Just like so many others before me, I have fallen victim to comment spam. Although I still have to figure out how the spam is injected into my weblog (through the WebForm or Comment API), I have started to implement several features to battle it.
Step 1: Human Interface Proof (HIP) aka CAPTCHA
If you are unfamiliar with the concept, here’s a quick runthrough: present the user with a challenge so the server can tell you are human instead of some sort of program. Usually you get to see a bit of text with some text that is hard to read.
There is an excellent article at MSDN by Stephen Toub on HIP for ASP.NET. The mechanism he uses is one of a challenge (difficult to read text or even (!) a sound fragment generated using Speech API) in combination with a validator control for a textbox. I find this set of controls much more elegant than the one by ClearScreen. That one doesn’t seem to work for ASP.NET 2.0.
Step 2: Refresh insertion attacks
The website I am building for Champions (see splash (not by me) right here) will probably be a target for prankster attacks. I haven’t had problems with this on any of the blogs I know (including my own). Now, don’t get any funny ideas, it’s bad enough as it is. One of the testers of the website, Michiel de Gooijer, told me he was going to try F5 comment insertion. That got me thinking. I invented the term of “Refresh insertion attacks” myself, but the general idea is to submit multiple comments by hitting the F5 or Refresh button, over and over again.
Luckily Dino Esposito already wrote an article with some nice source code that you can take as a starting point. It seems to work.
I am nearly done with my upgrade of KillerBlog to ASP.NET 2.0. Stay tuned for more.