Lunacy Unleashed

Notes from the field in the War on Spam

Bad Behavior 2 Beta 1

Make a Donation.

First I want to say thank you to everyone who tried out an alpha version of Bad Behavior 2. Your valuable feedback and comments have resulted in a tool which eliminates some 99% of spam long before you would ever have to see it. And that means much less time spent cleaning out comments and reverting edits.

Based on your feedback, and on my own experience getting slashdotted last week, I’ve changed the pre-release quite a bit from previous pre-releases and it’s now ready for a wider audience. Here’s a quick rundown of the changes:

  • Trackback spam is pretty much dead. If you see a trackback spam get past Bad Behavior, I want to know about it.
  • Bad Behavior is stopping 99% or more of comment spam and an unknown amount of automated wiki vandalism. (I have no chicken to measure it.)
  • A check which required waiting five seconds before submitting POST requests has been removed. While it showed some benefit in stopping spam, it was unduly interfering with legitimate activity.
  • A check for misconfigured proxy servers has been disabled. While it blocked quite a bit of spam, it also blocks many corporate and government users, not to mention the entire country of Singapore. This appears to be a Microsoft ISA Server bug or misconfiguration, and when someone tells me how to fix it, this check will be re-enabled.
  • Several additional checks for spam and malicious activity have been added.
  • Database logging has been revamped, and the verbose option reinstated. When verbose is off, only blocked requests and some suspicious requests will be logged. On most requests, with verbose option off, Bad Behavior will make only one database query (to retrieve its settings).
  • On WordPress, the administrative screen has been expanded. You can now turn verbose mode logging on or off from this screen.
  • Once again, strangely enough it seems to be even faster than previous versions.

Some issues remain. I plan to implement a special page for MediaWiki, but I need some help from someone who is familiar with MediaWiki internals on implementing both the special page and the ability to save options. Please e-mail me if you have this knowledge.

I also plan to complete a technical support page both within WordPress and MediaWiki so that administrators can look up both missed spam and false positives. This should be complete prior to final release.

As always, I still need people to run the code, make sure it’s letting everyone through, and stopping spam. If it fails to catch spam, or blocks someone without good reason, then I need a report.

Now, on to installing it! Since people got confused last time, I’m going to break this into separate sections for WordPress and MediaWiki. But there is something common to both:

You will need to REMOVE all prior versions of both Bad Behavior 1 and Bad Behavior 2 BEFORE installing this release, because those versions may interfere with this one if left in place.

Then you need to DROP the *bad_behavior table from your database BEFORE installing this release, because the table format has changed. You can do this from within phpMyAdmin, for instance. (For instance, wp_bad_behavior or mw1_bad_behavior.)

Then you’re ready to install Bad Behavior 2 Beta 1. Follow the directions for your platform.

WordPress: The plugin installs just like any other plugin. Unzip it and you’ll have a Bad-Behavior folder. Upload the ENTIRE folder and its contents into your wp-content/plugins folder. Then activate the plugin from the Plugins administrative page. Once activated, you can edit its settings from the Options » Bad Behavior page.

MediaWiki: The extension installs just like any other extension. Unzip it and you’ll have a Bad-Behavior folder. If you want to edit the settings, edit the Bad-Behavior/bad-behavior-mediawiki.php file, find the text “Manually adjust settings here” and you can change them on the next line.

Upload the ENTIRE folder and its contents into your extensions folder. Then add the following to the end of LocalSettings.php:

include( 'extensions/Bad-Behavior/bad-behavior-mediawiki.php' );

And you’re done.

The to-do list is pretty short, though it’s possible I’ve forgotten something. If I did, please leave a comment below.

WordPress: Implement the database search facility on the Options > Bad Behavior admin screen.

MediaWiki: Implement the special page. Implement the ability to save options.

ExpressionEngine: Targeted for next alpha/beta release.

Generic/Third Party Ports: Should be possible now, but I don’t have a generic template ready yet.

And as always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit counts.

Download Bad Behavior Now!

