Salesforce Web-to-Lead Spam

If you have a Salesforce Web-to-Lead form up on your website, then you have probably experienced the headache of Salesforce Web to Lead Spam. Be it Viagra, mortgages, or mobile phones, someone must be convinced that Sales and Marketing would rather visit inappropriate sites than do their work.

(OK, maybe not so far-fetched)

Salesforce user groups are full of people complaining about it, but Salesforce has yet to do anything. But how do we get rid of it?

Remove your OID from your Web to Lead Form

A standard Salesforce Web-to-Lead form contains your Salesforce organisation ID, or OID. If a spammer harvests this off your website, they can submit spam forever, even if you remove all forms or add Captchas. If someone has your OID, the only way to stop people spamming you directly is to turn off the Web to Lead functionality and add leads through the API.

How do you obscure the OID? Well, most of the plugins that help you connect to Salesforce do this, be they a CMS plugin or a Landing Page / Form suite. Or you can get your web admin to write a custom PHP script that obscures the OID. This is the first step to getting rid of Web to Lead Spam, and is perhaps the most important, as people who know your OID can bypass your Captcha.
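
A minimal server-side relay of the kind described above, as an added example (not code from this post or from any plugin it mentions), written in Python rather than PHP: the public form posts to your own server, which adds the OID from server configuration and forwards only an allowlist of fields to Salesforce's standard Web-to-Lead endpoint. The `SF_ORG_ID` environment variable, the field allowlist, the length limit and the required-field policy are assumptions of this example.

```python
"""Server-side Web-to-Lead relay: the org ID never appears in the page HTML."""
import os
import urllib.parse
import urllib.request

# Action URL used by Salesforce-generated Web-to-Lead forms.
SF_ENDPOINT = "https://webto.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8"

# Only these visitor-supplied fields are forwarded (standard Web-to-Lead names;
# the selection itself is an assumption of this example).
ALLOWED_FIELDS = ("first_name", "last_name", "email", "company", "phone")
REQUIRED_FIELDS = ("last_name", "email")  # example policy, adjust to your form
MAX_LEN = 255


def build_lead_payload(form: dict, oid: str) -> bytes:
    """Return the urlencoded body to send upstream.

    `form` is the parsed POST from the public page, which carries no oid.
    Anything outside ALLOWED_FIELDS, including a client-supplied `oid` or
    `retURL`, is dropped so the visitor cannot steer the upstream request.
    """
    if not oid:
        raise ValueError("org ID not configured")
    fields = {}
    for name in ALLOWED_FIELDS:
        value = str(form.get(name, "")).strip()
        if value:
            fields[name] = value[:MAX_LEN]
    missing = [name for name in REQUIRED_FIELDS if name not in fields]
    if missing:
        raise ValueError("missing required field: " + ", ".join(missing))
    fields["oid"] = oid  # injected server-side only
    return urllib.parse.urlencode(fields).encode("utf-8")


def relay_lead(form: dict) -> int:
    """Forward one submission to Salesforce and return the HTTP status."""
    oid = os.environ.get("SF_ORG_ID", "")  # assumed configuration variable
    body = build_lead_payload(form, oid)
    req = urllib.request.Request(SF_ENDPOINT, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

The relay only keeps the OID out of the page source; as noted above, it does nothing against a spammer who already holds the OID.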


Personally, I hate Captchas, and if you work hard to generate leads, then don’t turn people off with a Captcha. There are ‘cute’ ways to replicate the functionality of Captchas, some as simple as asking people to add 1 + 4. But if I have to squint to fill in a Captcha, or if my mother can’t do it (she usually can’t), then it’s not a good solution. That said, many of the form tools out there provide Captchas as a feature. So if you must, use them, but if you value generating leads, don’t.

Stopping Salesforce Web to Lead Spam with Daddy Analytics

Daddy Analytics is one solution for stopping the bulk of it. With most spam filled in by automated programs that don’t have JavaScript enabled, and with 98-99% of genuine visitors using JavaScript, simply having Daddy Analytics turned on will give you nearly perfect rates for identifying good leads. Anyone with Daddy Analytics tracking info is near-guaranteed to be genuine.

Granted, 1-2% of your visitors will have JavaScript turned off, so you’ll have to check the list of Leads without Daddy Analytics info for possible False Positives. But mainly, your work will be done for you, and you’ll have deep insight into where your Leads came from, and what marketing efforts attracted them.

We’ve written up a technical explanation of how to do this.

Other solutions to Salesforce Web to Lead Spam

There are other paid solutions that try to reduce your Salesforce Web to Lead spam, but that’s all they do – reduce your spam – and don’t provide any additional info. You’ll find a few of these on the Salesforce AppExchange, such as ArrowPoint’s Spam Check ($40 USD / month), and CloudLogistx’s JunkIt (free).

There are also some homegrown solutions on the web, including this simple yet elegant solution by Oliver Jobson, and this more complicated solution that requires a bit of JavaScript skill, by Greg Hacic.

Another solution that is strictly on the Salesforce side, using Validation Rules, is described by Scott Hemmeter. The advantage of Scott’s solution is that it doesn’t rely on the website to filter out Web to Lead spam. Once a spam bot knows your organization ID (the oid field that’s on your Web to Lead form) it can submit spam directly, without even needing your website. The downside of Scott’s solution is that you have to focus on the dozen or so key words your spammers are using, which will capture a lot, but not all.

In the end, we still like our solution of using Daddy Analytics to help filter your Salesforce Web to Lead spam. 99% of your genuine Leads get through every time, and the 1% that don’t can still be checked occasionally.

There are a couple of ways to tweak this. You can set up a Spam queue for all Leads that come through your Web-to-Lead forms without the Daddy Analytics token filled in. Or, along the lines of Scott’s suggestion, you can make a validation rule that prevents Leads from being created if they have a Source value of Web and no Daddy Analytics token field.

Whatever you do, good luck with your Salesforce Web to Lead Spam!
