Scott Hanselman

A potential CAPTCHA Comment Spam Solution for dasBlog (and others) with no recompile or code changes

November 11, '04 Comments [10] Posted in ASP.NET | DasBlog
Sponsored By

I took Jeff Atwood's CAPTCHA example and added a new event called "UserValidationEvent"

Public Event UserValidationEvent As EventHandler

Then I raise the event at the VERY end of ValidateCaptcha I raise it:

RaiseEvent UserValidationEvent(Me, New EventArgs)

I made it a separate event because I want the CaptchaControl to integrate with my blogging software WITHOUT any code on the server side.  I didn't want to have to recompile dasBlog or check anything in the Page_Load.

I made the appropriate web.config changes as per Jeff's instructions, and I added the control to the CommentViewBox.ascx and put this code at the top:

<%@ Register TagPrefix="cc1" Namespace="WebControlCaptcha" Assembly="WebControlCaptcha" %>
<script Language="C#" Runat="Server">
  protected void Foo(object sender, System.EventArgs e)
  {
  if (Page.IsPostBack == true && CaptchaControl1.UserValidated == false)
   {
    Response.Redirect(Request.RawUrl);
   }
  }

  protected void Page_Load(object sender, System.EventArgs e)
  {
   //Ya, ya, I know I could have hooked this event up a number of ways
   // including AutoEventWireUp but I like this fine, and it feels
   // more explicit to moi.
   CaptchaControl1.UserValidationEvent += new EventHandler(Foo);
  }  
</script>

There are a few Font issues to work out...he has it setup with a number of "no-no" fonts, while I'd prefer a list of "allowed" fonts. 

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb
Thursday, 11 November 2004 00:12:01 UTC
Slick!
Fred Klezmer
Thursday, 11 November 2004 02:28:21 UTC
Scott,

Thanks for the link. I'm glad to see people getting use out of the Captcha control-- it's a very effective technique, as it raises the bar so much higher for spammers.

I can fold in any improvements to the control on the CodeProject article. I agree a blacklist wasn't the wisest choice in terms of random font selection.. you can avoid random fonts by picking a single font (of your choice) as the .CaptchaFont.

My only regret is, I can't implement it on my own blog since I chose the PERL based Movable Type. :P
Thursday, 11 November 2004 02:30:05 UTC
Also, you probably want to increase the CaptchaTimeout to > 120 seconds (the default) or make it 0 (infinite).

Otherwise, anyone who takes longer than 120 seconds to compose a message is in for a.. uh.. surprise :P
Thursday, 11 November 2004 08:26:13 UTC
Next spam-wave will be the track-back spam...
I already have to fight with referral spam on my blog... It's really annoying!

Floyd
Thursday, 11 November 2004 11:26:47 UTC
What about blind people? Has the ADA been appealed?

ringi at bigfoot dot com
Ian Ringrose
Thursday, 11 November 2004 15:20:49 UTC
Good stuff, but only half of a solution. Now what to do about manual spammers? :|
Thursday, 11 November 2004 16:28:06 UTC
Yes, the next step (almost done) is to dynamically generate a WAV file that reads the letters to the blind person.

As far as manual spammers, if they want to SPAM me THAT BADLY they can do ahead.
Scott Hanselman
Saturday, 13 November 2004 06:48:42 UTC
Thanks Scott! Working great for me now on my site.
Saturday, 04 December 2004 19:22:10 UTC
very cool. When do you have time to get your real work done when doing all these cool things? :)
Christian Duhard
Thursday, 24 February 2005 21:48:47 UTC
>>As far as manual spammers, if they want
>>to SPAM me THAT BADLY they can do ahead.

They will. Why? Not because they want Scott to buy **fill in the blank***. But, rather, because they want the improved search engine ranking that having the like from the comments section will provide.

or... maybe I'm wrong? Does dasBlog obuscate outgoing links from the comments section to prevent search engine coverage?
Rob McEwen
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.