samj06012008 2008-11-06T07:03:31Z It's interesting that this issue has been open for over two years now, and yet it doesn't appear that any attempt has been made to fix it. rick_razzano 2008-10-27T14:21:21Z What is it going to take so that someone at saleforce weight in on this topic? brenwyn99 2008-10-14T17:27:20Z I have been dealing with the spam problem for years. I am also outraged that it continues to not be dealt with. stopthespam 2008-07-25T13:31:28Z I do not want to deal with spam, so will be using another lead tool until Salesforce fixes this! So, please, fix this problem! cb4 2008-06-24T10:49:47Z The only reasonable solution seems to be running all the input through askimet, which is gonna cost $50 per month for a commercial license: http://akismet.com/commercial/ Also, you need to be running running PHP5. Most of my leads contain duplicate first and last names like the following 3 examples: "ins05 ins05" , "blackjack blackjack" , "online casino online casino" etc. Are others seeing the same type of spam? Could this be the work of a handfull of spammers using scripts and cycling through random OIDs? CameronS 2008-05-30T09:13:00Z This is by far the most annoying feature of SalesForce that makes me want to switch to something else. I have long since secured my OID in my login form (using C#) - but that doesn't matter - spammers know my OID and bypass the login form and programmatically create cases. I only want cases to come from my customer login form page on my web site. The validation rule work around Salesforce recommends is too limited, and the various other work arounds Salesforce suggest are not solutions. Spam will still get in because people can submit it with only the barest essential fields. You also cann't change your OID, Salesforce told me there was no way to do this. All in all - this is disappointing how Salesforce does not take security seriously. I submitted multiple cases about this and was not given a secure solution that would eliminate the chances of receiving web to case spam. saariko 2008-05-15T21:57:26Z I want to add my note on the CAPTCHA option. It's very important to include a Humanized test during the filling/posting of the process. Can a SF representative comment on this? hemm 2008-01-30T10:59:27Z An update on my free PHP script located at http://sfdc.arrowpointe.com/2007/05/24/fight-web-to-lead-spam-w-akismet/. The script uses an anti-spam service called Akismet, which rocks. I implemented it in July 2007 on my websites. It is now January 30, 2008 and today was the FIRST TIME that the script allowed a piece of spam through. Up until today, I had never had a false positive (something marked as spam that shouldn't have been) and never had a spam lead come through and not be identified as spam. That's a pretty good track record. Everything you need to implement it yourself is located at http://sfdc.arrowpointe.com/2007/05/24/fight-web-to-lead-spam-w-akismet/. I'd suggest you check it out. It works really well. kpmooney 2008-01-23T14:16:36Z We have seen spamming or even "key pound" entries as a problem when implementing a web-to-lead solution. Unfortunately the Salesforce web-to-lead system leave you exposed to the spam of multiple methods. If you are interested, Predictive Response has released FormCheck to not only eliminate spam worries, but also hides the OID, provides enhanced filtering, lead validation, and catagorization on input to Salesforce using your exhisting Salesforce Web-to-lead forms. FormCheck is available on AppExchange as a get it now solution. http://www.salesforce.com/appexchange/detail_overview.jsp?NavCode__c=a0130000006P6IoAAK-e3&id=a0330000003hr4TAAQ bondtracvp 2008-01-10T09:12:18Z The CAPTCHA option seems like a good solution. Salesforce has already implemented it on their forms. So they have the ability to provide it to us. rglazer@tacoda.com 2007-12-06T17:17:44Z We are also experiencing the SPAM issue and would like to see an official solution from Salesforce.com. Thanks andysernovitz 2007-12-06T17:17:43Z Spam protection is a basic responsibility of any hosted software vendor. It is obscene that Salesforce has ignored this urgent problem for more than a year. At the very least, they could implement a simple captcha option. diegarte 2007-12-06T17:17:26Z Spamming is a major problem when implementing a web-to-lead solution. Unfortunately the default Salesforce web-to-lead utility does not provide any anti spam functionalities yet, which might prevent some Salesforce user to successfully implement an effective Web-to-Lead strategy. For anyone willing to fill the gap between their website and Salesforce without worrying about spam, I suggest using FormVester (available form the AppExchange). FormVester generate leads form any of your existing online forms, without the hassle of reprogramming them…and it is spam-free. The reason is that, it works by adding a snippet tracking code into your website pages (that will execute a hosted script), so that, no OID number is ever exposed in the source code