

Digital marketing is an ever-evolving industry where the role of bots has become increasingly prominent. When utilizing platforms such as Marketo, grasping the intricacies of bot behavior becomes crucial for maintaining campaign effectiveness and system functionality. Bots have the ability to significantly skew analytics and disrupt operations. In this blog, we’ll delve into the different types of bots you may run into, offer insights on understanding them, provide tips for identification, and outline strategies for managing their impact.

What types of bots should I be familiar with?

There are two types of bots you’ll likely encounter in Marketo: email bots and web bots.

  1. Email bots are often a standard security measure in certain companies. They’re deployed to safeguard against any malicious content infiltrating via email. However, they can inadvertently register opens or clicks from recipients who weren’t the intended targets. This can pose challenges, particularly when email interactions trigger actions based on behavior, like scoring or subsequent follow-ups, or when assessing email performance reports.
  2. Web bots are malicious bots that aim to disrupt your website’s functionality by submitting forms with fake information, overwhelming your system with bogus records. Depending on your system configuration, this influx of false data can overload your system, potentially inundating your sales team with counterfeit leads, distorting your lifecycle metrics, and damaging your sender reputation.

What do I need to know about email bots in Marketo?

Marketo has made it fairly easy to manage email bots in your system. Simply navigate to the “Email” tab of your Admin Section, then open the “Bot Activity” tab.

From here, you can choose to log or exclude the email opens and link clicks generated by bots.

Marketo keeps a list of User Agent/IP addresses of known bots, called the IAB List. All IPs are listed in this Marketo doc at the bottom of the page.

A proximity pattern is identified as two or more activities that happen simultaneously (under one second), which would defy normal human behavior and indicate bot activity. You have the ability to adjust the proximity pattern anywhere from 0 to 3 seconds, although 0 seconds is recommended.

If you choose to Filter Bot Activity, it would remove the activity from ever being logged in Marketo, which means you cannot get this information back if you decide to change your settings later. This will eliminate it from your email performance metrics, prevent related trigger activity, and stop related activities from showing up on the person’s activity log. Once you begin to filter this behavior, it will look as though email open and click rates have dropped dramatically as the false activities are weeded out. The good news is that the information is more reliable, and new email benchmarks can be set.

On the other hand, choosing to Log Bot Activity will flag it as bot, but will allow the activity to show on the individual’s record, trigger any “link click” triggers, and will allow it to be included in email performance reports. You would still have the option to filter on Bot Activity Pattern in Smart lists and email performance reports.
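The proximity pattern and the difference between the two settings, as an added JavaScript sketch that is not Marketo's own code. The record shape, function names and sample data are constructed for illustration, and it assumes gaps are compared in whole seconds rounded down, so a window of 0 matches activities under one second apart.

```javascript
// Constructed sample activity log (not real Marketo data). ts is epoch ms.
const sampleActivities = [
  { lead: "a@example.com", email: "Spring Promo", type: "open",  ts: 1000000 },
  { lead: "a@example.com", email: "Spring Promo", type: "click", ts: 1000400 },
  { lead: "a@example.com", email: "Spring Promo", type: "click", ts: 1000700 },
  { lead: "b@example.com", email: "Spring Promo", type: "open",  ts: 1000000 },
  { lead: "b@example.com", email: "Spring Promo", type: "click", ts: 1095000 },
  { lead: "c@example.com", email: "Spring Promo", type: "open",  ts: 2000000 },
  { lead: "c@example.com", email: "Spring Promo", type: "click", ts: 2002500 },
];

// Mark activities that fall within the window of a neighbouring activity for
// the same lead and email. Assumption: window 0 means "under one second".
function markProximity(activities, windowSeconds) {
  const limitMs = (windowSeconds + 1) * 1000; // gap must be strictly below this
  const groups = new Map();
  activities.forEach((a, i) => {
    const key = `${a.lead}|${a.email}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(i);
  });
  const bot = new Array(activities.length).fill(false);
  for (const idx of groups.values()) {
    idx.sort((x, y) => activities[x].ts - activities[y].ts);
    for (let k = 1; k < idx.length; k++) {
      if (activities[idx[k]].ts - activities[idx[k - 1]].ts < limitMs) {
        bot[idx[k]] = bot[idx[k - 1]] = true;
      }
    }
  }
  return activities.map((a, i) => ({ ...a, bot: bot[i] }));
}

// "log" stores every activity with its bot flag; "filter" never stores the
// flagged ones, so changing the setting later cannot bring them back.
function applyBotSetting(activities, { windowSeconds = 0, mode = "log" } = {}) {
  const marked = markProximity(activities, windowSeconds);
  return mode === "filter" ? marked.filter((a) => !a.bot) : marked;
}

// Open and click totals for whatever was stored, to compare the two modes.
function engagementCounts(stored) {
  return stored.reduce((n, a) => ({ ...n, [a.type]: (n[a.type] || 0) + 1 }), {});
}
```

Running both modes over the same log shows the drop in opens and clicks that filtering produces, while log mode keeps the totals and leaves the `bot` flag available for later filtering.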

What do I need to know about web bots in Marketo?

Unlike the neutral bot clicks from above, bots that occur from form fills are always nefarious in nature. Here’s what to watch out for:

  1. Repetitive Form Fills: These often come from similar IP addresses and use look-alike email addresses, all with identical or similar information entered.
  2. NULL Email Addresses: Despite the field being mandatory, bots may input NULL or fake email addresses.
  3. Persistent Form Fills: Bots may repeatedly fill out the same form or multiple forms using the same email address.
  4. Lack of Web Activity: Bots may submit forms without any prior activity on the corresponding website.
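The four warning signs above, applied to exported form submissions, as an added JavaScript sketch that is not part of Marketo. The record fields (`ip`, `company`, `priorPageViews`), the threshold of three and the sample data are assumptions made for illustration.

```javascript
// Constructed sample submissions (not real data); field names are hypothetical.
const sampleSubmissions = [
  { email: "jon.doe1@mail.test", ip: "203.0.113.10", company: "Acme", form: "demo", priorPageViews: 0 },
  { email: "jon.doe2@mail.test", ip: "203.0.113.11", company: "Acme", form: "demo", priorPageViews: 0 },
  { email: "jon.doe3@mail.test", ip: "203.0.113.12", company: "Acme", form: "demo", priorPageViews: 0 },
  { email: "NULL", ip: "198.51.100.7", company: "x", form: "demo", priorPageViews: 0 },
  { email: "pat@corp.test", ip: "192.0.2.44", company: "Globex", form: "demo", priorPageViews: 6 },
  { email: "sam@corp.test", ip: "192.0.2.5", company: "Initech", form: "demo", priorPageViews: 2 },
  { email: "sam@corp.test", ip: "198.51.100.20", company: "Initech", form: "webinar", priorPageViews: 2 },
  { email: "sam@corp.test", ip: "203.0.113.200", company: "Initech", form: "contact", priorPageViews: 2 },
];

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Count how many items share each key.
function countBy(items, keyFn) {
  const m = new Map();
  for (const it of items) m.set(keyFn(it), (m.get(keyFn(it)) || 0) + 1);
  return m;
}

// Return, per submission, which of the four indicators it matches.
function botIndicators(subs, repeatMin = 3) {
  const norm = (s) => String(s.email ?? "").trim().toLowerCase();
  const subnet = (s) => s.ip.split(".").slice(0, 3).join("."); // IPv4 /24 prefix
  const lookAlike = (s) => norm(s).replace(/\d+(?=@)/, ""); // jon.doe1 -> jon.doe
  const cluster = (s) => `${subnet(s)}|${lookAlike(s)}|${s.company}`;
  const perCluster = countBy(subs, cluster);
  const perEmail = countBy(subs, norm);
  return subs.map((s) => {
    const reasons = [];
    const email = norm(s);
    // 1. Similar IPs, look-alike addresses, identical other values.
    if (perCluster.get(cluster(s)) >= repeatMin) reasons.push("repetitive");
    // 2. NULL, empty or malformed address in a mandatory field.
    if (!email || email === "null" || !EMAIL_RE.test(email)) reasons.push("null-email");
    // 3. Same address submitted again and again, on one form or several.
    if (perEmail.get(email) >= repeatMin) reasons.push("persistent");
    // 4. Form fill with no page views beforehand.
    if (s.priorPageViews === 0) reasons.push("no-web-activity");
    return { email: s.email, reasons };
  });
}
```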

Typically, bot activity begins subtly, with a few thousand form fills over several days, maintaining a low frequency to avoid detection. Once successful, however, the attack can escalate rapidly, inundating systems with tens or even hundreds of thousands of submissions within a single day. This flood can severely impact operations, slowing down platforms like Marketo, disrupting the sync with other tools, and grinding productivity to a halt.

Recognizing the early signs of bot activity is crucial. Implementing preventive measures when the first trickle of bots appears can help mitigate the impact of a full-blown attack.

Moreover, bot activity doesn’t just disrupt operations; it can also harm your sender reputation. Every company that sends emails has a sender reputation, which can suffer from low open rates, clicks, or an increase in hard bounces. Fake email addresses entered by bots lead to hard bounces and contribute to poor engagement metrics. This not only skews reporting and metrics but also tarnishes your sender reputation. As a result, genuine prospects and customers may miss out on your communications due to your compromised reputation as a sender.

How do I create a solution to identify or prevent web bots?


CAPTCHA:

CAPTCHA has become a frictionless way to prevent bots from entering the system. Marketo’s CAPTCHA solution uses Google reCAPTCHA v3, which is a puzzle- and challenge-free experience for site visitors.

CAPTCHA requires collaboration with your Google Analytics and web team to ensure it is set up properly.

Important Note: It’s worth noting that CAPTCHA, while effective against bots, can inadvertently block individuals using screen readers, wrongly categorizing them as bots. It’s crucial to handle this situation with sensitivity.


Honeypot:

The honeypot technique involves tricking less sophisticated bots by blending a hidden field with visible ones. An effective method is to include a hidden field on a form, disguised as a typical field, such as “Verify Email”, to confuse bots. You set a default value for this field, and any deviation from it flags suspicion of bot activity (since genuine users won’t interact with hidden fields). Sometimes, bots might leave the field blank or alter its value, indicating their presence. To enhance the effectiveness of honeypots, it’s advisable to make them less conspicuous. Rather than solely relying on Marketo to hide the field, collaborate with a developer to utilize JavaScript for field concealment. This approach lends a more authentic appearance, making it harder for bots to detect the trap.
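One way to build the honeypot described above, as an added JavaScript sketch that is not Marketo code. The field name `verifyEmail`, its default value `confirmed`, the function names and the sample records are all assumptions made for illustration.

```javascript
// Hypothetical field name and default value (assumptions, not Marketo settings).
const HONEYPOT = { name: "verifyEmail", expected: "confirmed" };

// Conceal the field's row with script instead of relying on a hidden input
// type, and keep it away from keyboard focus, screen readers and autofill so
// genuine visitors never change it.
function concealHoneypot(input, row = input.parentElement) {
  input.value = HONEYPOT.expected;
  input.tabIndex = -1;
  input.setAttribute("autocomplete", "off");
  row.setAttribute("aria-hidden", "true");
  Object.assign(row.style, {
    position: "absolute", left: "-9999px", height: "1px", overflow: "hidden",
  });
  return input;
}

// Any deviation from the default counts: field missing, blank or altered.
function honeypotVerdict(fields) {
  const value = fields[HONEYPOT.name];
  if (value === undefined) return "missing";
  if (String(value).trim() === "") return "blank";
  return value === HONEYPOT.expected ? "ok" : "altered";
}

// Split exported records into clean and suspect lists for follow-up.
function triageRecords(records) {
  const out = { clean: [], suspect: [] };
  for (const r of records) {
    const verdict = honeypotVerdict(r);
    (verdict === "ok" ? out.clean : out.suspect).push({ email: r.email, verdict });
  }
  return out;
}

// Constructed sample records (not real data).
const sampleRecords = [
  { email: "pat@corp.test", verifyEmail: "confirmed" },
  { email: "bot1@mail.test", verifyEmail: "bot1@mail.test" },
  { email: "bot2@mail.test", verifyEmail: "" },
];

// In a browser, conceal the field once it is present on the page.
if (typeof document !== "undefined") {
  const input = document.querySelector(`[name="${HONEYPOT.name}"]`);
  if (input) concealHoneypot(input);
}
```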

Smart Lists:

If you’re already identifying bot patterns, creating a smart list that identifies common “bad actor” IP addresses can help you take action in Marketo.

Email Verification:

Tools like “Neverbounce” or “Kickbox” can help identify if an email address is legitimate or not. While bots frequently use legitimate email addresses, this can still help identify and cleanse your system of any fake addresses created.

Global Form Validation Rules:

Within the Marketo admin interface, a section called “Global Form Validation Rules” serves to block submissions that do not meet specified criteria. Marketo includes a pre-configured rule targeting free consumer email domains, often used by bots. Enabling this rule would automatically enforce it across all forms, though you have the option to selectively exclude specific forms if necessary.

While Marketo allows for the creation of custom email address rules, it’s important to note that this is the sole field capable of preventing records from entering the system via a Marketo form.

Custom JavaScript:

If your team has the resources, custom JavaScript can be used to prevent IP addresses from known bots from submitting a form. This information could be gathered from known bots in your system in order to prevent them from re-entering, but must be done via JavaScript.

Human Test Question:

This method is not as widely favored because it entails adding an extra form question, which could be perceived as creating more friction for users. However, the concept is straightforward: you pose a simple question that any human could answer, allowing responses via free text, radio buttons, or checkboxes. This serves as an additional identification measure. With assistance from the web team, you can implement measures to prevent individuals from progressing if they provide an incorrect answer.

What do I do with bots that have entered Marketo?

Most bot prevention methods primarily focus on identifying bots for subsequent removal from the system. It’s advisable to take the following actions:

  • Implement a Marketability Management program capable of automatically suspending or unsubscribing identified bot records, provided there’s a reliable method for their detection.
  • Regularly purge bot records using a database cleanup program to maintain data integrity and remove unwanted records from the database.
  • If removal or repeatable processes aren’t feasible, create a smart list to identify bot records. Exclude these records from email campaigns and, if necessary, filter them out from triggered smart campaigns. For instance, if a record repeatedly fills out a form, employ a filter within the triggered campaign to prevent them from re-entering or block similar records from entering altogether.


In conclusion, navigating the landscape of marketing operations in the presence of bots is a challenge that demands attention to detail and proactive measures. Understanding the nuances of bot behavior is essential for safeguarding the effectiveness of campaigns and maintaining system integrity. By familiarizing yourself with the various types of bots, implementing effective identification techniques, and deploying strategies to manage their impact, you can better protect your operations and reputation.
