Bot Captcha V3.1

[Charise Zelnick]

reCAPTCHAEnterprise offers up to 10,000 assessments per month at no cost and also provides additional features. Other features such as real time analytics provide the best place to start for most developers. Get started here.

Yes, you can use both reCAPTCHA (non-Enterprise version) and reCAPTCHA Enterprise. Typically the third party solution asks for your public key and either your secret key or your API key. Make sure to only provide your secret key and API key to trusted third parties.

To avoid stepping into the reCAPTCHA code while debugging other JavaScript on your site, add the reCAPTCHA script /recaptcha__.+\.js$ to your browser's ignore list. For instructions for Chrome, refer to Ignore a custom list of scripts. Similar features are available in other browsers.

The JavaScript API available for Invisible reCAPTCHA also works for v3. Simply use the JavaScript API to explicitly render reCAPTCHA with a v3 site key to access options such as repositioning the badge or changing the theme.

When rendering reCAPTCHA v3 with this method, remember to set the size parameter to 'invisible' and use the client ID returned by grecaptcha.render when calling grecaptcha.execute instead of the site key.

This typically occurs if the reCAPTCHA widget HTML element is programmatically removed sometime after the end user clicks on the checkbox. We recommend using the grecaptcha.reset() javascript function to reset the reCAPTCHA widget.

localhost domains are not supported by default. If you wish to continue supporting them for development you can add them to the list of supported domains for your site key. Go to the reCAPTCHA Enterprise console or to the reCAPTCHA console, as appropriate, to update your list of supported domains. We advise to use separate keys for development and production, and to only allow localhost on your development site key.

This is a focusing bug on Apple's side that we've reported to them. It affects users only on iOS 10 and only on some sites. If you are affected, a workaround is to move the reCAPTCHA widget higher or lower on the page, or use reCAPTCHA v3.

If you were directed to this page from the reCAPTCHA widget, you would have seen a message that said "We're sorry, but your computer or network may be sending automated queries. To protect our users, we can't process your request right now."

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Now I have the problem that e.g. VPN IPs or static company IPs seem to be blacklisted and only get a score of 0.1 even when the browser profile itself is fresh and has no adblocker and other privacy tools installed. Using a mobile internet connection, I get up to 0.7.

Logging into a Google account improves your score quite a lot, but this also means that Google learns what sites the account owner uses, both on the site with captcha and on sites with unrelated Google services, which use the fact that you are logged in. So it would be good to increase the score without logging in.

Nobody knows exactly how it works yet. However it seems tied to cookies and tracking scripts. Clearing cookies and setting the browser to not accept third-party cookies seems to lock it to 0.1. Try logging into gmail in the browser, and visiting a few other sites, some people have reported success with soundcloud. Also, if you solve a legacy captcha (v1) it seems to lock you to 0.1 for a few minutes. It also strongly prefers google chrome and firefox, chromium forks such as ungoogled-chromium and brave seem to hover around the 0.1 to 0.3 range, and edge rarely gets above 0.5.

Disable tracking/third party cookies (via options , privacy and security , content blocking - custom - check Trackers and select all windows ; check Cookies select Third-party trackers) gives a score of 0.3.

Yes, there is a way. Log into one of Google's services if you can. During tests we were able to achieve a score of 0.9 when logged into Google, compared to scores between 0.1 and 0.3 using Incognito on Chrome.

Not sure why they added the test, it asked me every time for the traffic light and this test is easy to pass for bots. Maybe they measure the time how fast you click the button or track your mouse movements?

We are currently under attack by some pretty aggressive bots that come to our Marketo forms via Google Ads. I have implemented reCaptcha V3 integration, have Smart Campaigns running to recognize and delete suspicious leads, and am also using ClickCease fraud prevention for our Google ads account.

The bad leads keep on coming and I am going nuts! Have any of you implemented a more robust 3rd party Captcha solution to try to thwart these bad ole bots? Could you please share details of the solution and how it is implemented? I am trying to find something that integrates with Marketo forms but nothing is jumping out at me.

remember - reCaptcha doesn't stop the leads coming in. It just assigns them a confidence level of human vs bot. It's up to you do something with them (e.g. delete if confidence is below , refer to human for review if confidence between and , retain if above ).

Following this thread as I am currently implementing reCAPTCHA v3 and would like to hear about any other solutions.

We've also had some bots from Google Ads. Many of the responses all have "@mailinator.com" domain. Mailinator is an email/SMS workflow testing service so not sure if we got caught up in some workflow or if its spoofing their domain.

we solved it on two fronts, 1st with paid media team for optimizing ad targeting, and asked refund from Google for junks/false form fills which they did promptly. on the other hand we implemented reCAPTCHA on testing basis, found it helpful.

These bots pass the reCaptcha test for human! And they have no end to their creative email domains. Every iteration of "business" and "gmail" and "mailinator" you can think of. Like roaches - I add their domains to the global validation list, and they come back with something new!!!!

This is why we need a puzzle-based captcha program in place. Something with a 3d/4d puzzle. And yes, I have honeypots on our forms too - doesn't work at all!!!!!!!

SO again, what captcha solutions are you using on your websites? Not everyone is using Google reCaptcha, are they??????

We do not support the use of Captcha when using the v2 or v3 endpoints. However, if you wish to use Captcha services, you can have these embedded on the page itself, not using the HubSpot functionality and this will work fine as we do not process any validation for incoming data. It is only once the data has been received that we process validation and in this case return 400 errors with the following:

Also, to touch on the Forum post you linked, the Solution that is marked there does not confirm that this should work, rather it states that the v3 endpoint is more flexible in it's functionality but it would still require investigation.

@DavidVendia No unfortunately there isn't.. I believe that Hubspot is forcing us to not be able to do this because they'd rather have you do a follow up email through their Automation Workflows, which however you can only do if you have their Marketing Professional package ($800/month).

+1 to this.

This is also a problem we are seeing. Spent a great deal of time integrating the Form API into our site setup and when I enable a "follow up" email everything breaks because of the forced captcha.

The form on our site is not an embedded HubSpot form, it's a custom form that pings a backend that uses the hubspot form API to submit the form submission (for conversions) in hubspot.

Is there any way to use follow up email functionality while using the form API?

Hi @Willson

I'm having an issue that's related to this.

My issue is that I need my form to use the form API instead of the embeded one, and be able to use the follow-up email functionality. The problem is that to use the follow-up email functionality, it's required that we have reCaptcha enabled.

@Willson We're having this same issue where we want to be able to use the follow up email function but we have it setup through the Forms API, which doesn't work when reCaptcha is enabled. We don't need to have reCaptcha enabled on the Hubspot Forms side because we have it already going on our website so it's redundant to do it twice. Why is Hubspot forcing us to use reCaptcha when we don't even need it and not allowing us to use the forms api?

Thanks for the clarification with that, I am on the same page now.

However, this issue goes back to my original point. The Forms API does not support Captcha and this is a required step in order to use our Follow-up tool for Forms within HubSpot.

Likewise, since it is no longer necessary in reCAPTCHA v3, a form-tag generator button for the reCAPTCHA widget ([recaptcha]) does not appear in the Form tab panel. If [recaptcha] tags are used in your form templates they will be ignored and automatically replaced by an empty string, so it is not necessary to remove the tags manually.

3a8082e126