Terry Collins - 7 years ago
There is a pretty easy fix for this. Set up a validation rule in Setup/Leads/Validation Rules.
If you look at the spam, there are probably some common features. For example, there is a URL in an inappropriate field. A rule could look for words like viagra and reject them based on that.
When the spam bot fills out the form it will be rejected by SF and you will get emails notifying you of the errors. Just have the emails dump into a special folder or spam folder and delete them all at once.
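As an added illustration of the validation-rule approach described in this comment (example code written for this page, not from Salesforce or the commenter), the Python script below models the two checks mentioned: reject a lead when a URL appears in any field other than Website, or when a blocklisted word appears anywhere. The sample leads, the field names and the blocklist are constructed for the example.

```python
import re

# Constructed sample leads: the kind of payload a web-to-lead form submission
# produces. Field names mirror standard Salesforce Lead fields; the values
# are made up for this example.
SAMPLE_LEADS = [
    {"first_name": "Ada", "last_name": "Lovelace",
     "company": "Analytical Engines Ltd", "email": "ada@example.com",
     "website": "https://example.com", "description": "Interested in a demo"},
    {"first_name": "http://cheap-pills.example", "last_name": "xx",
     "company": "buy viagra online", "email": "bot@example.net",
     "website": "", "description": "click here http://cheap-pills.example"},
]

# Only the Website field is expected to hold a URL; a URL anywhere else is a spam signal.
URL_FIELDS = {"website"}
# Words that almost never appear in a genuine lead for most businesses (constructed list).
BLOCKLIST = ("viagra", "cialis", "casino")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def validation_errors(lead):
    """Return the list of rule violations for one lead; an empty list means accept."""
    errors = []
    for field, value in lead.items():
        text = (value or "").lower()
        if field not in URL_FIELDS and URL_RE.search(text):
            errors.append(f"URL in field '{field}'")
        for word in BLOCKLIST:
            if word in text:
                errors.append(f"blocklisted word '{word}' in field '{field}'")
    return errors


def triage(leads):
    """Split leads into accepted and rejected, as the platform does when a validation rule fires."""
    accepted, rejected = [], []
    for lead in leads:
        errs = validation_errors(lead)
        (rejected if errs else accepted).append((lead, errs))
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = triage(SAMPLE_LEADS)
    for lead, errs in rejected:
        print("REJECTED", lead["email"], "->", "; ".join(errs))
    for lead, _ in accepted:
        print("ACCEPTED", lead["email"])
```

In a real Salesforce validation rule the same checks are written in formula syntax, for example `CONTAINS(LOWER(Company), "viagra")` for the keyword test; note that the `REGEX()` formula function must match the whole field value, so a URL pattern needs leading and trailing `.*` to behave like the search above.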
Skip Howard - 7 years ago
Spam is really only part of the problem. As long as I have an OID, I can easily create my own HTML file on my computer and perform "lead record injection" all day long. I can spoof my IP so I can seem to come from different sources. If I was malicious, I could seriously render any Salesforce instance useless that way. It doesn't matter if a company is using a web2form or not. I only need the OID, and because there is no way to turn off web2form, damage can be done on any salesforce.com account.
I think you can offer the users an option though. If you have the ability to turn off web2form plus give them a more secure form option (you have to provide a source IP address that the form can submit from), that should be a great secure workaround. It's not going to work with web2form, because technically those are all hosted by Salesforce, but in our case we built a .NET contact form that submits the info into Salesforce programmatically, so only allowing submission from a single IP address would work great. Thanks, and please keep us updated as progress is made.
Sorna S - 7 years ago
Also, some of my team members raised a concern: what if an intermediary hacks the thank-you URL and sends the user to some other page after creating the lead (some page where they can collect user info like user name, pwd...)? I am not even sure whether someone could hack the thank-you URL. Any ideas?