
August 14, 2013

Preventing Spam Leads Using Web Forms and SalesForce

Lead SPAM in SalesForce can be very costly for businesses, as it wastes time and effort tracking down bogus leads. The solution below has stopped a significant amount of robotic SPAM within SalesForce for us.

First we need to set up a new form field in Salesforce. I called mine “SUPERSPAM_KEY” to make it easy to recognize. Take note of the API field name (it should end in __c), because this is what you’ll use in your validation code below.

Now, for your HTML form, you are going to need the special form field input id that Salesforce uses to refer to your new field. To get it, go to App setup -> Leads -> web-to-lead. Create a new form and add your new field. When you get the code, you’ll see a weird field labeled “SUPERSPAM_KEY”, and the actual input box name will be a string of numbers. That string of numbers is the field you’ll set to your new key, which Salesforce will key off of.

Now on your actual HTML forms, set up your captcha and the other information fields you want to collect and send to Salesforce. Do NOT include your OID or SPAMKEY info number at all. We will send those programmatically behind the scenes, so the user cannot see them.

Once you validate the form via regular means, pull all of the post information into an array and submit the fields to SalesForce. We used a lot of the code from ArrowPoint’s code seen here. We then prepare our array and add our OID and LEAD SOURCE variables. Also, take the “string of numbers” from before and set it to your super secret handshake key that SalesForce will use to validate your form.

// 0123123123 is the ID that Salesforce gives us for the HTML form field id for our SUPERSPAM_KEY
$cleanPOST['0123123123'] = "MeSuperKey@19123";  // make sure these exist on the lead forms.
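
The server-side step described above, written out as an added example (it is not the original post's or ArrowPoint's code). It assumes the CAPTCHA and regular validation have already passed; the allow-list, the function names and the SF_OID / SF_SPAM_KEY environment variables are assumptions, and 0123123123 is the placeholder field id from this post.

```php
<?php
// Added example, not the original post's code. Assumed names: ALLOWED_FIELDS,
// buildLeadPayload(), sendLead(), and the SF_OID / SF_SPAM_KEY environment variables.
const SF_KEY_FIELD = '0123123123'; // placeholder field id used in the post
const ALLOWED_FIELDS = ['first_name', 'last_name', 'email', 'company'];

function buildLeadPayload(array $post, string $oid, string $key, string $source): array
{
    $clean = [];
    foreach (ALLOWED_FIELDS as $name) {
        // Copy only expected fields; a browser-supplied oid, lead_source or
        // key field is dropped instead of being forwarded.
        if (isset($post[$name]) && is_string($post[$name])) {
            $clean[$name] = trim($post[$name]);
        }
    }
    // Server-side values go in last so nothing from the browser can override them.
    $clean['oid'] = $oid;
    $clean['lead_source'] = $source;
    $clean[SF_KEY_FIELD] = $key;
    return $clean;
}

function sendLead(array $payload): bool
{
    $ch = curl_init('https://webto.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8');
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($payload),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 10,
    ]);
    curl_exec($ch);
    // Only reports that the HTTP request completed, not that the lead passed validation.
    return curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200;
}

// Constructed sample submission: the browser sends its own oid and key field.
$post = ['first_name' => 'Ann', 'last_name' => 'Lee', 'email' => 'ann@example.com',
    'company' => 'Example Co', 'oid' => 'client-supplied', SF_KEY_FIELD => 'guess'];
$oid = getenv('SF_OID');
$key = getenv('SF_SPAM_KEY');
$payload = buildLeadPayload($post, $oid ?: 'OID_PLACEHOLDER', $key ?: 'KEY_PLACEHOLDER', 'Me Lead Form 1');
echo $payload['oid'] === 'client-supplied' ? "client oid leaked\n" : "client oid ignored\n";
if ($oid && $key) {
    sendLead($payload); // only contacts Salesforce when real values are configured
}
```

Reading the OID and key from the environment keeps them out of the HTML and out of version control.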

Now, go back into SalesForce and set up your SalesForce validation key. Create a new “Lead Validation Rule” by going to App Setup->Customize->Leads->Validation Rules. Create a rule and add the following Error Condition Formula.

AND (
  OR (
    ISPICKVAL(LeadSource, "Me Lead Form 1"),
    ISPICKVAL(LeadSource, "Me Lead Form 2")
  ),
  SUPERSPAM_KEY__c <> "MeSuperKey@19123"
)

The rule states that if the lead source is either “Me Lead Form 1” or “Me Lead Form 2” AND the key does NOT match our agreed key, the lead will fail. Once your lead rule is set up, make sure you test your HTML form to ensure that actual leads are coming in.

Please note that while this should prevent spammers from getting through your forms, you will still get emails for all of the “Failed” attempts. The subject line will be “Salesforce Could Not Create This Lead”. There does not seem to be a way to shut off these messages for a single validation rule like the one we just set up, so you will continue to receive them.

It’s important to always keep your OID values secret and never expose them in plain sight. Once a spammer has that, they technically do not even need to use your form to submit bogus contacts. Using a combination of the “Lead Validation Rule”, the HTML form CAPTCHA and the behind-the-scenes post to SalesForce, you should be able to keep your spammers down to a bare minimum.

If you need any professional help in locking down your SalesForce forms, do not hesitate to Contact Us for more information.