Kartones.Net: Implemented a Server-side CAPTCHA for Community Server 2007

After getting tired of still getting spam (having Brendan Tompkins' CAPTCHA installed), I decided to dig into the problem, and found the big FAIL: the CAPTCHA is client-side only, relying on a JavaScript validation of a cookie to decide whether or not to send the comments.

As this proved to be unsuccessful (I was getting 2-3 spam emails/comment forms per day), I've scrapped almost all the original code except the image generation stuff and redone it both client-side (checking that the CAPTCHA field is not empty) and server-side (validating the CAPTCHA field).

Also, it is no longer a simple "input the numbers you see", because most spam bots have OCR and can read it, no matter how hard you make it (up to the point where humans can no longer read it either, as sometimes happens with the GMail new account validation one). So read the small instructions, because today one person didn't and was blaming the browser xD

It doesn't appear to the community bloggers, but if they want to check how it looks they only need to log out and navigate, for example, to this post's comments section.

On the technical side, instead of using Brendan's original ControlAdapter I've directly modified the ContactForm and WeblogPostCommentForm classes to support and validate the CAPTCHA with server-side code (and to make it slightly faster than dynamically adding controls at render time).
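A framework-agnostic sketch of the server-side check described above, added here as an example; it is not this post's code or Community Server's. `CaptchaStore`, `handle_comment_post`, the form field names and the 300-second lifetime are assumptions. It shows why the check has to live on the server: a POST that never ran the page's script is still rejected, each challenge is single-use, and failed attempts are recorded.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumed value)

class CaptchaStore:
    """Server-side record of issued challenges; the answer never reaches the client."""

    def __init__(self, clock=time.time):
        self._pending = {}   # challenge id -> (expected answer, expiry time)
        self.failed = []     # (challenge id, reason) for every rejected attempt
        self._clock = clock

    def issue(self, answer):
        """Register a new challenge and return the opaque id to embed in the form."""
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (answer, self._clock() + CHALLENGE_TTL)
        return cid

    def verify(self, cid, submitted):
        """Check a posted answer. A challenge is consumed by its first attempt."""
        entry = self._pending.pop(cid, None)  # pop: single use, so no replay
        if entry is None:
            return self._reject(cid, "unknown-or-reused")
        answer, expires = entry
        if self._clock() > expires:
            return self._reject(cid, "expired")
        given = (submitted or "").strip().lower().encode()
        if not hmac.compare_digest(given, answer.strip().lower().encode()):
            return self._reject(cid, "wrong-answer")
        return True

    def _reject(self, cid, reason):
        self.failed.append((cid, reason))
        return False

def handle_comment_post(store, form):
    """Runs on the server for every POST, whatever the browser script did or skipped."""
    if not store.verify(form.get("captcha_id"), form.get("captcha_answer")):
        return "rejected"
    return "accepted"

if __name__ == "__main__":
    store = CaptchaStore()
    cid = store.issue("7")
    # Constructed form: posted directly with the CAPTCHA field left out.
    print(handle_comment_post(store, {"captcha_id": cid}))
```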

I might even play with creating two or three CAPTCHAs of different types (like doing math operations or choosing the right image or color) and display randomly one of them.

My knowledge of Community Server is slowly but surely increasing, and I'm starting to like a lot how the "templated" ASPX controls work. Once you find the desired control or form, you can do significant logic modifications with few lines of code (the CAPTCHA controls & checks don't take more than 20 lines of code + 4 standard web controls...). Things like adding the CAPTCHA to all blogs are a matter of adding a few fields and formatting to each blog template; no more code is needed and everything "connects" automatically. I want to make deeper modifications but this is getting interesting :)

And finally, as a side note, I found another interesting "hidden" feature, the HtmlScrubber component, which cleans and sanitizes posts' HTML elements and attributes. I wanted to create something similar (but as a Windows Live Writer plugin, to make blog posts more XHTML compliant), and it is not only already implemented in CS2007, but it is also very easy to extend.

As I've said more than once, Community Server is quite hard to learn, but then it opens an endless world of possibilities!

Note: Right now it is only placed on two blogs (this and another one) for testing purposes (it logs failed CAPTCHA attempts), but if everything works as expected tomorrow night I'll install it on all blogs of the community.

Comments?

Posted by Kartones on 2009-05-19