
Do you have a blog? Do you get slammed by comment spam or referrer spam or even trackback spam? If you’re like the rest of the world, you probably do.

Some of us combat comment spam by adding CAPTCHA images where our readers have to type in some convoluted text in a crappy image to prove we are human and not a bot. The problem is that some geeky college student decided to write an algorithm to beat CAPTCHA as a class project and showed it to the web. Now your CAPTCHA is only about 17% effective in stopping bots (no, I don’t know where I read that, but I did, so just trust me). This also doesn’t take into account the comments submitted via the CommentAPI web service through clients like RSSBandit, or referrer spam, or even trackback spam. How can you kill these people?

A few months ago I saw ReverseDOS by Michael Campbell on his site AngryPets (cool site name BTW, but I digress…). If you want to know how it really works, go to the ReverseDOS link above. Here’s my take: he checks every single request coming in against a bunch of filters in a special config file. If something matches the specific criteria, ReverseDOS gives the impression that your site is the victim of a DoS attack and just sits and spins, never accepting the post. It’s a piece of cake to install too! Just drop the DLL in your bin folder, add ReverseDOS.config to your root, and register the ReverseDOS module in the httpModules section of your web.config. That’s it! It’s working so well for me that I’ve removed my CAPTCHA solution! Try it for yourself: you can hit this page on my site: http://www.andrewconnell.com/blog/default.aspx. But if you add the querystring “?poker” to the URL, you’ll see my site act like it’s getting hammered and just not respond. Why didn’t it catch this post? Because I’ve listed my IP as a trusted address (anything sent from my home PC will get through).

Is it perfect? No… but it’s pretty damn close. I sent a few feature requests in last night, which I may take a shot at implementing myself (yes, the source is available). Here are my ideas for enhancements:

  • Add reverse DNS lookup to trusted sites OR
  • Add a special cookie to be added on clients which you wish to grant access to… use with some sort of encryption algorithm (like a combo of the domain?) with a daily/weekly/monthly/on-demand expiry?
  • Add anti-filters, or white list filters to the filter list
  • Add a “DMZ” URL pattern so that anything matching a specific URL regex is allowed through (so I can post to my admin site without ReverseDOS locking me out).
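To make the mechanism concrete, here is the same idea as an added illustration written for this page, not code from ReverseDOS (its config format and source are not reproduced here): a Python WSGI middleware that plays the role of the ASP.NET HttpModule, checks the path, querystring and POST body against a list of regex filters, lets trusted addresses through, and dribbles a response one byte at a time when a filter matches. It also goes a step beyond the post by implementing the “DMZ” URL pattern from the wish list above. The rule lists, network ranges and paths are all hypothetical stand-ins (documentation address ranges from RFC 5737 and RFC 1918), not the author’s real configuration.

```python
"""Tarpit-style request filter in the spirit of ReverseDOS.

Added example; not ReverseDOS's own code. The rule lists below are hypothetical
stand-ins for ReverseDOS.config, the addresses are documentation ranges, and the
WSGI wrapper is an analogue of the ASP.NET HttpModule described in the post.
"""
import io
import ipaddress
import re
import time
from typing import Iterator, Sequence

# Hypothetical spam filters: regexes applied to path, querystring and POST body.
SPAM_PATTERNS = [r"\bpoker\b", r"\bcasino\b", r"\bviagra\b"]
# Trusted sources are never tarpitted (the post's "trusted address" for the home PC).
TRUSTED_NETWORKS = ["192.0.2.10/32", "10.0.0.0/8"]
# "DMZ" paths bypass the filters entirely; only use this for paths behind authentication.
DMZ_URL_PATTERNS = [r"^/admin/"]


class RequestFilter:
    """Decides whether one request is served normally or tarpitted."""

    def __init__(self, spam_patterns: Sequence[str], trusted_networks: Sequence[str],
                 dmz_patterns: Sequence[str]) -> None:
        self.spam = [re.compile(p, re.IGNORECASE) for p in spam_patterns]
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.dmz = [re.compile(p) for p in dmz_patterns]

    def is_trusted(self, remote_addr: str) -> bool:
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:  # missing or garbage REMOTE_ADDR is never trusted
            return False
        return any(addr in net for net in self.trusted)

    def decide(self, remote_addr: str, path: str, query: str = "", body: str = "") -> str:
        """Return 'allow' or 'tarpit'. Trusted IPs and DMZ paths skip the filters."""
        if self.is_trusted(remote_addr) or any(p.search(path) for p in self.dmz):
            return "allow"
        # The post's demo triggers on "?poker", so the querystring is inspected along
        # with the path and any POST body (comment text, trackback excerpt, CommentAPI payload).
        haystack = "\n".join((path, query, body))
        return "tarpit" if any(p.search(haystack) for p in self.spam) else "allow"


def tarpit_body(delay_seconds: float = 5.0, chunks: int = 60) -> Iterator[bytes]:
    """Dribble a response one byte at a time so the client thinks the server is swamped."""
    for _ in range(chunks):
        time.sleep(delay_seconds)
        yield b" "


def make_wsgi_middleware(app, rules: RequestFilter, delay_seconds: float = 5.0, chunks: int = 60):
    """Wrap a WSGI app the way the post wraps ASP.NET with an HttpModule."""
    def middleware(environ, start_response):
        body = ""
        if environ.get("REQUEST_METHOD") == "POST":
            try:
                length = int(environ.get("CONTENT_LENGTH") or 0)
            except ValueError:
                length = 0
            raw = environ["wsgi.input"].read(length) if length > 0 else b""
            body = raw.decode("utf-8", "replace")
            environ["wsgi.input"] = io.BytesIO(raw)  # let the real app read the body again
        verdict = rules.decide(environ.get("REMOTE_ADDR", ""), environ.get("PATH_INFO", ""),
                               environ.get("QUERY_STRING", ""), body)
        if verdict == "tarpit":
            start_response("200 OK", [("Content-Type", "text/html")])
            return tarpit_body(delay_seconds, chunks)
        return app(environ, start_response)
    return middleware


RULES = RequestFilter(SPAM_PATTERNS, TRUSTED_NETWORKS, DMZ_URL_PATTERNS)


def demo_app(environ, start_response):
    """Stand-in for the blog: the page a legitimate request actually reaches."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served"]


if __name__ == "__main__":
    # Constructed sample requests mirroring the post's "?poker" demo.
    for addr, path, query in [("203.0.113.5", "/blog/default.aspx", "poker"),
                              ("192.0.2.10", "/blog/default.aspx", "poker"),
                              ("203.0.113.5", "/blog/default.aspx", "")]:
        print(addr, path, query or "-", "->", RULES.decide(addr, path, query))
```

Two caveats before running something like this in production. Every tarpitted connection holds a server thread or connection slot for the whole delay, so cap the number of concurrent tarpits (or serve them from an async handler) or a spammer can turn your anti-spam tarpit into a real DoS against you. And trusting by IP only works if REMOTE_ADDR is the real client: behind a reverse proxy or CDN it is the proxy, and any X-Forwarded-For header you fall back to can be forged by the client unless the proxy overwrites it.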

I strongly recommend it after using it for only a few days.

» AngryPets: ReverseDOS
