ASP.NET Automated Negative CAPTCHA User Control v2

Tags: ASP.NET, C#, JavaScript, Web
A no-user-interaction, accessible CAPTCHA that is invisible to visitors - it makes spam-bots identify themselves instead.

Posted February 18, 2007

Summary

CAPTCHA inputs are effective at preventing form spam, but they require user actions and understanding, and have poor accessibility.

Based on an article by Damien Katz and another by Ned Batchelder, I created a .NET User Control to add an automated spam-bot detector to pages.

This detector requires no user input, and is not visible to the user. However, through two different techniques, it can trap spam-bots.

This is called a 'Negative CAPTCHA' because it makes spam-bots identify themselves, instead of making humans identify themselves.

Version 2 includes an added script that can tell the difference between automatic form-filling tools used by legitimate users and spam-bots, so that legitimate users aren't blocked. Thanks to Antediluvia for pointing this issue out.


User Control

The source code for the User Control is straightforward. No parameters or customization are required. We simply add the form fields that will trick the spam-bots to the page.

    <%@ Control Language="C#" %>

    <script language="C#" runat="server">

        // Returns true when the post looks like it came from a human.
        public bool IsValidSubmission()
        {
            string ncts = "";
            string email = "";

            try
            {
                // Take the first value in case a field was posted more than once.
                ncts = Request.Form["NCTS"].Split(',')[0];
                email = Request.Form["Email"].Split(',')[0];
            }
            catch { return false; }  // a field is missing from the post

            // The trap field must stay empty.
            if (email != null && email != "")
                return false;

            if (ncts == null || ncts == "")
                return false;

            int timestamp = -1;

            try { timestamp = Convert.ToInt32(ncts); }
            catch { return false; }

            DateTime now = DateTime.Now;

            if (timestamp == now.Hour)
                return true;

            // Also accept the previous hour for the first 30 minutes of a new
            // hour; (Hour + 23) % 24 wraps correctly from 0 back to 23.
            if (timestamp == (now.Hour + 23) % 24 &&
                now.Minute < 30)
                return true;

            return false;
        }

    </script>

    <input type="hidden" id="NCTS" name="NCTS"
        value="<%= DateTime.Now.Hour %>" />

    <div style="display:none;">
        Leave this field blank:<br />
        <input type="text" id="Email" name="Email" value="" />
    </div>

    <script language="JavaScript" type="text/javascript">
        setInterval("document.getElementById('Email').value='';", 250);
    </script>

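The hidden input holds a timestamp: the hour at which the form was rendered. The timestamp stops playback bots from posting the form over and over by making the form valid only for the current hour (and, during the first 30 minutes of the next hour, the previous one).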

The text field tricks form-filling bots. The CSS setting prevents this form field from being displayed to human users, but form-filling bots don't understand CSS, so they will fill in this field. Thus, if this field has been filled in, we have identified a form-filling bot.

For users with screen-readers which do not understand CSS, we also include a hidden note instructing them to leave the trick field blank.

For users with automatic form-filling tools, we include a JavaScript snippet that clears the text field. Spam-bots do not support JavaScript, so this function won't run for them. This has to be done on a timer, because Google Toolbar doesn't fire onChange events when it fills form fields.
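The NCTS value above is the bare hour, so a client can supply a matching value without having loaded the form. As an added example (not part of the original control or its download), the timestamp can be bound to the server by signing it; the class name `SignedFormTimestamp`, its token format and the `key` parameter (a server-side secret) are assumptions of this example.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not part of NegativeCaptcha.ascx.
public static class SignedFormTimestamp
{
    private static readonly DateTime Epoch =
        new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Token format (constructed for this example): "<unix-seconds>.<hex HMAC-SHA256>"
    public static string Issue(byte[] key, DateTime utcNow)
    {
        string payload = ToUnixSeconds(utcNow).ToString(CultureInfo.InvariantCulture);
        return payload + "." + Sign(key, payload);
    }

    // True only if the token carries our signature and is no older than maxAge.
    public static bool IsValid(byte[] key, string token, DateTime utcNow, TimeSpan maxAge)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        long issued;
        if (!long.TryParse(parts[0], NumberStyles.None,
                           CultureInfo.InvariantCulture, out issued))
            return false;
        // Check the signature before trusting the timestamp it covers.
        if (!FixedTimeEquals(Sign(key, parts[0]), parts[1])) return false;
        long age = ToUnixSeconds(utcNow) - issued;
        return age >= 0 && age <= (long)maxAge.TotalSeconds;
    }

    private static long ToUnixSeconds(DateTime utc)
    {
        return (long)(utc - Epoch).TotalSeconds;
    }

    private static string Sign(byte[] key, string payload)
    {
        using (HMACSHA256 hmac = new HMACSHA256(key))
            return BitConverter.ToString(
                hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }

    // Compare without returning early on the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Render `Issue(key, DateTime.UtcNow)` into the NCTS field and call `IsValid` from `IsValidSubmission` in place of the hour comparison. A signed token can still be replayed until `maxAge` expires, so keep the window short.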

Using the Control

To use the custom control on a page, you need to register the control at the top of the page.

    <%@ Register tagprefix="akxl"
        Tagname="NegativeCaptcha"
        src="/controls/NegativeCaptcha.ascx" %>

Then you can place the control inside the form using its custom tag.

    <akxl:NegativeCaptcha id="AkxlCaptcha" runat="server" />

When the form is submitted, you can check the CAPTCHA using the IsValidSubmission method.

    if (!AkxlCaptcha.IsValidSubmission())
    {
        // CAPTCHA is not valid (spam-bot detected)
    }


Download

You can download the control here:

NegativeCaptcha.zip (1K)

Comments & Feedback


Ardekantur says:
Tuesday, January 23, 2007 @ 6:08 PM
Glad to see you got some inspiration from that link I sentcha. :-)
Adam says:
Tuesday, January 23, 2007 @ 6:38 PM
I just posted this like 10 minutes ago... I see my RSS feed isn't going to waste.
Adam says:
Thursday, March 15, 2007 @ 6:11 PM
My old webhost lost a big chunk of data, and a few posts got dropped here. The issues addressed in them are now covered in the article, however. Thanks to everyone who posted.
Deep Janardhanan says:
Friday, January 15, 2010 @ 8:57 PM
I've been hunting something like this for quite some time now. Maybe I should have hunted better!

I'll try this on my page and see. Will report back tomorrow.

Deep.
Deep Janardhanan says:
Saturday, January 16, 2010 @ 8:40 AM
It's Deep again.

I wonder if your code will prevent bots from being able to submit the page. How do we make sure that only an actual user can submit a page?
This work is licensed under a Creative Commons Attribution 3.0 United States License.
Please link to this article in your source code comments if you use this content.
