Article relates to: Sitefinity 3.2 Beta
Created by: Tihomir Atanasov
SPAM PROTECTOR? WHAT'S THIS? IS IT SOMETHING CONNECTED WITH EMAILS?
Absolutely not!
In the last few years spam has become a nasty problem for many bloggers and companies who need input from their web clients.
Fear no more.
Since the release of v3.2 Beta, the Sitefinity toolbox contains a new section: Forms. If you expand it, you'll find the Spam Protector control. It prevents bots from spamming your forms by using some known-to-work strategies which hinder bots’ attempts to spam forms.
In the current release, the Spam Protector control uses two major strategies, but we will certainly be adding more so that our users feel safer.
CAPTCHA
In this strategy, an image containing obfuscated text is displayed on the form and the user is required to type that text into a textbox, which lets the control validate whether s/he is a robot or not. This is the most secure method to protect from comment spam, but it is considered to be inaccessible (although there are accessibility workarounds) because disabled people may not see the text in the image.
There is a set of properties which define the obfuscated image:
- Noise factors – background, line, font warping
- Image – height and width
- Text – font family name, set of characters to be used, number of characters to be used
- CAPTCHA session expiration time
- CAPTCHA error message if the value was not filled correctly
AUTOMATIC ROBOTS DISCOVERY
In this strategy we use predefined rules which decide whether the input comes from a robot or not. This strategy is not 100% secure and some sophisticated robots may pass it. As administrator, you decide which of the predefined rules to use. So far we have implemented 2 rules:
- Minimum form submission time – in this rule, our presumption that a form submission comes from a robot is based on the notion that a human cannot input the fields in a form faster than a predefined value (3 seconds by default but can be modified).
- Hidden textbox on the form (the so-called "honeypot") – this rule is based on a hidden textbox which is placed in the form; if it has been filled in when the form is submitted, the submission is considered to be from a bot. There is a hidden label for this textbox which can contain a message telling people who use screen readers, or whose browsers have CSS turned off, not to fill in this field.
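The two rules above can be sketched as a server-side check. This is an added example, not Sitefinity's implementation: the class `FormBotRules`, its methods and the demo key are hypothetical, and it assumes the render time travels in a hidden field, signed with HMAC so that a client cannot back-date it. A real site would load a random secret from configuration instead of the constructed key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example with hypothetical names; not Sitefinity's API. The key is a constructed demo value.
public static class FormBotRules
{
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");
    // Called while rendering the form; the result goes into a hidden field.
    public static string IssueToken(DateTime renderedUtc)
    {
        string ticks = renderedUtc.Ticks.ToString();
        return ticks + "." + Sign(ticks);
    }

    // Returns null when the post passes both rules, otherwise the rule that failed.
    public static string Check(string token, string honeypot, DateTime nowUtc, int minSeconds)
    {
        // Honeypot rule: the hidden textbox must come back empty.
        if (!string.IsNullOrEmpty(honeypot)) return "honeypot";
        // A missing or altered timestamp is rejected rather than trusted.
        string[] parts = (token ?? "").Split('.');
        long ticks;
        if (parts.Length != 2 || !ConstantTimeEquals(Sign(parts[0]), parts[1])
            || !long.TryParse(parts[0], out ticks)) return "token";
        // Minimum-time rule: a post faster than the minimum is treated as a robot.
        DateTime rendered = new DateTime(ticks, DateTimeKind.Utc);
        return (nowUtc - rendered).TotalSeconds < minSeconds ? "too-fast" : null;
    }
    private static string Sign(string data)
    {
        using (HMACSHA256 hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }
    private static bool ConstantTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main()
    {
        DateTime t0 = new DateTime(2008, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed render time
        string token = IssueToken(t0);
        Console.WriteLine(Check(token, "", t0.AddSeconds(1), 3) ?? "accepted");
        Console.WriteLine(Check(token, "http://spam.example", t0.AddSeconds(9), 3) ?? "accepted");
        Console.WriteLine(Check(token, "", t0.AddSeconds(9), 3) ?? "accepted");
    }
}
```

The signature stops a client from back-dating the hidden field, but a token that is simply held until the minimum has elapsed still passes, which fits the statement above that this strategy is not 100% secure.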
SOUNDS GREAT SO FAR BUT HOW DO I SET UP SPAM PROTECTION ON MY FORMS?
You can do this in 4 easy steps:
1. Open the page containing your form for editing.
2. In the toolbox, expand the Forms section, then drag the Spam Protector control and drop it onto your page.
3. Edit its properties to enable it.
Here is a list of the most important ones:
CAPTCHA
- First you need to enable it.
- Set different noise factors – background, line, font warping
- Set image properties – height and width
- Set text properties – font family name, set of characters to be used, number of characters to be used
- Set CAPTCHA session expiration time
- Set CAPTCHA error message if the value was not filled correctly
AUTOMATIC ROBOTS DISCOVERY
First, you need to enable it before enabling any of the 2 sub-strategies used:
- Minimum form submission time:
  - Set the time in seconds
  - Set the error message returned if this rule fails
- Hidden textbox on the form (so-called honeypot):
  - Set an accessibility label which will be displayed on screens where CSS is disabled
  - Set the error message returned if this rule fails
4. In the user control which processes the submission data, check whether the page is valid or not (Page.IsValid) before doing anything with the submitted data as the Form Spam Protector is a validator. If the page is not valid, then this form has been submitted from a robot, not a human and you should not process the data coming from it.
I'M TOTALLY IN LOVE WITH YOUR SPAM PROTECTOR BUT HOW CAN I EXTEND IT WITH MY OWN STRATEGIES?
Follow the steps below to create the custom strategy Bot Trap Link and add it to Sitefinity.
Creating the strategy in a nutshell
1. Create a new class which inherits from SpamProtector. For example, name it MySpamProtector.
2. Create a new class which implements ISpamProtector. For example, name it MyStrategy.
3. Implement the custom logic in the class MyStrategy using the methods and properties provided by the interface and adding any new necessary methods and properties.
4. Create a private instance of MyStrategy as an extender in the class MySpamProtector. For example, name it myStrategyInstance.
5. Add a constructor to the class MySpamProtector.
6. Add all the needed properties to the class MySpamProtector. Use them to access the properties on myStrategyInstance.
7. Add a boolean property to MySpamProtector which will enable the custom strategy, for example, EnableMyStrategy. Add myStrategyInstance to the collection of spam protectors in the setter of this property:
    if (value)
    {
        this.spamProtectors.Add(this.myStrategyInstance);
    }

8. Add MySpamProtector to the Sitefinity toolbox. To do that, the protector should be added to the <toolboxControls> tag in the web.config file.
Sample Implementation of Bot Trap Link Strategy
Functionality description
The Bot Trap Link strategy for spam detection is based on the assumption that an extremely small image would be invisible to humans but visible to bots. So, if there is a link beneath that image and it gets opened, the visitor is assumed to be a bot and the received data should be ignored.
The page that contains the form to be filled in by a user also contains an image 1 pixel in size and a link to an additional page. If the link is opened and the page it points to is visited, the visitor is assumed to be a bot. Therefore, a handler class (BotTrapLinkHandler) takes the GUID of the page visitor and saves it in the cache. Afterwards, the BotTrapLink class checks whether the current GUID is in the cache; if it is, the visitor is a bot and the submitted data should be discarded.
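A sketch of the handler and cache check described above, added as an example and not the source of Sitefinity's BotTrapLinkHandler. The article does not say how the visitor GUID is carried between requests, so the `visitorId` cookie, the `bot-trap:` cache key prefix, the 30-minute lifetime and the class name are all assumptions.

```csharp
using System;
using System.Web;
using System.Web.Caching;

// Added sketch with hypothetical names; only System.Web types are used.
public class BotTrapLinkHandlerSketch : IHttpHandler
{
    private const string VisitorCookie = "visitorId"; // assumed cookie holding the visitor GUID
    private const string KeyPrefix = "bot-trap:";     // assumed cache key prefix

    public bool IsReusable { get { return true; } }

    // Runs when the link under the 1-pixel image is requested.
    public void ProcessRequest(HttpContext context)
    {
        Guid visitor;
        if (TryGetVisitor(context.Request, out visitor))
        {
            // Absolute expiry keeps the cache from growing without bound.
            HttpRuntime.Cache.Insert(KeyPrefix + visitor, true, null,
                DateTime.UtcNow.AddMinutes(30), Cache.NoSlidingExpiration);
        }
        context.Response.StatusCode = 204; // nothing to show to whoever followed the link
    }

    // Called from the strategy when the form is posted back.
    public static bool IsTrapped(HttpRequest request)
    {
        Guid visitor;
        return TryGetVisitor(request, out visitor)
            && HttpRuntime.Cache[KeyPrefix + visitor] != null;
    }

    private static bool TryGetVisitor(HttpRequest request, out Guid visitor)
    {
        visitor = Guid.Empty;
        HttpCookie cookie = request.Cookies[VisitorCookie];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return false;
        // The cookie is client-controlled input, so a malformed value is ignored.
        try { visitor = new Guid(cookie.Value); return true; }
        catch (FormatException) { return false; }
        catch (OverflowException) { return false; }
    }
}
```

The check only links the two requests when the client sends the same identifier on both, so a bot that drops cookies between the trap request and the form post is not caught by this sketch.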
Steps for creating the Bot Trap Link strategy
1. Create a new class which inherits from SpamProtector. Name it CustomSpamProtector.

    public class CustomSpamProtector : SpamProtector

2. Create a new class which implements ISpamProtector. Name it BotTrapLink.

    public class BotTrapLink : ISpamProtector

3. Implement the custom logic in the class BotTrapLink using the methods and properties provided by the interface and add any new necessary methods and properties.
4. Create a private instance of BotTrapLink as an extender in the class CustomSpamProtector. Name it botTrapLink.

    private BotTrapLink botTrapLink;

5. Add a constructor to the class CustomSpamProtector.

    public CustomSpamProtector()
    {
        botTrapLink = new BotTrapLink();
    }

6. Add all the needed properties to the class CustomSpamProtector. Use them to access the properties on botTrapLink. For example:

    public string BotTrapLinkMsg
    {
        get
        {
            return botTrapLink.ErrorMessage;
        }
        set
        {
            botTrapLink.ErrorMessage = value;
        }
    }

7. Add a boolean property to the CustomSpamProtector class which will enable the custom strategy. Name it EnableBotTrapLink. Add botTrapLink to the collection of spam protectors in the setter of this property:

    public bool EnableBotTrapLink
    {
        get
        {
            return botTrapLink.IsEnabled;
        }
        set
        {
            botTrapLink.IsEnabled = value;
            // Register the strategy with the base control only when it is switched on.
            if (value)
            {
                this.spamProtectors.Add(this.botTrapLink);
            }
        }
    }

8. Add CustomSpamProtector to the Sitefinity toolbox. To do that, the protector should be added to the <toolboxControls> tag in the web.config file:

    <toolboxControls>
      ...
      <add name="Custom Spam Protector" section="Forms"
           type="SpamProtectionTest.CustomSpamProtector, SpamProtectionTest"
           description="A different strategy." />
    </toolboxControls>