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

June 7, 2006 - Posted by | Bad Behavior, Blog Spam, MediaWiki, Spam, WordPress

47 Comments

  1. thnx for this great job Michael

    Comment by researcher | June 7, 2006

  2. […] That aside, if you’d like to see spam gone from your blog, head over to the Bad Behavior development page and download your copy of the plugin. If you have prior versions of the Bad Behavior, you got to read the instructions carefully before you upload and activate it, otherwise you’d be in for a screwup. I know it might be a little daunting for some, but come on…it’s either you learn or you get bombarded with spam. […]

    Pingback by Footsteps in the Mirror » Teach That Spam A Lesson | June 7, 2006

  3. Here is once more the mediawiki patch for proper version display. Just add it at the bottom of the mediawiki file:

    $wgExtensionCredits[‘other’][] = array(
    ‘name’ => ‘Bad Behavior’,
    ‘version’ => ‘2.0b1’,
    ‘author’ => ‘Michael Hampton’,
    ‘description’ => ‘Detects and blocks unwanted Web accesses’,
    ‘url’ => ‘http://www.homelandstupidity.us/software/bad-behavior/’
    );

    Comment by KDevelop webmaster | June 7, 2006

  4. Thank you for this Michael. Job done🙂

    Comment by joss | June 7, 2006

  5. […] IO ERROR aka Michael Hampton has announced Bad Behaviour goes to 2 Beta1. If your already using Bad Behaviour go get the update from here Don’t forget that to use this you must deactivate the plugin and delete it from your ftp wp-content/plugins folder. Then you need to DROP the *bad_behavior table from your database BEFORE installing this release, because the table format has changed. You can do this from within phpMyAdmin, for instance. (For instance, wp_bad_behavior or mw1_bad_behavior.) […]

    Pingback by jossblog » Bad Behaviour goes to 2 Beta 1 | June 7, 2006

  6. Installed. I’ll let you know if any spam gets through.😀

    Comment by Viper007Bond | June 7, 2006

  7. I think I need to port this to phpBB2…

    Comment by VxJasonxV | June 7, 2006

  8. […] Bad Behavior 2 Beta 1 Released。 […]

    Pingback by Bad Behavior 2 Beta 1 Released @ 天佑的自由天地 | June 7, 2006

  9. Would love to see one for IPB 2.0 forums.

    Comment by Tarun | June 7, 2006

  10. Heh. I barely have enough time to maintain the core! (Because I don’t get paid for this, I have to spend most of my time on other things.) Before final release I do plan to have a generic framework available so that you can port it quickly into (almost) any other package.

    Comment by Michael Hampton | June 7, 2006

  11. Hey Michael,

    First, I just wanted to say that after a few weeks of operation with Alpha4, nothing was getting through (not even to the point of moderation) and the Akismet was getting just a few items a day. So my spam problem has essentially been eliminated.

    Last night, I upgraded to the latest versions of everything (WP, Akismet, BB2) and seems to be just as good. I even cleared out the list of IPs flagged for moderation, since they don’t even get that far anymore.

    However, there are still a few items being caught by Akismet and I believe they are all trackback spam. (I’ve never been fully clear on the difference.) Does that mean they got past Bad Behavior? Here’s what they look like:

    “buy flowers online | http://buy-flower-online.frbb.net | IP: 82.146.58.48

    buy flowers online…

    buy flowers online…”

    Again, they aren’t getting to blog, but you said you wanted to know. (All but one was from that IP, btw). In either case, thanks so much for your work on this. It’s been such a tremendous help. I thought I’d be deleting spam for the rest of my life!

    Comment by Dashiell | June 8, 2006

  12. […] If you hate spam, I’m with you all the way. Thats why its good news all round to be able to report that Bad Behaviour 2 Beta 1 has now been released for download. Some of the changes include: […]

    Pingback by Bloggers Buzz » Blog Archive » Bad Behavior 2 Beta 1 | June 9, 2006

  13. […] Upgraded to Bad Behaviour 2.0 Beta 1 as a test – if you are having problems and getting blocked and can see this through an RSS aggregator like PLOA then drop me an email (chris at csamuel.org will work) to let me know please! […]

    Pingback by Upgrade to Bad Behaviour 2 Beta 1 at The Musings of Chris Samuel | June 10, 2006

  14. Hey,

    Awsome and glad to see it works with wp 1.5 correctly now.🙂

    Though, the “Display statistics in blog footer” does not seem to work with the Connections theme. Nothing is displayed.

