Need to block Lead SPAM


We seem to bet getting tons of SPAM into our CRM since the install. We currently have a WordPress setup and use Gravity forms (with recaptcha) with a webhook into SuiteCRM and it works great. So I checked the entries in the Gravity form database and the SPAM is not coming through the forms, so I would like to know where / how I can plug the hole?

Any help and feedback is greatly appreciated.


Btw, this is the latest version install.

What do you see in the CRM as spam? which module are the entries going to ?
If you disable webhook, does the spam entries stop coming?

Hey, I’d love to know how you setup the webhook with GF. I was having issues setting that up. Are you using Gravity Forms Webhooks plugin, or something different?

Hello @cherub-chum! The SPAM is same first and last name and junk entries pretty much all similar to these >

I have recaptcha on the form and the entries are Not coming in to the website just into the CRM so they are bypassing recaptcha somehow. I’ve since put in a ticket with the developer and will share this with you once I hear back.


Hi pstevens! We were going to use the webhook addon, we use it alot for other customers, especially for those oddball CRMs. But this plugin just made it too easy Gravity Forms - SuiteCRM Integration by obtaincode | CodeCanyon and at $30 a pop, well worth it in my opinion. IF I can get this SPAM issue resolved.

1 Like

I think they have the CRM EntryPoint where they are injecting the Leads/Records.
Unless i see the records and log, it is hard to tell from which end the CRM is compromised to insert spam entries.

I would like to “me-too” this issue as well. I have added Google captha and it works for most parts. But there are some who are able to bypass that and are able to submit spam directly to SuiteCRM. How can this be prevented?

What logs specifically and I can get them…

URL to the Web Form entry point ( in DM since its an open forum) and the suitecrm.log from that time if you setup the log level at debug from Admin->System Settings [ Log Level Dropdown] value set to Debug.

Watching this thread. I get a lot of form spam. I can’t tell if its SQL injection or not, or just a nuisance.

What exactly would you look for in the log?

I’ll have this over to you soon… - thank you!

Hey @GreenixMKTG I managed to get the official Gravity Forms Webhooks plugin working to push leads into suitecrm. No spam. Could be a security issue with the plugin your using. I’m using the offical GF webhooks plugin.

Depending on your GF subscription, it should come included.

I’ve also had great luck with Forms:3rd Party Integration. Here’s a complete tutorial on my blog:

It’s 2024; 2+ years since last reported. This issues still persists. There is tremendous amount of leads created even though there is captcha. How can SuiteCRM to allow insertion into database by spammers who are somehow able to directly call the lead creation endpoint?

Can you post a link to the form on your website and I’ll have a look.

Personally, I use Gravity Forms and not the SuiteCRM web to lead form. It’s a more secure way of doing it.

Is it secure to post the link in a public forum post? Can I send it to you directly?

Is your website public and available on the internet? If so, there’s no reason not to post it.

You can see from the the HTML on your site, the POST url and the campaign ID is publicly available.

I think all a bot has to do is submit a POST request to that url with the campaign ID in the correct format (which is easily obtained from the form) and voila, lead created.



@GreenixMKTG @binfer @labanjohnson
I suggest this solution, to block spam lead submissions, yet allow only the local Suite server itself, and your website, to add a Lead to your CRM!
It requires your web server to be Apache 2.4 version or newer.
Add this to the end of your .htaccess file, located in your Suite base directory:

<If "%{REQUEST_URI} =~ m#^/index.php?entryPoint=WebToPersonCapture#">
    Require local
    Require host
    Require ip

Post back your results here!

UPDATED to allow website on different server to add a lead.


Hey @chris001 cool idea! Can you specify a specific IP if your website is different?