CAPTCHA enabled blogs

Security Briefs

We've been getting a fair amount of comment spam, and we've got some heuristics on the server that allow us to detect and reject much of it automatically, but we've still had some bots that have managed to leak through. At a request from some of the bloggers at pluralsight.com, I've implemented a simple CAPTCHA solution to help us distinguish humans from spambots.

I'm dogfooding my own solution here, so if you have a moment, try it out by posting a comment on this thread.

This is opt-in for bloggers at pluralsight.com; for most of us the server-side heuristics are blocking spam just fine, so we won't need to turn on this feature. So far only Craig and Aaron have requested it, so you'll see it on their blogs as well.

It'll be interesting to see if any bots are able to break through our very simple image generation technique (I used the routine posted on codeproject.com for the image generation). Thanks to BrainJar for publishing this simple algorithm that works nicely in .NET.

Implementing this in .TEXT was rather interesting given that it doesn't support either session state or viewstate :-)


Posted Apr 26 2005, 08:38 AM by keith-brown

Comments

Keith Brown wrote re: CAPTCHA enabled blogs
on 04-26-2005 8:39 AM
Works for me!
Jim wrote re: CAPTCHA enabled blogs
on 04-26-2005 8:50 AM
A fair test of CAPTCHA would be to turn on CAPTCHA and turn off the heuristics (or at least log the rejects).
Jim wrote re: CAPTCHA enabled blogs
on 04-26-2005 8:53 AM
I also note that an accidental invalid code does not show the user an error, the post simply gets rejected. This is bad for real users for two reasons (1) It is confusing to a real user for they expect the comment to be accepted and it is not and (2) the time and effort composing the comment is immediately lost and therefore frustrating.
Michael wrote re: CAPTCHA enabled blogs
on 04-26-2005 9:23 AM
It works!
Randy wrote re: CAPTCHA enabled blogs
on 04-26-2005 9:57 AM
Seems to work.
Test wrote re: CAPTCHA enabled blogs
on 04-26-2005 11:19 AM
Test
Keith Brown wrote re: CAPTCHA enabled blogs
on 04-26-2005 2:05 PM
Tweaked the implementation so it's a bit more user friendly when you make a mistake. You are told what went wrong, and you shouldn't lose the comment you were trying to submit.
Paul Lockwood wrote re: CAPTCHA enabled blogs
on 04-26-2005 5:52 PM
Since using a captcha for three months I have had two pieces of comment spam. Turning it off means about ten per day. Of course captchas can be cracked with a little effort:

http://www.mindfusioncorp.com/weblog/PermaLink,guid,16a36923-e7a4-4c06-891d-21a9530f182d.aspx

Thankfully spammers are not putting in the effort to do this yet.

I like the error message for incorrect codes - would it be hard to also send a Javascript alert?
Keith Brown wrote re: CAPTCHA enabled blogs
on 04-26-2005 6:10 PM
I thought about doing that, but frankly alerts bug the heck outta me. Instead I'm going to see if I can figure out how to get .TEXT to scroll down after you comment so you can see what you just said. Seems like a reasonable solution - that way you'd see the error message clearly.

Dunno if I'll be successful, but Fritz has suggested trying to turn on SmartNavigation, which will at least work for IE. Only problem is, .TEXT is pretty funky in how it uses ASP.NET. We'll see :-)
Patrick Foley wrote re: CAPTCHA enabled blogs
on 04-26-2005 6:59 PM
Far out.
Patrick Foley wrote re: CAPTCHA enabled blogs
on 04-26-2005 7:01 PM
http://patrickfoley.com/2005/01/21/scroll-saver/

I actually use WordPress (shhh!), but above is a simple scrolling solution I've used that should be quick to implement for .TEXT. I'm pretty sure it does what you want.
Kevin Westhead wrote re: CAPTCHA enabled blogs
on 04-27-2005 7:28 AM
Works for me!
Robert Hurlbut wrote re: CAPTCHA enabled blogs
on 04-27-2005 8:35 AM
Looks good.
Paul Lockwood wrote re: CAPTCHA enabled blogs
on 04-28-2005 4:39 AM
>>but frankly alerts bug the heck outta me
:) Know what you mean, especially when the back button is used and it appears again. My JavaScript is not good enough to write a 'show the alert once' function

SmartNav can be somewhat funky too and I have almost always ended up turning it off on my projects due to the odd problem or two. Maybe when IE7 hits the streets it will work OK?
Keith Brown wrote re: CAPTCHA enabled blogs
on 05-11-2005 1:47 PM
Jim,

>> A fair test of CAPTCHA would be to turn on CAPTCHA and turn off the heuristics (or at least log the rejects).<<

Test results: with CAPTCHA replacing our heuristics, we definitely reduced the spam hits, but didn't eliminate them entirely. In fact, this particular entry just got spammed with about 100 links to some porn site. Ironic eh? Anyway, I'm now doing both.
Critical Hippo wrote Blind people?
on 03-04-2006 11:04 AM
How do you plan to interface your CAPTCHA with the screen readers and Braille displays that people with visual disabilities use?
Keith Brown wrote re: CAPTCHA enabled blogs
on 03-04-2006 1:27 PM
There is no plan for that, but if you have some ideas, I'd be happy to see what we can do!
Critical Hippo wrote re: CAPTCHA enabled blogs
on 03-22-2006 1:41 PM
The two major methods of accommodating blind users are to provide an audio alternative (used by MSN Passport accounts) and to allow affected users to e-mail an administrator for assistance in creating an account (used by Slashdot.org).
Critical Hippo wrote re: CAPTCHA enabled blogs
on 08-08-2006 6:27 PM
UPDATE: The "what's this?" below the comment form now gives an alternative method for users who cannot read the CAPTCHA.