to the endpoint and bypasses the browser-side checks entirely.
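To make the two checks above concrete, here is an added example (my own code, not from the original post or from Salesforce) of the server-side logic the validation rules stand in for: an untouched honeypot plus the same required-field and email-format rules the front end enforces. The field names `first_name`, `last_name` and `email`, and the Salesforce API name `Spam__c` mentioned in a comment, are assumptions.

```python
import re

# Honeypot field as added to the web form above (name="spam", value="notspam").
# A bot that rewrites the value reveals itself. In Salesforce the equivalent is a
# validation rule whose formula is true when the record must be rejected, e.g.
#   Spam__c <> "notspam"        (custom field API name assumed)
HONEYPOT_FIELD = "spam"
HONEYPOT_VALUE = "notspam"

# Rules the front end already enforces, mirrored here so a direct POST that
# skips the browser is held to the same standard. Field names are assumed.
REQUIRED_FIELDS = ("first_name", "last_name", "email")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_lead(form: dict) -> list:
    """Return the list of rule violations; an empty list means the lead is accepted.

    Plays the role of the Salesforce field validation rules described in the
    post: honeypot untouched, required fields present, email well formed.
    """
    errors = []
    # A missing honeypot is treated the same as an altered one: a form that
    # never rendered the field cannot have been submitted by a real visitor.
    if form.get(HONEYPOT_FIELD) != HONEYPOT_VALUE:
        errors.append("honeypot field altered or missing")
    for name in REQUIRED_FIELDS:
        if not (form.get(name) or "").strip():
            errors.append(f"{name} is required")
    email = form.get("email") or ""
    if email and not EMAIL_RE.match(email):
        errors.append("email has an invalid format")
    return errors


def is_spam(form: dict) -> bool:
    """True when the submission violates at least one rule."""
    return bool(validate_lead(form))


if __name__ == "__main__":
    # Constructed sample submissions: one genuine, one from a bot that
    # stuffed a URL into every text field it could find.
    genuine = {"first_name": "Ada", "last_name": "Lovelace",
               "email": "ada@example.com", "spam": "notspam"}
    bot = {"first_name": "Buy", "last_name": "Now",
           "email": "not-an-email", "spam": "http://spam.example"}
    print("genuine:", validate_lead(genuine))   # []
    print("bot:", validate_lead(bot))           # two violations
```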

Now, if only we could just do a referrer check before saving a record…

For those of you who want something a bit more advanced: if we discover this method isn’t good enough, I’m going to try adding Akismet into the web-to-lead process.

What techniques do you use to fight Web-to-Lead spam?

Posted in Tutorials.

4 Responses


  1. Kristen says

    How do you set up the field validation in Salesforce that checks for a field called “spam” to equal not “notspam”? I have added the HTML code to my form. Sorry – I’m a Salesforce newb.

    I see where I add the field validation rules, but I'm not sure what code to input to achieve this. Also, is there a way to test this? Or is it just wait and see if we get less spam?

    • codyaray says

      Unfortunately, I just worked with our Salesforce expert guy to create the field validation rules. I don’t remember where they were or have access to Salesforce myself to retrace the steps now. But once you have Salesforce set up, you can test it by manually submitting the form using something like curl, but that’ll take someone with a bit more dev experience to help. If I recall, we actually found that the hidden field didn’t help as much as just adding Salesforce validation rules to match those enforced by your form itself (i.e., certain fields required, email to have a certain format, etc.). It's not much to go on, but I hope it helps.

  2. Kristen says

    Okay – thank you for your response! We’ll tinker with those validation rules some more.

  3. Frank says

    I found the source of why I was getting spam; the website below explains the problem. Remove the Salesforce account number from the HTML code and you won’t need to mess around with validation rules or other spam-fighting techniques.
