
web to lead SPAM

We've started to get spam leads from our web-to-lead capability added to our corporate web site. I suspect our 'contact us' web form has been scraped and is now falsely being posted with bogus information. I may need to disable this capability for the time being to get this situation under control, but what safeguards can Salesforce offer for this issue? It seems a form of CAPTCHA (completely automated public Turing test to tell computers and humans apart) would be the best solution. Anything you can offer? Please help. Regards, -- Mark
Somebody really has way too much time on their hands or does not like you at all.
I have no solution to offer you at the moment.
But there are a couple of things that could be done.
1. Within an organization's sfdc record, store a list of permitted web sites (and/or IP addresses) that it will accept web-to-lead and web-to-case from. If the http request does not come from an approved address, it is just dumped. This would make web to lead a little harder to manage, but it would stop the problem.
2. If sfdc can't implement checking of the referrer, provide access to the web-to-lead via the api and developers can do their own checking.
Just ideas.
I was thinking about your problem, and I came up with another approach.
Instead of placing the OID value as a hidden input on the form page, send the form result to a hidden page on your web site. There you can verify a correct referring page, add the OID value, and send it on to sfdc.
You may have to do something with sfdc to get a new OID generated for your organization.
I just created a PHP script that acts as an intermediary between your web to lead form and  It takes the data, sends it to Akismet for a spam check and then processes a web to lead with the Akismet result attached to it (true or false whether it thinks it's spam). Check it out here.
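The intermediary-page approach from the two posts above (verify the referring page, add the OID server-side, then forward to Salesforce), as an added example that is not code from any poster in this thread. The endpoint URL, the placeholder OID, the `www.example.com` host and the name `build_lead_request` are assumptions.

```python
from urllib.parse import urlsplit, urlencode, parse_qs
from urllib.request import Request

# Assumptions (not from the thread): take the endpoint from the action attribute
# of your own generated Web-to-Lead form; the OID and host are placeholders.
SFDC_ENDPOINT = "https://webto.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8"
ORG_OID = "00D000000000000"              # placeholder, kept server-side only
ALLOWED_FORM_HOSTS = {"www.example.com"}  # hosts that serve the real contact form
ALLOWED_FIELDS = ("first_name", "last_name", "email", "company")


def build_lead_request(form, headers):
    """Return a Request to forward to Salesforce, or None to drop the post."""
    referer = urlsplit(headers.get("Referer", ""))
    # Referer is client-supplied: this stops naive replay of a scraped form,
    # not a bot that forges headers, so treat it as one filter among several.
    if referer.scheme != "https" or referer.hostname not in ALLOWED_FORM_HOSTS:
        return None
    # The client must never choose the org or the return URL.
    if "oid" in form or "retURL" in form:
        return None
    # Forward only known fields; anything else the client sent is discarded.
    lead = {k: form[k].strip() for k in ALLOWED_FIELDS if form.get(k, "").strip()}
    if "last_name" not in lead or "email" not in lead:
        return None
    lead["oid"] = ORG_OID                # added here, never present in page source
    return Request(SFDC_ENDPOINT, data=urlencode(lead).encode("utf-8"), method="POST")


if __name__ == "__main__":
    # Constructed sample posts.
    page = {"Referer": "https://www.example.com/contact"}
    ok = build_lead_request(
        {"first_name": "Ann", "last_name": "Lee", "email": "ann@example.com"}, page)
    print(ok.get_method(), parse_qs(ok.data.decode()))
    print(build_lead_request({"last_name": "x", "email": "y", "oid": "1"}, page))
```

The caller passes the returned request to `urllib.request.urlopen`; a spam-scoring step such as the Akismet check mentioned above would sit between validation and forwarding.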
We have implemented a solution for this with Relational Junction that gets rid of 100% of the spam with no false positives. Contact me directly at for more information.
Spamming is a major problem when implementing a web-to-lead solution. The default Salesforce web-to-lead utility does not provide any anti-spam functionalities yet, which might prevent some Salesforce users from successfully implementing an effective Web-to-Lead strategy. For anyone willing to fill the gap between their website and Salesforce without worrying about spam, I suggest using FormVester (available from the AppExchange).
FormVester generates leads from any of your existing online forms, without the hassle of reprogramming them…and it is spam-free. The reason is that it works by adding a tracking code snippet into your website pages (that will execute a hosted script), so that no OID number is ever exposed in the source code of the page. Spam bots are then not able to take advantage of this number, ensuring a clean spam-free lead generation.
Another interesting thing about FormVester, as opposed to the default Salesforce Web-to-Lead utility, is that it always checks if a lead already exists in Salesforce before creating/updating it (using a 6 rules based filter) so that it will never duplicate the lead.
Give it a try! FormVester for AppExchange
Hope it will help!
Michael Goldenberg

Does anybody know how to redirect the web to lead "return URL" so when spam is caught by my validation rule it will not affect my Google ad words analytics reporting by redirecting the spam to a fake return URL?