Spammers submitting the form even with ReCaptcha

We are also having issues with using google recaptcha v2.0. where we are getting a lot of spams going through.

Do you support recaptcha V3.0? I have tried and doesn’t work.

@mordekai – How do you know which version of recaptcha you are using? I only see the 2 options in Brilliant Web-to-Lead for Salesforce of the Captcha type:

1. Built in
2. Google ReCaptcha

How do you get a different version?
Thank you.

Google ReCaptcha = v2

v3 is not supported yet

Spam though the form or spam direct to Salesforce Web to Lead?

Hi Nick, it is spam direct to the Salesforce Web to Lead when the form is submitted. Hope this helps. Thank you.

Ok, so. The Web to lead API is open and requires no authentication. If they know your OrgID (i.e. you ever used the Salesforce generated form) they can send spam direct to Salesforce all day long, bypassing the plugin/form.

If you’re also getting email notifications of form submissions, then they are bypassing Google ReCaptcha as well.

ReCaptcha v3 just is “transparent” (no box to check) but uses the same heuristics so if they are defeating v2, v3 isn’t going to stop them either.

• This reply was modified 3 years, 3 months ago by Nick Ciske.

Hi Nick,
Maybe I am misunderstanding. I created the forms in WordPress via the plug-in and linked our Salesforce ID to it. I am using the shortcode: [salesforce form=”#”] on our page and letting the plug-in do the rest of the work. Is this something different? and is there a way to close the API so that they do not bypass the plug-in/form?
I will double check about the emails, as they do not come to me. Thank you for your reply.

Hi I am getting the same issue, the google recaptcha is showing but spammers are bypassing it a lot. The org id is not leaked from anywhere else, it only started happening after installing this plugin

Some form URLs would be helpful – I can’t troubleshoot what I can’t see.

https://zentso.com/contact-us

I noticed the “Require reCAPTCHA Verification” was not enabled in salesforce. after I enabled the form stopped working with no errors, leads don’t get created

You should not enable the recaptcha setting at Salesforce – that’s for their form generator tool that used their recaptcha keys.

Enabling that will cause all lead generation to fail.

Ok I disabled it again, but the spam issue still applies I only enabled it after to try to stop it.
Why don’t you use the salesforce recaptcha and just hide the oid?

I’ve considered it, but as the plugin then cannot validate the captcha is valid (as it doesn’t have the secret) before sending to SF… you end up with zero feedback to the user that a failed recaptcha caused their lead to vanish into thin air… and possibly none to the site owner either.

So it’s kind of a catch-22.

Ok, do you intent to find and fix the bug with recaptcha? Otherwise I have to move to another plugin soon.
Thanks

Which bug are you referring to?

The issue with Salesforce’s lax security causing spam issues for many years (which is part of why this plugin exists)? I can’t fix that — it’s a Salesforce issue.

The issue where I can’t use Salesforce’s recaptcha key? As I explained: that’s not really fixable as they hold the secret key.

The issue where some spammers appear to be getting around recaptcha? If they get around one, they can get around Salesforce’s.

Would a blacklist help? Maybe, but then you have moderation, false positives, etc. they are challenging to keep current when the spammers move so quickly these days.

Would an Akismet or similar integration help? Maybe but then you have moderation, false positives, etc. If someone wanted to fund development of that, that’d be great, but outside that, it’s unlikely.

It’s a free plugin and a free country… do whatever works for you.