Paul Burdick of pMachine has managed to put out a port of Bad Behavior 2 for ExpressionEngine in the record time of “an hour this afternoon,” he wrote on the EE forums Thursday.
I took a quick look through the extension and to my eye it looks good. I haven’t tested it myself, but the early results on the forum suggest that it works OK.
Check out the EE forum thread for more info and to download the extension.
Please note these special installation instructions:
You need BOTH the bad_behavior extension from EE AND the standard Bad Behavior download.
To install it: Unpack the stock Bad Behavior download, and you’ll find a Bad-Behavior folder. Inside THAT folder is a bad-behavior folder. Upload ONLY the bad-behavior folder from the stock download, along with the ext.bad_behavior.php from the EE download, to your EE ./system/extensions folder. Then upload the lang.bad_behavior.php file to your EE ./system/language/english folder.
You can then activate and configure Bad Behavior from the Extensions Manager. The ‘strict’ and ‘verbose’ settings should work as for the other ports. I don’t know if the ‘display_stats’ setting has been implemented; I think on EE it probably requires a template change at least…
In the two days or so since I released Bad Behavior 2, it’s been downloaded 267 times. That’s 267 (or more) people enjoying the peace of mind that comes from knowing that web spam doesn’t have to be a nightmare. If you’re reading this, you are probably one of them. Congratulations!
Since I have a lot of new subscribers lately, this seemed like a good time to talk about what Bad Behavior is, what it isn’t, and how it fits into an overall spam prevention strategy.
First and foremost, Bad Behavior is an open source project developed by a stressed and overworked guy (me) with a high profile blog (Homeland Stupidity) in my limited spare time between finding people who want code written for cash and writing that code. If you’ve been around a while, then you know Bad Behavior 2 was delayed for months for just this reason, and was released without all of the planned features.
So the project relies on contributions from its users to allow me to devote more time to Bad Behavior, rather than the other projects which usually pay the bills. Tens of thousands of people use Bad Behavior now, but the number of people who have contributed financially over its lifetime is fewer than 100. (If you’re one of them, you can skip the next section.)
For those of you who have used Bad Behavior and enjoyed not having ads for Viagra, poker, forex, and gawd knows what else for all this time, you should first upgrade to Bad Behavior 2 to get the additional protections it provides. Then by way of saying thanks, buy me a beer. Okay, you can’t do that online, so consider dropping off $5.00 or £3.00 or €4,25 instead. Or if you feel it’s really worth it, you can contribute more from the sidebar.
Your contributions will allow me to devote more time to further development of Bad Behavior. This is sorely needed because, despite the best efforts of the brightest minds on the Internet, spam isn’t going away anytime soon. (We just haven’t figured out how to deliver electric shock over the Internet yet.) This will allow me to spend time on solving your spam problem so you don’t have to.
Bad Behavior is completely different from any other anti-spam solution out there, in that it doesn’t specifically target spam itself. Rather, it targets the methods by which the spam is delivered. Until I released the first version last year, this approach had never been tried. It proved very effective at stopping a lot of malicious activity, not just spam: It also blocks many email address harvesters, meaning less e-mail spam, and some types of automated cracking attempts, improving your server’s security.
While a somewhat similar solution called mod_security exists, it has a rather different purpose, doesn’t target spam, and regular people can’t install mod_security on their shared web hosting accounts. Bad Behavior blocks spam as well as other malicious activity and can be installed by anyone (except GoDaddy customers).
On some high traffic sites, or those specifically targeted by spammers, the traffic from these spam attacks can be so excessive as to exceed your account’s bandwidth limits, or overload the server, and cause your account to be suspended. Bad Behavior helps to prevent both of these situations by blocking malicious activity as soon as possible, before either bandwidth or CPU is expended on a request which will turn out to be bogus.
But because Bad Behavior intends to block no legitimate users whatsoever, it must necessarily let some things pass. Consider it your first line of defense, and back it up with a secondary line of defense in the form of a more traditional anti-spam tool for your platform. For WordPress, this can include Akismet or Spam Karma 2.
You absolutely should use both, as what will happen if you use only the secondary line of defense is that your administrative screen will rapidly fill with so much spam that you won’t be able to find and recover the occasional legitimate comment that those tools block. By blocking most spammers before you ever see their spam, the amount of garbage you have to sift through to find legitimate comments, or the number of edits you have to revert on your wiki, is greatly reduced.
In this way Bad Behavior saves you time and frustration. And this is why I think you should continue to support it: it gives you peace of mind by turning spam from a colossal nightmare into, well, not much at all.
It’s been a long time coming, and Bad Behavior 2, the next generation of the Web’s premier malicious traffic killer, is finally here!
Bad Behavior, conceived in 2005 as a fingerprinting method for HTTP requests, has proven, as one user called it, “shockingly effective” at identifying and blocking malicious activity, including blog/wiki spam, e-mail address harvesting, automated cracking attempts, and more. It does all of this looking only at the HTTP request headers; for POST data, the content of the spam is not analyzed at all.
Even so, Bad Behavior blocks the vast majority of web spam, and has gotten the spammers so worked up they’ve actually stopped spamming me with their latest tools, so as to try to prevent me from learning what they’re up to. (It didn’t work. “The king hath note of all that they intend, By interception which they dream not of.” — Shakespeare)
I’ve been developing Bad Behavior 2 in my limited spare time, off and on, for almost a year. And I want to thank all of you for your patience, especially while spammers were bombarding your blogs and wikis, and for your support. It’s been a crazy year, and I’ll be talking more on a personal note about it in the next few weeks.
And that is the reason I am releasing the software now, when not all of the planned features are present: In recent weeks spammers have greatly stepped up their activity, with some sites receiving ten times as much spam as before. I’ve been hard at work on Bad Behavior 2, making sure that it can block this spam without keeping away your regular readers.
Even without everything I’d planned, Bad Behavior 2 is chock full of new features. Some of them are quite visible, others are more in the backend.
- Bad Behavior 2 is faster than Bad Behavior 1, whether you use database logging or not. It has been completely redesigned from the ground up to be as fast as possible and provide protection on very high traffic sites, such as when you find yourself on the front page of slashdot.org, or you’re the sysop of Wikipedia. For most requests, Bad Behavior 2 issues at most one fast database query, and in many cases, no database queries. Bad Behavior’s run time on fast servers is measured in single milliseconds.
- Bad Behavior 2 has been enhanced with additional checks for spammers who have started or increased their activity in the last year. It also has better screening of trackback spam, killing virtually all of it. Bad Behavior 1 permitted a lot of trackback spam.
- Bad Behavior 2’s options have been standardized across ports, so that the same options work the same way on each software package. (Not all of the options apply to each package, however.) This makes Bad Behavior easier to deploy across multiple sites and different software packages.
- On some software packages, Bad Behavior’s options can be controlled from within the software package. Currently an administrative screen is available on WordPress, and a screen is planned for MediaWiki. (It hasn’t been implemented because developer documentation is sparse, incomplete and wrong, according to Brion. When the documentation improves, the MediaWiki port’s features will improve.)
- For speed reasons, Bad Behavior 2 does not use PHP classes in its core. But Bad Behavior 2’s API has been rewritten to provide a better interface for certain types of software, such as ExpressionEngine, which expect their extensions to be encapsulated in classes. (The EE port isn’t complete, sorry!)
- Some spam delivery methods are easily confused with legitimate users, especially those in large corporations or governments. This is mainly due to the proxies in use at those places. When a spammer uses such a proxy, Bad Behavior cannot easily tell whether the request is legitimate or not. In Bad Behavior 1, these requests were blocked, causing many legitimate users to be blocked. In Bad Behavior 2, you can choose whether to block these requests with the “strict” option.
To upgrade to Bad Behavior 2, you first need to remove all previous versions of Bad Behavior, including any 2.0 pre-release versions. Then you need to drop any database tables Bad Behavior may have created in your database. These may be named, e.g. wp_bad_behavior. They may also be
Then you are ready to install Bad Behavior 2!
The basic installation instructions haven’t changed much from Bad Behavior 1. Please see:
For all platforms except WordPress (for now) options are configured by editing them near the top of the bad-behavior-platform.php file. Currently this includes MediaWiki and the generic non-database port. MediaWiki options will be moved to a special page in a future version.
In WordPress, the available options appear in the Options » Bad Behavior administrative page.
The options available to all users are:
- log_table: The name of the database table Bad Behavior should use. This is set by default for all platforms and should not be changed unless you are porting Bad Behavior to a new software package.
- display_stats: When this option is set, Bad Behavior will display statistics in the footer of your web pages. (Currently works only on WordPress.)
- strict: Enables strict mode blocking. When turned on, certain types of spam will be blocked, but legitimate corporate and government users may also be blocked. This is off by default.
- verbose: Enables logging of all requests received. When turned on, the details of every HTTP request Bad Behavior processes will be logged to the database. When turned off, only blocked requests, and a few legitimate but suspicious requests, will be logged. This is off by default.
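As an added illustration (not Bad Behavior’s own code or rule set) of the header-only approach and of how the strict and verbose options fit into it: the screening function below looks only at the request method, protocol version and headers, blocks an ambiguous proxy-style pattern only when strict is on, and writes to the log only for blocked or suspicious requests unless verbose is on. The function names, verdict constants, sample requests and every individual check are assumptions made for this example.

```php
<?php
// Constructed illustration of header-only request screening (not Bad
// Behavior's own code or rule set). Names and checks are assumptions.

const BB_ALLOW      = 'allow';
const BB_SUSPICIOUS = 'suspicious';   // let through, but worth logging
const BB_BLOCK      = 'block';

/**
 * Screen a request using only its method, protocol version and headers.
 * Returns [verdict, reason]. The POST body is never examined.
 */
function bb_screen(array $request, array $options): array
{
    $headers = array_change_key_case($request['headers'], CASE_LOWER);
    $proto   = $request['protocol'];
    $method  = strtoupper($request['method']);

    // Hard failures: no real browser sends these.
    if ($proto === 'HTTP/1.1' && !isset($headers['host'])) {
        return [BB_BLOCK, 'HTTP/1.1 request without Host header'];
    }
    if (!isset($headers['user-agent']) || trim($headers['user-agent']) === '') {
        return [BB_BLOCK, 'missing User-Agent'];
    }

    // Ambiguous signal (constructed example): HTTP/1.0 combined with
    // "Connection: keep-alive" can come from some corporate proxies as well
    // as from automated tools, so it is blocked only when strict is on.
    $conn = $headers['connection'] ?? '';
    if ($proto === 'HTTP/1.0' && stripos($conn, 'keep-alive') !== false) {
        return $options['strict']
            ? [BB_BLOCK, 'HTTP/1.0 with keep-alive (strict mode)']
            : [BB_SUSPICIOUS, 'HTTP/1.0 with keep-alive'];
    }

    // Suspicious but not decisive: logged even with verbose off, never blocked.
    if ($method === 'POST' && !isset($headers['referer'])) {
        return [BB_SUSPICIOUS, 'POST without Referer'];
    }

    return [BB_ALLOW, ''];
}

/**
 * With verbose off, only blocked and suspicious requests reach the log
 * table, so the common allowed request costs no database write.
 */
function bb_should_log(string $verdict, array $options): bool
{
    return $options['verbose'] || $verdict !== BB_ALLOW;
}

// Constructed sample requests.
$ua = 'Mozilla/5.0 (constructed sample)';
$samples = [
    'browser' => ['method' => 'GET',  'protocol' => 'HTTP/1.1',
                  'headers' => ['Host' => 'example.com', 'User-Agent' => $ua]],
    'no_host' => ['method' => 'GET',  'protocol' => 'HTTP/1.1',
                  'headers' => ['User-Agent' => $ua]],
    'proxy'   => ['method' => 'GET',  'protocol' => 'HTTP/1.0',
                  'headers' => ['Host' => 'example.com', 'User-Agent' => $ua,
                                'Connection' => 'keep-alive']],
    'post'    => ['method' => 'POST', 'protocol' => 'HTTP/1.1',
                  'headers' => ['Host' => 'example.com', 'User-Agent' => $ua]],
];

// Run every sample with strict off and then on; verbose stays off so that
// only the non-allowed verdicts would be logged.
foreach ([false, true] as $strict) {
    $options = ['strict' => $strict, 'verbose' => false];
    foreach ($samples as $name => $request) {
        [$verdict, $reason] = bb_screen($request, $options);
        printf("strict=%d %-8s %-10s log=%-3s %s\n", $strict, $name, $verdict,
               bb_should_log($verdict, $options) ? 'yes' : 'no', $reason);
    }
}
```

With strict off the proxy-style sample is only marked suspicious and logged; with strict on the same request is blocked, which is the trade-off the strict option describes.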
I’ve pushed this release out the door because it’s proven stable, fast, and effective, and because spammers have greatly stepped up their activity. So several features which were in the roadmap have been postponed. I will be drawing up a new post-2.0 roadmap for these features in the next few days.
As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.
Bad Behavior 2 will be released within the next 24 hours.
Unfortunately I didn’t get everything on the roadmap that I wanted to implement. In the last few weeks there’s been a sharp upturn in spam, and despite the spammers’ trying to hide themselves from me, I’ve caught quite a few of them. I’ll continue plugging at the roadmap over the next few weeks, but I want to get a stable release out which will help to stem the new tides of spam we’re seeing now.
Hello, spammers. I know your secrets. I know how you operate. I know what software you use. I know where you downloaded it. I know when you wrote it yourself and when you paid someone else too much for a piece of crap that doesn’t work half the time. I know when you’ve spread a virus to take over people’s computers and run your own private spam network, and I know when you’re just renting a botnet from someone else.
No one likes you. No one truly wants what you’re selling, or you wouldn’t have to mislead them to get them to buy it. And no one will miss you when you meet the same fate as Vardan Kushnir.
First I want to say thank you to everyone who tried out an alpha version of Bad Behavior 2. Your valuable feedback and comments have resulted in a tool which eliminates some 99% of spam long before you would ever have to see it. And that means much less time spent cleaning out comments and reverting edits.
Based on your feedback, and on my own experience getting slashdotted last week, I’ve changed the pre-release quite a bit from previous pre-releases and it’s now ready for a wider audience. Here’s a quick rundown of the changes:
- Trackback spam is pretty much dead. If you see a trackback spam get past Bad Behavior, I want to know about it.
- Bad Behavior is stopping 99% or more of comment spam and an unknown amount of automated wiki vandalism. (I have no chicken to measure it.)
- A check which required waiting five seconds before submitting POST requests has been removed. While it showed some benefit in stopping spam, it was unduly interfering with legitimate activity.
- A check for misconfigured proxy servers has been disabled. While it blocked quite a bit of spam, it also blocks many corporate and government users, not to mention the entire country of Singapore. This appears to be a Microsoft ISA Server bug or misconfiguration, and when someone tells me how to fix it, this check will be re-enabled.
- Several additional checks for spam and malicious activity have been added.
- Database logging has been revamped, and the verbose option reinstated. When verbose is off, only blocked requests and some suspicious requests will be logged. On most requests, with verbose option off, Bad Behavior will make only one database query (to retrieve its settings).
- On WordPress, the administrative screen has been expanded. You can now turn verbose mode logging on or off from this screen.
- Once again, strangely enough it seems to be even faster than previous versions.
Some issues remain. I plan to implement a special page for MediaWiki, but I need some help from someone who is familiar with MediaWiki internals on implementing both the special page and the ability to save options. Please e-mail me if you have this knowledge.
I also plan to complete a technical support page both within WordPress and MediaWiki so that administrators can look up both missed spam and false positives. This should be complete prior to final release.
As always, I still need people to run the code, make sure it’s letting everyone through, and stopping spam. If it fails to catch spam, or blocks someone without good reason, then I need a report.
Now, on to installing it! Since people got confused last time, I’m going to break this into separate sections for WordPress and MediaWiki. But there is something common to both:
You will need to REMOVE all prior versions of both Bad Behavior 1 and Bad Behavior 2 BEFORE installing this release, because those versions may interfere with this one if left in place.
Then you need to DROP the *bad_behavior table from your database BEFORE installing this release, because the table format has changed. You can do this from within phpMyAdmin, for instance. (For instance,
Then you’re ready to install Bad Behavior 2 Beta 1. Follow the directions for your platform.
WordPress: The plugin installs just like any other plugin. Unzip it and you’ll have a Bad-Behavior folder. Upload the ENTIRE folder and its contents into your wp-content/plugins folder. Then activate the plugin from the Plugins administrative page. Once activated, you can edit its settings from the Options » Bad Behavior page.
MediaWiki: The extension installs just like any other extension. Unzip it and you’ll have a Bad-Behavior folder. If you want to edit the settings, edit the Bad-Behavior/bad-behavior-mediawiki.php file, find the text “Manually adjust settings here” and you can change them on the next line.
Upload the ENTIRE folder and its contents into your extensions folder. Then add the following to the end of
include( 'extensions/Bad-Behavior/bad-behavior-mediawiki.php' );
And you’re done.
The to-do list is pretty short, though it’s possible I’ve forgotten something. If I did, please leave a comment below.
WordPress: Implement the database search facility on the Options > Bad Behavior admin screen.
MediaWiki: Implement the special page. Implement the ability to save options.
ExpressionEngine: Targeted for next alpha/beta release.
Generic/Third Party Ports: Should be possible now, but I don’t have a generic template ready yet.
And as always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit counts.
Bad Behavior 2 Alpha 2 is now available for wide testing. If you’ve used Bad Behavior in the past, or if you currently use Akismet or Spam Karma 2 and those spam numbers just keep going up, it’s time to learn what Bad Behavior 2 can do for you.
Bad Behavior 2 is a ground-up rewrite of Bad Behavior, the only Web spam killer which stops spammers before they even have a chance to get started. It does this by focusing not on the content of the messages, but on the delivery method. As such, for maximum effect, you should use it in conjunction with another content-based plugin, such as Spam Karma 2 or Akismet. But even on its own, Bad Behavior is once again shockingly effective at stopping spam.
When Bad Behavior was first introduced a year ago, (holy crap it HAS been that long!) it was the first tool of its kind targeting malicious activity on a wide variety of Web sites and platforms. While a few other similar solutions exist, such as mod_security for Apache, they can’t be installed by the user, and they don’t specifically target blog and forum spam, wiki vandalism and the like.
By contrast, Bad Behavior is a set of PHP scripts which pre-screens every request to your PHP-based Web site. The first major version of Bad Behavior was ported to nearly a dozen different blogs, wikis, forums and guestbooks, and many more ports were reported whose authors kept them private and never released them. Bad Behavior 2 intends to keep the tradition of being portable to any PHP-based platform and expand on it by providing a more comprehensive and structured general API which can be wrapped into virtually anything.
Unfortunately, this wasn’t possible with the previous major version of Bad Behavior, owing to its design, thus the ground-up rewrite. Much to my surprise, Bad Behavior 2 is actually smaller than its predecessor, and catches virtually all spam with virtually no false positives. As of the time of this writing, it allowed only one spam to escape, and on investigation I found that spam had been manually posted by a very bored spammer. (In the final release, he too will be blocked.)
Now, down to business. As I said in the previous post, I haven’t completed the MediaWiki and ExpressionEngine ports yet, primarily due to time constraints, and the constraints of having thousands of people being hit by millions of spams and crying out for a solution now. So for now, this test release only runs on WordPress. It requires WP 1.5 or any later version.
Because this is a test release, there are some special installation instructions. First, if you installed 2.0 Alpha 1, delete it first before uploading this version.
This version can be installed alongside Bad Behavior 1, and in fact I recommend it. Upload the files in the usual way for any plugin. Then go to Manage Plugins. You’ll see both versions listed. Deactivate Bad Behavior 1, then activate Bad Behavior 2. To switch back, deactivate Bad Behavior 2, then activate Bad Behavior 1. Do not allow both version 1 and 2 to be active at the same time.
There are no show-stopping bugs that I’m aware of in this release; it’s stable enough for everyday use. However, it is not feature-complete; several items on the roadmap remain unfinished. For instance, a screener for requests which are suspicious but not certainly spam is only partially implemented. (Which is how that manual spammer got through.) The administrative screen located under Options > Bad Behavior is also not yet implemented.
Even so, I believe that this release will cut your spam flow on your WordPress blog to virtually nothing, without any false positives. However, in the extremely rare event that there is a false positive, the user will receive a technical support key and a brief explanation of what he can do to fix the problem (e.g. scan for spyware). Collect this key from the user and then mail it to me and I’ll get back to you with further information. The error page also provides a link the user can click for extended information; this part is also partially implemented and will be what I work on next.
And as always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit counts.
I’ve said before that the time would probably come when I would ask for brave volunteers to help run test code in order to help me build the next generation of Bad Behavior. One of those times has just arrived.
In developing Bad Behavior, I need access to a much larger body (corpus) of spam than I currently have, and I need your help to collect it. So this test code will automatically send a copy of any spam you receive to me.
There are some qualifications for this test, however, and you will want to pay close attention.
First, the plugin compatibility requirements. You must already be running both Bad Behavior and Akismet, and NOT be running Spam Karma. (The test code just won’t work with Spam Karma, and it currently requires Akismet for screening missed comments.) You must have at least WordPress 1.5 or higher to play.
Second, the data privacy issue. In some countries you may need to disclose this to your readers, so I’m disclosing it to you. This bit of code leverages Akismet to determine what bits of spam Bad Behavior is missing, and when Akismet determines that a comment is spam, it sends me a copy of the spammy request. The problem is that like everything else, Akismet is not 100% perfect, and it is possible that I’ll receive a legitimate comment. When this happens, I will delete the copy I received.
Finally, the installation. This is just a repackaged copy of Bad Behavior 1.2.4 with the code in question enabled. Replace your existing copy of Bad Behavior with this copy, reactivate the plugin if necessary, and you’re done.
In all other respects it operates exactly as Bad Behavior 1.2.4, the current version, except that it sends me a copy of any comment/ping submitted that Akismet (and possibly other plugins, but not Spam Karma) marks as spam. With this body of information I will be better able to develop more advanced techniques to combat comment spam, reduce the need for other plugins, and possibly even eliminate the very few false positives. I’ve got a few other ideas in mind, but I don’t want to share them too early and allow the spammers any advantages.
Sorry, MediaWiki users; I don’t have something ready for you just yet. But stay tuned. I run MediaWiki also, and I’m very interested in helping you eliminate wikispam as well.
I had originally intended to have a second alpha release of Bad Behavior 2, the next generation of the Web’s only non-content-based link spam killer, ready by now. Actually by last week. So I wanted to give you all an update on why it’s delayed and when you can expect to see some code.
As I posted back in February, I wanted to have the next alpha release out by mid-March. That didn’t happen, and it’s starting to look like early April before I’ll have something out. The reasons for this are as follows:
First off, you all should understand that I don’t work a regular 9-to-5 job like most people. In fact, I haven’t since last summer. I live solely on the income that I make blogging and from performing WordPress and other programming work for various clients. And while Bad Behavior has many generous donors, one of whom helped me obtain a computer when I needed it most, it isn’t enough to live on. Because of this, the work which generates the income that I live on must always come first. Unless Bad Behavior becomes a lot more popular than it already is, it will likely always take a back seat to the other work I must do in order to pay the rent and buy the groceries.
This means blogging and slinging code for anyone willing to pay for it. Almost. I did tell a splogger to go to hell the other day, and probably lost a couple hundred bucks. But some things just aren’t worth it. I’m trying to eliminate these guys, not help them.
Anyway, enough of that. For the past few weeks, I’ve had several clients engage me for various things, and actually been able to pick up a halfway decent desktop computer as well. And I’ll be working for at least the next week on a couple of other projects. And then there’s whoever else comes along.
Once I’ve gotten all this paid work off my plate, and have enough money to live on for a couple of months, then I’ll return to Bad Behavior with a vengeance. I’ve seen the spammers who have managed to evade Bad Behavior. They’ve hit me as well. And they’ve hit hard. For the first time I can remember, Bad Behavior is less than 80% effective, and that just won’t stand. I’ll be back on the case shortly, just as soon as I’m reasonably sure that I can stop taking paid clients for a short while and still have enough money to live on.
If you have suggestions for Bad Behavior 2, please leave a comment.
(By the way, if Bad Behavior 1 has blocked you, your friends, or a robot you want to crawl your site, read this.)