Implemented CAPTCHA Security to Protect the Contact Page

With today's site update I have protected the Contact page with a CAPTCHA security mechanism. CAPTCHA stands for "Completely Automated Public Turing Test to Tell Computers and Humans Apart" and can be used to prevent automated attacks on pages that allow a user to submit Comments, Contact details, Orders and so on.

Update 6/6/2010: I am no longer using a graphical CAPTCHA on my web site, but a simple text based calculation instead.

Update 10/09/2004: Microsoft just published a great article about this subject on their MSDN Web site. You can find the article here.

My Contact page wasn't really suffering from these kind of attacks, but I thought it would an interesting exercise to find out how to implement CAPTCHA.

Some of the sources for the CAPTCHA application come from an article at titled Fighting Spambots with .NET and AI. While I found the article itself pretty messy and difficult to read (there are at least a zillion images demonstrating the use of CAPTCHA), the article came with some pretty useful code written in VB.NET. Since my site is written exclusively in C#, I had to convert the code, and changed a few things along the way.

If you want to find out more about CAPTCHA, check out the Web site of The CAPTCHA Project or check out this short white paper titled Telling Humans and Computers Apart (in .PDF format). If you want to see an implementation of CAPTCHA in VB.NET, download the source code that comes with the CAPTCHA article at the 15Seconds site.


Where to Next?

Wonder where to go next? You can read existing comments below or you can post a comment yourself on this article .

Consider making a donation
Please consider making a donation using PayPal. Your donation helps me to pay the bills so I can keep running Imar.Spaanjaars.Com, providing fresh content as often as possible.

Feedback by Other Visitors of Imar.Spaanjaars.Com

On Sunday, May 10, 2009 3:51:44 PM Lars said:
How does these automated attacks actually work?
I have thought, that for a start I could just put in a normal picture with some text rather that CAPTCHA. If it is a robot crawling my site I guess it won't be able to tell, that it should put in the text from the picture.
Or am I wrong about this?
And the reason I would not put in CAPTCHA (at first) is that I guess it is difficult and I'm still just learning.
Kind regards
Danish fan and reader of beginning 3
On Sunday, May 10, 2009 4:03:10 PM Imar Spaanjaars said:
Hi Lars,

They do this by programmatically submitting data. There are a number of ways to do it:

1. Create a local form based on the target form, remove all client side validation and submit.

2. Programmatically submit data to the page.

In both case, it's easy to pass data for all fields. I regularly see automated posts with random data (or the name of a product) for all fields, including the CAPTCHA field.

And yes, a static text might work if you have a site that's not really worth spending a lot of time working around a CAPTCHA (for an advertiser). It might work for your site, or mine, but it would be way too weak for a site like ;-)

Cheers and have fun with the book,

On Friday, June 19, 2009 8:29:56 AM ant said:
I am having problems with jpeg files exported from Lightroom 2.2 . I dont think ImageGetExifMetadata working properly for LR images. I can see the all exif information with a different programs. One of the errors:"Element Focal Plane Y Resolution is undefined in a CFML structure referenced as part of an expression. ". "Element Focal Plane Y Resolution" is there but CF can't read it. I have tried all sorts with no luck.On the other hand it works for non LR jpg images. Any ideas?
On Saturday, June 20, 2009 9:28:08 AM Imar Spaanjaars said:
Hi ant,

Sorry, I have no idea....


Talk Back! Comment on Imar.Spaanjaars.Com

I am interested in what you have to say about this article. Feel free to post any comments, remarks or questions you may have about this article. The Talk Back feature is not meant for technical questions that are not directly related to this article. So, a post like "Hey, can you tell me how I can upload files to a MySQL database in PHP?" is likely to be removed. Also spam and unrealistic job offers will be deleted immediately.

When you post a comment, you have to provide your name and the comment. Your e-mail address is optional and you only need to provide it if you want me to contact you. It will not be displayed along with your comment. I got sick and tired of the comment spam I was receiving, so I have protected this page with a simple calculation exercise. This means that if you want to leave a comment, you'll need to complete the calculation before you hit the Post Comment button.

If you want to object to a comment made by another visitor, be sure to contact me and I'll look into it ASAP. Don't forget to mention the page link, or the QuickDocId of the document.

For more information about the Talk Back feature, check out this news item.