Annoying form SPAM from "smart" bots


#1

Hi guys, 

I accidently came across some pretty “smart” SPAM bots on one of the pages I’m consulting on. Maybe they are finding ways around the “Reputator” and “the Bear Trap” the Unbounce team has put in place. 

Background: A few landing pages created for PPC traffic targetting different verticals. So far nothing out of the ordinary. We’ve copied these pages with unique URLs to drive organic traffic from the client’s blog in order to keep the statistics nice and neat.   

Problem:  One of the copied pages is performing/converting really well but with just 35 or so conversions, I didn’t think much of it until today. I got a notice from the client that the page wasn’t recording one of the drop down fields. So, I went into the editor, webhook settings, form field labels, etc. Everything that I could think of and yet nothing seemed out of the ordinary. Submitted a form and all the fields got recorded and the webhook fired OK. 

I was just about ready to give up, choke it to a weird bug and keep my eye on it for the next few days… until I decided to open up the leads list and learn a bit more about the leads that didn’t record this particular drop down. 

On first glance, the list looked like an ordinary leads list but I had a feeling something was off… 

The “smart” SPAM bot:

  • A few leads per day (3-4). 
  • Seemingly different IP addresses, no repeats on a given day BUT addresses in the same range. When I checked about a dozen of the IP addresses all of them were from Buffalo, NY. [first red flag]
  • “Company Name” is one of the fields on the form. Every lead had it filled in but with some very strange names ending in Gmbh (typical for German companies), Ltd. (Europe), AG, LLC, etc. [second red flag]
  • “Email Address” - All the leads had an email address @yahoo.com Small sample size but still highly unlikely. Plus, a lot of them were a combination of first name, last name plus a random number. Some of the leads had different information except for the same email address.  [third red flag]
  • UTM hidden fields - We have a few utm hidden fields that didn’t get filled in.[smart]   

Finally, I did a google search on some of those email addresses and they came out associated with SPAM activities on different sites/forums that apparently track these. 
   
Solution: Since, I’m not a big fan of captcha, I’m thinking of adding one more hidden field that would look ordinary to this smart bot (ex. city or street) and see if it gets filled in.  

Anyone else tried or tested something better? How do you deal with form SPAM?


#2

Hi Hristian,

The short answer for me is no, not had any issues. I’m assuming that the client has not been able to.contact any of these leads?

Have you tried to use some kind of data validation tool before? There are a few put there that will check email addresses for existence and to see if they are blacklisted before allowing the form to be submitted. I’ve been looking at data8 for a client atm. It had some jquery integration and works with Unbounce. It’s never a bad thing to ensure clean and high-quality data so might be worth a try.

I can understand why you might not be a fan of captcha, it can be annoying as both a user and developer/tester. If implemented well though it shouldn’t be too much of a trade off.

Strange scenario, I’d be interested to know how it pans out for you.

Goosd luck


#3

Hi Hristian,

The short answer for me is no, not had any issues. I’m assuming that the client has not been able to.contact any of these leads?

Have you tried to use some kind of data validation tool before? There are a few put there that will check email addresses for existence and to see if they are blacklisted before allowing the form to be submitted. I’ve been looking at data8 for a client atm. It had some jquery integration and works with Unbounce. It’s never a bad thing to ensure clean and high-quality data so might be worth a try.

I can understand why you might not be a fan of captcha, it can be annoying as both a user and developer/tester. If implemented well though it shouldn’t be too much of a trade off.

Strange scenario, I’d be interested to know how it pans out for you.

Goosd luck


#4

Can you look at Google Analytics or any other analytics data to see what traffic source(s) drove the spam leads? Sounds like they didn’t click any of your PPC ads (hence no UTM values) but perhaps there are commonalities in their source/medium data? Other clues: geographic area, device type, OS, browser, screen resolution, etc.

Worst case scenario, you might just need to change the page URL and update your PPC ads with the new destination URLs to avoid the spammers mucking up your data.


#5

Hi Stuart,

Data validation is a great idea and I would look into it.

Might take a while to setup due to the particulars about my client but definitely something to research for our next cycle (the pages are for an event held twice a year).

Thank you,
 


#6

Hi Andrew,

Maybe, my description wasn’t very clear but the problem is isolated only to landing pages that get their traffic from the client’s blog.
Thankfully the PPC campaigns are not affected. 

The overall traffic/conversions the “blog” LPs would usually bring is not really significant when compared to the PPC pages but still it annoys and bugs me.

My understanding of bots is pretty limited but from what I’ve researched, they would fill in any/all fields when presented with a form, even if some of these fields are actually hidden. 

That’s why I was thinking of adding a couple of hidden fields like City or Zipcode, although these are not really need. If they get filled, I can filter these entries at the end when doing my analysis.