Some tips for using Dream It:

Search: It's possible your idea has already been submitted and is collecting votes. Use the box to the right to search for keywords. Beware of duplicating ideas, since votes can get diluted between multiple submissions.

Create: Click here to create a new idea if your idea is not already submitted.

Browse: Use the links below to check out what's already been submitted, and don't forget to vote when you find something you want to see in Eloqua!

Oracle Eloqua

Protection Against Mass Form Submission — oracle-topliners

Discussions

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Protection Against Mass Form Submission

Richard TeaRichard Tea Posts: 10 Red Ribbon
edited July 29 in Dream It

Instead of relying on manual workarounds to create honeypots or manual forms with passthrough to get recaptcha to work.

There should be a feature that properly implements Google reCaptcha validation by making it appear when suspected to be bot submissions.

This is an ongoing risk of having forms on the web. The Eloqua form processing does not allow for complex back end logic/validation.

Post edited by Unknown User on
114
116 votes

For future consideration · Last Updated

Comments

  • Richard TeaRichard Tea Posts: 10 Red Ribbon

    This is an issue that Oracle definitely needs to address. Since implementing Eloqua forms, I'm having an increase of spam and bot traffic. Each form submit is forcing me to go in and manually scrub my contact list so as not to have these fake contacts eat away at my contact band.

    Yup, at worse we would need to find another solution for forms and just keep Eloqua as a back end processing / data repository / cross-channel campaign tool.

  • sgoswamisgoswami Posts: 1 Red Ribbon

    We need to set up our forms in Eloqua and not having the option of "out of box" reCaptcha configuration solution is a big show stopper.

  • Cathy DanahyCathy Danahy Posts: 61 Silver Trophy

    Are you using the new Validation defaults in your forms that prevent URL's from being submitted and maintains a valid number of characters?  http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCAA/#Help/Forms/Tasks/ConfiguringFormFields.htm#Configur2

  • Tom SchreursTom Schreurs Posts: 22 Blue Ribbon

    Are you using the new Validation defaults in your forms that prevent URL's from being submitted and maintains a valid number of characters?  http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCAA/#Help/Forms/Tasks/ConfiguringFormFields.htm#Configur2

    This only partly solves the problems described above with bots. Fake contacts can still be created by bots as well as form submits. It will only prevent from websites to be submitted.

  • Chris SeepeChris Seepe Posts: 16 Bronze Badge

    We've had problems where vulnerability scans were performed against our landing pages, resulting in tens of thousands of submissions in the span of a few hours. At the very least, there should be some kind of optional, server-side rate-limiting for form submissions on a per-form basis (so it doesn't affect Form Submit CloudApps where a high volume is expected).

  • bkhayesbkhayes Posts: 80 Silver Badge

    We've had problems where vulnerability scans were performed against our landing pages, resulting in tens of thousands of submissions in the span of a few hours. At the very least, there should be some kind of optional, server-side rate-limiting for form submissions on a per-form basis (so it doesn't affect Form Submit CloudApps where a high volume is expected).

    If you experience spam, you may want to consider switching to external forms that submit to Eloqua's API. This allows for server-side form validation. Much harder to bypass.

  • Richard TeaRichard Tea Posts: 10 Red Ribbon

    If you experience spam, you may want to consider switching to external forms that submit to Eloqua's API. This allows for server-side form validation. Much harder to bypass.

    Are your hard coding them or do you have another tool that does it?

  • Chris SeepeChris Seepe Posts: 16 Bronze Badge

    If you experience spam, you may want to consider switching to external forms that submit to Eloqua's API. This allows for server-side form validation. Much harder to bypass.

    Agreed that's possible, but it's another point of failure, another system to maintain, another manual edit that marketers need to remember to do properly, another unnecessary workaround for something that should be standard... Plus it's really only practical for HTML landing pages, not WYSIWYG pages.

  • Ken LagueKen Lague Posts: 48 Blue Ribbon

    Fantastic idea. I wish more people would vote this up, spammers are always upping their skills and we need to be able to counter this.

