Bad Behavior 2 Alpha 2 is now available for wide testing. If you’ve used Bad Behavior in the past, or if you currently use Akismet or Spam Karma 2 and those spam numbers just keep going up, it’s time to learn what Bad Behavior 2 can do for you.
Bad Behavior 2 is a ground-up rewrite of Bad Behavior, the only Web spam killer which stops spammers before they even have a chance to get started. It does this by focusing not on the content of the messages, but on the delivery method. As such, for maximum effect, you should use it in conjunction with another content-based plugin, such as Spam Karma 2 or Akismet. But even on its own, Bad Behavior is once again shockingly effective at stopping spam.
When Bad Behavior was first introduced a year ago, (holy crap it HAS been that long!) it was the first tool of its kind targeting malicious activity on a wide variety of Web sites and platforms. While a few other similar solutions exist, such as mod_security for Apache, they can’t be installed by the user, and they don’t specifically target blog and forum spam, wiki vandalism and the like.
By contrast, Bad Behavior is a set of PHP scripts which pre-screens every request to your PHP-based Web site. The first major version of Bad Behavior was ported to nearly a dozen different blogs, wikis, forums and guestbooks, and many more generic ports were reported that their authors kept privately and never released. Bad Behavior 2 intends to keep the tradition of being portable to any PHP-based platform and expand on it by providing a more comprehensive and structured general API which can be wrapped into virtually anything.
Unfortunately, this wasn’t possible with the previous major version of Bad Behavior, owing to its design, thus the ground-up rewrite. Much to my surprise, Bad Behavior 2 is actually smaller than its predecessor, and catches virtually all spam with virtually no false positives. As of the time of this writing, it allowed only one spam to escape, and on investigation I found that spam had been manually posted by a very bored spammer. (In the final release, he too will be blocked.)
Now, down to business. As I said in the previous post, I haven’t completed the MediaWiki and ExpressionEngine ports yet, primarily due to time constraints, and the constraints of having thousands of people being hit by millions of spams and crying out for a solution now. So for now, this test release only runs on WordPress. It requires WP 1.5 or any later version.
Because this is a test release, there are some special installation instructions. First, if you installed 2.0 Alpha 1, delete it first before uploading this version.
This version can be installed alongside Bad Behavior 1, and in fact I recommend it. Upload the files in the usual way for any plugin. Then go to Manage Plugins. You’ll see both versions listed. Deactivate Bad Behavior 1, then activate Bad Behavior 2. To switch back, deactivate Bad Behavior 2, then activate Bad Behavior 1. Do not allow both version 1 and 2 to be active at the same time.
There are no show-stopping bugs that I’m aware of in this release; it’s stable enough for everyday use. However, it is not feature-complete; several items on the roadmap remain unfinished. For instance, a screener for requests which are suspicious but not certainly spam is only partially implemented. (Which is how that manual spammer got through.) The administrative screen located under Options > Bad Behavior is also not yet implemented.
Even so, I believe that this release will cut your spam flow on your WordPress blog to virtually nothing, without any false positives. However, in the extremely rare event that there is a false positive, the user will receive a technical support key and a brief explanation of what he can do to fix the problem (e.g. scan for spyware). Collect this key from the user and then mail it to me and I’ll get back to you with further information. The error page also provides a link the user can click for extended information; this part is also partially implemented and will be what I work on next.
And as always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit counts.
I’ve said before that the time would probably come when I would ask for brave volunteers to help run test code in order to help me build the next generation of Bad Behavior. One of those times has just arrived.
In developing Bad Behavior, I need access to a much larger body (corpus) of spam than I currently have, and I need your help to collect it. So this test code will automatically send a copy of any spam you receive to me.
There are some qualifications for this test, however, and you will want to pay close attention.
First, the plugin compatibility requirements. You must already be running both Bad Behavior and Akismet, and NOT be running Spam Karma. (The test code just won’t work with Spam Karma, and it currently requires Akismet for screening missed comments.) You must have at least WordPress 1.5 or higher to play.
Second, the data privacy issue. In some countries you may need to disclose this to your readers, so I’m disclosing it to you. This bit of code leverages Akismet to determine what bits of spam Bad Behavior is missing, and when Akismet determines that a comment is spam, it sends me a copy of the spammy request. The problem is that like everything else, Akismet is not 100% perfect, and it is possible that I’ll receive a legitimate comment. When this happens, I will delete the copy I received.
Finally, the installation. This is just a repackaged copy of Bad Behavior 1.2.4 with the code in question enabled. Replace your existing copy of Bad Behavior with this copy, reactivate the plugin if necessary, and you’re done.
In all other respects it operates exactly as Bad Behavior 1.2.4, the current version, except that it sends me a copy of any comment/ping submitted that Akismet (and possibly other plugins, but not Spam Karma) marks as spam. With this body of information I will be better able to develop more advanced techniques to combat comment spam, reduce the need for other plugins, and possibly even eliminate the very few false positives. I’ve got a few other ideas in mind, but I don’t want to share them too early and allow the spammers any advantages.
Sorry, MediaWiki users; I don’t have something ready for you just yet. But stay tuned. I run MediaWiki also, and I’m very interested in helping you eliminate wikispam as well.