ASP.NET Automated Negative CAPTCHA User Control v2

Tagged as Code: ASP.NET, C#, JavaScript, Web
A no-user-interaction, accessible CAPTCHA that is invisible to visitors - it makes spam-bots identify themselves instead.

Summary

CAPTCHA inputs are effective at preventing form spam, but they require user actions and understanding, and have poor accessibility.

Based on an article by Damien Katz and another by Ned Batchelder, I created a .NET User Control to add an automated spam-bot detector to pages.

This detector requires no user input, and is not visible to the user. However, through two different techniques, it can trap spam-bots.

This is called a 'Negative CAPTCHA' because it makes spam-bots identify themselves, instead of making humans identify themselves.

Version 2 includes an added script that can tell the difference between automatic form-filling tools used by legitimate users and spam-bots, so that legitimate users aren't blocked. Thanks to Antediluvia for pointing this issue out.


User Control

The source code for the User Control is straightforward. No parameters or customization are required. We simply add the form fields that will trick the spam-bots to the page.

    <%@ Control Language="C#" %>

    <script language="C#" runat="server">

        public bool IsValidSubmission()
        {
            string ncts = "";
            string email = "";

            try
            {
                // A missing field is null here; the catch treats that as invalid.
                ncts = Request.Form["NCTS"].Split(',')[0];
                email = Request.Form["Email"].Split(',')[0];
            }
            catch { return false; }

            // The trick field must come back empty.
            if (email != null && email != "")
                return false;

            if (ncts == null || ncts == "")
                return false;

            int timestamp = -1;

            try { timestamp = Convert.ToInt32(ncts); }
            catch { return false; }

            DateTime now = DateTime.Now;

            // Form was rendered during the current hour.
            if (timestamp == now.Hour)
                return true;

            // Form was rendered during the previous hour (hour 23 when it is
            // now hour 0) and we are still in the first half of this hour.
            if (timestamp == (now.Hour + 23) % 24 &&
                now.Minute < 30)
                return true;

            return false;
        }

    </script>

    <input type="hidden" id="NCTS" name="NCTS"
        value="<%= DateTime.Now.Hour %>" />

    <div style="display:none;">
        Leave this field blank:<br />
        <input type="text" id="Email" name="Email" value="" />
    </div>

    <script language="JavaScript" type="text/javascript">
        // Clear the trick field every 250 ms in case a form-filling tool populated it.
        setInterval(function () { document.getElementById('Email').value = ''; }, 250);
    </script>

The hidden input holds a timestamp. The timestamp stops playback bots from posting the form over and over by making the form valid only for the current time.

The text field tricks form-filling bots. The CSS setting prevents this form field from being displayed to human users, but form-filling bots don't understand CSS, so they will fill in this field. Thus, if this field has been filled in, we have identified a form-filling bot.

For users with screen-readers which do not understand CSS, we also include a hidden note instructing them to leave the trick field blank.

For users with automatic form-filling tools, we include a JavaScript snippet that clears the text field. Spam-bots do not support JavaScript, so this function won't run for them. This has to be done on a timer, because Google Toolbar doesn't fire onChange events when it fills form fields.
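
An added example, not part of the original control: the hidden NCTS field carries only the hour of day, so a recorded value is accepted again at the same hour on any later day. One way to tighten this is to put a full UTC timestamp in the field and sign it with HMAC-SHA256 under a server-side secret; the class name, the key and the 90-minute window below are assumptions for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical class; not part of NegativeCaptcha.ascx).
public static class SignedFormTimestamp
{
    // Assumption: constructed demo key; a real site loads its own secret from config.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");
    private static readonly long MaxAgeTicks = TimeSpan.FromMinutes(90).Ticks;

    // Hidden-field value: "<UTC ticks>.<hex HMAC-SHA256 of the ticks string>".
    public static string Issue(DateTime utcNow)
    {
        string ticks = utcNow.Ticks.ToString(CultureInfo.InvariantCulture);
        return ticks + "." + Sign(ticks);
    }

    // True only for a token this server signed, issued at most 90 minutes ago.
    public static bool IsFresh(string token, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        if (!SameString(Sign(parts[0]), parts[1])) return false; // forged or edited
        long issued;
        if (!long.TryParse(parts[0], NumberStyles.None,
                           CultureInfo.InvariantCulture, out issued)) return false;
        long age = utcNow.Ticks - issued;
        return age >= 0 && age <= MaxAgeTicks; // rejects stale and future-dated tokens
    }

    private static string Sign(string data)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
            return BitConverter.ToString(mac).Replace("-", "");
        }
    }

    // Comparison that does not stop at the first differing character.
    private static bool SameString(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the control, the hidden field would render SignedFormTimestamp.Issue(DateTime.UtcNow) and IsValidSubmission would call IsFresh on the posted value. A token can still be reused inside its 90-minute window, as with the original hour check.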

Using the Control

To use the custom control on a page, you need to register the control at the top of the page.

    <%@ Register tagprefix="akxl"
        Tagname="NegativeCaptcha"
        src="/controls/NegativeCaptcha.ascx" %>

Then you can place the control inside the form using its custom tag.

    <akxl:NegativeCaptcha id="AkxlCaptcha" runat="server" />

When the form is submitted, you can check the CAPTCHA using the IsValidSubmission method.

    if (!AkxlCaptcha.IsValidSubmission())
    {
        // CAPTCHA is not valid (spam-bot detected)
    }


Download

You can download the control here:

NegativeCaptcha.zip (1K)

Comments & Feedback


Ardekantur says:
Tuesday, January 23, 2007 @ 6:08 PM
Glad to see you got some inspiration from that link I sentcha. :-)
Adam says:
Tuesday, January 23, 2007 @ 6:38 PM
I just posted this like 10 minutes ago... I see my RSS feed isn't going to waste.
Adam says:
Thursday, March 15, 2007 @ 6:11 PM
My old webhost lost a big chunk of data, and a few posts got dropped here. The issues addressed in them are now covered in the article, however. Thanks to everyone who posted.
This work is licensed under a Creative Commons Attribution 3.0 United States License.
Please link to this article in your source code comments if you use this content.

Article Info

Posted February 18, 2007