Avoiding Salesforce Web-to-Lead Spam

Earlier this week I attended the Denver Salesforce User Group meeting. One of the attendees was a new user and asked the group if others were using the web-to-lead functionality. Some were capitalizing on this functionality but, to my astonishment, not everyone.

Many of the folks that began discussing this topic expressed frustration over how to implement and concerns about spam. One of the respondents indicated that they went live with the functionality on one of their web forms but had to pull it down because they were receiving way too many spam leads. Another respondent indicated their web guy/team couldn't work with the code that was generated from Salesforce and they were left unable to roll out the functionality due to an inability to explain how the code worked and what within it was important.

Web-to-Lead is something that I think all Salesforce CRM businesses should use and I would like to take this post to explain how to prevent the possible spam submissions from a web form.

Although I won't go deeper into some of the pros of using Salesforce web-to-lead I would like to take a second to list them out. Maybe I will post some additional write-ups on these topics at a later date. Anyway, these are the reasons that web-to-lead is great:

  • Information from a customer/prospect gets loaded directly into Salesforce.
  • Auto-responses can be set up within Salesforce to email the form submitter to thank them for the submission, provide additional information regarding the submission or just plain let them know that their message was received by the business.
  • Lead routing can be set up within Salesforce to assign the Lead to a specific user or team.
  • Auto-notifications can be set up within Salesforce to notify the user or team that they have received a new lead.
  • All of the responses (internal and external) happen at the time of form submission so no time is wasted between customer/prospect web form interaction and sales/support follow up processes.

Now I can go on and on about why this is important and how easy it is to set up but I'll get to the point of this posting. You've bought into the web-to-lead functionality and have everything set up but now the leads being dropped into Salesforce are not always legitimate. You need a simple snippet of code to authenticate the form submission and maybe your web guy is not sure what to do or maybe you sometimes wear the "web guy" hat.

Whatever your situation you basically should always have the web form submission include the email address of the person making the submission. This field is the one you should use to do some simple validation that the email is legit and if it fails the inspection then the form fails. Or, more specifically, you let the form submitter know that the email is junk and the form cannot be submitted until it is fixed. This validation will help to trim the number of spam leads getting submitted and may prevent them entirely.

The email validation I am providing below is written in JavaScript but anyone familiar with another programming language could tweak this to work in PHP, .Net, ASP, etc. If you're not the technical guy then providing this code could assist the technical guy in getting the form up and running. So here's the script:

<script language="JavaScript" type="text/javascript">
//validate form
function validateForm() {
	var isError = ""; //tracks error messaging
	var email = document.getElementById("email").value; //grabs the text entered in the email portion of the form

	if (!checkEmail(email)) { //passes the email variable to the checkEmail function and checks if the return was false
		isError += "\n- Email must be properly formatted."; //since it failed we should format some text to respond to the user
	} else { //otherwise, we passed the email format inspection
		if (email.length > 80) { //check if the length of the email is more than 80 characters
			isError += "\n- Email cannot be more than 80 characters."; //emails greater than 80 characters in length cannot be entered into Salesforce so tell the user sorry...
		}
	}

	if (isError!="") { //if the checks failed
		alert("There were problems with your submission:\n"+isError); //alert the user so they can fix the problems and submit again
		return false; //tell the form that it cannot be submitted to Salesforce
	} else { //otherwise, we passed the inspection
		return true; //tell the form to submit the entry as a lead
	}
}

//validates a passed text string for email format
function checkEmail(str) {
	var at = "@";
	var dot = ".";
	var lat = str.indexOf(at); //position of the first @
	var lstr = str.length;
	var ldot = str.indexOf(dot); //position of the first dot
	if (str.indexOf(at)==-1) { //there must be an @
		return false;
	}
	//the @ cannot be the first or last character (indexOf never returns the string length, so compare against the last index)
	if (str.indexOf(at)==-1 || str.indexOf(at)==0 || str.indexOf(at)==lstr-1) {
		return false;
	}
	//the first dot cannot be missing, nor be the first or last character
	if (str.indexOf(dot)==-1 || str.indexOf(dot)==0 || str.indexOf(dot)==lstr-1) {
		return false;
	}
	if (str.indexOf(at,(lat+1))!=-1) { //only one @ is allowed
		return false;
	}
	if (str.substring(lat-1,lat)==dot || str.substring(lat+1,lat+2)==dot) { //no dot directly before or after the @
		return false;
	}
	if (str.indexOf(dot,(lat+2))==-1) { //there must be a dot somewhere after the @, with at least one character in between
		return false;
	}
	if (str.indexOf(" ")!=-1) { //no spaces allowed
		return false;
	}
	return true;
}
</script>

Since all Salesforce web-to-lead submissions work the same way for standard Lead fields, there is no modification necessary to the portion of your code where the user actually enters the email address. However, invoking the code may require a bit more explanation.

First, you need to alter your form submission to use the code above prior to making the form actually submit anything to Salesforce. This can be done by simply altering the <form> tag in the code of the form submission. Also, as I explained earlier, there is no need to alter the portion of the form that captures the email entry. The code below shows the altered form tag as well as the line for the email address capture:

<form action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" method="POST" onsubmit="return validateForm()">
<input id="email" maxlength="80" name="email" size="20" type="text">

As good practice you should probably include some other form validations where needed. Maybe checking the length of the name fields or the format of a phone number if you're requiring that on your form. However, I'll leave that validation for another time.
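
An added example, not part of the original post, of the extra checks mentioned above: one function that validates name lengths, the phone format and the email together and returns every problem found. Because onsubmit runs only in the visitor's browser, the function takes a plain object, so the same rules can also be applied in any server-side code that handles the form data. The field names other than email, the limits other than 80, the required-field list and the phone policy are assumptions, and the email test is a regular expression standing in for checkEmail().

```javascript
// Added example, not the post's code. The 80-character email limit is from the
// post; the other field names and limits are assumptions to be checked against
// the maxlength attributes in the HTML Salesforce generated for your form.
const LIMITS = { first_name: 40, last_name: 80, email: 80, phone: 40 };
const REQUIRED = ["last_name", "email"]; // assumption: adjust to your form

// One "@", no whitespace, no empty dot-separated part on either side, and at
// least one dot in the domain (a regex stand-in for the post's checkEmail()).
const EMAIL_RE = /^[^\s@.]+(\.[^\s@.]+)*@[^\s@.]+(\.[^\s@.]+)+$/;

// Digits with common separators; 7 to 15 digits in total (assumed policy).
const PHONE_RE = /^\+?[\d\s().-]+$/;

// Returns a list of problems; an empty list means the lead may be submitted.
function validateLead(fields) {
  const errors = [];
  const value = (name) => String(fields[name] ?? "").trim();

  for (const name of REQUIRED) {
    if (value(name) === "") errors.push(`${name} is required.`);
  }
  for (const [name, max] of Object.entries(LIMITS)) {
    if (value(name).length > max) {
      errors.push(`${name} cannot be more than ${max} characters.`);
    }
  }
  const email = value("email");
  if (email !== "" && !EMAIL_RE.test(email)) {
    errors.push("email must be properly formatted.");
  }
  const phone = value("phone");
  if (phone !== "") {
    const digits = phone.replace(/\D/g, "").length;
    if (!PHONE_RE.test(phone) || digits < 7 || digits > 15) {
      errors.push("phone must contain 7 to 15 digits.");
    }
  }
  return errors;
}

// Constructed sample submissions.
const good = {
  first_name: "Jane", last_name: "Doe",
  email: "jane@example.com", phone: "+1 (303) 555-0100",
};
const junk = { last_name: "x".repeat(81), email: "a@b.", phone: "call me" };
console.log(validateLead(good));
console.log(validateLead(junk));
```

Inside validateForm() the object can be built from the form's inputs, and the returned messages joined into the alert text.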

If you'd like to see a working example of this code you can simply go to the Contact Us page on this website. That page uses the script from this post in addition to some additional validations to make sure that we do not receive spam web leads in our Salesforce org.
