
Ajax Control Toolkit NoBot

Modified on 2010/04/16 00:50 by Stephen Walther Categorized as Uncategorized
NoBot is a control that attempts to provide CAPTCHA-like bot/spam prevention without requiring any user interaction. This approach is easier to bypass than an implementation that requires actual human intervention, but NoBot has the benefit of being completely invisible. NoBot is probably most relevant for low-traffic sites where blog/comment spam is a problem and 100% effectiveness is not required.

NoBot employs a few different anti-bot techniques:

  • Forcing the client's browser to perform a configurable JavaScript calculation and verifying the result as part of the postback. (Ex: the calculation may be a simple numeric one, or may also involve the DOM for added assurance that a browser is involved)
  • Enforcing a configurable delay between when a form is requested and when it can be posted back. (Ex: a human is unlikely to complete a form in less than two seconds)
  • Enforcing a configurable limit to the number of acceptable requests per IP address per unit of time. (Ex: a human is unlikely to submit the same form more than five times in one minute)

NoBot can be tested by violating any of the above techniques: posting back quickly, posting back many times, or disabling JavaScript in the browser.

NoBot Server Properties

The properties in italics are optional.

<ajaxToolkit:NoBot
  ID="NoBot2"
  runat="server"
  OnGenerateChallengeAndResponse="CustomChallengeResponse"
  ResponseMinimumDelaySeconds="2"
  CutoffWindowSeconds="60"
  CutoffMaximumInstances="5" />
  • OnGenerateChallengeAndResponse - Optional EventHandler providing a custom implementation of the challenge/response code
  • ResponseMinimumDelaySeconds - Optional minimum number of seconds that must elapse after the form is rendered before a response (postback) is considered valid
  • CutoffWindowSeconds - Optional number of seconds specifying the length of the cutoff window that tracks previous postbacks from each IP address
  • CutoffMaximumInstances - Optional maximum number of postbacks to allow from a single IP address within the cutoff window
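The following Python model ties the three techniques listed above to the three server properties just described. It is an added example written for this page, not code from the Ajax Control Toolkit: a challenge/response pair is issued when the form is rendered (the role of the default or custom OnGenerateChallengeAndResponse handler), and on postback the server checks the answer, the elapsed time against ResponseMinimumDelaySeconds, and the per-IP postback count against CutoffMaximumInstances within CutoffWindowSeconds. The challenge format, the reason strings, the token scheme and the fake clock are assumptions made for the example; the toolkit's own challenge script and internal bookkeeping are not shown on this page.

```python
"""Stand-alone model of NoBot's three server-side checks (added example, not the toolkit's code)."""
import random
import re
import secrets
import time
from collections import defaultdict, deque

# Assumed challenge shape: plain arithmetic "a*b+c" that the browser's script would evaluate.
_CHALLENGE = re.compile(r"^(\d+)\*(\d+)\+(\d+)$")


def solve_challenge(challenge):
    """Stand-in for the browser running the challenge script and returning the result as text."""
    match = _CHALLENGE.match(challenge)
    if not match:
        raise ValueError("challenge is not in the assumed a*b+c form")
    a, b, c = (int(g) for g in match.groups())
    return str(a * b + c)


class NoBotModel:
    """Illustrative server-side state; property names mirror the NoBot markup attributes."""

    def __init__(self, response_minimum_delay_seconds=2, cutoff_window_seconds=60,
                 cutoff_maximum_instances=5, clock=time.time, rng=None):
        self.response_minimum_delay_seconds = response_minimum_delay_seconds
        self.cutoff_window_seconds = cutoff_window_seconds
        self.cutoff_maximum_instances = cutoff_maximum_instances
        self._clock = clock                     # injectable for testing (assumption)
        self._rng = rng or random.SystemRandom()
        self._issued = {}                       # token -> (issued_at, expected_response)
        self._postbacks = defaultdict(deque)    # ip -> timestamps of recent postbacks

    def issue_challenge(self):
        """Called when the form is rendered: returns (token, challenge) to embed in the page."""
        a, b, c = (self._rng.randint(2, 99) for _ in range(3))
        challenge = f"{a}*{b}+{c}"
        token = secrets.token_hex(8)            # single-use handle for this rendered form
        self._issued[token] = (self._clock(), str(a * b + c))
        return token, challenge

    def validate(self, token, ip, response):
        """Called on postback: returns the list of violated checks (empty list = accepted)."""
        now = self._clock()
        reasons = []
        # Per-IP cutoff window: drop entries older than the window, count this postback,
        # and reject once the count exceeds CutoffMaximumInstances.
        window = self._postbacks[ip]
        while window and now - window[0] > self.cutoff_window_seconds:
            window.popleft()
        window.append(now)
        if len(window) > self.cutoff_maximum_instances:
            reasons.append("cutoff-exceeded")
        # Challenge/response: the token is consumed on first use, so a replayed form fails.
        issued = self._issued.pop(token, None)
        if issued is None:
            reasons.append("unknown-or-reused-token")
            return reasons
        issued_at, expected = issued
        if str(response) != expected:           # no JavaScript, or a wrong answer
            reasons.append("challenge-failed")
        # Minimum delay: a postback faster than ResponseMinimumDelaySeconds is rejected.
        if now - issued_at < self.response_minimum_delay_seconds:
            reasons.append("response-too-fast")
        return reasons


def demo():
    """Walks the outcomes described on the page with a fake clock; returns them by scenario."""
    t = [1000.0]
    model = NoBotModel(clock=lambda: t[0], rng=random.Random(7))
    ip = "203.0.113.5"                          # constructed client address
    results = {}
    tok, ch = model.issue_challenge(); t[0] += 0.5       # posted back half a second later
    results["too-fast"] = model.validate(tok, ip, solve_challenge(ch))
    tok, ch = model.issue_challenge(); t[0] += 3         # JavaScript disabled: empty answer
    results["no-js"] = model.validate(tok, ip, "")
    tok, ch = model.issue_challenge(); t[0] += 3         # ordinary human submission
    results["human"] = model.validate(tok, ip, solve_challenge(ch))
    results["replay"] = model.validate(tok, ip, solve_challenge(ch))  # same form resubmitted
    flood = []
    for _ in range(2):                                   # postbacks five and six in the window
        tok, ch = model.issue_challenge(); t[0] += 3
        flood.append(model.validate(tok, ip, solve_challenge(ch)))
    results["fifth"], results["sixth"] = flood
    t[0] += 61                                           # window expires
    tok, ch = model.issue_challenge(); t[0] += 3
    results["after-window"] = model.validate(tok, ip, solve_challenge(ch))
    return results


if __name__ == "__main__":
    for scenario, reasons in demo().items():
        print(f"{scenario:13s} -> {'accepted' if not reasons else ', '.join(reasons)}")
```

The rate-limit check counts every postback, accepted or not, so a client that keeps failing the other checks still consumes its allowance; and because the token is consumed on first use, resubmitting an already-accepted form is rejected even when the answer and timing are fine. Both are design choices of this example, not documented NoBot behaviour.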