I know this has been asked a LOT of times, but I am really struggling having tried a lot of different potential solutions.
I have a c# ASP.net website page. There is a form on there with a submit button. all code is in the code behind page.
We do not get any spam submitted through the form because I have a capture element. Yet - spam bots have are scanning the page, getting the field names and posting straight to the page.
I only know this because I set the Application_Error
to report any errors by email to me (in global.asax).
I have tried changing my field names - but they just pick up the new fields.
I have put <httpRuntime requestValidationMode="2.0" />
in the web.config.
In my page, I have EnableEventValidation="False"
But - as I said, the problem isn't allowing html in the post data, it's trying to stop spam bots from submitting DIRECTLY to the page. It's being triggered (I think) before the page even loads.
I'm running out of ideas here! I am blocking ip ranges every 10 minutes on our firewall. I cannot keep doing that!
Thanks for any help!
This is what you do: ignore it. Blocking IPs will just keep you running around in circles and is ultimately a waste of time.
If spam is not actually being submitted then you really don't have a problem. The framework is doing exactly what it is supposed to be doing.
Quite frankly, I wouldn't bother investigating an error message like that unless it was preventing an actual user from doing what they need to do.
If you really just want the errors to go away then you need to do the following:
EnableEventValidation="true"
ValidateRequest="false"
EnableEventValidate
tells .net to see if the post came from clicking on a control that it had rendered. This should help prevent direct posts.ValidateRequest
tells .net whether to test the inputs for html and other "dangerous" characters. Turning it off will stop your error message.If you are simply trying to get spammers to stop hitting your site: close the site down. As that is the ONLY reliable way of keeping a spammer off of it.