Can I CAPTCHA your attention please?
I recently had to handle an issue on my website raised by a Comment Spammer. There must be a special place in Hell for these particular individuals. If you are not familiar with the term, it describes those who post unwanted advertisements to message boards and virtually any place that allows user input. Now, I hate spam as much as the next guy when it comes in email format, but my email filter usually gets the most of it and it is kept rather private to just myself. Comment Spam clutters up public areas where I want my users to be able to see valid posts and not advertisements for unwanted products. So, that being said, I had to take matters into my own hands.
Looking on the bright side of things, I learned a number of interesting things and that always makes even the most trying process worthwhile. For starters, I learned that the name of the mechanism was called a CAPTCHA. This was actually as a result of a few questions out to friends of mine that read "What do you call those things that display a secret code that you have to type in to verify that you can see it?". Not the most specific question, but after bothering a few friends with my question, Amir Lieberman came through with the answer.
A couple of interesting notes about CAPTCHAs. First of all, it is not just a catchy name, it is actually an acronym for Completely Automated Public Turing Test To Tell Computers and Humans Apart. In short, it is a test that most humans can pass, but most computer programs can't. Interestingly enough, breaking a CAPTCHA is actually quite an area of interest in Artificial Intelligence. There are quite a number of algorithms that are being studied and developed to allow a computer to read the text that is embedded within an image. The approach is similar to object recognition software that is used to identify a face within in image recorded by a camera. I guess it is just a matter of time before this type of safeguard will be broken by spammers. Be sure to check out the site http://www.captcha.net. It has some interesting links to papers and resources on the topic.
After learning a bit about CAPTCHAs, the next step was for me to implement one. If you know me, you will know that I have no desire to reinvent the wheel. I went hunting for a good example of implementing a CAPTCHA in .NET and I found an example that was written back in 2003 by Adnan Masood. A very impressive testimonial to this example is that even though it is 2 years old, it did the trick perfectly. It was very clear and easy to implement, even considering the date that it was originally posted. In minutes, literally, I had it implemented on my site. Mission Accomplished!!!! or so I thought.....
Just as I was patting myself on my back, I get my first spam. As it turns out, Amir has a rather twisted sense of humor so he went to the page that I implemented it on, typed in the confirmation code and manually sent me a spam. Having known him for many years, I actually realized it immediately and thought that it was pretty hilarious. Only Amir could think of something like that. I chatted him about it and he fessed up. An hour later, though, the same spams were coming through. I was shocked!!! How could it be? That was impossible. I mean, I just invested my time and energy protecting that page so that a person would actually have to manually type in the code. THEY HAD TO!!! THERE WAS NO OTHER WAY!!!!. I was wondering if the spammers technology was really so sophisticated that it could break through this check. Then the answer finally occurred to me. I implemented my check via validation controls in .NET. If the user had turned off client-side scripting, they could easily get around it. I turned off scripting to test my theory and sure enough it was proven. The solution was simple, I needed to add an addition call to the validations on the server-side. So far, so good. I guess that my site is safe, at least for the time being. :)