I’ve hooked a health provider up in my web.config to send me all unhandled exceptions by e-mail. See here how to do that – you just have to put some lines in the web.config. Well, I get all sorts of different exceptions but one I get more than 20 times a day. It’s actually rear that I get anything else than this one particular unhandled exception.
It looks like this:
Exception type: System.ArgumentException
Exception message: Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
Am I an idiot?
Now you might think that I’m an idiot that I didn’t do anything about it months ago, but hold on a minute. It says that a postback is invalid because event validation is turned on. It’s turned on by default in ASP.NET so that’s no big surprise. No my dear reader, this is not an error I would like to remove by disabling the event validation, because this error is in fact caused by spam bots trying to spam my comments.
They all fail in doing so, because event validation is enabled and thus throwing this exception every time they try. Did I mention to say that event validation is turned on by default and is a native feature of ASP.NET? That means that all ASP.NET application has a natural spam bot protection system build right into it by default. How cool is that?
Maybe this example will convince those of you who didn’t believe me in the last post I did about ASP.NET security and unnecessary CAPTCHAS.
Update 30 minutes later: I've just received 25 more mails in half an hour. Maybe the bots read my post and didn't believe me either.