    Eloqua 9 Forms used to have server-side validation. We could apply rules for match keywords (including URLs).  While somewhat cumbersome, it was effective.  It's a mystery to me why we lost that key functionality with the move to Eloqua 10.

    I certainly like the idea of leaping ahead, making this a simple interface change on the Form Settings "Don't allow an individual to submit this form more than [X] per hour/per day"  and "Don't allow these keywords".

    Until this is in place, we have to apply validation upstream, on the external web site forms and can only repost to Eloqua Forms (we authenticate with PHP, etc. which Chris rightly points out are all fail points). We cannot risk using Eloqua Landing Pages that contain Eloqua Forms without the possibility that they will be flooded with spam.

  • Wren Ludlow-OracleWren Ludlow-Oracle Posts: 47 Employee

    We are looking into adding a captcha option natively into Eloqua forms. Also, a trick our internal team uses: you can add a hidden field and call it "Address 3". Bots will see it and fill it out. Real people won't. You can simply filter your submits by that field and delete the infringing submissions. But captcha and server validations are more proactive. I like the idea of limited form submits and key word blocking. Something we can explore.

    Wren Ludlow

    Oracle Product Management

  • Ken LagueKen Lague Posts: 48 Blue Ribbon

    Wren, CAPTCHA is universally despised by every webmaster I've ever met and is mostly used as a "method of last resort" to block botspam -  I would deprioritize this as it won't help us make Eloqua easier to adopt.

    Instead, is there any chance Oracle will be bringing back the Form Server Side Validation?   This is old Eloqua 9 stuff but it was a real gem.

    Otherwise, as it stands today if an Eloqua user wants to employ the hidden form method (your "Address3" per above) they are stuck assigning conditional update rules to every form processing step so that they don't process any botspam.  And they still have to clean out the spam from their form data reports.

    Thanks for sharing your perspectives on this.

  • brettgbrettg Posts: 14 Blue Ribbon

    The Address3 idea is a good one that we've implemented, but many, many, many, many, many, many, many, many, many other form submissions get through with seemingly legitimate data. Is it possible to prevent form submissions from a list of email addresses?

  • Shivangi_AwasthiShivangi_Awasthi Posts: 33 Silver Badge

    Can Oracle please consider this? Impacting our system badly. Sender score has decreased because of these.

    We got 2000 submissions in 3 days.

  • Thamina Christensen-OracleThamina Christensen-Oracle Posts: 167 Employee

    Can Oracle please consider this? Impacting our system badly. Sender score has decreased because of these.

    We got 2000 submissions in 3 days.

    We are in the process of architecting multiple options to solve this problem.

  • FleurFleur Posts: 1 Red Ribbon

    We are in the process of architecting multiple options to solve this problem.

    Hi Thamina, do you already have an ETA for this solution?

  • Hi Thamina, do you already have an ETA for this solution?

    We are in the process of building out (not just architecting) a solution and the hope is to deliver it GA the first part of 2021.

  • dekeyzes_bpostdekeyzes_bpost Posts: 21 Red Ribbon

    Hi @Thamina Christensen-Oracle do you have news about this solution. We are also victim of spam bot submission?

  • @dekeyzes_bpost We are currently working on delivering a solution in February's 21A release (Safe Harbor). This will not specifically bring Google Captcha but a more robust functionality to stop form spam from being processed within your system.

  • dekeyzes_bpostdekeyzes_bpost Posts: 21 Red Ribbon

    @Thamina Christensen-Oracle thank you for the info. I assume this solution will prevent form submission from bots nd not a kind of work around to not use the data submitted by bots.

  • User_15QP5User_15QP5 Posts: 4 Red Ribbon
    edited November 19

    Hello @Thamina Christensen-Oracle , any ETA on this, we used Honeypot before and it was working, however we just relaunched our site and getting hit super bad....HELP.

Sign In or Register to comment.