Stopping Web to Lead Spam

Check out a more recent post about stopping web to lead spam. I was able to integrate Akismet into the process and have scripts available to download.

Over the past week, I have had an ever-increasing number of web-to-lead spam entries come into my Org. It gets to be VERY frustrating! Unfortunately, Salesforce does not have any sort of anti-spam functionality for web-to-lead (want them to? Vote for it).

What would be great is an add-in to Salesforce that evaluates a Lead’s content prior to getting in the Org. Blog software has this for comments. For example, I use Akismet on this blog to take care of the non-stop comment spam I get. It is incredible. It catches 99% of it. If Akismet didn’t exist, I probably would stop allowing comments on this blog.


If you use a tool like Form Assembly or Clicktools for web-to-lead forms, they have functionality to help you. However, what if you don’t?

I discovered that Validation Rules work pretty well. If you can determine any consistencies with the spam you are getting, create a Lead Validation Rule to stop it. For example:

AND(
  ISPICKVAL(LeadSource, "Web"),
  OR(
    CONTAINS(Description, "mortgage"),
    CONTAINS(Description, "diploma"),
    CONTAINS(Description, "auto loan")
  )
)

The Validation Rule above will cause an error for any lead with a Lead Source of “Web” AND a Description that contains any of the following: “mortgage”, “diploma”, “auto loan”. You can make the message of the validation rule say “This is Spam”.

Web-to-Lead records do not get created if they don’t pass the Validation Rule. However, you will get an email from Salesforce Support with a subject of “Salesforce Lead Alert” with the Lead information in it. What I did was to create an email rule that labels emails meeting the following criteria (another alternative would be to delete them):

  • From Salesforce Support
  • Subject of “Salesforce Lead Alert”
  • With “This is Spam” in the message body

If you go this route, be careful not to make your Validation Rule too generic. You could end up stopping a good lead from coming in. If you do happen to neutralize a good Lead, the lead’s information will be in the “Salesforce Lead Alert” email you received. It’d be a good idea to review those emails from time to time.
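
To check a keyword list for false positives and misses before deploying it, the rule's logic can be replayed over leads you have already labelled. This is an added example, not code from the original post; the function names and sample leads are constructed, and it mirrors Salesforce's CONTAINS, which is a case-sensitive substring match.

```javascript
// Added example: emulates the Lead validation rule from the post so a keyword
// list can be tested on exported leads before it goes live in Salesforce.
const KEYWORDS = ["mortgage", "diploma", "auto loan"]; // keywords from the post

// Same logic as AND(ISPICKVAL(LeadSource,"Web"), OR(CONTAINS(Description, kw), ...)).
// String.includes is a case-sensitive substring test, like CONTAINS.
function ruleBlocks(lead, keywords = KEYWORDS) {
  const desc = lead.Description || "";
  return lead.LeadSource === "Web" && keywords.some((kw) => desc.includes(kw));
}

// True when a keyword matches only if case is ignored: the rule lets it through.
function missedByCase(lead, keywords = KEYWORDS) {
  const desc = (lead.Description || "").toLowerCase();
  return lead.LeadSource === "Web" && !ruleBlocks(lead, keywords) &&
    keywords.some((kw) => desc.includes(kw.toLowerCase()));
}

// Replays the rule over hand-labelled leads and sorts their ids into outcomes.
function auditRule(leads, keywords = KEYWORDS) {
  const report = { blockedSpam: [], blockedGood: [], missedSpam: [], caseMisses: [] };
  for (const lead of leads) {
    const blocked = ruleBlocks(lead, keywords);
    if (blocked && lead.isSpam) report.blockedSpam.push(lead.id);
    if (blocked && !lead.isSpam) report.blockedGood.push(lead.id); // false positive
    if (!blocked && lead.isSpam) report.missedSpam.push(lead.id);
    if (missedByCase(lead, keywords)) report.caseMisses.push(lead.id);
  }
  return report;
}

// Constructed sample leads; isSpam is the reviewer's own label.
const SAMPLE_LEADS = [
  { id: 1, LeadSource: "Web", isSpam: true, Description: "Cheap mortgage rates, apply now" },
  { id: 2, LeadSource: "Web", isSpam: true, Description: "MORTGAGE refinance offer" },
  { id: 3, LeadSource: "Web", isSpam: false, Description: "We are a mortgage broker evaluating CRM tools" },
  { id: 4, LeadSource: "Web", isSpam: false, Description: "Our diplomatic services team needs 20 seats" },
  { id: 5, LeadSource: "Phone", isSpam: false, Description: "Asked about auto loan integrations" },
  { id: 6, LeadSource: "Web", isSpam: false, Description: "Please send pricing for 50 users" },
];

console.log(auditRule(SAMPLE_LEADS));
```

Leads 3 and 4 are genuine but blocked ("diploma" also matches inside "diplomatic"), while lead 2 gets through because of its capitalisation.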

This is not a long term solution, but can help alleviate some pain.

An alternative approach would be to do something similar with Workflow Field Update Rules or Lead Assignment Rules and to auto-set the Lead Status to “Spam” or to assign it to a “Spam” queue. Doing this will capture the Lead in the database, but will help segment it out of your way.


  1. JRoe Said,

    February 20, 2007 @ 11:09 am

    This is a great idea. This type of spam nearly shut down one site on which I had salesforce deployed.

    I entered your validation script and for some reason I keep getting a syntax error in the first 2 lines. Any thoughts as to why?

  2. Scott Hemmeter Said,

    February 20, 2007 @ 11:43 am

    I forgot to put < code > tags around the code in the blog post. Without it, WordPress rendered the double-quote characters as a more readable double-quote character. When you copied it into Salesforce, it saw an error because the double-quote characters were invalid.

    Try copying it again. It should work.

  3. Marco Casalaina Said,

    May 2, 2007 @ 4:45 pm

    Here’s an additional idea:

    Assuming these spammers are not submitting via your form really, but just capturing your orgId and submitting forms directly to SFDC, you can add a custom field to Lead (or Case in Web To Case) — let’s call the field NoSpam. Then add the NoSpam field to your Web To X page as a hidden input field. Add an OnClick to the submit button which triggers some Javascript that fills that field with a set value (like “nospam”) (but come up with something else at random so spammers don’t just figure it out). Then you can easily detect if a human actually clicked the Submit button — only humans will have the expected value in the NoSpam field! So your validation rule would just be:

    AND(ISPICKVAL(Origin, "Web"), NoSpam__c <> "nospam")

    This won’t defeat the most dedicated spammers who actually automate clicks on your forms, but it will work against spambots that just blindly submit form data without respect to form contents and Javascript. You could use this in concert with the validation rule described above to get a decent decrease in overall spam volume.
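
The hidden-field technique described in the comment above, as an added example that is not part of the original comment or post. The field-name placeholder, token value, form id and function names are assumptions for illustration.

```javascript
// Added example: client-side fill of the hidden NoSpam field plus an emulation
// of the validation rule, to see which submissions the rule turns away.
// NOSPAM_FIELD is a placeholder: use the name attribute your generated
// Web-to-Case/Web-to-Lead HTML gives the custom field. Token and form id are
// constructed for illustration.
const NOSPAM_FIELD = "NOSPAM_FIELD_NAME";
const EXPECTED_TOKEN = "k7-blue-heron"; // must equal the string in the rule

// Clears the hidden input, then writes the token only on a real submit event.
// Returns false when the input is missing, so a mis-wired form is caught in
// testing rather than silently rejecting every genuine submission.
function armNoSpamField(form, fieldName, token) {
  const field = form.elements[fieldName];
  if (!field) return false;
  field.value = ""; // the token never appears in the static markup
  form.addEventListener("submit", () => { field.value = token; });
  return true;
}

// Mirrors AND(ISPICKVAL(Origin, "Web"), NoSpam__c <> "nospam"):
// true means the validation rule fires and the record is not created.
function ruleRejects(record, token = EXPECTED_TOKEN) {
  return record.Origin === "Web" && record.NoSpam !== token;
}

// Browser wiring; skipped when there is no DOM (for example under Node).
if (typeof document !== "undefined") {
  const form = document.getElementById("web-to-case-form"); // hypothetical id
  if (form) armNoSpamField(form, NOSPAM_FIELD, EXPECTED_TOKEN);
}
```

A visitor whose browser has JavaScript disabled submits an empty field and is rejected by the same rule, so those submissions only show up in the failure alert emails.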

  4.   Salesforce spam: fixing web-to-lead by tins ::: Rick Klau’s weblog Said,

    September 4, 2007 @ 6:01 am

    […] at Arrowpointe for their suggestions over at Perspectives on Salesforce blog. Two weeks ago, they documented their approach, which is conceptually what we’ve […]

  5. AND( ISPICKVAL(LeadSource , "Web"), OR( CONTAINS( Description , "mortgage") , CONTAINS( Description , "diploma") , CONTAINS( Description , "auto loan") )) Said,

    December 19, 2008 @ 1:30 am

    This one stopped spam for me:
    AND(
      ISPICKVAL(Status, "open"),
      OR(
        CONTAINS(Questions__c, "mortgage"),
        CONTAINS(Questions__c, "diploma"),
        CONTAINS(Questions__c, "auto loan"),
        CONTAINS(Questions__c, "viagra"),
        CONTAINS(Questions__c, "levitra"),
        CONTAINS(Questions__c, "cialis"),
        CONTAINS(Questions__c, "phentermine"),
        CONTAINS(Questions__c, "href"),
        CONTAINS(Questions__c, "[URL=")
      )
    )

  6. Jenna (@RatherGeeky) Said,

    March 18, 2013 @ 10:27 am

    I implemented this and the rule works great for preventing the leads being created. However, I never get an email notification when the lead is not created because of the val rule. I’ve checked our filters, my spam and trash and nothing. Any suggestions?

  7. Scott Hemmeter Said,

    March 18, 2013 @ 11:15 am

    @Jenna, honestly I don’t know. The post is quite old so maybe Salesforce changed the way they notify. I always thought they’d email you when a web to lead failed.

  8. Jenna (@RatherGeeky) Said,

    March 19, 2013 @ 9:10 am

    @Scott, actually it does work. I was assuming that I would get the notifications since I’m the admin. But, my boss has been getting the web-to-lead fail notifications because he is the org POC I guess.

    So, this technique does still work. Thanks for sharing – this is saving us a lot of time!

  9. Scott Hemmeter Said,

    March 19, 2013 @ 9:35 am

    @Jenna, I want to say the emails go to the person identified in the Lead Settings. It’s either the Default Lead Owner in the Lead Settings or the Default Lead Creator in the Web-to-Lead settings.

  10. Jenna (@RatherGeeky) Said,

    March 19, 2013 @ 10:11 am

    @Scott: Ah, got it. That makes sense. Thanks!
