Last Updated: May 21st, 2023.

Stop Salesforce® Web To Lead Spam

Salesforce spam

This article will describe why you are receiving Salesforce spam and how to stop it. The first thing to check is the source code of the web page where you have a web lead form that goes to Salesforce. If you have a hidden field named “OID”, this is the source of the problem. Spammers now have your Salesforce account number and can send spam directly to Salesforce. Even if you remove the website form you will still have a problem and receive spam in your Salesforce account. Salesforce will not issue a new OID number for your account. To avoid this issue in the future, you can remove the hidden field with the OID number and pass it in server side coding before sending the information to Salesforce. This can be done in any scripting language such as PHP. To stop the spam that is currently going to your Salesforce account you can setup Lead Validation Rules within Salesforce that will check input data and flag anything with specific words or characters.

Salesforce web-to-lead security

Diagram of how to stop spam going to your Salesforce account

Steps to stop the spam

  • 1. Remove Salesforce account number (OID) from the HTML code.
  • 2. Pass the OID using PHP or other programming script.
  • 3. Setup validation rules within Salesforce to stop current spam.

Web_to_lead form example that can cause spam to enter Salesforce database.

<form action="" method="POST">  
<input type=hidden name="oid" value="0hxx0TRgyZ0xxxx">  
<input type=hidden name="retURL" value="">

Salesforce web-to-lead validation rules examples.

The following programming validation rule for stopping any form submission with FieldName containing the words “bad word” or if the length of the FieldName is greater than 20 characters. This spam filter limits invalid data from entering Salesforce via api.

ISPICKVAL(FieldName,”bad word”)),
  LEN(FieldName) > 20)

Salesforce’s web to lead captcha

If your OID isn’t in the HTML source code and you are still receiving spam, there are many methods to prevent the spam without using a spam filter. You will need some programming added to your form processing application. Captcha isn’t recommended since it’s annoying for most users and many of the open source plugins don’t effectively stop spam.

Hint. Many posts on the web suggest to use CSS to hide a form field on the website form and kill the form processing script if text is detected in this field. This is no longer effective against spam and a better method is to use javascript or jquery to add / remove / modify form content before the form is submitted and then check in the form processing script to make sure the content matches. You can look into Google invisible recaptcha v3 and api key pair implementation.

So, why are you receiving spam in the first place? It’s a good idea to check the mail logs on the server to make sure you don’t have insecure code and are victim of email injection. If this is the case, your server could be sending spam to other people & communities.

Web forms are a problem with people spamming with a fake website lead. This spam leads to Salesforce leads being filled with from spam. The trick is ensure your web form can detect spamming techniques and not let spammers pass the data to Salesforce.

Get Your Problem Solved Today!


Need Help? Get your problem solved today. I’m currently offering a limited but free website audit. See if you qualify.

How to stop salesforce’s web-to-lead spam

Author Bio

Avatar for Dan Astriden

Dan Astriden Web Developer | Author Bio

Hello. I'm a senior web manager located in the Bay Area, California. I've been managing the web properties of several Silicon Valley tech companies for many years. Contact me for a free website audit online and see how I can improve your business.

PayPal Payments Accepted Protection Status

Santa Cruz, CA 95060
(831) 291-5014
Hours: M-F, 9:00 am - 5:00 pm