of the page. Spam bots are then not able to take advantage of this number ensuring a clean spam-free lead generation. An interesting other thing about FormVester, as opposed to the default Salesforce Web-to-Lead utility, is that it always checks if a lead already exists in Salesforce before creating/updating it (using a 6 rules based filter) so that it will never duplicate the lead. Give it a try! <a href="http://www.salesforce.com/appexchange/detail_overview.jsp?NavCode__c=&amp;id=a0330000002YXhxAAG"> FormVester for AppExchange</a> StrataSteve 2007-12-06T17:16:55Z Solution 00006228 does not help once your OID has been discovered by these spammers. Per support, SF will not change your oid, so you are stuck receiving the spam. We are using a simple validation rule since our spammers are using same first/last name, but I do not want to have to analyze every piece of obscene garbage that makes it in to write a new rule for it. Please set up whitelisting of domains. I know it isn't perfect, but it will surely make the web to lead process work for us again. JMcLeodFEWA 2007-12-06T17:16:50Z I am currently implementing my associations Web-to-lead form. Obviously i've been looking at potential problems, it seems spam is a very real problem with web to lead. Is it possible that you could incorporate a word-verification or visual verifical field like GMail or any email host uses to fight the account spam? I've been researching this, i am just unsure on how to implement it. Would it solve anything? Is the real problem OID and that would bypass any field requirement like the visual verification? glowitz 2007-12-06T17:16:47Z This is a very important area (Spam Prevention). We recently switched to SFDC specifically because our site had gotten circulated as an easy target for unsolicited content. We don't want to create another management chore of parsing through the data. Hopefully the temporary workaround noted by "benjasik" on Feb 13 will allow for forms to be submitted from different pages on the website, since we use the web-to-lead and web-to-case forms on various pages depending on the context of the content. Presumably this would also work for Web-to-Case? Coincidentally, I just sent a support ticket earlier today on this very subject but didn't know to ask about 00006228 solution ID. I will append my ticket to request that info. Thank you. Kumar,_Sena 2007-12-06T17:16:40Z Yes. We're also receiving spam data from one of the web-to-lead forms. Looks like a spammer caught the html code and sending automated messages. Please add a feature in such a way that is will filter the spam data leads. Kumar hemm 2007-12-06T17:16:32Z I created a PHP script that you can use to post your web to lead forms to. Prior to passing the data to Salesforce.com web to lead, it uses the Akismet spam detection service to check whether it's spam or not. It will then set a Salesforce field to true/false depending upon the result. You then have the power of Salesforce to process leads based upon values in that true/false field. Check it out at http://sfdc.arrowpointe.com/2007/05/24/fight-web-to-lead-spam-w-akismet/. benjasik 2007-12-06T17:15:56Z We're aware of this issue, and have created a solution that leverages validation rules for short-term relief until we can address it in the core product. <br /><br />Ask support for solution 00006228. We're working on making it public, but here's the basic idea:<br /><br />It involves using javascript to set a hidden field to the document location, and then using validation rules to check for this. It’s basically obfuscating a shared secret, with the assumption that most bots won’t set the document.location property and fill in the hidden field. This trick also involves allowing regular users to create leads in the UI, which involves passing another hidden field that’s always set in the web2lead form. RickKlau 2007-12-06T17:15:55Z This particular issue is an incredible frustration for us. I just deleted better than 10,000 spam leads generated using this script exploit. What's worse, Level 2 support at Salesforce claimed it was my issue and that there was nothing that they could do about it. Salesforce should leverage the open source Akismet system (originally developed for use by weblog apps) - it's designed specifically to block successful form submission by automated bots like those that are currently rendering web-to-lead a huge annoyance for us. ForceForSale 2007-12-06T17:15:31Z Or alternatively create a PHP validation script as a standard feature that includes the form web2lead. Salesforce should have some advise on hiding you oid and hidden fields shapoor 2007-12-06T17:15:26Z One customer suggested we allow an option to filter the record submission based on IP address of webservers hosting the Forms as well - although still not secure the flexibility to add these types of restrictions would make it more challenging to SPAM the target. NetGenIT 2007-12-06T17:15:25Z We are having this SPAM problem also. Would like to see some kind of solution...