Archive for Wish List Category Feed

Fight Web to Lead Spam w/ Akismet

This functionality has been improved, runs native on and released on the AppExchange. Learn more on our website.

Back in January, I posted about a way to help combat web to lead spam. That type of solution works well, but is not scalable. Also, it is a reactive approach rather than a proactive one.

I decided to try and see if I could incorporate Akismet into the web to lead process and I was successful in doing so! I created a set of scripts for you to download if you’d like to leverage Akismet with your web to lead forms.

Akismet is the best spam tool I have ever used. When I posted in January, it had captured 7,680 spam in its existence on this blog. Less than 4 months later, the spam count is up to 23,994. Needless to stay, spam is an exponentially increasing problem and will plague your environment eventually. I feel that needs to include a spam filter in their product for web to lead (vote for it).

Until then, leveraging Akismet could help you significantly.

About the Solution

The scripts are intended to be proof of concept for you to use and apply to your own environment. The code and downloads are now being officially hosted at Arrowpointe’s Open Source Project at Google.

To use this solution, you’ll point your web to lead forms to this script rather than to the standard Salesforce Web to Lead page. The script accepts the data from your web to lead form, passes it to Akismet to determine whether it’s spam or not and then passes the data to’s web to lead page with the Akismet result appended to it.

In Salesforce, you’ll need to add checkbox field (e.g. “Akismet marked as spam”) on your Lead. If Akismet thinks it’s spam, that field will be set to TRUE. You would then need to add assignment rules or validation rules to do whatever you need. For example, you could have a lead assignment rule looking at that one checkbox field and put leads into a special queue if they are marked as spam.

The script leverages the Akismet PHP5 Class to handle the core communication with Akismet. I found this class from the Akismet Development page.

This script will only work on PHP5 and requires the cURL module to be enabled. cURL is enabled by default in most PHP installations. The PHP5 requirement is a limitation of the Akismet PHP5 Class. If you are on another platform (PHP4, Ruby, Java, etc.), I don’t see any reason why you couldn’t use these scripts and integrate a different Akismet toolkit into it. Additional toolkits are available from the Akismet Developer Page.


You’ll need a server running PHP5. If you have a server already setup, then hardware should cost you nothing.

Akismet is free for personal use, but has a small license fee for commercial use. If you will be using this in production, you should purchase an Akismet Commercial License Key. During development, I am sure you could use a personal key to make sure it works.

The scripts themselves are free and licensed under the GNU General Public License v3. I did this as a proof of concept for the betterment of data quality everywhere.

Getting Started
  1. Add a checkbox field to your Lead Object that will hold whether Akismet thinks it’s spam or not.
  2. akismet_marked_as_spam.png

  3. Download the scripts. Three files will exist in the zip file:
    • index.php: The main script that handles the incoming data, talks to Akismet and posts the data to Web to Lead.
    • constants.php: You will need to go into this file and edit some variable values based upon your own organizational setup. See the next step.
    • Akismet.class.php: This is the Akismet PHP5 class I was talking about above.
  4. Edit the constants.php file:
    • Enter your WordPress API key where it says ENTER_WORDPRESS_API_KEY. Get a personal or commercial key if you don’t have one.
    • Enter your company URL where it says ENTER_YOUR_COMPANY_URL.
    • Enter your company’s Org ID where it says ENTER_YOUR_SALESFORCE_ORG_ID. This is actually optional. Doing this allows you to remove the OID from your public web to lead forms so spammers don’t know your Org ID. Doing this will reduce the amount of spam you actually need to process.
    • Generate a web to lead form in your Salesforce setup. Find the new Salesforce field you created in step 1 and copy the id value from the HTML form and put it in the constants.php file where it says ENTER_THE_W2L_CUSTOMFIELD_NAME. This step is required so that your Salesforce org is actually populated with the Akismet result.
    • PHP Advanced: The $Akismet_noPass array holds the names of fields that should not be included in the content passed to Akismet. Feel free to add/remove values from this array. The values in the array are referring to the names of form fields in your web to lead HTML form. I have no idea if this helps/hurts, but it seemed like a practical thing to add into the script.
  5. Upload the scripts to your web server and note the fully qualified URL for that directory (e.g.
  6. Update your web to lead forms to have them post to the location of the files from the previous step (e.g. – make sure to put the / at the end of the URL. Not sure why, but I wasn’t able to get it to work without it)
  7. Test your form to see if it works. The script acts as an intermediary between your form and Salesforce web to lead. The end-user experience should be the exactly the same with or without the scripts.
  8. Once you know it works, you should add a lead assignment rule into Salesforce as rule #1 that looks to see if this field is checked. If so, then route the lead to a “Potential Spam” queue or something of that nature. Another option is to create a validation rule that doesn’t even allow the lead into the system.
  9. Make sure your Auto Response rules don’t email a reply to leads marked as spam. If you allow this, then those spammers have an email address to try.
  10. Update some/all of your web to lead forms to post to this new page. If desired, remove the “oid” field from the HTML form for each of these since the script will pass your Org ID to Salesforce automatically.
Other Stuff

These scripts are a proof of concept. I am not officially supporting them, but am happy to help people out informally. Post comments here if you have questions/comments/criticisms.

I have only tested this with leads that were either real or very obviously spam. It worked well. From Akismet’s perspective, the data it checks looks just like a blog comment and I can attest that Akismet is amazing at identifying blog comment spam. So it should work well for web to lead.

I am going to update my existing web to lead forms on this site and see how it works and report back to you. I encourage you to do the same and let me know your experiences with it or recommendations on how to improve the scripts.


