Bots are bypassing my script for blocking emails


I currently have a script for blocking non-business email addresses on my website form (Marketo), yet bots are still finding a way to bypass it. Today I got another "gmail" and "hotmail.fr" submission. Whenever I test my form it works, but the bots are finding a way to bypass the script. I have also tried the honeypot method, but it has not worked. They are also submitting with two-letter names. The past month has been really bad and I am desperate for help. I am not very good at JS, so any help would be very much appreciated.

This is my script:

```javascript
(function (){
  // Please include the email domains you would like to block in this list.
  // Each entry is matched as a substring of the lower-cased address, so
  // "@gmail." catches gmail.com, gmail.fr, etc.
  var invalidDomains = ["@gmail.","@yahoo.","@hotmail.","@live.","@aol.","@outlook.","@icloud.","@zoho.","@hubspot.","@gmx.","@yandex.","@mail.","@email.","@tutanota.","@trashmail.","@lycos.","@protonmail."];

  MktoForms2.whenReady(function (form){
    form.onValidate(function(){
      var email = form.vals().Email;
      if(email){
        if(!isEmailGood(email)) {
          // Block the submit and attach the error to the Email field
          form.submitable(false);
          var emailElem = form.getFormElem().find("#Email");
          form.showErrorMessage("Must be Business email.", emailElem);
        }else{
          form.submitable(true);
        }
      }
    });
  });

  function isEmailGood(email) {
    // Compare case-insensitively so "@GMAIL.COM" is rejected as well as "@gmail.com"
    var lowerEmail = email.toLowerCase();
    for(var i=0; i < invalidDomains.length; i++) {
      var domain = invalidDomains[i];
      if (lowerEmail.indexOf(domain) != -1) {
        return false;
      }
    }
    return true;
  }

})();
```
 

There is 1 answer

Answer by David Harvey

Some bots, when they run, don't even execute the JavaScript on the page. They just take the fields, find the POST request the form is submitting, and submit the fields to it with pre-defined values, thus ignoring your validation completely.

So now the solution would be checking the POST request values on the backend. Some people use the fact that some bots are dumb, and they include a honeypot field in their form fields. They mark it hidden with CSS on the frontend, but again, some bots are dumb, and they will fill it out regardless and send it in the POST request. Now you can have your server throw that out right away.
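The backend check the answer describes, as an added example that is not part of the original question or answer. It is plain Node.js with no framework: `validateSubmission` takes the parsed POST body, rejects it if the hidden honeypot field (assumed here to be named `website`) is missing or filled, then extracts the domain after the last `@`, lower-cases it, and compares its first label against the same provider list the asker's client-side script uses. The sample submissions are constructed for illustration, not real data.

```javascript
// Added example (not the page's own code): server-side validation of a form
// POST body. Field names and the honeypot name are assumptions.
const BLOCKED_MAILBOX_PROVIDERS = new Set([
  "gmail", "yahoo", "hotmail", "live", "aol", "outlook", "icloud", "zoho",
  "hubspot", "gmx", "yandex", "mail", "email", "tutanota", "trashmail",
  "lycos", "protonmail",
]);

// Hidden with CSS on the page; a human never fills it, a dumb bot does.
// Requiring the field to be present (but empty) also catches bots that
// replay a hand-built POST and drop fields they did not see in a browser.
const HONEYPOT_FIELD = "website"; // assumed name

// Return the lower-cased domain part of an address, or null if there is none.
// Uses lastIndexOf so a quoted local part containing "@" is not mis-split.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null;
  return trimmed.slice(at + 1).toLowerCase();
}

// Mirrors the client script's "@gmail." prefix rule: the first DNS label is
// compared, so gmail.com and gmail.co.uk are both blocked.
function isBlockedDomain(domain) {
  if (!domain) return true; // unparsable address: reject rather than let it through
  const firstLabel = domain.split(".")[0];
  return BLOCKED_MAILBOX_PROVIDERS.has(firstLabel);
}

// Decide on one parsed POST body. Returns { ok, reason }; the reason is what
// you would log so you can see which rule the bot traffic trips.
function validateSubmission(fields) {
  if (!Object.prototype.hasOwnProperty.call(fields, HONEYPOT_FIELD)) {
    return { ok: false, reason: "honeypot missing" };
  }
  if (String(fields[HONEYPOT_FIELD]).trim() !== "") {
    return { ok: false, reason: "honeypot filled" };
  }
  const domain = emailDomain(fields.Email);
  if (isBlockedDomain(domain)) {
    return { ok: false, reason: "blocked email domain" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample submissions, as a bot-bypassed form might deliver them.
const SAMPLE_SUBMISSIONS = [
  { Email: "jane@example-corp.com", FirstName: "Jane", website: "" },          // legitimate
  { Email: "bot@GMAIL.COM", FirstName: "Xx", website: "" },                    // case trick
  { Email: "bot@hotmail.fr", FirstName: "Yy", website: "http://spam.invalid" }, // filled honeypot
  { Email: "bot@mail.ru", FirstName: "Zz" },                                   // field stripped
];

function classifyAll(submissions) {
  return submissions.map((s) => validateSubmission(s).reason || "accepted");
}

console.log(classifyAll(SAMPLE_SUBMISSIONS));
```

Because the first-label rule is deliberately the same as the client script's, it also blocks legitimate addresses such as `user@mail.example.com`; if that matters, swap `isBlockedDomain` for an exact-match set of full domains. The honeypot-missing rule assumes your own page always renders the field; if a legitimate integration posts without it, drop that branch.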