It’s been a long time coming, and Bad Behavior 2, the next generation of the Web’s premier malicious traffic killer, is finally here!
Bad Behavior, conceived in 2005 as a fingerprinting method for HTTP requests, has proven, as one user called it, “shockingly effective” at identifying and blocking malicious activity, including blog/wiki spam, e-mail address harvesting, automated cracking attempts, and more. It does all of this looking only at the HTTP request headers; for POST data, the content of the spam is not analyzed at all.
Even so, Bad Behavior blocks the vast majority of web spam, and has gotten the spammers so worked up they’ve actually stopped spamming me with their latest tools, so as to try to prevent me from learning what they’re up to. (It didn’t work. “The king hath note of all that they intend, By interception which they dream not of.” — Shakespeare)
I’ve been developing Bad Behavior 2 in my limited spare time, off and on, for almost a year. And I want to thank all of you for your patience, especially while spammers were bombarding your blogs and wikis, and for your support. It’s been a crazy year, and I’ll be talking more on a personal note about it in the next few weeks.
And that is the reason I am releasing the software now, when not all of the planned features are present: In recent weeks spammers have greatly stepped up their activity, with some sites receiving ten times as much spam as before. I’ve been hard at work on Bad Behavior 2, making sure that it can block this spam without keeping away your regular readers.
New Features
Even without everything I’d planned, Bad Behavior 2 is chock full of new features. Some of them are quite visible, others are more in the backend.
- Bad Behavior 2 is faster than Bad Behavior 1, whether you use database logging or not. It has been completely redesigned from the ground up to be as fast as possible and provide protection on very high traffic sites, such as when you find yourself on the front page of slashdot.org, or you’re the sysop of Wikipedia. For most requests, Bad Behavior 2 issues at most one fast database query, and in many cases, no database queries. Bad Behavior’s run time on fast servers is measured in single milliseconds.
- Bad Behavior 2 has been enhanced with additional checks for spammers who have started or increased their activity in the last year. It also has better screening of trackback spam, killing virtually all of it. Bad Behavior 1 permitted a lot of trackback spam.
- Bad Behavior 2’s options have been standardized across ports, so that the same options work the same way on each software package. (Not all of the options apply to each package, however.) This makes Bad Behavior easier to deploy across multiple sites and different software packages.
- On some software packages, Bad Behavior’s options can be controlled from within the software package. Currently an administrative screen is available on WordPress, and a screen is planned for MediaWiki. (It hasn’t been implemented because developer documentation is sparse, incomplete and wrong, according to Brion. When the documentation improves, the MediaWiki port’s features will improve.)
- For speed reasons, Bad Behavior 2 does not use PHP classes in its core. But Bad Behavior 2’s API has been rewritten to provide a better interface for certain types of software, such as ExpressionEngine, which expect their extensions to be encapsulated in classes. (The EE port isn’t complete, sorry!)
- Some spam delivery methods are easily confused with legitimate users, especially those in large corporations or governments. This is mainly due to the proxies in use at those places. When a spammer uses such a proxy, Bad Behavior cannot easily tell whether the request is legitimate or not. In Bad Behavior 1, these requests were blocked, causing many legitimate users to be blocked. In Bad Behavior 2, you can choose whether to block these requests with the “strict” option.
Upgrading
To upgrade to Bad Behavior 2, you first need to remove all previous versions of Bad Behavior, including any 2.0 pre-release versions. Then you need to drop any database tables Bad Behavior may have created in your database. These may be named, e.g. mw1_bad_behavior or wp_bad_behavior. They may also be bad_behavior_log instead.
Then you are ready to install Bad Behavior 2!
Installation
The basic installation instructions haven’t changed much from Bad Behavior 1. Please see:
Options
For all platforms except WordPress (for now) options are configured by editing them near the top of the bad-behavior-platform.php file. Currently this includes MediaWiki and the generic non-database port. MediaWiki options will be moved to a special page in a future version.
In WordPress, the available options appear in the Options » Bad Behavior administrative page.
The options available to all users are:
- log_table: The name of the database table Bad Behavior should use. This is set by default for all platforms and should not be changed unless you are porting Bad Behavior to a new software package.
- display_stats: When this option is set, Bad Behavior will display statistics in the footer of your web pages. (Currently works only on WordPress.)
- strict: Enables strict mode blocking. When turned on, certain types of spam will be blocked, but legitimate corporate and government users may also be blocked. This is off by default.
- verbose: Enables logging of all requests received. When turned on, the details of every HTTP request Bad Behavior processes will be logged to the database. When turned off, only blocked requests, and a few legitimate but suspicious requests, will be logged. This is off by default.
To-Do List
I’ve pushed this release out the door because it’s proven stable, fast, and effective, and because spammers have greatly stepped up their activity. So several features which were in the roadmap have been postponed. I will be drawing up a new post-2.0 roadmap for these features in the next few days.
Finally…
As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.
And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)