    Tried I tried the old stats plug-in:

    http://ajaydsouza.com/wordpress/plugins/bad-behavior-stats-plugin/

    But of course it does not work with 2.0.

    So how would I add the stats to the footer myself?

    Thanks,

    Will

    Comment by Will | June 10, 2006

  15. Never mind, I figured it out.🙂

    [code][code]

    Comment by Will | June 10, 2006

  16. […] Michael Hampton released Bad Behavior v2.0b1. […]

    Pingback by MacManX.com » Blogroll Dive: 6/12/06 | June 12, 2006

  17. Hi Michael:

    I just send you several e-mails about bad-behavior lifetype plugin last week. But I did not get any feed back from you.

    Please kindly let me know, if you did not receive the mails. I will re-send the scripts to you again.

    I use the e-mail box you metioned in this post.

    If you prefer me to contact you in another way, please also kindly let me know.

    Mark

    Comment by Mark | June 13, 2006

  18. Hi,

    I have updated to new “bad-behavior-2.0b1”. And I have selected to show stats in footer. But nothing gets displayed. Can you please advice me.

    DG…

    Comment by DG | June 13, 2006

  19. Your theme probably doesn’t have the wp_footer() call that it should have. Check to make sure it’s in there.

    Comment by Michael Hampton | June 13, 2006

  20. Hi Michael:

    I wrote an article here to help LifeType user use Bad Behavior 2 in LifeType.

    I also link the “Make Donation” button in this article. Hope it can help you to get enough donation.

    http://blog.markplace.net/marks_place/1/2006/06/14/100

    And seems you did not receive my mails, so you can get the lifetype integration script here:

    http://blog.markplace.net/resserver.php?blogId=1&resource=90-bad-behavior-2.0-beta1.zip

    And, you are welcome to include this script in your next release.

    Thanks,

    Mark

    Comment by Mark | June 14, 2006

  21. Hi Michael,

    thx for BB. Im using BB on WP 2.0.3. An i have one, maybe stupid, Question: what i have to do to become the message what is the reason why is something blocked.

    I was looking in PHPMyAdmin but there is only:

    id
    ip
    date
    request_method
    request_uri
    server_protocol
    http_headers
    user_agent
    request_entity
    key

    And nothing that explains why is an entry blocked.
    Next Question, what is the function of the both index.html?

    Greetings

    Comment by Perun | June 14, 2006

  22. Hi Michael,
    Until now, BB has blocked all spam on my WP site. But in the last few days, I’m suddenly flooded with comment spam. Send me an email if you need specific details.
    Gabi

    Comment by Gabi | June 18, 2006

  23. Oh no you didn’t… lol

    There is now a Bad Behavior sta thingy in my footer that is destroying my footer.How can I remove that?
    🙂

    Comment by Stephani | June 18, 2006

  24. OOOOPS, I just saw how😀

    Comment by Stephani | June 18, 2006

  25. Hey Micheal,
    If you would provide a function call to display the number of blocked attempts and the number of days we would be able to format the stats in the footer. Now my stats are turned off (thus not providing you with a link) only because of aesthetics…

    Comment by eduardo | June 20, 2006

  26. You mean like bb2_insert_stats(true); ?

    Comment by Michael Hampton | June 20, 2006

  27. I think eduardo means something like bb2_attempts_blocked() and bb2_attempts_blocked_days() which return number of accesses blocked and number of days the stats is accumulated.

    This way, we can integrate the info into our own layout.

