Controlling the Influx of SPAM on BlogEngine.NET

by Al Bsharah | 07.18.2009 06:34 PM | Comments (21)

BlogEngine.NET implements an “Invisible CAPTCHA” solution that has worked quite well for a considerable amount of time.  Over the past few weeks, those of us using BlogEngine.NET have been pelted with numerous SPAM entries, far too frequent to be human-generated.  It seemed as if someone had found their way around the CAPTCHA solution…and they have, as the video below shows.

There is a lot of discussion amongst the developers of BlogEngine.NET on how to combat this, and four lines of code were added in Change Set 28194.  The four lines are below, and are added to the top of the Page_Load in CommentView.ascx.cs.

string generatedFieldName = "txtName" + DateTime.Now.Ticks.ToString();
txtName.ID = generatedFieldName;
CustomValidator1.ControlToValidate = generatedFieldName;
RequiredFieldValidator1.ControlToValidate = generatedFieldName;

The code seems to dynamically generate the submit button name, so that an automated bot can’t just post based on what it knows the submit button’s name to be.

This appears to be something that could theoretically be hacked as well, but is an easy quick fix if you’re having issues.  My understanding is that the BlogEngine.NET team is working diligently to come up with a more substantial solution.
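
One way to harden the generated-name idea, as an added example that is not BlogEngine.NET's own code: the four lines above give the txtName control a new ID on each page load, and this hypothetical helper makes that ID something the server can verify on postback by embedding the issue time and an HMAC under a server-side key. It also rejects posts that tick a "robots only" checkbox, as suggested in the comments below; the class name, the 30-minute lifetime and the honeypot ID are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not BlogEngine.NET code.
public static class CommentFieldToken
{
    const string Prefix = "txtName";
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(30); // assumed form lifetime

    static string Sign(byte[] key, long ticks)
    {
        using (var hmac = new HMACSHA256(key))
            return BitConverter.ToString(
                hmac.ComputeHash(Encoding.ASCII.GetBytes(Prefix + ticks)), 0, 16).Replace("-", "");
    }

    // Rendering: the field ID carries its issue time and a MAC over it.
    public static string Issue(byte[] key, DateTime nowUtc) =>
        Prefix + "_" + nowUtc.Ticks + "_" + Sign(key, nowUtc.Ticks);

    // Postback: require a fresh name field that this server issued, and reject
    // the post if the honeypot checkbox (only submitted when ticked) is present.
    public static bool IsValidPost(byte[] key, IEnumerable<string> postedNames,
                                   DateTime nowUtc, string honeypotId)
    {
        bool issued = false;
        foreach (string name in postedNames)
        {
            // ASP.NET prefixes posted names with the naming container: "ctl00$...$id".
            string id = name.Substring(name.LastIndexOf('$') + 1);
            if (id == honeypotId) return false;
            string[] p = id.Split('_');
            if (p.Length != 3 || p[0] != Prefix || !long.TryParse(p[1], out long ticks)) continue;
            if (!SameText(p[2], Sign(key, ticks))) continue;
            long age = nowUtc.Ticks - ticks;
            issued |= age >= 0 && age <= MaxAge.Ticks;
        }
        return issued;
    }

    static bool SameText(string a, string b) // compares without an early exit
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

On render, assign `Issue(key, DateTime.UtcNow)` to `txtName.ID`; before saving a comment, pass `Request.Form.AllKeys` to `IsValidPost` and discard the post when it returns false.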

Good luck…

Categories: Development

Comments

8/4/2009 1:34:29 PM #

Daniel Vaughan

Thanks. I've implemented your approach and I am hopeful that it will cut down the spam I've been seeing lately.

Cheers,
Daniel

Daniel Vaughan Switzerland | Reply

8/4/2009 3:48:16 PM #

Al Bsharah

Good to hear, Daniel.  It's definitely cut it down for me, but I still get them somewhat regularly.  This along with the Commentor plugin has done a good job of keeping things in check.  I also heard recently that Commentor is making its way into the source...

Al Bsharah United States | Reply

8/17/2009 7:45:39 PM #

James Climer

Hey Al,

Good post.  I too was getting a lot of spam in my comments, and had to come up with a quick fix. My end goal is to put reCAPTCHA on the site, but for now I just put a checkbox on the page that reads "I am a human".  So far it has worked well.  And if someone actually modifies their script to put a check in the box, I'll just add something else to the comment page.

I wrote a blog entry about it here: blog.climers.com/.../...ngineNET-Comment-Spam.aspx

James Climer United States | Reply

8/18/2009 12:36:55 AM #

Al Bsharah

Hey James, thanks for the reply.  Nice job on your temporary fix, I'm sure it'll help for the time being.  I'm still getting the occasional spam, but it's nowhere near the level it was prior to the fix the BlogEngine folks put out...  I'm just hoping this doesn't become one of those never-ending Radar-Gun / Radar-Detector wars!

Cheers,
AL

Al Bsharah United States | Reply

8/21/2009 12:55:01 PM #

Keith Ratliff

In case you're interested, I did manage to embed reCaptcha to my BlogEngine.Net blog and I wrote about it.

Details are here:
keithratliff.com/.../...tcha-to-blogenginenet.aspx

Keith Ratliff United States | Reply

8/21/2009 3:24:02 PM #

Al Bsharah

Hey Keith, thanks for the reply and code for using reCaptcha on BlogEngine!  Looks like you spent a lot of time working on it.  

I haven't had time to really read or investigate this, but it looks like a fair amount of work for the average user.  Is there a way to package it up as an extension so the masses will be able to use it more easily?  Of course, the DLLs and such still need to be put into the right place, but modifying code might be tough for some.  I'm just not sure if the BE architecture allows for such an extension...?

Regardless, nice job!

Al Bsharah | Reply

8/25/2009 8:44:23 AM #

John Standlee

I've implemented Keith's reCaptcha solution (after upgrading to BlogEngine v1.5).  So far, no spam.  I was getting 20+ a night, had to turn on comment moderation and load the Commentor extension (what a pain).

John Standlee United States | Reply

8/26/2009 12:04:15 PM #

Al Bsharah

Hey Keith...FYI, your website is in a redirect loop.

Al Bsharah | Reply

8/28/2009 2:53:07 PM #

Al Bsharah

Sorry, MEANT to say:

"Hey John...FYI, your website is in a redirect loop."

(wrong name!)

Al Bsharah United States | Reply

8/30/2009 9:22:54 PM #

Laptop Drivers

Yeah I supposed captcha would be effective to stop spam. Thanks for the share.

Cheers.

Laptop Drivers United States | Reply

11/29/2009 9:59:43 AM #

Brett Jones

Al,

I just put this in my site.  I had to edit CommentView.ascx also because the CustomValidator and RequiredFieldValidator for the name didn't have an ID - I added an ID to each (cvName and reqName) and then referenced those in the code you provided.  The site is still working; now it's just a matter of seeing if it will stop my spam.

I added a checkbox with a customvalidator (javascript to make sure it's checked) a few days ago that says "I agree that my comment is pertinent to this blog entry. If it's not, it will be considered advertising and I agree to pay $100 per comment.
Note: Payday loans links will automatically be considering advertising and will be billed $100 per comment submitted."  It stopped the Payday loan SPAM I was getting but I am still getting way too much.  I'm going to send them invoices and there is one that is already in a few thousand $$ range so maybe even small claims court ;).  So, I think they now look for every checkbox on the page and just check them.  I guess a way around that would be to require that it is NOT checked and have it say "Check here ONLY if you are a robot sending me SPAM".

Anyways, thanks for the help!  I'll post back in a few days to let you know if it worked for me.

Brett Jones United States | Reply

11/30/2009 8:58:39 AM #

Al Bsharah

Haha, classic post Brett!

Yeah, I think a few spammers have found their way around this fix that the BlogEngine guys have come up with.  I like your creative ways though...  <chuckle>

Interesting idea on changing the requirement to have a successful post with the checkbox.  I'm almost to the point of adding a visual Captcha to the mix, but it seems that a lot of the posts I'm getting are manual too...and I'm not sure there's a fix for that other than spam blockers like Akismet/Waegis.

This reminds me of the old radar/radar-detector wars.  <laugh>

Let me know how your Accounts Receivables work out!

Al Bsharah United States | Reply

1/2/2010 5:28:53 AM #

Firoz Ozman

Hi Al Bsharah,

Thanks for the nice fix. I used it to reduce the spam to a certain extent. Spammers seem to have found a way around. Any further ideas to fix this?

Thanks

Firoz Ozman Canada | Reply

1/9/2010 11:41:38 AM #

Al Bsharah

Hey Firoz, they definitely have found their way around it.  I use the Commentor extension, which is supposedly in the source-code for the next release of BlogEngine.NET.  So, at least their comments don't go public and I can easily delete them in bulk.  

I don't know what the BE.NET guys have in store for the next version though, hopefully something substantial!

Al Bsharah United States | Reply

1/24/2010 1:07:28 PM #

Michael Ceranski

I wrote an article on how to implement a captcha solution in BlogEngine. Since implementing I have seen a huge reduction in spam: www.codecapers.com/.../...ts-in-BlogEngineNET.aspx

Michael Ceranski United States | Reply

1/24/2010 5:52:44 PM #

Al Bsharah

Fantastic addition, Michael!  Works like a charm.  I'm curious to see how much more it helps in the reduction of spam beyond what the Commentor plugin is doing...

By the way, there are a couple minor adjustments I'd make in your post:
1)  #3 and #4 should be reversed (.aspx vs .aspx.cs)
2)  Maybe note that CommentView files are located in the "User Controls" folder.  Some might be looking at the "theme" versions of the file.

Thanks again for sharing!

Al Bsharah United States | Reply

2/2/2010 1:57:09 PM #

trackback

Add CAPTCHA to Your BlogEngine.NET Installation - Reduce SPAM!

Al Bsharah | Reply

3/7/2010 4:55:44 AM #

Learn How to Lose Weight

Hey, how come you don't use WordPress for your blog? I'm going to be starting a new blog on mobiles/gadgets but still can't choose between WordPress/BlogEngine/MovableType. Any suggestions would be welcome.

-Melinda

P.S. Sorry for the off-topic comment, I hope that's okay with you.

Learn How to Lose Weight United States | Reply

3/28/2010 10:45:18 AM #

Dan

So I recently began to receive a lot of comment spam from a company called PC Tech Outlet.  After reading some of the comments about comment spam here, I went to their site and emailed them directly with the following:

From: "Daniel Arbeider"
To: "PC Tech Outlet" <sales@pctechoutlet.com>
Sent: Saturday, March 27, 2010 4:42 PM
Subject: Message from PC Tech Outlet


From: Daniel Arbeider
Email: verbatim0909@yahoo.com

------------------------------------------------------

I've noticed PC Tech outlet has decided to use comment spam advertisement on my website: www.modernscientist.com.  This is your notice that comments not directly related to blog entries on my site are charged a $100 per ad/comment posted on my site.  Currently there are 4 advertisement/comment posts on modernscientist.com within the comments from PC Tech outlet.  I will remove these four today since you were not aware of my site's policy. If more posts appear I will begin invoicing you $100 per post.  If at that point you refuse payment, or do not pay within 30 days I will seek restitution within the court systems of the United States and Canada.

Sincerely,

Daniel Arbeider
Owner of ModernScientist.com


They did reply:

Hello Daniel,

Thank You for bringing this to our attention. We weren't aware of this. I will personally look into this matter.

Sorry for the inconvenience

Regards
Sharms


I know one company is a drop in the bucket but I like the idea of this "unrelated comment fee."  Thanks for the suggestion guys!

Dan United States | Reply

3/29/2010 5:46:35 PM #

Al Bsharah

Dan!  That's pretty damn funny!  I love the creativity...I wish I had the time to do the same to them all.  I wonder if putting a note near the "Save Comment" button would help.  

Thanks for the post!

Al Bsharah United States | Reply

5/24/2010 8:51:49 AM #

trackback

Confessions of a Lazy Blogger

CodersBarn.com | Reply
