Sitefinity CMS

Built-in Spam Protector Strategies

In Telerik Sitefinity the Form Spam Protector control uses two major strategies: CAPTCHA and Automatic Robots Discovery.

 

Current Features

There are two strategies provided in Sitefinity:

 

  • CAPTCHA – this strategy uses an image with modified symbols. The symbols are displayed in a form, and the user is required to type them into a textbox. If the input is correct, the control validates that the user is not a robot because it is not yet possible for robots to identify distorted symbols. This is the most secure method to protect from comment spam. However, it is considered inaccessible to people with disabilities (blind users cannot see the text in the image). A set of properties characterizes the image:
    • Noise factors – background, line, font warping
    • Image – height and width
    • Text – font family name, set of characters, number of characters
    • CAPTCHA session expiration time
    • CAPTCHA error message to be displayed if the entered value was incorrect

     CAPTCHA in Sitefinity

     Figure 1

 

CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.

 

  • Automatic Robots Discovery – this strategy uses predefined rules which decide whether the input comes from a robot or not. This strategy is not 100% secure and some sophisticated robots may pass it. The Sitefinity administrator is allowed to decide which of the predefined rules to use. At this point, there are two implemented rules that could be applied either separately or simultaneously:
    • Minimum form submission time – the presumption is that a human cannot fill in the fields of a form correctly in less than 3 seconds (this is the default value, and it can be modified). If the form is submitted faster than the predefined value, it is assumed that the submitter is a robot.
    • Hidden textbox in the form (the so-called “honeypot”) – this rule requires the insertion of a textbox which is not visible when the form is styled. A robot will still detect it, so if any data is entered in it, the submitter is considered to be a robot. A hidden label is also used to instruct humans not to fill in the textbox. This is necessary in case the styles are turned off and the textbox becomes visible, or in case a screen reader is used.

     Auto Detection Strategy

    Figure 2
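
Both rules come down to a server-side check on the posted form. The following is an added example, not Sitefinity's implementation: the `RobotRules` class, the HMAC-signed render-time token and the sample key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper (not a Sitefinity type) that evaluates both rules on the server.
public static class RobotRules
{
    // Sign the render time so a client cannot backdate it to pass the minimum-time rule.
    public static string IssueToken(byte[] key, DateTime renderedUtc)
    {
        string ticks = renderedUtc.Ticks.ToString();
        return ticks + "." + Sign(key, ticks);
    }

    // Returns null when both rules pass, otherwise the name of the rule that failed.
    public static string Check(byte[] key, string token, string honeypot, DateTime nowUtc, int minSeconds = 3)
    {
        // Hidden textbox rule: humans never see the field, so any value fails.
        if (!string.IsNullOrEmpty(honeypot)) return "HiddenTextbox";
        // Minimum submission time rule: the token must be authentic and old enough.
        string[] parts = (token ?? "").Split('.');
        long ticks;
        if (parts.Length != 2 || !long.TryParse(parts[0], out ticks) || !SameText(Sign(key, parts[0]), parts[1]))
            return "MinSubmissionTime";
        bool tooFast = nowUtc.Ticks - ticks < TimeSpan.FromSeconds(minSeconds).Ticks;
        return tooFast ? "MinSubmissionTime" : null;
    }
    static string Sign(byte[] key, string data)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }
    // Compares without stopping at the first differing character.
    static bool SameText(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key"); // constructed sample key
        DateTime t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed render time
        string token = IssueToken(key, t0);
        Console.WriteLine(Check(key, token, "", t0.AddSeconds(1)) ?? "pass");
        Console.WriteLine(Check(key, token, "filled by bot", t0.AddSeconds(9)) ?? "pass");
        Console.WriteLine(Check(key, token, "", t0.AddSeconds(9)) ?? "pass");
    }
}
```

A render time kept in an unsigned hidden field would let the client choose any value, which is why the token is signed here.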

 

Setting up Spam Protection on Custom Forms

Setting up the spam protection on a custom form could be done by following these steps:

  1. Open the Page Editor for the page with the custom form.

  2. Drag the Form Spam Protector control and drop it onto your page. This control is situated in the Form section of the toolbox. 

  3. Click Edit on the SpamProtector control in order to set its properties and enable it. To set the most important properties, choose a strategy on the Basic tab, select that strategy's checkbox, and then click the Settings link. This enables the strategy. Here are the steps to follow for each strategy:

     

    • CAPTCHA
      • Set the level of different noise factors for background, line, font warping
      • Set the value of width and height of the image
      • Choose from the available values of text properties for font family name, set of characters, and number of characters
      • Set CAPTCHA session expiration time which is in minutes 
      • Set CAPTCHA error message which will be displayed if the entered value was incorrect. This could be done by filling in the message in the CapcthaInvalidInputMsg textbox, in the Captcha section, in the Advanced tab of the Spam Protector properties

     

    • Automatic Robots Discovery

      There are two rules that could be applied either separately or simultaneously:

      • Minimum form submission time:
        • Set the time in seconds
        • Set the error message returned if this rule fails. This could be done by filling in the message in the MinTimeoutMsg textbox, in the section Auto Discovery - Min Submission Time, in the Advanced tab of the Spam Protector properties

      • Hidden textbox on the form (the so-called honeypot):
        • Set an accessibility label which will be displayed on screens where CSS is disabled - the Hidden message textbox needs to be filled
        • Set the error message returned if this rule fails - in case the hidden textbox has been filled. This could be done by filling in the message in the HiddenTextboxMsg textbox, in the section Auto Discovery - Hidden TextBox, in the Advanced tab of the Spam Protector properties

     

  4. In the user control which processes the submission data, check whether the page is valid (using the Page.IsValid or ValidationGroup properties) before processing the submitted data. This is necessary because the Form Spam Protector is a validator: when validation fails it only sets the Page.IsValid property to false, and it still allows the data submission to take place. If the page is not valid, the form has been submitted by a robot, not a human, and the submitted data should be discarded.
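
The check from step 4, sketched as the code-behind of a custom form. This is an added example, not code from the Sitefinity documentation: the class name, the control IDs and the "commentForm" validation group are assumptions, and the Form Spam Protector on the page is assumed to belong to the same validation group.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind class, referenced from the .ascx through Inherits.
public class CommentForm : UserControl
{
    // Bound to the controls declared in the .ascx markup with matching IDs (assumed).
    protected TextBox NameTextBox;
    protected TextBox CommentTextBox;
    protected Button SubmitButton;
    protected Label StatusLabel;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Make the submit button run every validator in the group on postback,
        // so Page.IsValid is populated before the click handler executes.
        // Reading Page.IsValid before validation has run throws an HttpException.
        SubmitButton.CausesValidation = true;
        SubmitButton.ValidationGroup = "commentForm";
        SubmitButton.Click += SubmitButton_Click;
    }

    private void SubmitButton_Click(object sender, EventArgs e)
    {
        // A failed validator does not stop the postback: this handler still runs
        // for a rejected submission, so the check below is the actual gate.
        if (!Page.IsValid)
        {
            StatusLabel.Text = "Your submission could not be accepted.";
            return; // discard the submitted data
        }

        // Only reached when every validator in the group, including the
        // spam protector, has passed.
        string author = NameTextBox.Text.Trim();
        string comment = CommentTextBox.Text.Trim();
        StatusLabel.Text = "Thank you, " + Server.HtmlEncode(author)
            + ". Received " + comment.Length + " characters.";
    }
}
```

Client-side validation scripts do not replace this check, because a robot can post to the form without running them.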

 

 

 See Next:

Extending the Spam Protector with Custom Strategies 

 