    Comment by Stephen Chu | June 22, 2006

  28. What kind of details would you like about trackback spam that is getting through?

    Comment by beev | June 23, 2006

  29. None — not yet anyway. I already know about them.🙂

    Comment by Michael Hampton | June 23, 2006

  30. Thanks for your great plugin! It filter 100% of my comment spam. (yes, 100%!)

    However, it also blocks GeoUrl Bot. ( Mozilla/5.0 (compatible; geourl/2.0b16 – http://geourl.org/bot) ). Hopes you can add that to the default white list. Thanks.//

    GET / HTTP/1.1
    Accept-Encoding: gzip, deflate
    Connection: TE, close
    Host: http://www.sdiz.net
    TE: deflate,gzip;q=0.3
    User-Agent: Mozilla/5.0 (compatible; geourl/2.0b16 – http://geourl.org/bot)

    Comment by SDiZ | June 26, 2006

  31. A little bump for peron’s question (21)

    Are we to understand that all items in the bad-bevaior list are blocked?

    Comment by Rune Tomren | June 27, 2006

  32. If it appears in the database, and the key is not 00000000, then it was blocked.

    Comment by Michael Hampton | June 27, 2006

  33. Implement the database search facility on the Options > Bad Behavior admin screen

    After installing the upgrade & viewing the Options/BB screen I don’t see any info about a ‘dB search facility.’ I only see “Statistics” & ‘Logging’ as choices on the screen. I’m assuming I don’t need to worry about this but if I do then someone pls let me know what I might’ve done wrong.

    Comment by Richard Silverstein | June 28, 2006

  34. Yes, you quoted from the to-do list.

    Comment by Michael Hampton | June 28, 2006

  35. Hi Michael

    I have had serious spam problems on my site lately and upraded the BB from 1.something to the 2beta.
    From the bad_behavior I can see a few blocked posts but it seems like lots of spam post still go through.

    When you look at recent changes in the wiki you can see around 100 posts around 4 at night. http://www.bergenkitesurfingklubb.no/phase3/index.php?title=Special:Recentchanges

    This is what you can see in the bad_behavior table:
    INSERT INTO `bad_behavior` VALUES (7, ‘66.194.6.71’, ‘2006-06-27 17:46:24’, ‘GET’, ‘/’, ‘HTTP/1.1’, ‘GET / HTTP/1.1\nHost: bergenkitesurfingklubb.no\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312468)\n’, ‘Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312468)’, ”, ‘17566707’);
    INSERT INTO `bad_behavior` VALUES (8, ‘208.62.125.146’, ‘2006-06-27 19:16:17’, ‘GET’, ‘/phase3/index.php?title=Help:Contents’, ‘HTTP/1.1’, ‘GET /phase3/index.php?title=Help:Contents HTTP/1.1\nAccept: */*\nConnection: Keep-Alive\nHost: http://www.bergenkitesurfingklubb.no\nPragma: no-cache\n’, ”, ”, ‘00000000’);
    INSERT INTO `bad_behavior` VALUES (9, ‘208.62.125.146’, ‘2006-06-27 19:16:22’, ‘GET’, ‘/phase3/index.php?title=Help:Contents&action=edit’, ‘HTTP/1.1’, ‘GET /phase3/index.php?title=Help:Contents&action=edit HTTP/1.1\nAccept: */*\nConnection: Keep-Alive\nHost: http://www.bergenkitesurfingklubb.no\nPragma: no-cache\n’, ”, ”, ‘00000000’);
    INSERT INTO `bad_behavior` VALUES (10, ‘66.194.6.73’, ‘2006-06-28 03:38:28’, ‘GET’, ‘/’, ‘HTTP/1.1’, ‘GET / HTTP/1.1\nHost: http://www.bergenkitesurfingklubb.no\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312462)\n’, ‘Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312462)’, ”, ‘17566707’);
    INSERT INTO `bad_behavior` VALUES (11, ‘211.212.6.35’, ‘2006-06-28 05:40:49’, ‘GET’, ‘/phase3/index.php?title=Bruktmarked’, ‘HTTP/1.1’, ‘GET /phase3/index.php?title=Bruktmarked HTTP/1.1\nAccept: */*\nHost: http://www.bergenkitesurfingklubb.no\nPragma: no-cache\nProxy-Connection: Keep-Alive\nUser-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; es) AppleWebKit/312.5 (KHTML, like Gecko) Safari/312.3\n’, ‘Mozilla/5.0 (Macintosh; U; PPC Mac OS X; es) AppleWebKit/312.5 (KHTML, like Gecko) Safari/312.3’, ”, ‘b7830251’);

    So I gather that a few spam posts have been caught but most of it has gone through. I’m not sure why. Looking at the recent changes the speed of it all suggest that it’s automated and not manual posting.

