Al Bsharah Business Minded, Technically Inclined

Controlling the Influx of SPAM on BlogEngine.NET


UPDATE 01.31.2010:  The latest release of BlogEngine.NET (2.0) addresses a number of spam-related issues and includes some of its own CAPTCHA-type options, including reCaptcha.

BlogEngine.NET implements an “Invisible CAPTCHA” solution that has worked quite well for a considerable amount of time.  Over the past few weeks, those of us using BlogEngine.NET have been pelted with numerous SPAM entries, far too frequent to be human-generated.  It seemed as if someone had found their way around the CAPTCHA solution…and they have, as the video below shows.

There is a lot of discussion amongst the developers of BlogEngine.NET on how to combat this, and four lines of code were added in Change Set 28194.  The four lines are below, and are added to the top of the Page_Load in CommentView.ascx.cs.

string generatedFieldName = "txtName" + DateTime.Now.Ticks.ToString();
txtName.ID = generatedFieldName;
CustomValidator1.ControlToValidate = generatedFieldName;
RequiredFieldValidator1.ControlToValidate = generatedFieldName;

The code seems to dynamically generate the submit button name, so that an automated bot can’t just post based on what it knows the submit button’s name to be.

This appears to be something that could theoretically be hacked as well, but is an easy quick fix if you’re having issues.  My understanding is that the BlogEngine.NET team is working diligently to come up with a more substantial solution.
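An added example (not BlogEngine.NET code and not part of the change set): the four lines above give the txtName field an ID that ends in the render-time ticks, but nothing in those lines verifies that value when the comment comes back. The C# below signs the ticks with an HMAC so that a post can be rejected when the field name was not issued by the server, arrived within a few seconds of rendering, or is stale. `SignedFieldName`, the demo key and the 3-second and 30-minute limits are assumptions, and how the posted field name reaches `Validate` depends on the comment handler and is not shown.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not BlogEngine.NET code.
public static class SignedFieldName
{
    // Assumption: per-site secret loaded from configuration (constructed demo value).
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-secret");
    static readonly TimeSpan MinFill = TimeSpan.FromSeconds(3);  // assumed: faster posts are scripted
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(30);  // assumed: older names are stale

    static string Mac(string ticksHex)
    {
        using (var h = new HMACSHA256(Key))
            return BitConverter.ToString(h.ComputeHash(Encoding.ASCII.GetBytes(ticksHex)), 0, 10).Replace("-", "");
    }

    // Render time: value for txtName.ID in place of "txtName" + ticks.
    public static string Issue(DateTime nowUtc)
    {
        string t = nowUtc.Ticks.ToString("x", CultureInfo.InvariantCulture);
        return "f" + t + "_" + Mac(t);
    }

    // Postback: accept only a name this server issued, within the time window.
    public static bool Validate(string name, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(name) || name[0] != 'f') return false;
        string[] p = name.Substring(1).Split('_');
        if (p.Length != 2 || !long.TryParse(p[0], NumberStyles.AllowHexSpecifier,
                CultureInfo.InvariantCulture, out long ticks)) return false;
        string want = Mac(p[0]);
        int diff = want.Length ^ p[1].Length;              // compare without early exit
        for (int i = 0; i < want.Length && i < p[1].Length; i++) diff |= want[i] ^ p[1][i];
        if (diff != 0) return false;                        // forged or altered name
        TimeSpan age = TimeSpan.FromTicks(nowUtc.Ticks - ticks);
        return age >= MinFill && age <= MaxAge;
    }

    public static void Main()
    {
        DateTime rendered = new DateTime(2010, 1, 31, 12, 0, 0, DateTimeKind.Utc); // constructed
        string name = Issue(rendered);
        Console.WriteLine(Validate(name, rendered.AddSeconds(20)));  // normal visitor
        Console.WriteLine(Validate(name, rendered.AddSeconds(1)));   // posted too quickly
        Console.WriteLine(Validate(name, rendered.AddHours(2)));     // replayed later
        Console.WriteLine(Validate("txtName" + rendered.Ticks, rendered.AddSeconds(20))); // unsigned
    }
}
```

A signed name does not stop a script that fetches the form and waits before posting; it only removes the cheap cases, so moderation or a content filter is still needed behind it.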

Good luck…

About the author

Al Bsharah

Al’s been involved in multiple San Diego startups since 1999 after leaving the Detroit auto industry as an electrical engineer. He's started two of his own companies where he's raised capital from both VCs and angels, and sold one of them to both Seismic and Return Path. He resides on the board of Startup San Diego, is a Tech Coast Angels member, and has graduated both Techstars and Founder Institute accelerator programs where he now mentors. Al is currently the Vice President of Product Strategy at Seismic and in his free time he manages to play a little beach volleyball, trade stocks, and camp with his wife, son, dog, and friends.

24 comments

  • Good to hear, Daniel. It’s definitely cut it down for me, but I still get them somewhat regularly. This along with the Commentor plugin has done a good job of keeping things in check. I also heard recently that Commentor is making its way into the source…

  • Hey Al,

    Good post. I too was getting a lot of spam in my comments, and had to come up with a quick fix. My end goal is to put recapcha on the site, but for now I just put a checkbox on the page that reads "I am a human". So far it has worked well. And if someone actually modifies their script to put a check in the box, I’ll just add something else to the comment page.

    I wrote a blog entry about it here: http://blog.climers.com/post/2009/08/15/BlogEngineNET-Comment-Spam.aspx

  • Hey James, thanks for the reply. Nice job on your temporary fix, I’m sure it’ll help for the time being. I’m still getting the occasional spam, but it’s nowhere near the level it was prior to the fix the BlogEngine folks put out… I’m just hoping this doesn’t become one of those never-ending Radar-Gun / Radar-Detector wars!

    Cheers,
    AL

  • Hey Keith, thanks for the reply and code for using reCaptcha on BlogEngine! Looks like you spent a lot of time working on it.

    I haven’t had time to really read or investigate this, but it looks like a fair amount of work for the average user. Is there a way to package it up as an extension so the masses will be able to use it more easily? Of course, the DLLs and such still need to be put into the right place, but modifying code might be tough for some. I’m just not sure if the BE architecture allows for such an extension…?

    Regardless, nice job!

  • I’ve implemented Keith’s reCaptcha solution (after upgrading to BlogEngine v1.5). So far, no spam. I was getting 20+ a night, had to turn on comment moderation and load the Commenter extension (what a pain).

  • Al,

    I just put this in my site. I had to edit CommentView.ascx also because the CustomValidator and RequiredFieldValidator for the name didn’t have an ID – I added an ID to each (cvName and reqName) and then referenced those in the code you provided. The site is still working; now it’s just a matter of seeing if it will stop my spam.

    I added a checkbox with a customvalidator (javascript to make sure it’s checked) a few days ago that says "I agree that my comment is pertinent to this blog entry. If it’s not, it will be considered advertising and I agree to pay $100 per comment.
    Note: Payday loans links will automatically be considering advertising and will be billed $100 per comment submitted." It stopped the Payday loan SPAM I was getting but I am still getting way too much. I’m going to send them invoices and there is one that is already in a few thousand $$ range so maybe even small claims court ;). So, I think they now look for every checkbox on the page and just check them. I guess a way around that would be to require that it is NOT checked and have it say "Check here ONLY if you are a robot sending me SPAM".

    Anyways, thanks for the help! I’ll post back in a few days to let you know if it worked for me.

  • Haha, classic post Brett!

    Yeah, I think a few spammers have found their way around this fix that the BlogEngine guys have come up with. I like your creative ways though… <chuckle>

    Interesting idea on changing the requirement to have a successful post with the checkbox. I’m almost to the point of adding a visual Captcha to the mix, but it seems that a lot of the posts I’m getting are manual too…and I’m not sure there’s a fix for that other than spam blockers like Akismet/Waegis.

    This reminds me of the old radar/radar-detector wars. <laugh>

    Let me know how your Accounts Receivables work out!

  • Hi Al Bsharah,

    Thanks for the nice fix. I used it to reduce the spam to a certain extent. Spammers seem to have found a way around. Any further ideas to fix this?

    Thanks

  • Hey Firoz, they definitely have found their way around it. I use the Commentor extension, which is supposedly in the source-code for the next release of BlogEngine.NET. So, at least their comments don’t go public and I can easily delete them in bulk.

    I don’t know what the BE.NET guys have in store for the next version though, hopefully something substantial!

  • Fantastic addition, Michael! Works like a charm. I’m curious to see how much more it helps in the reduction of spam beyond what the Commentor plugin is doing…

    By the way, there are a couple minor adjustments I’d make in your post:
    1) #3 and #4 should be reversed (.aspx vs .aspx.cs)
    2) Maybe note that CommentView files are located in the "User Controls" folder. Some might be looking at the "theme" versions of the file.

    Thanks again for sharing!

  • Hey, how come you don’t use WordPress for your blog? I’m going to be starting a new blog on mobiles/gadgets but still can’t choose between WordPress/BlogEngine/MovableType. Any suggestions would be welcome.

    -Melinda

    P.S. Sorry for the off-topic comment, I hope that’s okay with you.

  • So I recently began to receive a lot of comment spam from a company called PC Tech Outlet. After reading some of the comments about comment spam here, I went to their site and emailed them directly with the following:

    From: "Daniel Arbeider"
    To: "PC Tech Outlet" <sales@pctechoutlet.com>
    Sent: Saturday, March 27, 2010 4:42 PM
    Subject: Message from PC Tech Outlet

    From: Daniel Arbeider
    Email: verbatim0909@yahoo.com

    ——————————————————

    I’ve noticed PC Tech outlet has decided to use comment spam advertisement on my website: http://www.modernscientist.com. This is your notice that comments not directly related to blog entries on my site are charged a $100 per ad/comment posted on my site. Currently there are 4 advertisement/comment posts on modernscientist.com within the comments from PC Tech outlet. I will remove these four today since you were not aware of my site’s policy. If more posts appear I will begin invoicing you $100 per post. If at that point you refuse payment, or do not pay within 30 days I will seek restitution within the court systems of the United States and Canada.

    Sincerely,

    Daniel Arbeider
    Owner of ModernScientist.com

    They did reply:

    Hello Daniel,

    Thank You for bringing this to our attention. We weren’t aware of this. I will personally look into this matter.

    Sorry for the inconvenience

    Regards
    Sharms

    I know one company is a drop in the bucket but I like the idea of this "unrelated comment fee." Thanks for the suggestion guys!

  • Dan! That’s pretty damn funny! I love the creativity…I wish I had the time to do the same to them all. I wonder if putting a note near the "Save Comment" button would help.

    Thanks for the post!

  • There are many ways to combat spam, but I don’t think that captcha is the answer. I’m pretty sure that company also knew they were spamming lol.

  • I implemented recaptcha using the current version of BlogEngine.
    The spam keeps coming, down from 1000 a day to five or six.

    I have manual moderation on so nothing ends up on the site, but it keeps coming.

    Very annoying when some of the satisfaction of blogging for me is in the feedback so I don’t want to turn comments off. Just living with it for now.

  • He,

    I am getting a lot of problems in my network because of spam and I am not able to send a mail from Outlook because of the spam issue. Can you please help me?

  • This is what I did and it reduced the spam to a great extent.

    – In the source code go search for txtName (relevant to comment control) and replace it with something else.
    – replace btnSaveAjax with something else.

    Spam bots are looking for these control names on BE pages.

    – redeploy your application

    Hope this helps.

By Al Bsharah