Salesforce spam: fixing web-to-lead

For more than 3 years, I’ve been a very happy Salesforce.com user. Unlike more bloated CRM applications that require training, lengthy implementation cycles and user revolt, Salesforce.com is in the sweet spot of sophistication and simplicity. For us at FeedBurner, it’s been a great way to scale our lead management and is taking a growing role in proactive communication with customers and partners. Its web-to-lead feature, which lets you connect a web form to your Salesforce.com install to seamlessly create leads within Salesforce.com, is great.

Over the last 9 months, however, we’ve been plagued by a phenomenon all too common with weblog publishers: spam. The exploit is simple: spammers scrape your lead intake form, capture your Salesforce.com OID number, and then use that to bypass your form and hit the Salesforce.com lead submission script directly. The result? Thousands upon thousands of bogus leads cluttering up our system, and very annoyed users at FeedBurner. Not good. (And not new either.)

I assumed we were missing a simple fix, so I submitted a case to Salesforce.com support. No dice: “Find a way to secure your form, and the problem will go away.” Nice try, guys, but the problem’s not our form: we use JavaScript to force the selection of a value in several fields, so someone trying to auto-submit our form would be blocked from submitting. No, the problem was that they were bypassing our form and submitting the data to Salesforce.com directly. After several calls and twice escalating the case to Level 2 support, Salesforce.com wouldn’t budge: not their problem.

As I see it, this is absolutely a Salesforce.com problem. And hopefully they’ll recognize that. (As I mentioned in the IdeaForce post linked above, simply hooking up to Akismet would be a huge step forward.)

But until they do, I figured I’d document what we’ve done to stem the tide of Cialis, Viagra, Phentermine and Online Casino leads that have been polluting our system for months. Thanks to the good folks at Arrowpointe for their suggestions over at the Perspectives on Salesforce blog. Two weeks ago, they documented their approach, which is conceptually what we’ve done.

This requires using Validation Rules (click “Setup”, then “Customize”, then “Validation Rules” under “Leads”). Click New to create a new validation rule, and then enter your rule. Here’s ours:

    AND(
      ISPICKVAL( ourfieldname , "ourwebtoleadfieldvalue"),
      OR(
        CONTAINS( Description , "mortgage") ,
        CONTAINS( Description , "diploma") ,
        CONTAINS( Description , "auto loan"),
        CONTAINS( Description , "viagra"),
        CONTAINS( Description , "levitra"),
        CONTAINS( Description , "cialis"),
        CONTAINS( Description , "phentermine"),
        CONTAINS( Description , "href"),
        CONTAINS( Description , "[URL=")
      )
    )

What it does: for leads whose picklist field identifies them as created by Web-to-Lead (“ourfieldname” and “ourwebtoleadfieldvalue”), it checks whether the Description field contains any of the quoted strings. In addition to the popular pills, I threw in strings that don’t get submitted in valid leads but are almost always included in spam submissions: hyperlinks, formatted either in HTML (href) or in popular bulletin board markup ([URL=]).

When a lead matches this rule, it effectively aborts the lead creation process (computationally intensive for Salesforce, but as they pointed out, this isn’t their problem!) and triggers an alert message to the default lead owner. Eric is the designated default owner, so he now has a rule in Gmail that traps the alert message and throws it away.

We’re keeping an eye on things. So far, it appears to have been largely successful. It’s already blocked dozens of spammy leads, while letting legit ones through. If it starts missing spam leads, we can tweak our rules to match other criteria (there are a handful of names that appear to be pretty popular), so this should be flexible enough to keep up with the arms race that is form hijacking by spammers.
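As an added example (not part of the original post, and not Salesforce code), here is a Python model of the validation rule above, useful for dry-running a candidate keyword list against a batch of exported leads before editing the rule in Setup; the field name, picklist value and sample leads are constructed stand-ins. One caveat it builds in: Salesforce’s CONTAINS() is case-sensitive, so the model lowercases the description, which the formula itself would only do with LOWER(Description).

```python
# Added example, not from the original post: a Python model of the
# web-to-lead spam validation rule, for testing keyword changes offline.
# The field name, picklist value and sample leads below are constructed.

WEB_TO_LEAD_FIELD = "LeadSource"   # stands in for "ourfieldname"
WEB_TO_LEAD_VALUE = "Web"          # stands in for "ourwebtoleadfieldvalue"

# Same terms as the rule in the post. Salesforce's CONTAINS() is case-sensitive;
# this model compares in lowercase, which the formula would need LOWER() to do.
SPAM_TERMS = ["mortgage", "diploma", "auto loan", "viagra", "levitra",
              "cialis", "phentermine", "href", "[url="]


def matched_term(lead):
    """Return the first spam term found in the lead's Description, or None.
    Leads not flagged as web-to-lead are never inspected (the ISPICKVAL guard)."""
    if lead.get(WEB_TO_LEAD_FIELD) != WEB_TO_LEAD_VALUE:
        return None
    desc = (lead.get("Description") or "").lower()
    for term in SPAM_TERMS:
        if term in desc:
            return term
    return None


def triage(leads):
    """Split leads into (blocked, allowed); blocked entries carry the term that fired."""
    blocked, allowed = [], []
    for lead in leads:
        term = matched_term(lead)
        if term:
            blocked.append((lead, term))
        else:
            allowed.append(lead)
    return blocked, allowed


# Constructed sample leads: one legit web lead, two spam web leads, and a
# phone lead that mentions a keyword but is outside the rule's scope.
SAMPLE_LEADS = [
    {"LastName": "Doe", "LeadSource": "Web", "Description": "Interested in feed stats for our podcast"},
    {"LastName": "x9z", "LeadSource": "Web", "Description": "Cheap VIAGRA <a href=http://example.invalid>here</a>"},
    {"LastName": "k2q", "LeadSource": "Web", "Description": "[URL=http://example.invalid]best phentermine[/URL]"},
    {"LastName": "Rep", "LeadSource": "Phone Inquiry", "Description": "Asked about our mortgage-lender client list"},
]

if __name__ == "__main__":
    blocked, allowed = triage(SAMPLE_LEADS)
    for lead, term in blocked:
        print("BLOCKED", lead["LastName"], "matched:", term)
    for lead in allowed:
        print("allowed", lead["LastName"])
```

Run it against a CSV export of recent leads to see which legit ones a proposed term would have caught before adding it to the rule.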

(For those that wonder why they’d do this, my best guess is that they’re simply trying to submit to the form to capture as many valid e-mail addresses as they can by seeing what auto-responder rule gets triggered by Salesforce.com when a lead is submitted. They can then add that e-mail to their spam list, which they’re presumably selling to others. Anyone have any other ideas what they might be up to?)

Are you using Salesforce.com? Are you seeing similar spam problems? What are you doing to tackle them?