    Do you have any suggestions?

    Comment by Rune Tomren | June 28, 2006

  36. Rune: You’ll need to turn on verbose mode (see the directions in the post above) and collect some examples of the spam that’s getting through. Then I can do something about it. Thanks!

    Comment by Michael Hampton | June 28, 2006

  37. BLOCKED!!!

    I think it had something to do with my running an app to generate google sitemaps. More when I’ve had time to look into un-blacklisting myself. Bloody shame, the spammers discovered my site last month.

    Comment by Leslie | June 28, 2006

  38. Leslie, you forgot to send in your technical support key.

    Comment by Michael Hampton | June 28, 2006

  39. Pingback by Anonymous | June 30, 2006

  40. Bad Behavior doesn’t allow my users to use their cellphones to view my site through GPRS.

    It gives some kinda proxy error stating there could be a bug in opera.

    Any workaround for that ??

    Comment by Uthfull | July 1, 2006

  41. You’ll have to send me the bad_behavior log entries showing where they were blocked.

    Comment by Michael Hampton | July 1, 2006

  42. Since switching to the beta of version 2, I’ve had only one specific problem – I am bombarded with valium-related spams which I wasn’t getting before.

    Spam Karma 2 is catching and putting into moderation, so they’re not getting all the way through to my site but with the original Bad Behaviour all spam was killed stone dead and never seen while I did, however, suffer from the problem of government servers being blocked.

    I even tried adding in ‘valium’ to the WordPress complete blacklist, meaning in theory all comments with the word should be nuked but no luck. I don’t think that the WordPress functions where moderation and zapping are concerned work at all.

    Every day I’m getting anywhere from 2-10 valium spams, all saying ‘I like your cool site’ and variants thereof with a wide range of IPs.

    Can you please tell me how do I copy log entries from myphpadmin into an email to send to you? If I can figure that out, I will switch verbose logging on tomorrow for 12-24 hours and then forward what comes from that to you in the hope that you can ascertain why these spammers are bypassing so much. Thank you.

    Comment by Andy | July 2, 2006

  43. Andy, there’s no need to send me copies of those spams. I know why they’re getting through and how to block them. (Blocking them, though, will also block those corporate and government users. And now you know where that spam is coming from.)

    As for the WP blacklist, many of WP’s built in comment moderation tools — and many other anti-spam plugins — don’t work when Spam Karma 2 is active, as it overrides them. I consider this a bug; its author considers it a feature…

    Comment by Michael Hampton | July 2, 2006

  44. Michael, I’m having problems sending you emails, they keep bouncing permanently with no useful error.

    From: Mail Delivery Subsystem
    To: halr9000@gmail.com
    Subject: Delivery Status Notification (Failure)
    Date: Mon, 03 Jul 2006 09:56:50 -0700 (PDT)

    This is an automatically generated Delivery Status Notification

    Delivery to the following recipient failed permanently:

    badbots@ioerror.us

    Comment by Hal Rottenberg | July 3, 2006

  45. Michael, just curious what happened to the blocked reason in the log. I’m also wondering if spambot operators have a clue about the things that get them blocked, and might actually fix their code to bypass Bad-Behavior… then what?

    Comment by Stevious | July 4, 2006

  46. Still failing since you restarted your mail server.

    Comment by Hal Rottenberg | July 4, 2006

  47. […] In einer Antwort des Entwicklers (Kommentar Nr. 32) als einzige Fundstelle auf eine Anfrage per Kommentar (Nr. 21) konnte ich nur die folgende Differenzierung entnehmen: […]

    Pingback by dyingeyes weblog » Bad Behavior: Keys und was dahintersteckt | July 5, 2006


Sorry, the comment form is closed at this time.

%d bloggers like this: