Last Updated: January 8th, 2017 by Dan Astriden
This article will describe why you are receiving Salesforce spam and how to stop it. The first thing to check is the source code of the web page where you have a web form that goes to Salesforce. If you have a hidden field named “OID”, this is the source of the problem. Spammers now have your Salesforce account number and can send spam directly to Salesforce. Even if you remove the website form you will still receive spam in your Salesforce account. Salesforce will not issue a new OID number for your account. To avoid this issue in the future, you can remove the hidden field with the OID number and pass it in server side coding before sending the information to Salesforce. This can be done in any scripting language such as PHP. To stop the spam that is currently going to your Salesforce account you can setup Lead Validation Rules within Salesforce that will check input data and flag anything with specific words or characters.
<form action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" method="POST"> <input type=hidden name="oid" value="0hxx0TRgyZ0xxxx"> <input type=hidden name="retURL" value="http://example-domain.com">
The following rule would stop any submission with FieldName containing the words “bad word” or if the length of the FieldName is greater than 20 characters.
AND( OR( ISPICKVAL(FieldName,”bad word”)), OR( LEN(FieldName) > 20) )
If your OID isn’t in the HTML source code and you are still receiving spam, there are many methods to prevent the spam without using a spam filter. You will need some programming added to your form processing application. Captcha isn’t recommended since it’s annoying for most users and many of the open source plugins don’t effectively stop spam.
So, why are you receiving spam in the first place? It’s a good idea to check the mail logs on the server to make sure you don’t have insecure code and are victim of email injection. If this is the case, your server could be sending spam to other people.
Bonus. If you made this mistake on your website you may have other issues too. I review a lot of websites and most are not CASL compliant, using structured data properly and have poor website architecture. I’m offering a free website audit for a limed time. Contact Dan to get started.