UPDATE: This code is now hosted in the Subkismet project on CodePlex.
Not too long ago I wrote about using heuristics to fight comment spam. A little later I pointed to the NoBot control as an independent implementation of the ideas I mentioned using Atlas.
I think that control is a great start, but it does suffer from a few minor issues that prevent me from using it immediately.
- It requires Atlas and Atlas is pretty heavyweight.
- Atlas is pre-release right now.
- We’re waiting on a bug fix in Atlas to be implemented.
Let me elaborate on the first point. In order to get the NoBot control working, a developer needs to add a reference to two separate assemblies, Atlas and the Atlas Control Toolkit, as well as make a few changes to Web.config. Some developers will simply want a control they can drop in their project and start using right away.
I wanted a control that meets the following requirements.
- Easy to use. Only one assembly to reference.
- Is invisible.
The result is the InvisibleCaptcha control, which is a validation control (it inherits from BaseValidator) so it can be used just like any other validator, only this validator is invisible and should not have its Accessible property set to false.
When the user submits the form, we take the submitted value from the hidden form field, combine it with a secret salt value, and then hash the whole thing together. We then compare this value with the hash of the expected answer, which is stored in a hidden form field, base64 encoded.
This should be sufficient to block a lot of comment spam.
Quick Aside: As Atwood tells me, the idea that CAPTCHA has to be really strong is a big fallacy. His blog simply asks you to type in orange every time and it blocks 99.9% of his comment spam.
I agree with Jeff on this point when it comes to websites and blogs with small audiences. Websites and blogs tend to implement different CAPTCHA systems from one to another, and beating each one brings diminishing marginal returns.
However, for a site with a huge audience like Yahoo! or Hotmail, I think strong CAPTCHA is absolutely necessary as it is a central place for spammers to target. (By the way, remind me to write a bot to post comment spam on Jeff’s blog)
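To make the postback check described above concrete, here is a language-neutral model of the scheme in Python (an added example, not the control's own C# code): the server writes the salted hash of the expected answer into a base64-encoded hidden field, and on submit it re-hashes the submitted answer with the same server-only salt and compares the two. SHA-256, the field names and the salt value are assumptions; the post does not name its hash algorithm.

```python
import base64
import hashlib
import hmac

# Assumed: a per-site secret known only to the server (constructed value).
# Because the browser never sees it, a bot cannot compute a matching hash
# from the hidden field alone; it has to supply the real answer.
SECRET_SALT = b"server-only-secret-salt-example"


def _salted_hash(answer: str, salt: bytes = SECRET_SALT) -> bytes:
    """Hash the answer together with the server-side secret salt (SHA-256 assumed)."""
    return hashlib.sha256(salt + answer.encode("utf-8")).digest()


def render_hidden_field(expected_answer: str) -> str:
    """Value the control would emit into the base64-encoded hidden field."""
    return base64.b64encode(_salted_hash(expected_answer)).decode("ascii")


def validate(form: dict, answer_field: str, hash_field: str) -> bool:
    """Server-side check performed on postback.

    Returns False when the answer field is missing or empty (the client
    never ran the script), when the hidden hash is missing or malformed,
    or when the salted hash of the submitted answer differs from the
    stored one.
    """
    submitted = form.get(answer_field)
    stored = form.get(hash_field)
    if not submitted or not stored:
        return False
    try:
        expected = base64.b64decode(stored, validate=True)
    except ValueError:  # covers binascii.Error on malformed input
        return False
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(_salted_hash(submitted), expected)
```

Rotating SECRET_SALT invalidates every hidden field already rendered, so posts in flight at that moment will fail validation once.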
I developed this control as part of the Subtext.Web.Control.dll assembly, which is part of the Subtext project, thus you can grab this assembly from our Subversion repository.
Please note that if you add this control to your own assembly, you will need to add the following assembly-level WebResource attribute in order to get the web resource handler working.
You will also need to find the call to Page.ClientScript.GetWebResourceUrl inside InvisibleCaptcha.cs and change it to match the namespace specified in the
If you look at the code, you’ll notice I make use of several hidden input fields. I didn’t use ViewState for values the control absolutely needs to work because Subtext disables ViewState. Likewise, I could have chosen to use ControlState, but that can also be disabled. I took the most defensive route.
[Download InvisibleCaptcha here].
tags: CAPTCHA, Comment Spam, ASP.NET, Validator