Scott Hanselman

Microsoft Web Platform, Web Application Gallery, Web Platform Installer (and DasBlog)

March 18, '09 Comments [18] Posted in ASP.NET | DasBlog | IIS | Mix | Open Source | Tools

It's so fun to help "announce" things, especially things that are a long time coming and that a lot of people worked on to make things "just work." (You can follow them on Twitter @mswebplatform.)

This is one of those fantastic things. Today, you can install free applications direct to IIS using the Web Platform Installer 2.0 and the Web Application Gallery. The WebPI will also check for application dependencies, and if you like, automatically download and install them. It'll install SQL Express, PHP, whatever you need to get your apps running.

For example, you can now install DasBlog just by clicking this button:

Install DasBlog now with the Web Platform Installer

There's a bunch of cool apps available in the gallery immediately, both ASP.NET and PHP (remember that IIS kicks ass at hosting PHP):

This gallery sits on top of some technologies that have been slowly but surely sneaking out of the most-awesome IIS team lately.

How's it work?

Here's some technical details. You can install free apps a few ways, and they are all easy.

  • You can visit the Web App Gallery, find an app and click install. If you've got the Web Platform Installer it'll launch out of the browser. (Don't worry, it's not a browser plugin, it's more like iTunes. It'll "leap out of the browser" from a link.)
  • You can open IIS manager on your machine after installing WebPI, and click "Install Application from Gallery." This feature is awesome enough to require a screenshot to drink in: image
  • Or, just run the Web Platform Installer and browse around the catalog. The list of apps comes down as an Atom Feed.

Hey, isn't that dasBlog in the list there? Why, yes! ;)

Packaging Your App - Technical Details - DasBlog

You can upload YOUR free app to the gallery. Start by downloading the Application Developer's Kit. We packaged up DasBlog 2.3 like this. You install DasBlog

The package is a zip file. Inside at the root are two files, manifest.xml and parameters.xml. You start by "exporting" your app already working in IIS. Then, if your app has specific needs you can edit the files manually.

For example, here's our manifest.xml, which is an MSDeploy file:

<MSDeploy.iisApp>

    <!-- Copies content from path into the destination specified in parameters.xml and marks as an app in IIS 5.1, 6.0 and 7.x -->
    <iisapp path="dasblogce" />

    <!-- Set NTFS ACLs on the destination specified in parameters.xml -->
    <setAcl path="dasblogce/content" setAclAccess="Read,Write,Delete" />
    <setAcl path="dasblogce/logs" setAclAccess="Read,Write,Delete" />
    <setAcl path="dasblogce/siteconfig" setAclAccess="Read,Write,Delete" />

</MSDeploy.iisApp>

Remember that DasBlog doesn't use a database, but rather stores all data in XML files in the content folder. Our MSDeploy file sets ACLs on a few directories to allow "Read,Write,Delete." This file encapsulates a potentially tricky setup step for DasBlog.

The parameters.xml is a little more sophisticated and drives a dynamic UI form inside of the Web Platform Installer 2.0.

For example, the blog owner's email is a parameter, and it's entered in two files. Since DasBlog uses XML files, we can use XPath to describe where to poke the values in.

<!-- Prompts for admin email -->
<parameter name="Email Address" description="Enter the blog owner's email address." defaultValue="dasblog@example.com">
    <parameterEntry type="XmlFile" scope="dasblogce\\siteconfig\\site.config" match="//MSDeploy:Contact/text()" />
    <parameterEntry type="XmlFile" scope="dasblogce\\siteconfig\\siteSecurity.config" match="//EmailAddress/text()" />
</parameter>

Here's what the generated UI looks like:

image

You can read about this format in the Application Developer's Kit. You can parameterize your SQL files as well, it's a very flexible format.

Then we zipped up the deployment and uploaded it to CodePlex. The CodePlex site is smart enough to notice when the Platform Installer is requesting a release (it sniffs the User-Agent) and serves up the file rather than the web site, so I can use CodePlex to host the zip. (It would have sucked to have to host somewhere else.)

MSDeploy -> WebDeploy -> Web Platform Installer 2.0 -> Web App Gallery

Just to take a second, and make sure this is clear.

There's the command-line MSDeploy engine, there's WebDeploy that integrates with IIS and has a nice UI, and there's the Web Application Gallery where you can get a bunch of free applications. When you're in the App Gallery, the Web Platform Installer will do the installation.

Here's how I see it. Of course, you just have to click a button, but I always like to see what's underneath.

image 

What's cool about this is that even if you don't want to put your app up on the Web Application Gallery, you can still use MSDeploy/WebDeploy to deploy your apps. They are REALLY powerful tools that can help you deploy, migrate between IIS6 and IIS7, and synchronize content and apps between machines in a web farm. If you deal with IIS apps all day, host them, develop them, etc, take some time and spend it over at http://www.iis.net.

Now, if you want to have your app included in the gallery, here's the principles your app should follow:

Web Application Gallery Development Principles

1. Be Current: The application you provide a link to must be the latest, stable final release version available, hosted on a publicly available Web URL

2. Be Free of Charge: The application for which you submit a link to the Microsoft Web App Gallery must be provided free of charge and fully functional without time restrictions. You are welcome to charge for professional support or consulting services and/or provide an enhanced, enterprise version of the application for purchase on your site.  We will be happy to provide a link to your commercial products and services from your page in the Microsoft Web Application Gallery.

3. Be Compatible: The application to which you provide a link must run on Windows Server 2003, Windows Server 2008, Windows XP & Windows Vista using best practices on running ASP.NET applications and PHP applications on IIS.

4. Be Deployable: The application to which you provide a link must integrate with Microsoft Web Deploy as described in the Microsoft Web Application Packaging Guide, and run with the Microsoft Web Platform Installer v2.

5. Be Supported: You must provide a publicly available Web site where end users can download your application, find documentation and/or get free on a best effort basis support through a forum.

6. Be Hostable: The application to which you provide a link must run well in a shared hosted environment as well as when the user has administrative rights for the computer.

7. Be Inclusive: If your link is included in the Gallery, you should include a link on your application community’s Web site to your Application entry on the Microsoft Web Application Gallery.

8. Be Safe: The application to which you provide a link must not harm customers or be malicious, dishonest, destructive, invasive, or act in any manner restricted by the Web Gallery Application Submission agreement.

Congrats to the IIS and /Web teams for this release, and thanks for all the guys on dasBlog for helping. Big thanks to Bill Staples for letting dasBlog 2.3 in on the launch.

Enjoy!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

Best Code Syntax Highlighter for Snippets in your Blog

December 2, '08 Comments [36] Posted in ASP.NET | DasBlog | Javascript | Open Source

I get a few emails a day of folks asking what Syntax Highlighter I use in my blog for my code samples. Specifically, the newer code samples, as some of the old ones sucked as I was experimenting, trying to find the best one to settle on.

The tool I use is actually called SyntaxHighlighter and it's from Alex Gorbatchev. The trick is that the syntax highlighter is all javascript on the client side.

I was having all sorts of troubles with other code highlighters. First, there were ones that put css classes and stuff all through your code, trying to decorate each keyword. This just bloated my feed and site and made the code look weird in some Feed Readers. Then I tried using images for code, like ScottGu does, but that is just wrong. You can't copy paste the code, you can't search it, it's disrespectful for the blind, etc. Meh.

How I post code to my blog

I use Windows Live Writer to post all my blog posts, and it has a great plugin model. I've actually written a WLW plugin for the CueCat...it's really easy. I use a plugin from DasBlog contributor Anthony Bouch called PreCode that directly targets/supports SyntaxHighlighter from within WLW.

That means I see this from inside Live Writer. I click Insert PreCode Snippet, and paste in my code.

If you're reading this blog post from inside an aggregator or feed reader, the next two code snippets look identical to you. However, if you visit my blog, you'll see that one is different.

// Hello3.cs
using System;

public class Hello3
{
    public static void Main(string[] args)
    {
        Console.WriteLine("Hello, World!");
        Console.WriteLine("You entered the following {0} command line arguments:",
            args.Length );
        for (int i=0; i < args.Length; i++)
        {
            Console.WriteLine("{0}", args[i]);
        }
    }
}

// Hello3.cs
using System;

public class Hello3
{
    public static void Main(string[] args)
    {
        Console.WriteLine("Hello, World!");
        Console.WriteLine("You entered the following {0} command line arguments:",
            args.Length );
        for (int i=0; i < args.Length; i++)
        {
            Console.WriteLine("{0}", args[i]);
        }
    }
}

One looks like this, as HTML:

// Hello3.cs
using System;

public class Hello3
{

public static void Main(string[] args)
{

Console.WriteLine("Hello, World!");
Console.WriteLine("You entered
the following {0} command line arguments:",
args.Length );

for (int i=0; i < args.Length; i++)
{

Console.WriteLine("{0}", args[i]);
}
}
}

See the 'class="c#" name="code"' part? Alex's Javascript SyntaxHighlighter is looking for those and parsing them on the client side. I choose to add breaks, but that's an option in PreCode. Other options for SyntaxHighlighter include line numbering, gutters, copy/paste support, a toolbar and more.

P.S. If you don't use Windows Live Writer (and seriously, stop and ask yourself, WHY NOT?) and use instead a web interface, you can integrate SyntaxHighlighter into your web-based rich text editor. For example, Darren made a SyntaxHighlighter Plugin for the popular FCKeditor. Perhaps we'll put that in DasBlog.

Installing SyntaxHighlighter to Your Blog

You install the SyntaxHighlighter by adding it to your blog's template. It doesn't care what blog engine you run, as it doesn't need anything on the server:









Just add the shCore library and just the languages you require. If you want your blog to feel snappy and you have some control over your server, don't forget to set the files/directories to cache on the client by making them expire far in the future. You don't want your user's browsers to keep asking for these scripts each page view.

Even better, you can create your own plugins for SyntaxHighlighter if you use a language Alex hasn't supported officially. This guy threw together a Scala SyntaxHighlighter file by editing the Java one and adding a regex.

There are a few bugs but I think folks forget that Alex is doing this all alone, so I have to give him mad props for the effort. It can be lonely and unforgiving when you do something awesome and either no one cares, or folks only care to complain.

UPDATE: There's some great un-bundled brushes collected here.

The Weekly Source Code 25 - OpenID Edition

April 30, '08 Comments [161] Posted in ASP.NET | ASP.NET MVC | DasBlog | Identity | Source Code

We spent a lot of time at Corillian (my last job) thinking about Identity, and a few months before I left I started getting into Cardspace and OpenID. This was a little over a year ago. We did a podcast on OpenID as well.

At that time, I tried to take the only .NET implementation of OpenID, which was written in Boo (originally by Grant Monroe), and port it to C#, causing me to go through the Programmer Phases of Grief. Andrew Arnott and Jason Alexander took the reins and we spent a number of late nights trying to get a good OpenID library working. I gave up, but they soldiered on and created dotnetopenid (downloads), including a client and server as well as Andrew's excellent ASP.NET controls.

Fast-forward to now. My new friend Aaron Hockley decided to take a stand and promote OpenID. He said:

Effective immediately, I will no longer comment on tech blogs that don’t support OpenID for comment authentication.

He's just one guy, but his heart is in the right place. He points out that:

Google offers it as a Blogger option. It’s available as a super-easy-to-install WordPress plugin. Movable Type has it as a built-in feature.

OpenID is a good thing and it's Growing. You may already have an OpenID if, for example, you have a Yahoo! account. More on this soon.

How to turn your blog into an OpenID

Simon Willison wrote How to turn your blog into an OpenID and it's very easy.

STEP 1: Get an OpenID. There are lots of servers and services out there you can use. I use http://www.myopenid.com for two reasons. One, I know the CEO (they're in Portland), and two, they support optionally using CardSpace to authenticate yourself (as well as the standard way with password).

STEP 2: Add these two lines to your blog's main template in-between the <HEAD></HEAD> tags at the top of your template. Most all blog engines support editing your template so this should be an easy and very possible thing to do.

Example:

<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://YOURUSERNAME.myopenid.com/" />

This will let you use your domain/blog  as your OpenID. Now, I can log in with "http://www.hanselman.com" when I see an OpenID Login option - and so can you! Go do it now!

Making OpenID Logins Easier

If you have a blog or site with OpenID support, you should go get this little snippet of JavaScript and install an OpenID ID Selector on your blog from http://www.idselector.com/.

One of the things that is slowing OpenID adoption is that many people don't realize that they may already have one. That's what this little Javascript is trying to do by showing folks sites that they recognize. This way my Dad could login using Yahoo and it would make sense to him. It's a little busy, but it's a start. I've added an http://www.idselector.com/ to my blog for comments.

Adding OpenID Support to DasBlog

A year ago, I originally tried to port the Boo code to C# in an attempt to enable OpenID in DasBlog but eventually gave up. However, last night, I re-familiarized myself with the OpenID spec (it's on 2.0 now) and started reading the source for http://code.google.com/p/dotnetopenid/.

In a word, it's a joy. I was able to get OpenID running OK in two hours and working well and up on my blog in two more. I have to give credit to the fantastic work that Andrew Arnott and Jason Alexander and team are doing. It's come far and you should know about it, Dear Reader.

I had two scenarios in DasBlog (again, in case you didn't know, it's the C# and XML-based blog that runs this site and others) to handle.

First, I wanted to support OpenID for Comments which wouldn't actually "log a user in" in the stateful FormsAuthentication sense. I think this isn't a very common scenario, and I'd describe it as One-Time Occasional Authentication. In this case, I used the dotnetopenid classes directly in a moderately complex scenario.

Second, I wanted to support OpenID to login as the Administrator for my site. This would, in fact, log me in via FormsAuthentication. This would be a common scenario that you'd probably care about as it's very typical. In this case, I used the dotnetopenid ASP.NET Controls, which were about as easy as falling off a log. (That's pretty easy.)

Here's the first, harder, scenario.

If you've entered your OpenID and hit Submit Comment then we'll store the current entry and the comment you're submitting. We'll be redirecting away to get authenticated and we'll need them when we get back. If you're running in a WebFarm, you'll want to store these temporary variables in a database or somewhere that doesn't have node-affinity.

Session["pendingComment"] = comment.Text;
Session["pendingEntryId"] = ViewState["entryId"] as string;
OpenIdRelyingParty openid = new OpenIdRelyingParty();
IAuthenticationRequest req = openid.CreateRequest(openid_identifier.Text);
ClaimsRequest fetch = new ClaimsRequest();
fetch.Email = DemandLevel.Require;
fetch.Nickname = DemandLevel.Require;
req.AddExtension(fetch);
SaveCookies();
req.RedirectToProvider();
return;

What I think of as an "OpenID Client" is called a "Relying Party" or "RP" in the parlance of the OpenID folks. In this code we create an AuthenticationRequest and add some additional claims. There's a nice interface-based extension model in this lower-level library that lets you Request or Require information from the user's profile. For comments on the blog, I just need your email for your Gravatar and your Nickname for Display.

I then call RedirectToProvider, and that's it for the request side. Remember I said this was the hard scenario! Not so hard. ;)

Next, we're redirected to an OpenIDProvider, we authenticate (or not) and are redirected BACK with additional information encoded on the GET. On the way back in, in our Page_Load (or an HttpHandler if you like) we check the Response status.  If we're Authenticated, we grab the info we requested and add the comment. Bam. Sprinkle in a little error handling and we're all set.

OpenIdRelyingParty openid = new OpenIdRelyingParty();
if (openid.Response != null)
{
    // Stage 3: OpenID Provider sending assertion response
    switch (openid.Response.Status)
    {
        case AuthenticationStatus.Authenticated:
            // The provider may leave out the requested claims, so the extension can be null.
            ClaimsResponse fetch = openid.Response.GetExtension(typeof(ClaimsResponse)) as ClaimsResponse;
            string nick = (fetch != null) ? fetch.Nickname : null;
            string homepage = openid.Response.ClaimedIdentifier;
            string email = (fetch != null) ? fetch.Email : null;
            // Pick up the comment and entry id stored before the redirect.
            string comment = Session["pendingComment"] as string;
            string entryId = Session["pendingEntryId"] as string;
            if (String.IsNullOrEmpty(comment) == false && String.IsNullOrEmpty(entryId) == false)
            {
                AddNewComment(nick, email, homepage, comment, entryId, true);
            }
            break;
    }
}

Here's the second scenario where we'll log in as the Administrator of the blog. I just register the DotNetOpenId assembly in my ASPX page and put an <openidlogin> control on the page. Notice that even the claims I created in the manual scenario above are just properties on this control. There's also events like OnLoggedIn to handle the results.

<%@ Register Assembly="DotNetOpenId" Namespace="DotNetOpenId.RelyingParty" TagPrefix="cc1" %>
<cc1:openidlogin id="OpenIdLogin1" runat="server"
    RequestEmail="Require" RequestNickname="Request" RegisterVisible="false"
    RememberMeVisible="True" PolicyUrl="~/PrivacyPolicy.aspx" TabIndex="1"
    OnLoggedIn="OpenIdLogin1_LoggedIn" />

This control renders nicely as seen in the screenshot below.

image

In the OnLoggedIn event, I call my existing security APIs (Thanks to Tony Bunce and Anthony Bouch) and set the AuthCookie from FormsAuthentication.

protected void OpenIdLogin1_LoggedIn(object sender, OpenIdEventArgs e)
{
    UserToken token = SiteSecurity.Login(e.Response);
    if (token != null)
    {
        FormsAuthentication.SetAuthCookie(userName, rememberCheckbox.Checked);
        Response.Redirect(SiteUtilities.GetAdminPageUrl(), true);
    }
}

Poof. I love using well designed libraries that just work. At this point all that was left was adding some CSS and tidying up.
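The page does not show what SiteSecurity.Login does with the response, so here is an added example (not dasBlog's or dotnetopenid's code) of the check an administrator login needs: the verified ClaimedIdentifier is compared exactly against an allow-list, never by prefix and never by the nickname or email claims. `AdminOpenIdGate`, its methods and the sample identifiers are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Added example: decide whether a verified OpenID claimed identifier may be
// signed in as the blog administrator. All names here are hypothetical.
public static class AdminOpenIdGate
{
    // Canonical form used for comparison: an absolute http/https URL as
    // System.Uri renders it (scheme and host lower-cased, "/" added to an
    // empty path). Anything else yields null and is never an admin.
    public static string Canonicalize(string identifier)
    {
        if (string.IsNullOrWhiteSpace(identifier)) return null;
        Uri uri;
        if (!Uri.TryCreate(identifier.Trim(), UriKind.Absolute, out uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return null;
        return uri.AbsoluteUri;
    }

    // Exact, ordinal comparison of canonical forms. http and https are
    // different identifiers, and so are different hosts or paths.
    public static bool IsAdmin(string claimedIdentifier, IEnumerable<string> adminIdentifiers)
    {
        string claimed = Canonicalize(claimedIdentifier);
        if (claimed == null) return false;
        foreach (string admin in adminIdentifiers)
        {
            string canonical = Canonicalize(admin);
            if (canonical != null && string.Equals(claimed, canonical, StringComparison.Ordinal))
                return true;
        }
        return false;
    }

    // The mistake to avoid, kept only for comparison: a prefix test accepts
    // any identifier that merely starts with the administrator's URL.
    public static bool PrefixMatch(string claimedIdentifier, string adminPrefix)
    {
        return claimedIdentifier.StartsWith(adminPrefix, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed allow-list and constructed sample identifiers.
        string[] admins = { "http://www.hanselman.com/" };
        string[] claimed =
        {
            "http://www.hanselman.com",
            "HTTP://WWW.HANSELMAN.COM/",
            "https://www.hanselman.com/",
            "http://www.hanselman.com.evil.example/",
            "http://someone.myopenid.com/",
            "not a url"
        };

        foreach (string id in claimed)
        {
            Console.WriteLine("{0,-42} exact={1,-5} prefix={2}",
                id, IsAdmin(id, admins), PrefixMatch(id, "http://www.hanselman.com"));
        }
    }
}
```

Only the first two identifiers pass the exact check; the prefix test also accepts the https variant and the look-alike host.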

OpenID and ASP.NET WebForms and MVC

The dotnetopenid source includes source for sample sites. It actually includes three samples, two WebForms and one ASP.NET MVC.

The MVC implementation is very clean, even though (or because?) it doesn't use controls. Here's the Authenticate Controller Action:

public void Authenticate() {
    var openid = new OpenIdRelyingParty();
    if (openid.Response == null) {
        // Stage 2: user submitting Identifier
        openid.CreateRequest(Request.Form["openid_identifier"]).RedirectToProvider();
    } else {
        // Stage 3: OpenID Provider sending assertion response
        switch (openid.Response.Status) {
            case AuthenticationStatus.Authenticated:
                FormsAuthentication.RedirectFromLoginPage(openid.Response.ClaimedIdentifier, false);
                break;
            case AuthenticationStatus.Canceled:
                ViewData["Message"] = "Canceled at provider";
                RenderView("Login");
                break;
            case AuthenticationStatus.Failed:
                ViewData["Message"] = openid.Response.Exception.Message;
                RenderView("Login");
                break;
        }
    }
}

What about CardSpace?

OpenID is a spec for a protocol that "eliminates the need for multiple usernames across different websites, simplifying your online experience."  What's cool is that it's open, so you (the consumer) get to pick your Provider. It's not owned by anyone, so it's ours to screw up (or succeed with).

CardSpace is built into Vista and installed on XP when you put .NET 3.0 on your system. There are also Identity Selectors for Safari and Firefox in the works. It's different than OpenID in that it's concerned with strong authentication. Therefore, they are very complementary.

Here's my CardSpace login as I'm getting ready to log into this blog...

image

...because my chosen OpenID provider at http://www.myopenid.com (it's free) also supports both InfoCards and SSL Certificates for authentication as well as strong passwords.

Notice the "Sign into Information Card" icon below next to the InfoCard purple icon.

image

An OpenID provider can choose to use anything available with which to authenticate you. Here's a video of a Belgian using an eID to authenticate against an OpenID provider at http://openid.trustbearer.com/ that supports biometric devices, USB keys, and smart cards.

So What?

Get involved and give it a try! Here's some things you can do.

  1. Sign up for a Free OpenID at MyOpenID or one of the many public OpenID providers out there.
  2. Go use your new OpenID at one of the many sites that supports OpenID.
    • Come back to this post and leave your first comment using OpenID!
  3. Watch Simon Willison talk about the case for OpenID (video)

And, if you're a developer, get an OpenID library like dotnetopenid and consider enabling your app. Consider using the Javascript ID Selector to make for a nicer User Experience.

dasBlog 2.0 Released

August 16, '07 Comments [7] Posted in ASP.NET | DasBlog

Congratulations to the team, dasBlog 2.0 is out and it runs on Medium Trust. There are numerous small bug fixes, but the move to 2.0 and Medium Trust support is the major feature. However, the fact that we are on 2.0 (and many of us are building on 3.5) will allow us to do some pretty cool innovation pretty quickly. Clemens Vasters is back on the team and checking in some "dasBlog 3.5" architectural spikes that are worth looking at. They can be found, as always, in the source via anonymous Subversion to https://dasblogce.svn.sourceforge.net/svnroot/dasblogce/trunk.

Upgrading

The upgrade is simple, just back everything up, copy all DLLs and AS?X files. The only manual process is that you should merge your web.config with the new default one that includes a few ASP.NET 2.0 specific tags. Make sure your virtual directory is set in IIS to be an Application and that Application is set to ASP.NET 2.0.

Getting Help

If you need help with dasBlog, you've got a number of options.

Hosts that Support dasBlog

There are a number of commercial hosts that support dasBlog. That should mean that they won't say "huh?" when you ask them to setup your blog. Here's the ones we know about. If you're a host that supports or wants to support dasBlog, join our Developer Mailing List and start a dialog with us.

Medium Trust

From my previous post on our Medium Trust Issues:

Tony Bunce has a fine write-up on the issues we ran into with dasBlog on Medium Trust. Here's some highlights:

"The goal of medium trust is for hosting providers to provide functional ASP.NET 2.0 hosting while also protecting against rogue or malicious applications. Unfortunately that protection comes at the cost of application flexibility. ...There are a few features that are limited in a medium trust environment: SMTP on alternative ports and Mail to Weblog via POP3...dasBlog will let you know that you don't have these privileges by displaying warnings on the configuration page.

There is some good news though, these limitations won't affect most users.  Many hosting providers that run limited trust environments don't run in the default medium trust, but rather a "modified full trust".  In that case you may already have all the permissions you need for all of the features to work."

Go check out his post for more details. The most interesting issue we bumped into was that you aren't supposed to be able to call out via HTTP on the server side to any other connections unless they match your originUrl in your web.config. In other words, my blog at www.hanselman.com can't call to any other site that isn't hanselman.com. However, you can set your originUrl to a regular expression like ".*" and then you can connect anywhere. Phil Haack noticed this and got the fix from Cathal Connolly.

The Future

There's also some cool stuff going on around our pluggable editors, with John Forsythe setting up a YUI Editor as well as Rich Comments support for the folks who want to live on the edge. Do checkout the dasBlog section on John's blog for extra add-on macros and cool patches if you're compiling dasBlog on your own.

Preventing Comment, Trackback and Referral Spam in dasBlog

August 13, '07 Comments [5] Posted in ASP.NET | DasBlog

Blog spam is a huge problem. If you don't spend time "tending" to the garden that is your blog, you'll return back after a short hiatus and find it completely overrun with weeds and spam.

Here's how to keep your dasBlog installation free of SPAM.

Easiest

Here's the absolute easiest way to clean your dasBlog installation of spam.

  • Turn off TrackBacks and Pingbacks
    • Trackbacks and Pingbacks are the way that blogs let YOU know that you're being talked about. For example, if I mention Greg, like I just did, dasBlog will send him a Trackback and a Pingback when I submit this blog post and there's an endpoint on his blog, listening over HTTP that will receive it. Then his web server will load up my page and check to see if there's really a new link. A pingback is the same thing, without the back-check.
    • However, more and more I believe the Trackback spec is broken. There's just no decent way to prove that the Trackback is legitimate.
    • Therefore, I've stopped collecting them. 7 out of 10 Trackbacks I get are spam, so I've turned off the service in DasBlog. Instead, I check Technorati for references to my blog in order to see if anyone's mentioned a topic I've blogged about.
      image
  • Turn off Referrals
    • Referrals are created when someone simply arrives at your site from another site. They are created by the HTTP Referer (yes, it's misspelled) Header and it's the easiest of the spams to fake. It also grows forever. I've turned it off by un-checking "Save Referrals Along with Entries." This is especially important if you run a high-traffic blog. Quickly you'll find that Referrals will take up more space than your blog content!
  • Remove All your old Referrals
    • If you run the dasblogupgrader.exe (you can run it as many times as you like) on your content folder, there is an option to remove all referrals. I suggest you do just that, then turn off this option. It'll tidy up your XML files, make your whole blog faster and referral spam free.
    • You download your entire content folder to your local machine, and run:
      dasblogUpgrader.exe c:\myfolder\content
      and follow the prompts.
  • Stop Displaying Trackbacks and Referrals
    • Posts (items) in dasBlog are formatted according to the "itemTemplate.blogtemplate" file using well-known macros. Go into your theme's itemTemplate.blogtemplate and remove both <%TrackbackList%> and <%ReferralList%>. Both of them take processing time to load up the referrals and trackbacks you've collected, and if your blog is spammy, these will only display naughty things you don't want.
    • Instead, consider replacing them with a call to Technorati like this:
      <li class="technorati"><script src="http://embed.technorati.com/linkcount" type="text/javascript"></script><a class="tr-linkcount" href="http://technorati.com/search/<%PermalinkUrlRaw%>">Blog reactions</a></li>
    • Or, use the FeedBurner service and include their Technorati "FeedFlare" option. Here's how to add FeedBurner Flare to dasBlog.
  • Turn off Comments or turn on CAPTCHA
    • I personally wouldn't suggest this, but you could always turn off comments all-together. I would argue that at this point you have a pamphlet, rather than a blog, but it's your blog.
    • Alternatively, you could make sure that CAPTCHA (those funny letters you have to type in to prove you're a human) is enabled.
    • You could also turn on explicit comment approval but if you have a high-traffic blog this will get old fast.
  • Close your Comments after some period of time
    • This is a little controversial, but I found that a lot of really old posts were getting spammed a lot. I started turning off comments for posts over 60 days old and my incoming spam dropped a LOT.

Slightly Harder (and still effective)

Ok, so you're not willing to do the easy stuff. Here's some more tricky things that give you the best of both worlds.

  • Start using Akismet
    • Go visit the WordPress.com site and sign up for a free account.
    • IMPORTANT: At the bottom, click "Just a username, please." You don't want a blog, remember, you're using dasBlog.
    • They will email you a welcome and in that email will be an API KEY. That's what you want and why you signed up for a free account.
    • Go into the dasBlog configuration page at the VERY bottom and click "Enable spam blocking service." DasBlog uses Subkismet, from Subtext. Enter your API Key and click either "Save suspected SPAM" or "Delete Suspected SPAM immediately."
    • Akismet is very very accurate in my experience, so I just delete SPAM. It will block comment spam and TrackBack spam, so you could keep Trackbacks up with this solution if you like.
    • I would also greatly encourage you to pay them $5 a month or $55 a year via PayPal for preferred service. Your response from their servers will be faster. I've been very happy with them.
  • Add a Referral Blacklist
    • Still not ready to give up referrals? Enable the Referral Blacklist and enter in a ';' separated list of naughty words that appear in your referrals. Be warned, this list will be used to create a Regular Expression, so keep it simple.
    • Also, click "Send 404s to blacklisted referrals" and dasBlog will lie to the spammers and tell them the page is gone.
  • Block Specific IPs
    • If a particular IP Address is a problem, make a blockedips.config file in your /SiteConfig folder and put each IP on a different line. Then make sure this line is in the httpModules section of your web.config:
      <add type="newtelligence.DasBlog.Web.Core.IPBlackList, newtelligence.DasBlog.Web.Core" name="IPBlackList"/>
  • Install ReverseDOS
    • Still not satisfied? Install AngryPet's ReverseDOS and fight back. It's a fairly sophisticated HttpModule that lets you determine what's legit and what's not. Tony uses it under dasBlog and SubText ships with ReverseDOS. We likely will add this in the future, but you can always add it now.
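For the Referral Blacklist item above, an added example (not dasBlog's code) of why the terms should stay simple once they become a regular expression. It assumes the ';'-separated terms are joined with '|' into one pattern, and compares using them raw with escaping each term first; the class, its methods and the sample referrers are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not dasBlog's code. Assumption: the ';'-separated blacklist
// terms are joined with '|' into a single pattern.
public static class ReferralBlacklistDemo
{
    // Bound the time a single match may take, whatever the pattern is.
    static readonly TimeSpan MatchTimeout = TimeSpan.FromMilliseconds(250);

    static string[] SplitTerms(string list)
    {
        return (list ?? "").Split(';')
            .Select(t => t.Trim())
            .Where(t => t.Length > 0)   // a stray ';' would otherwise add an empty
            .ToArray();                 // alternative that matches every referrer
    }

    // Terms used as written: every regex metacharacter in a term is live.
    public static Regex BuildRaw(string list)
    {
        return Build(SplitTerms(list));
    }

    // Terms treated as literal text.
    public static Regex BuildEscaped(string list)
    {
        return Build(SplitTerms(list).Select(t => Regex.Escape(t)).ToArray());
    }

    static Regex Build(string[] alternatives)
    {
        // "(?!)" never matches, so an empty list blocks nothing.
        string pattern = alternatives.Length == 0 ? "(?!)" : string.Join("|", alternatives);
        return new Regex(pattern,
            RegexOptions.IgnoreCase | RegexOptions.CultureInvariant, MatchTimeout);
    }

    public static void Main()
    {
        // Constructed blacklist and constructed referrer values.
        string list = "casino;poker.com;";
        Regex raw = BuildRaw(list);
        Regex escaped = BuildEscaped(list);
        string[] referrers =
        {
            "http://casino-offers.example/",
            "http://poker.com.example/win",
            "http://pokerscom.example/",        // hit only because '.' means "any character"
            "http://blog.example/2007/08/post"
        };
        foreach (string r in referrers)
        {
            Console.WriteLine("{0,-36} raw={1,-5} escaped={2}",
                r, raw.IsMatch(r), escaped.IsMatch(r));
        }

        // A term with an unbalanced '(' is not a valid pattern when used raw.
        try { BuildRaw("casino;free("); }
        catch (ArgumentException ex) { Console.WriteLine("raw list rejected: " + ex.Message); }
        Console.WriteLine("escaped list matches: " +
            BuildEscaped("casino;free(").IsMatch("http://x.example/?q=free(gift"));

        // A list holding only separators must not turn into "match everything".
        Console.WriteLine("empty list blocks: " + BuildRaw(";").IsMatch("http://blog.example/"));
    }
}
```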

These are the ways I know of to fight blog SPAM. If you have more, add them to the comments!

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.