Justin takes issue with my methodology for spam protection...
I spent about 90 minutes implementing the spam protection and a few other minor tweaks
to blogx (like the ability to disable comments completely from the site.config file).
First, let me explain the goals of my spam protection. My goal was fairly simple:
remove the maximum number of spam comments from my blog. I had two approaches in mind:
1) remove commenting from the site, 2) provide some security.
When I went down the security route, I actually figured that even plain text security
(just making someone/thing read the text and parse out a word) would be sufficient. I doubt
anyone is really using an OCR system to post spam comments on my site. Without anything it is
just too easy to post. If people start hacking on the site again, I'll just remove
comments - no money is at risk here, I'm not going to spend sleepless nights trying
to prevent spammers.
As for the process I use, it is a simple uniform gradient behind the text. Any artifacts
are from the jpeg compression. The words are stored in a plain text file on the server,
and I use System.Security.Cryptography.RandomNumberGenerator to pick the word. The
only thing sent to the client is the offset of the word.
Simple threat modeling exercise... Of course, since I have a small dictionary on
the server, it would be easy to visit the site often enough and form a complete duplicate
of the words from the server. Since the offset is round-tripped to the client, both
in the URL of the image and in the ViewState, these are both susceptible to attack.
In addition, the image pattern is simple, as you point out, so OCR against it would
be relatively straightforward.
With all of these threats, and basically no mitigations, it is pretty clear that someone
can hack around my "security". The intent isn't to provide robust security that I
would expect from a bank or anything else (I'm not even running HTTPS, I don't authorize
commenters, etc.)... the goal is just to make my site less attractive to spammers.
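To make the offset/ViewState point in the threat model above concrete, here is an added example (not blogx code) in Python rather than .NET. It contrasts the scheme as described, where the dictionary offset itself is what the client sees, with a variant that hands the client only an opaque, single-use, expiring token and keeps the offset server-side; the word list and TTL are constructed for the example, and the OCR threat is untouched by this change.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample word list standing in for the plain-text dictionary on the server.
WORDS = ["apple", "castle", "dragon", "forest", "meadow"]
CHALLENGE_TTL = 300.0  # seconds a challenge stays valid (assumed value)


# --- Scheme as described: the word's offset goes into the image URL and ViewState ---
def weak_issue() -> int:
    """Pick the offset with a CSPRNG (the .NET RandomNumberGenerator equivalent)."""
    return secrets.randbelow(len(WORDS))


def weak_verify(offset: int, answer: str) -> bool:
    """The offset the client sent back is the index of the expected word."""
    return WORDS[offset] == answer.strip().lower()

# Because the client-visible offset is the answer's index, anyone who has collected
# the dictionary once can map every later challenge to its word without any OCR.


# --- Hardened variant: the client only ever sees an opaque, single-use token ---
_pending: Dict[str, Tuple[int, float]] = {}  # token -> (offset, expiry time)


def issue_challenge(now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    offset = secrets.randbelow(len(WORDS))
    token = secrets.token_urlsafe(16)  # reveals nothing about the offset
    _pending[token] = (offset, now + CHALLENGE_TTL)
    return token  # this, not the offset, is what goes in the URL / ViewState


def word_for_token(token: str) -> Optional[str]:
    """Server-side only: used when rendering the image for a pending challenge."""
    entry = _pending.get(token)
    return WORDS[entry[0]] if entry else None


def verify_challenge(token: str, answer: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    entry = _pending.pop(token, None)  # single use: consumed whether or not it matches
    if entry is None:
        return False
    offset, expires = entry
    if now > expires:
        return False
    return secrets.compare_digest(WORDS[offset], answer.strip().lower())
```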