Comments (61) comments feed

Stopping Web to Lead Spam

Check out a more recent post about stopping web to lead spam. I was able to integrate Akismet into the process and have scripts available to download.

Over the past week, I have had an ever-increasing number of web-to-lead spam entries come into my Org. It gets to be VERY frustrating! Unfortunately, does not have any sort of anti-spam functionality for web-to-lead (want them to? Vote for it).

What would be great is an add-in to that evaluates a Lead’s content prior to getting in the Org. Blog software has this for comments. For example, I use Akismet on this blog to take care of the non-stop comment spam I get. It is incredible. It catches 99% of it. If Akismet didn’t exist, I probably would stop allowing comments on this blog.


If you use a tool like Form Assembly or Clicktools for web-to-lead forms, they have functionality to help you. However, what if you don’t?

I discovered that Validation Rules work pretty well. If you can determine any consistencies with the spam you are getting, create a Lead Validation Rule to stop it. For example:

ISPICKVAL(LeadSource , "Web"),
CONTAINS( Description , "mortgage") ,
CONTAINS( Description , "diploma") ,
CONTAINS( Description , "auto loan")

The Validation rule above will cause an error for any lead with a Lead Source of “Web” AND the Description contains any of the following: “mortgage”, diploma”, “auto loan”. You can make the message of the validation rule say “This is Spam”.

Web to Lead records do not get created if they don’t pass the Validation Rule. However, you will get an email from Salesforce Support with a subject of “Salesforce Lead Alert” with the Lead information in it. What I did was to create an email rule that label emails meeting the following criteria (another alternative would be to delete them):

  • From Salesforce Support
  • Subject of “Salesforce Lead Alert”
  • With “This is Spam” in the message body

If you go this route, be careful not to make your Validation Rule too generic. You could end up stopping a good lead from coming in. If you do happen to neutralize a good Lead, the lead’s information will be in the “Salesforce Lead Alert” email you received. It’d be a good idea to review those emails from time to time.

This is not a long term solution, but can help alleviate some pain.

An alternative approach would be to do something similar with Workflow Field Update Rules or Lead Assignment Rules and to auto-set the Lead Status to “Spam” or to assign it to a “Spam” queue. Doing this will capture the Lead in the database, but will help segment it out of your way.

Comments (10) comments feed

Is “Platform Edition” a reality?

In April of 2006, I blogged about the need for Salesforce to adopt a new licensing scheme to accommodate a license to the platform only. In that post, I described what I felt to be the necessary components of the platform in that licensing model.

I remember hearing people at Dreamforce mention that this could become a reality soon, but I don’t recall hearing anything specific about it actually being deployed. However, I am seeing some hints in the application now that it’s been upgraded to Winter 07 that elude to it being a reality.

  • There is a field called License Type on the user record. This defaulted to “Salesforce” for all users (as far as I know). The Help explains that there are now 3 potential values here.
    • Salesforce License: Designed for users who require full access to standard CRM and AppExchange apps
    • Apex Platform Licenses: Designed for users who do not need standard CRM functionality. Users with an Apex Platform user license are entitled to use custom apps developed in your organization or installed from the AppExchange. In addition, they are entitled to use core platform functionality such as accounts, contacts, reports, dashboards, documents, and custom tabs.
    • Apex Platform One Licenses: Designed for users who are entitled to use only one custom app developed in your organization or installed from the AppExchange. The app is restricted to five custom tabs. In addition, they are entitled to use core platform functionality such as accounts, contacts, reports, dashboards, documents, and custom tabs.
  • There is a new standard App called Platform. This includes the Accounts, Contacts, Reports, Dashboards and Documents tabs.
  • In the Company Profile screen, there is now a list of Licenses for your organization. A record exists for each of the 3 license types I mention above.

I cannot find very much information on how one can buy an org with Apex Platform Licenses only. The ability to purchase a platform-only license like this would be huge. It would obviously provide a platform for companies to build apps on even though they aren’t interested in CRM (yet). It would also instantly provide a very solid, configurable back-end to a web application. This would compete with the MySQLs, Oracle’s, etc. of the world. A benefit over those guys is that you have an instant user interface and robust reporting tools to manage your application’s database.

Does anyone out there have additional information on this licensing model? If so, what capabilities are included? Suppose this license type was added to the’s edition comparison chart, how would it look?

Comments (5) comments feed

API Authentication List

I submitted an entry on IdeaExchange today about adding more authentication to the API to avoid rogue applications/people from wreaking havoc in your system and to provide a means of tracking the applications that modify your data.

Someone with average programming skills could cause some destruction via the API if they wanted to and I think some mechanism of locking it down further would be good. Also, since so many applications will be accessing/manipulating data via the API, it’d be good to limit what an app can do (e.g. only access specific objects, read vs. write) and also to track the application that is making changes to records. It’s like having application-specific profiles. When a user logs into Salesforce via a external application, they only get the permissions where their user profile and the application’s profile match (maybe they have delete Account rights in their user profile, but the application profile doesn’t allow deletes. They won’t be able to delete Accounts when using that application).

I don’t have the design all figured out, but it’s the idea I wanted to get across. I am interested in what you all think. If you have an opinion (agree or disagree), please add your comments to the post on IdeaExchange.

Comments off comments feed

AppExchange 2.0

The IT Redux blog has a nice write up on their suggestions for what they call “AppExchange 2.0”. They are mostly suggestions on what should be done to increase the capabilities of the overall Salesforce platform like server-side scripting and a business process manager.

View their blog post

Comments (1) comments feed

« Previous entries