Lunacy Unleashed

Notes from the field in the War on Spam

Bad Behavior 2 Alpha 2


Bad Behavior 2 Alpha 2 is now available for wide testing. If you’ve used Bad Behavior in the past, or if you currently use Akismet or Spam Karma 2 and those spam numbers just keep going up, it’s time to learn what Bad Behavior 2 can do for you.

Bad Behavior 2 is a ground-up rewrite of Bad Behavior, the only Web spam killer which stops spammers before they even have a chance to get started. It does this by focusing not on the content of the messages, but on the delivery method. As such, for maximum effect, you should use it in conjunction with another content-based plugin, such as Spam Karma 2 or Akismet. But even on its own, Bad Behavior is once again shockingly effective at stopping spam.

When Bad Behavior was first introduced a year ago (holy crap, it HAS been that long!), it was the first tool of its kind targeting malicious activity on a wide variety of Web sites and platforms. While a few other similar solutions exist, such as mod_security for Apache, they can’t be installed by the user, and they don’t specifically target blog and forum spam, wiki vandalism and the like.

By contrast, Bad Behavior is a set of PHP scripts which pre-screens every request to your PHP-based Web site. The first major version of Bad Behavior was ported to nearly a dozen different blogs, wikis, forums and guestbooks, and many more generic ports were reported whose authors kept them private and never released them. Bad Behavior 2 intends to keep the tradition of being portable to any PHP-based platform and expand on it by providing a more comprehensive and structured general API which can be wrapped into virtually anything.

Unfortunately, this wasn’t possible with the previous major version of Bad Behavior, owing to its design, thus the ground-up rewrite. Much to my surprise, Bad Behavior 2 is actually smaller than its predecessor, and catches virtually all spam with virtually no false positives. As of the time of this writing, it allowed only one spam to escape, and on investigation I found that spam had been manually posted by a very bored spammer. (In the final release, he too will be blocked.)

Now, down to business. As I said in the previous post, I haven’t completed the MediaWiki and ExpressionEngine ports yet, primarily due to time constraints, and the constraints of having thousands of people being hit by millions of spams and crying out for a solution now. So for now, this test release only runs on WordPress. It requires WP 1.5 or any later version.

Because this is a test release, there are some special installation instructions. First, if you installed 2.0 Alpha 1, delete it before uploading this version.

This version can be installed alongside Bad Behavior 1, and in fact I recommend it. Upload the files in the usual way for any plugin. Then go to Manage Plugins. You’ll see both versions listed. Deactivate Bad Behavior 1, then activate Bad Behavior 2. To switch back, deactivate Bad Behavior 2, then activate Bad Behavior 1. Do not allow both version 1 and 2 to be active at the same time.

There are no show-stopping bugs that I’m aware of in this release; it’s stable enough for everyday use. However, it is not feature-complete; several items on the roadmap remain unfinished. For instance, a screener for requests which are suspicious but not certainly spam is only partially implemented. (Which is how that manual spammer got through.) The administrative screen located under Options > Bad Behavior is also not yet implemented.

Even so, I believe that this release will cut your spam flow on your WordPress blog to virtually nothing, without any false positives. However, in the extremely rare event that there is a false positive, the user will receive a technical support key and a brief explanation of what he can do to fix the problem (e.g. scan for spyware). Collect this key from the user and then mail it to me and I’ll get back to you with further information. The error page also provides a link the user can click for extended information; this part is also partially implemented and will be what I work on next.

And as always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit counts.

Download Bad Behavior Now!

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)


April 27, 2006 - Posted by | Bad Behavior, Blog Spam, Blogging, Spam, WordPress, WordPress 2.0


  1. […] io_error has just released Bad Behavior 2 Alpha 2. […]

    Pingback by Caught in the World "Wild" Web » Blog Archive » Bad Behavior 2 Alpha 2 | April 27, 2006

  2. I see a new BB table in the database now. Is the former one ‘bad_behavior_log’ in use anymore? If not, where do you store the ‘denied reason’ now? Is that encoded within the key?

    Comment by halr9000 | April 27, 2006

  3. Yep, the new table is used by BB2; the old one by BB1.

    Comment by Michael Hampton | April 27, 2006

  4. Installed and in use! Thanks Michael! I like ur enthusiasm against spammers!

    Comment by J | April 27, 2006

  5. Sweet! 😀

    Comment by Viper007Bond | April 27, 2006

  6. you’d be surprised how much comment spam gets manually posted – I’m starting to think some of the Russians are actually hiring people to do spam posting manually for cheap, a la the Chinese “professional” gold farmers in World of Warcraft.

    I’ve got a phpbb that I “botproofed” by randomizing the URL to the post page so that you HAVE to actually look at the index page to find it… and changed all of the graphic element names on the index page so that there was no “posting.gif” or anything like that to give it away. I still get about five spams a day on that thing. Usually from Moscow area IP addresses, although sometimes from colos – often, the exact same box hosting the web site being spammed.

    Like I said, I strongly suspect there are “comment spam sweatshops” starting to spring up.

    Comment by Jim Salter | April 27, 2006

  7. […] io error A public release of the newly written from the ground up version of the indispensable WP plugin. If you’ve not explored this plugin with your other comment spam fighters, now is the time to investigate. […]

    Pingback by WordPress Station » Blog Archive » Bad Behavior 2 Alpha 2 | April 28, 2006

  8. […] On Sunday last, I installed WordPress 2.02 and re-installed the tables in the database, but without the databases for the spamblocker plugins which I previously had installed, Spam Karma 2 and Bad Behaviour: reason was I had spent hours trying to restore the database and something went wrong each time, so I decided not to reinstall the SK2 and BB tables. Whether that helped or not I did get a successful install of WP2 and my old posts, categories etc. […]

    Pingback by » Blog Archive » Spam Karma 2 Installation Problem | May 10, 2006

  9. The best way to stop spam would be to spend some time in moderating the comments personally rather than relying on any captchas. You can go to the other extreme of not allowing anyone to comment – but then the whole essence of sharing information is lost. At least Yahoo and MSN reward the commentators with relevant backlinks, so that is a reward which many spammers like to go for.

    Comment by Tom in Cala Dor Palma de Mallorca | October 1, 2006
