Lunacy Unleashed

Notes from the field in the War on Spam

Bad Behavior Blackhole Update

About a year ago I started a project called the Bad Behavior Blackhole. The purpose of the blackhole was to list known sources of blog spam and to publish that data for the use of bloggers who wanted to make use of it to prevent spam.

Due to lack of time, I put the project on hold indefinitely. But I’ve been slowly working on it, off and on, over the last few months. Mostly off, again, due to lack of time. As I’ve said before, I have to spend most of my time on things that pay the bills, and historically, fighting spam hasn’t really been one of them, unfortunately.

With Bad Behavior 2.0.6 this week, I released a new feature which checks POST requests against third-party spam blacklists. This has proven quite effective in stopping a lot of the spam that wasn’t otherwise caught, but it does have a few drawbacks.

First, since I don’t maintain any of the lists, it’s difficult for me to help anyone get removed from the lists, other than providing links back to the blacklist providers. I’ve seen a few positive hits which I don’t want to be blocking, such as dynamic IP addresses which once sent a spam two or three years ago and have been blacklisted ever since. (The list involved,, will be dropped in the next release, and you can edit the code and remove it yourself if you’re having problems with it.)

I envision the Bad Behavior Blackhole as much more responsive than other blacklists, as the users likely to be affected aren’t going to really know what’s going on, or why they should be blocked because somebody sent a spam back in 2003.

Specifically, Bad Behavior Blackhole will have the following features:

  • Immediate removal for anyone upon request, the first time. Removal will be delayed for further requests from the same IP, to prevent spammers from removing themselves and sending more spam.
  • Blacklisting only for a specific period of time, and only while spam is actually flowing from a given IP address. Once the spam stops, the address will be delisted automatically after a short time. If it restarts, then the address is relisted.
  • List sources which are actually sending spam, as well as sources which are demonstrated to have compromised security, such as open proxy servers and Trojaned machines, before they can send spam.
  • Usable from any platform. This covers Movable Type, WordPress, and just about anything else you can think of. Adding support for realtime blackhole lists to any given program is at most a 15-minute hack.

It needs about a day and a half worth of work to finish up and do the initial rollout. (Didn’t you notice the link for it was dead?) But as I said before, I’ve been delaying it due to lack of time. And this is where you come in. I work on Bad Behavior and related projects primarily as I have time, and I can afford to devote more time to it when more people contribute to its development.

Over the past couple of months I’ve been quietly setting up a honeypot blog, and collecting other sources of data on blog spammers, to feed the realtime blackhole list. The data is coming in. At this point it just needs to be connected to the Bad Behavior Blackhole, tested and released. Once this is done we’ll have a much more responsive list which actually keeps spammers out, keeps blocking of legitimate users to an absolute minimum, and provides an easy removal method for the rare person who might be blocked.

If you’d like to see this project completed sooner than later, contribute to further development of the Bad Behavior Blackhole.

And again, thank you all for your continued support in the war on web spam. Bad Behavior could not continue without it.


September 22, 2006 - Posted by | Bad Behavior, Blog Spam, Spam


  1. […] Bad Behavior Blackhole Update The Blackhole is going live? Excellent. (tags: badbehavior spam spammers scrappers hackers splogs) […]

    Pingback by links for 2006-09-23 at [MacStansbury] | September 23, 2006

  2. I don’t know if it’s becouse of this, but since today I cant log in to my admin. It happened with all the two dynamic ip’s I tryed today. BB says that both ip’s were used in 2005 to send spam. I think this database is a very bad idea for dynamic ip’s.

    Is there a way to disable this ip blackisting without deleting the whole bb directory in my server?

    Comment by stadi | September 27, 2006

  3. I think i spotted a bug. I was setting up a WP website for a friend, and when i was chosing WP options after the initial setup i was blocked (just afte turning BB on). BB said i was behind an open proxy – which may be true or half-true. What i am behind is an ISP router (i suppose).
    Anyway, i was blocked ONLY when i tried to save some WP option, and NOT when i was seeing the website, WP admin pages, or for that matter my own WP website where i run the same BB version (2.0.6). So, somehting must be wrong: either it should block me all the time, or never, right?
    And by the way, it seems a bad idea to have blacklisting. I am behind something, but that something is the ISP’s responsibility, i ahve no control over how it is run/configured.

    Comment by eduardo | September 30, 2006

  4. I addressed your concern in the body of the post. Go back to the top of the page. 🙂

    Comment by Michael Hampton | September 30, 2006

  5. […] Michael Hampton discussed the status of the Bad Behavior Blackhole project. […]

    Pingback by | Blogroll Dive: 10/2/06 | October 2, 2006

  6. I’ve removed dbsl from the list and had to remove spamhaus this morning as well. Would you consider making an option in the admin panel in the next version to turn blacklisting off entirely?

    Comment by zazamataz | October 8, 2006

  7. I’d also like to see, as I stated elsewhere, a ‘relaxed’ mode that shuts off blacklist checks.

    For the Blackhole project, one thing I’d urge is some granularity in reporting. If a host is blackholed for spamming blogs it should report as such, same with wikis, etc., maybe by returning a specific IPs made up of a bitmask with the bit set for each type of Bad Behavior install that reported the offending host.

    The reason I suggest this is because trojaned hosts which are spamming blogs may well not be spamming wikis, and so we may not want to throw the baby out with the bathwater and block somebody who’s been trojaned and is spamming some other medium than the one the human using the compromised machine is trying to post on.

    Yes, it’s extra work, but coming from the wiki world, I’m really loathe to lose good edits from compromised machines.

    Comment by Neurophyre | October 11, 2006

  8. […] 作者 Michael Hampton 亦知道有機會出現這個問題,因為那些 blacklist 並不是由他 maintain 的,所以他再次提出 Bad Behavior Blackhole project,但因為時間及經濟問題所以停止開發。 […]

    Pingback by Bad Behavior 檢查 Blacklist IP @ 天佑的自由天地 | October 12, 2006

Sorry, the comment form is closed at this time.

%d bloggers like this: