NoBot is a control that attempts to provide CAPTCHA-like
bot/spam prevention without requiring any user interaction. This approach is easier to bypass than an
implementation that requires actual human intervention, but NoBot has the benefit of being completely
invisible. NoBot is probably most relevant for low-traffic sites where blog/comment spam is a problem
and 100% effectiveness is not required.
NoBot employs a few different anti-bot techniques:
- Forcing the client's browser to perform a configurable JavaScript calculation and verifying the
result as part of the postback. (Ex: the calculation may be a simple numeric one, or may also
involve the DOM for added assurance that a browser is involved)
- Enforcing a configurable delay between when a form is requested and when it can be posted back.
(Ex: a human is unlikely to complete a form in less than two seconds)
- Enforcing a configurable limit to the number of acceptable requests per IP address per unit of
time. (Ex: a human is unlikely to submit the same form more than five times in one minute)
NoBot can be tested by violating any of the above techniques: posting back quickly, posting back
many times, or disabling JavaScript in the browser.
The control is initialized with this markup. The properties described as optional in the list below can be omitted:
<ajaxToolkit:NoBot
    ID="NoBot2"
    runat="server"
    OnGenerateChallengeAndResponse="CustomChallengeResponse"
    ResponseMinimumDelaySeconds="2"
    CutoffWindowSeconds="60"
    CutoffMaximumInstances="5" />
- OnGenerateChallengeAndResponse - Optional EventHandler<NoBotEventArgs>
providing a custom implementation of the challenge/response code
- ResponseMinimumDelaySeconds - Optional minimum number of seconds before which
a response (postback) is considered valid
- CutoffWindowSeconds - Optional number of seconds specifying the length of the
cutoff window that tracks previous postbacks from each IP address
- CutoffMaximumInstances - Optional maximum number of postbacks to allow by a
single IP address within the cutoff window
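
The three techniques and the property values above can be modelled on the server side as follows. This is an added example written in Python to show how the checks interact; it is not the toolkit's code, and the class name, method names, result strings, token scheme and the order of the checks are assumptions of the model.

```python
import hmac
import secrets
from collections import defaultdict, deque

# Values taken from the markup above.
RESPONSE_MINIMUM_DELAY_SECONDS = 2
CUTOFF_WINDOW_SECONDS = 60
CUTOFF_MAXIMUM_INSTANCES = 5


class NoBotModel:
    """Simplified model of the three checks (hypothetical, not the toolkit's code)."""

    def __init__(self):
        self._pending = {}                    # token -> (expected answer, issue time)
        self._postbacks = defaultdict(deque)  # ip -> times of postbacks in the window

    def issue(self, now):
        """Form requested: return a token and operands the client script multiplies."""
        a, b = secrets.randbelow(300) + 1, secrets.randbelow(200) + 1
        token = secrets.token_hex(16)
        self._pending[token] = (str(a * b), now)
        return token, a, b

    def validate(self, token, response, ip, now):
        """Postback received: return 'valid' or the reason for rejection."""
        # Every postback counts toward the per-IP limit, including rejected ones
        # (an assumption of this model).
        recent = self._postbacks[ip]
        while recent and now - recent[0] >= CUTOFF_WINDOW_SECONDS:
            recent.popleft()
        recent.append(now)
        # Challenges are single use, so a captured answer cannot be replayed.
        entry = self._pending.pop(token, None)
        if entry is None:
            return "invalid: unknown or reused challenge"
        expected, issued_at = entry
        if not hmac.compare_digest(expected, str(response)):
            return "invalid: bad response"
        if now - issued_at < RESPONSE_MINIMUM_DELAY_SECONDS:
            return "invalid: response too soon"
        if len(recent) > CUTOFF_MAXIMUM_INSTANCES:
            return "invalid: address too active"
        return "valid"
```

Because the limit is keyed on the IP address, visitors who share one address (a proxy or NAT gateway) also share the five-per-minute budget.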