UPDATE: This code is now hosted in the Subkismet project on CodePlex.
Not too long ago I wrote about using
to fight comment spam. A little later I pointed to the NoBot
as an independent implementation of the ideas I mentioned using Atlas.
I think that control is a great start, but it does suffer from a few
minor issues that prevent me from using it immediately.
- It requires Atlas and Atlas is pretty heavyweight.
- Atlas is pre-release right now.
- We’re waiting on a bug
in Atlas to be implemented.
Let me elaborate on the first point. In order to get the NoBot control
working, a developer needs to add a reference to two separate
assemblies, Atlas and the Atlas Control Toolkit, as well as make a few
changes to Web.config. Some developers will simply want a control they
can simply drop in their project and start using right away.
I wanted a control that meets the following requirements.
- Easy to use. Only one assembly to reference.
- Is invisible.
The result is the
InvisibleCaptcha control which is a validation
control (inherits from
BaseValidator)so it can be used just like any
other validator, only this validator is invisible and should not have
ControlToValidate property set. The way it works is that it
When the user submits the form, we take the submitted value from the
hidden form field, combine it with a secret salt value, and then hash
the whole thing together. We then compare this value with the hash of
the expected answer, which is stored in a hidden form field base64
The whole idea is that most comment bots currently don’t have the
alongside a visible text field, thus giving users reading your site via
the blind) a chance to comment.
This should be sufficient to block a lot of comment spam.
Quick Aside: As Atwood tells me, the
idea that CAPTCHA has to be really strong is a big fallacy. His blog
simply asks you to type in orange every time and it blocks 99.9% of
his comment spam.
I agree with Jeff on this point when it comes to websites and blogs
with small audiences. Websites and blogs tend to implement different
CAPTCHA systems from one to another and beating each one brings
diminishing margins of returns.
However, for a site with a huge audience like Yahoo! or Hotmail, I
think strong CAPTCHA is absolutely necessary as it is a central place
for spammers to target. (By the way, remind me to write a bot to post
comment spam on Jeff’s blog)
If you do not care for accessibility, you can turn off the rendered form
Accessible property to false.
I developed this control as part of the
assembly which is part of the Subtext
project, thus you can grab this assembly
from our Subversion repository.
To make things easier, I am also providing a link to a zip file that
contains the assembly as well as the source code for the control. You
can choose to either reference the assembly in order to get started
file (make sure to mark it as an embedded resource) to your own project.
Please not that if you add this control to your own assembly, you will
need to add the following assembly level
WebResource attribute in
order to get the web resource
You will also need to find the call to
Page.ClientScript.GetWebResourceUrl inside InvisibleCaptcha.cs and
change it to match the namespace specified in the
If you look at the code, you’ll notice I make use of several hidden
input fields. I didn’t use
ViewState for values the control absolutely
needs to work because Subtext disables ViewState. Likewise, I could
have chosen to use
ControlState, but that can also be disabled. I
took the most defensive route.
tags: CAPTCHA, Comment