The evolution of spam
Many blog owners will be familiar with one particular pest on the internet: spam bots. This blog is no exception, but I was determined to keep my pages clear of digital graffiti even when I don't have much time to post regularly.
Fortunately there are some nice and unobtrusive countermeasures available, like Akismet. They work pretty much like the spam detection for your email. For some time, this used to be enough to keep the spam bots at bay, but spammers are constantly changing their angle of attack. Many comments that are posted nowadays don't even contain any links anymore. With some luck, they can even pass for a comment from an interested reader. I'm not completely sure how exactly this helps the spammer, but no doubt they are trying to raise the reputation level of the IP address or email used to post the comment with, so t
hey are more likely to pass through filters like Akismet later. In any case, spam filters are not as effective against these messages as they are against something containing one or more actual links.
One day I decided enough was enough. I caved and added a CAPTCHA to the comment form, in this case provided by reCAPTCHA (now owned by Google). Unfortunately this wasn't nearly as effective as I had hoped: OCR techniques, together with dictionaries no doubt have made this type of CAPTCHA surprisingly easy to circumvent. I was still receiving 150 to 200 spam comments each day on this humble website. Akismet filters most of them, but BlogEngine.NET makes me look at potential spam for approval or permanent deletion anyway.
Alternative CAPTCHA: PlayThru
While it seems that Google is aware that reCAPTCHA is no longer secure enough, their improvements are not yet publicly available. I went looking for alternatives. I found an interesting one on AreYouAHuman.com, called PlayThru. In order to pass as a human, the user has to play a simple game, which usually involves dragging the right objects onto another object. In the background it keeps some data on things like your mouse movement, to see if they appear sufficiently human-like.
How effective is this method at stopping spam? I can only speak for my personal situation, but so far it has reduced the spam from 150-200 comments a day to 0 (zero, zilch, nada). That sounds pretty awesome, right?
Long term effectiveness
I guess the real question here is: How long will this success last?
At least one person has already managed to successfully attack this new type of CAPTCHA using existing computer vision libraries. This person rightly comments that in the end, it depends on how many different types of games will be presented to the user. Also, it is currently possible for the bot to reload the CAPTCHA until a game appears that it knows how to solve. This seems like a design flaw to me, but I expect that once this would be abused, it would be easily fixed by the people at AreYouAHuman.
I cannot escape the idea that as this type of CAPTCHA becomes more popular, bots will be made to solve them. In the end it is the same old arms race between spammers and spam detection companies. However, for the time being I am satisfied with the results.
Using PlayThru in BlogEngine.NET
AreYouAHuman.com has examples available for a variety of platforms, as well as ready to use components for well known web applications such as Wordpress, Drupal, vBulletin and phpBB. I figured integrating into BlogEngine.NET would be extremely easy using the AyahControl they provide for ASP.NET WebForms. Unfortunately, the control did not work together with the custom built form submission of BlogEngine.NET. I had more luck with the AyahServiceIntegration class that is also provided.
Unfortunately the flexibility of BlogEngine.NET leaves something to be desired when it comes to CAPTCHAs. It supports two types built-in, which both appear as an extension. However, in reality key parts of the code are actually part of the main application. To add a third CAPTCHA type, I needed to mess with these bits. This means that if you want to use this prototype extension, you should first backup your files. You should also update to BlogEngine 2.8.0.1 before applying the changes.
Files: