Lunacy Unleashed

Notes from the field in the War on Spam

Bad Behavior 2.0.4

Make a Donation.

Bad Behavior 2.0.4 has been released to provide small bug fixes.

New in this release (since 2.0.3):

  • A bug affecting MediaWiki and ExpressionEngine users, and possibly others, caused database errors to be thrown when a POST request was received. This has been fixed.
  • A confusing entry in the generic code, which caused PHP warnings for people who mistakenly used it without changing it, has been altered. This section, which users of the generic code are expected to change, referred to a variable that did not exist, so users who did not adapt it for their particular installation received warnings.
  • A part of the housekeeping code which optimizes Bad Behavior’s log table has been rescheduled to run in only one of 1000 blocked requests. Under a heavy spam attack this was running much too frequently at its old schedule of one in 25 blocked requests, causing at least one shared hosting provider to complain.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

Update: Due to some errors which crept in, I’ve repacked the 2.0.4 release. If you already downloaded it and are having strange problems, please re-download it.

July 27, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 17 Comments

Bad Behavior 2.0.3

Before I get into the release announcement, I just want to ask all of you to send me money so I can buy a T-shirt here at the HOPE conference. Oh, and eat too. NYC has drained my wallet to just about empty. Thanks!

Bad Behavior 2.0.3 has been released to provide additional protection from certain Ukrainian spammers and to prevent certain users from being blocked inappropriately.

New in this release (since 2.0.2):

  • A check has been added for a high-volume Ukrainian spammer who can generate 500,000 spams per day (and quite possibly much more).
  • A blacklist entry has been relaxed in order to prevent inappropriate blocking of a few rare legitimate users and bots.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

July 23, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 6 Comments

Bad Behavior 2.0.2

Bad Behavior 2.0.2 has been released to provide additional protection from certain blog and wiki spammers and email address harvesters.

New in this release (since 2.0.1):

  • A check has been added for certain types of blog comment and wiki spam.
  • Several email address harvesters have been added to the blacklists.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

July 16, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 6 Comments

Bad Behavior 2.0.1

Bad Behavior 2.0.1 has been released to address a critical bug in the whitelisting code. All users who use or plan to use the whitelisting feature of Bad Behavior should upgrade to version 2.0.1.

New in this release (since 2.0.0):

  • A bug causing the whitelist to fail on some POST requests has been fixed.
  • Support for the LifeType blog platform has been added. This support was graciously provided by Mark Wu. Unfortunately, I don’t know much about LifeType, so I can’t really give any support for it. You can find more information at Mark’s blog.
  • Some additional checks for trackback spam have been added.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

July 9, 2006 Posted by | Bad Behavior, Blog Spam, LifeType, MediaWiki, Spam, WordPress | 9 Comments

E-mail with viruses is not from me

Some malicious software has gotten hold of the badbots at ioerror dot us email address and is sending out large numbers of e-mail messages with viruses and Trojan horses embedded in them, faking the From: e-mail address.

These e-mail messages do not originate from me and should be discarded unread. Under no circumstances should you open the attachment in these fake messages, as it contains malicious software.

I will probably change this e-mail address in the near future.

July 7, 2006 Posted by | Bad Behavior, Spam | 1 Comment

Bad Behavior 2 for ExpressionEngine

Paul Burdick of pMachine has managed to put out a port of Bad Behavior 2 for ExpressionEngine in the record time of “an hour this afternoon,” he wrote on the EE forums Thursday.

I took a quick look through the extension and to my eye it looks good. I haven’t tested it myself, but the early results on the forum suggest that it works OK.

Check out the EE forum thread for more info and to download the extension.

Please note these special installation instructions:

You need BOTH the bad_behavior extension from EE AND the standard Bad Behavior download.

To install it: Unpack the stock Bad Behavior download, and you’ll find a Bad-Behavior folder. Inside THAT folder is a bad-behavior folder. Upload ONLY the bad-behavior folder from the stock download, along with the ext.bad_behavior.php from the EE download, to your EE ./system/extensions folder. Then upload the lang.bad_behavior.php file to your EE ./system/language/english folder.

You can then activate and configure Bad Behavior from the Extensions Manager. The ‘strict’ and ‘verbose’ settings should work as for the other ports. I don’t know if the ‘display_stats’ setting has been implemented; I think on EE it probably requires a template change at least…

Thanks, Paul!

July 7, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, Spam | 15 Comments

Bad Behavior: Your first line of defense

In the two days or so since I released Bad Behavior 2, it’s been downloaded 267 times. That’s 267 (or more) people enjoying the peace of mind that comes from knowing that web spam doesn’t have to be a nightmare. If you’re reading this, you are probably one of them. Congratulations!

Since I have a lot of new subscribers lately, this seemed like a good time to talk about what Bad Behavior is, what it isn’t, and how it fits into an overall spam prevention strategy.

First and foremost, Bad Behavior is an open source project developed by a stressed and overworked guy (me) with a high profile blog (Homeland Stupidity) in my limited spare time between finding people who want code written for cash and writing that code. If you’ve been around a while, then you know Bad Behavior 2 was delayed for months for just this reason, and was released without all of the planned features.

So the project relies on contributions from its users to allow me to devote more time to Bad Behavior, rather than the other projects which usually pay the bills. Tens of thousands of people use Bad Behavior now, but the number of people who have contributed financially over its lifetime is fewer than 100. (If you’re one of them, you can skip the next section.)

For those of you who have used Bad Behavior and enjoyed not having ads for Viagra, poker, forex, and gawd knows what else for all this time, you should first upgrade to Bad Behavior 2 to get the additional protections it provides. Then by way of saying thanks, buy me a beer. 🙂 Okay, you can’t do that online, so consider dropping off $5.00 or £3.00 or €4,25 instead. Or if you feel it’s really worth it, you can contribute more from the sidebar.

Your contributions will allow me to devote more time to further development of Bad Behavior. This is sorely needed because, despite the best efforts of the brightest minds on the Internet, spam isn’t going away anytime soon. (We just haven’t figured out how to deliver electric shock over the Internet yet.) This will allow me to spend time on solving your spam problem so you don’t have to.

Bad Behavior is completely different from any other anti-spam solution out there, in that it doesn’t specifically target spam itself. Rather, it targets the methods by which the spam is delivered. Until I released the first version last year, this approach had never been tried. It proved very effective at stopping a lot of malicious activity, not just spam: It also blocks many email address harvesters, meaning less e-mail spam, and some types of automated cracking attempts, improving your server’s security.

While a somewhat similar solution called mod_security exists, it has a rather different purpose, doesn’t target spam, and regular people can’t install mod_security on their shared web hosting accounts. Bad Behavior blocks spam as well as other malicious activity and can be installed by anyone (except GoDaddy customers).

On some high traffic sites, or those specifically targeted by spammers, the traffic from these spam attacks can be so excessive as to exceed your account’s bandwidth limits, or overload the server, and cause your account to be suspended. Bad Behavior helps to prevent both of these situations by blocking malicious activity as soon as possible, before either bandwidth or CPU are expended on a request which will turn out to be bogus.

But because Bad Behavior intends to block no legitimate users whatsoever, it must necessarily let some things pass. Consider it your first line of defense, and back it up with a secondary line of defense in the form of a more traditional anti-spam tool for your platform. For WordPress, this can include Akismet or Spam Karma 2.

You absolutely should use both, as what will happen if you use only the secondary line of defense is that your administrative screen will rapidly fill with so much spam that you won’t be able to find and recover the occasional legitimate comment that those tools block. By blocking most spammers before you ever see it, the amount of garbage you have to sift through to find legitimate comments, or the number of edits you have to revert on your wiki, is greatly reduced.

In this way Bad Behavior saves you time and frustration. And this is why I think you should continue to support it: it gives you peace of mind by turning spam from a colossal nightmare into, well, not much at all.

July 7, 2006 Posted by | Bad Behavior, Blog Spam, Spam, WordPress | 8 Comments

Bad Behavior 2

It’s been a long time coming, and Bad Behavior 2, the next generation of the Web’s premier malicious traffic killer, is finally here!

Bad Behavior, conceived in 2005 as a fingerprinting method for HTTP requests, has proven, as one user called it, “shockingly effective” at identifying and blocking malicious activity, including blog/wiki spam, e-mail address harvesting, automated cracking attempts, and more. It does all of this looking only at the HTTP request headers; for POST data, the content of the spam is not analyzed at all.

Even so, Bad Behavior blocks the vast majority of web spam, and has gotten the spammers so worked up they’ve actually stopped spamming me with their latest tools, so as to try to prevent me from learning what they’re up to. (It didn’t work. “The king hath note of all that they intend, By interception which they dream not of.” — Shakespeare)

I’ve been developing Bad Behavior 2 in my limited spare time, off and on, for almost a year. And I want to thank all of you for your patience, especially while spammers were bombarding your blogs and wikis, and for your support. It’s been a crazy year, and I’ll be talking more on a personal note about it in the next few weeks.

And that is the reason I am releasing the software now, when not all of the planned features are present: In recent weeks spammers have greatly stepped up their activity, with some sites receiving ten times as much spam as before. I’ve been hard at work on Bad Behavior 2, making sure that it can block this spam without keeping away your regular readers.

New Features

Even without everything I’d planned, Bad Behavior 2 is chock full of new features. Some of them are quite visible, others are more in the backend.

  • Bad Behavior 2 is faster than Bad Behavior 1, whether you use database logging or not. It has been completely redesigned from the ground up to be as fast as possible and provide protection on very high traffic sites, such as when you find yourself on the front page of slashdot.org, or you’re the sysop of Wikipedia. For most requests, Bad Behavior 2 issues at most one fast database query, and in many cases, no database queries. Bad Behavior’s run time on fast servers is measured in single milliseconds.
  • Bad Behavior 2 has been enhanced with additional checks for spammers who have started or increased their activity in the last year. It also has better screening of trackback spam, killing virtually all of it. Bad Behavior 1 permitted a lot of trackback spam.
  • Bad Behavior 2’s options have been standardized across ports, so that the same options work the same way on each software package. (Not all of the options apply to each package, however.) This makes Bad Behavior easier to deploy across multiple sites and different software packages.
  • On some software packages, Bad Behavior’s options can be controlled from within the software package. Currently an administrative screen is available on WordPress, and a screen is planned for MediaWiki. (It hasn’t been implemented because developer documentation is sparse, incomplete and wrong, according to Brion. When the documentation improves, the MediaWiki port’s features will improve.)
  • For speed reasons, Bad Behavior 2 does not use PHP classes in its core. But Bad Behavior 2’s API has been rewritten to provide a better interface for certain types of software, such as ExpressionEngine, which expect their extensions to be encapsulated in classes. (The EE port isn’t complete, sorry!)
  • Some spam delivery methods are easily confused with legitimate users, especially those in large corporations or governments. This is mainly due to the proxies in use at those places. When a spammer uses such a proxy, Bad Behavior cannot easily tell whether the request is legitimate or not. In Bad Behavior 1, these requests were blocked, causing many legitimate users to be blocked. In Bad Behavior 2, you can choose whether to block these requests with the “strict” option.

Upgrading

To upgrade to Bad Behavior 2, you first need to remove all previous versions of Bad Behavior, including any 2.0 pre-release versions. Then you need to drop any database tables Bad Behavior may have created in your database. These may be named, e.g. mw1_bad_behavior or wp_bad_behavior. They may also be bad_behavior_log instead.

Then you are ready to install Bad Behavior 2!

Installation

The basic installation instructions haven’t changed much from Bad Behavior 1. Please see:

Options

For all platforms except WordPress (for now) options are configured by editing them near the top of the bad-behavior-platform.php file. Currently this includes MediaWiki and the generic non-database port. MediaWiki options will be moved to a special page in a future version.

In WordPress, the available options appear in the Options » Bad Behavior administrative page.

The options available to all users are:

  • log_table: The name of the database table Bad Behavior should use. This is set by default for all platforms and should not be changed unless you are porting Bad Behavior to a new software package.
  • display_stats: When this option is set, Bad Behavior will display statistics in the footer of your web pages. (Currently works only on WordPress.)
  • strict: Enables strict mode blocking. When turned on, certain types of spam will be blocked, but legitimate corporate and government users may also be blocked. This is off by default.
  • verbose: Enables logging of all requests received. When turned on, the details of every HTTP request Bad Behavior processes will be logged to the database. When turned off, only blocked requests, and a few legitimate but suspicious requests, will be logged. This is off by default.
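To make the interaction of header-only screening with the strict and verbose options concrete, here is an added sketch; it is not Bad Behavior’s code. The three rules are constructed stand-ins rather than the project’s real checks, and the `whitelist` setting name, the function names and the sample requests are assumptions made for the illustration.

```php
<?php
// Added illustration, not Bad Behavior's code: every rule here is a constructed stand-in.
function screen_request(array $req, array $settings): array
{
    // Normalise header names so lookups are case-insensitive.
    $h = array_change_key_case($req['headers'], CASE_LOWER);

    // The whitelist (hypothetical setting name) is consulted first, for every
    // method, so a whitelisted client is never screened on GET or on POST.
    if (in_array($req['ip'], $settings['whitelist'], true)) {
        return verdict('allow', 'whitelisted', $settings);
    }

    // Unambiguous rules: always enforced.
    if (trim($h['user-agent'] ?? '') === '') {
        return verdict('block', 'missing User-Agent', $settings);
    }
    if (stripos($h['user-agent'], 'Mozilla/') === 0 && !isset($h['accept'])) {
        return verdict('block', 'browser User-Agent without Accept', $settings);
    }

    // Ambiguous rule: a corporate or government proxy can produce this for
    // real users, so only strict mode blocks; otherwise allow but flag it.
    $viaProxy = isset($h['via']) || isset($h['x-forwarded-for']);
    if ($viaProxy && $req['method'] === 'POST' && !isset($h['referer'])) {
        return $settings['strict']
            ? verdict('block', 'proxied POST without Referer', $settings)
            : verdict('allow', 'suspicious: proxied POST without Referer', $settings);
    }
    return verdict('allow', 'clean', $settings);
}

function verdict(string $action, string $reason, array $settings): array
{
    // verbose off: log blocks and suspicious passes; verbose on: log everything.
    $log = $settings['verbose'] || $action === 'block'
        || strpos($reason, 'suspicious') === 0;
    return ['action' => $action, 'reason' => $reason, 'log' => $log];
}

$settings = ['strict' => false, 'verbose' => false, 'whitelist' => ['192.0.2.10']];
$samples = [ // constructed requests; the POST body is never inspected
    ['ip' => '198.51.100.7', 'method' => 'POST', 'headers' => ['Accept' => '*/*']],
    ['ip' => '198.51.100.8', 'method' => 'POST',
     'headers' => ['User-Agent' => 'Mozilla/5.0', 'Accept' => '*/*', 'Via' => '1.1 proxy']],
    ['ip' => '192.0.2.10', 'method' => 'POST', 'headers' => []],
];
foreach ([false, true] as $strict) {
    $settings['strict'] = $strict;
    foreach ($samples as $r) {
        $v = screen_request($r, $settings);
        printf("strict=%d %-13s %-5s %s log=%d\n", $strict, $r['ip'], $v['action'], $v['reason'], $v['log']);
    }
}
```

Only the proxied request changes outcome between the two passes, which is the trade-off the strict option exposes: the same signal that catches a spammer behind a proxy also matches legitimate users behind one.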

To-Do List

I’ve pushed this release out the door because it’s proven stable, fast, and effective, and because spammers have greatly stepped up their activity. So several features which were in the roadmap have been postponed. I will be drawing up a new post-2.0 roadmap for these features in the next few days.

Finally…

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

Download Bad Behavior Now!

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

July 4, 2006 Posted by | Bad Behavior, Blog Spam, MediaWiki, Spam, WordPress | 69 Comments

Bad Behavior 2 Update

Bad Behavior 2 will be released within the next 24 hours.

Unfortunately I didn’t get everything on the roadmap that I wanted to implement. In the last few weeks there’s been a sharp upturn in spam, and despite the spammers’ trying to hide themselves from me, I’ve caught quite a few of them. I’ll continue plugging at the roadmap over the next few weeks, but I want to get a stable release out which will help to stem the new tides of spam we’re seeing now.

Hello, spammers. I know your secrets. I know how you operate. I know what software you use. I know where you downloaded it. I know when you wrote it yourself and when you paid someone else too much for a piece of crap that doesn’t work half the time. I know when you’ve spread a virus to take over people’s computers and run your own private spam network, and I know when you’re just renting a botnet from someone else.

No one likes you. No one truly wants what you’re selling, or you wouldn’t have to mislead them to get them to buy it. And no one will miss you when you meet the same fate as Vardan Kushnir.

July 3, 2006 Posted by | Bad Behavior, Blog Spam, Spam | 5 Comments