Scott Hanselman

A potential CAPTCHA Comment Spam Solution for dasBlog (and others) with no recompile or code changes

November 11, 2004 Posted in ASP.NET | DasBlog

I took Jeff Atwood's CAPTCHA example and added a new event called "UserValidationEvent":

Public Event UserValidationEvent As EventHandler

Then I raise the event at the VERY end of ValidateCaptcha:

RaiseEvent UserValidationEvent(Me, New EventArgs)

I made it a separate event because I want the CaptchaControl to integrate with my blogging software WITHOUT any code on the server side.  I didn't want to have to recompile dasBlog or check anything in the Page_Load.

I made the appropriate web.config changes as per Jeff's instructions, and I added the control to the CommentViewBox.ascx and put this code at the top:

<%@ Register TagPrefix="cc1" Namespace="WebControlCaptcha" Assembly="WebControlCaptcha" %>
<script Language="C#" Runat="Server">
  // Handler for the control's UserValidationEvent, raised at the end of ValidateCaptcha.
  protected void Foo(object sender, System.EventArgs e)
  {
    // On a postback where the CAPTCHA was not solved, reload the same URL.
    // Response.Redirect(url) ends the current request.
    if (Page.IsPostBack && !CaptchaControl1.UserValidated)
    {
      Response.Redirect(Request.RawUrl);
    }
  }

  protected void Page_Load(object sender, System.EventArgs e)
  {
    //Ya, ya, I know I could have hooked this event up a number of ways
    // including AutoEventWireUp but I like this fine, and it feels
    // more explicit to moi.
    CaptchaControl1.UserValidationEvent += new EventHandler(Foo);
  }
</script>

There are a few font issues to work out... he has it set up with a number of "no-no" fonts, while I'd prefer a list of "allowed" fonts.

November 11, 2004 4:12
Slick!
November 11, 2004 6:28
Scott,

Thanks for the link. I'm glad to see people getting use out of the Captcha control-- it's a very effective technique, as it raises the bar so much higher for spammers.

I can fold in any improvements to the control on the CodeProject article. I agree a blacklist wasn't the wisest choice in terms of random font selection.. you can avoid random fonts by picking a single font (of your choice) as the .CaptchaFont.

My only regret is, I can't implement it on my own blog since I chose the PERL based Movable Type. :P
November 11, 2004 6:30
Also, you probably want to increase the CaptchaTimeout to > 120 seconds (the default) or make it 0 (infinite).

Otherwise, anyone who takes longer than 120 seconds to compose a message is in for a.. uh.. surprise :P
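
The timeout trade-off described in the comment above, as an added example that is not part of the original post or comments and is not code from the CAPTCHA control. CaptchaStore, Issue and Validate are hypothetical names, the times and answer are constructed, and the sketch goes one step beyond the comment by also making each challenge single use.

```csharp
using System;
using System.Collections.Generic;

// Added sketch, not WebControlCaptcha code: CaptchaStore, Issue and Validate
// are hypothetical names. It mirrors the timeout semantics from the comment:
// N seconds to answer, or 0 for no expiry.
public sealed class CaptchaStore
{
    private readonly Dictionary<string, (string Answer, DateTime IssuedUtc)> _pending =
        new Dictionary<string, (string Answer, DateTime IssuedUtc)>();
    private readonly TimeSpan _timeout;

    public CaptchaStore(int timeoutSeconds)
    {
        _timeout = TimeSpan.FromSeconds(timeoutSeconds);
    }

    // Remember the expected answer server-side; only the id goes to the page.
    public string Issue(string answer, DateTime nowUtc)
    {
        string id = Guid.NewGuid().ToString("N");
        _pending[id] = (answer, nowUtc);
        return id;
    }

    public bool Validate(string id, string typed, DateTime nowUtc)
    {
        if (id == null || !_pending.TryGetValue(id, out var c)) return false;
        _pending.Remove(id); // single use: a solved or failed challenge cannot be replayed
        bool expired = _timeout > TimeSpan.Zero && nowUtc - c.IssuedUtc > _timeout;
        // Case-insensitive comparison is an assumption of this sketch.
        return !expired && string.Equals(c.Answer, typed, StringComparison.OrdinalIgnoreCase);
    }
}

public static class Demo
{
    public static void Main()
    {
        var t0 = new DateTime(2004, 11, 11, 6, 30, 0, DateTimeKind.Utc); // constructed clock
        foreach (int timeout in new[] { 120, 900, 0 })
        {
            var store = new CaptchaStore(timeout);
            string id = store.Issue("X7KQ2", t0); // constructed answer
            bool first = store.Validate(id, "x7kq2", t0.AddSeconds(300));  // 5 minutes spent writing
            bool replay = store.Validate(id, "x7kq2", t0.AddSeconds(301)); // same id submitted again
            Console.WriteLine($"timeout={timeout}s first={first} replay={replay}");
        }
    }
}
```

With a timeout of 0 nothing ever expires in this sketch, so removing the challenge on first use is the only thing that limits reuse of a solved one.
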
November 11, 2004 12:26
Next spam-wave will be the track-back spam...
I already have to fight with referral spam on my blog... It's really annoying!

Floyd
November 11, 2004 15:26
What about blind people? Has the ADA been appealed?

ringi at bigfoot dot com
November 11, 2004 19:20
Good stuff, but only half of a solution. Now what to do about manual spammers? :|
November 11, 2004 20:28
Yes, the next step (almost done) is to dynamically generate a WAV file that reads the letters to the blind person.

As far as manual spammers, if they want to SPAM me THAT BADLY they can go ahead.
November 13, 2004 10:48
Thanks Scott! Working great for me now on my site.
December 04, 2004 23:22
very cool. When do you have time to get your real work done when doing all these cool things? :)
February 25, 2005 1:48
>>As far as manual spammers, if they want
>>to SPAM me THAT BADLY they can go ahead.

They will. Why? Not because they want Scott to buy **fill in the blank***. But, rather, because they want the improved search engine ranking that having the link from the comments section will provide.

or... maybe I'm wrong? Does dasBlog obfuscate outgoing links from the comments section to prevent search engine coverage?
