Lunacy Unleashed

Notes from the field in the War on Spam

Comments, pings closed due to spam

Comments and pings on this blog are closed until further notice.

This was, I regret to say, a last resort measure. I tend to dislike blogs which don’t accept comments and trackbacks. So why close comments?

October 16, 2006 Posted by | Akismet, Bad Behavior, | Comments Off on Comments, pings closed due to spam

Bad Behavior 2 Alpha 3/Alpha 4

Update: I’ve pushed a couple of fixes for the problems people had in this release as 2.0 Alpha 4. This fixes the issues with being unable to post on your own administrative screens on both platforms, and database insertion errors on MediaWiki. Download it below.

I’m getting ever closer to the final release of Bad Behavior 2.0, so close in fact that I’m not sure why I didn’t just call this series beta. The previous pre-releases have proved to be stable, solid and effective. With this release, I further close the gap and make the system even more effective.

For those of you who have been waiting ever so patiently for the MediaWiki port, it’s finally here. At the moment, much of it is a stub (you can help by expanding it), but it does block automated edits, which is what it’s supposed to do. The special page isn’t implemented yet; that will be coming soon. But it looks like it works on version 1.4 or later.

I’ve completed the technical support pages which are displayed to any rare unfortunate person who might be blocked by Bad Behavior. They all contain unique keys which, at the time of the final release, you’ll be able to plug into a form in the administrative screen, look up what went wrong, and get it fixed. They also contain a link the user can click to get detailed instructions on how to fix the problem from their end (e.g. you have viruses/malware; your old version of Opera has a bug; change this setting in Norton Internet Security; etc.). For now, if you do get any false positive reports, mail me with the technical support key. So far in testing, there have been no false positive reports (that is, a human being blocked inappropriately), and I’ve been watching the blocked accesses in real time to see if I can see any, but I haven’t spotted one here yet.

What I have seen since 2.0 Alpha 2 is nearly all spam blocked. And I’ve taken the very little spam which escaped, all of it manually posted, and found a way to block it, too. Since implementation of that fix, Bad Behavior is showing 100% effective at blocking spam with no false positives. And while that may change in the future, it looks like for now I’m way ahead of the spammers again. I do, of course, need more extensive testing on MediaWiki, and reports of any spam that Bad Behavior doesn’t block. But if you’ve been waiting, now is the time to install it on MediaWiki; it’s stable enough for everyday use (“Alpha” is a misnomer, I guess), and I use it in production on both WordPress and MediaWiki.

How to Install

If you upgrade from version 1, you can and should leave version 1 in place. This version installs to a different directory. For WordPress, remove any previous 2.x version first, unzip the file and upload the bb2 directory and its contents to your wp-content/plugins directory. For MediaWiki, unzip the file and upload the bb2 folder and its contents to your extensions directory. Keep the directory structure intact.

On WordPress, deactivate version 1 (if present) and activate version 2. On MediaWiki, edit LocalSettings.php, comment out the old extension (if present) and add in the new extension, for example:
include( 'extensions/bb2/bad-behavior-mediawiki.php' );

On MediaWiki, if you then receive an error saying you need to reconfigure the load balancer (you don’t), add the following line to LocalSettings.php, before the include line shown previously:
define('BB2_NO_CREATE', true);
Then you need to manually create Bad Behavior 2’s new table structure. The table name is mw1_bad_behavior, replacing mw1_ with your table prefix, of course, and you can find the table structure to create in bb2/bad-behavior/

To Do

The to-do list is pretty short, though it’s possible I’ve forgotten something. If I did, please leave a comment below.

WordPress: Implement the database search facility on the Options > Bad Behavior admin screen.

MediaWiki: Implement the special page. Implement the ability to save options.

ExpressionEngine: Targeted for next alpha/beta release.

Generic/Third Party Ports: Should be possible now, but I don’t have a generic template ready yet; e-mail me if you have questions.

And as always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit counts.

Download Bad Behavior Now!

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

April 29, 2006 Posted by | Akismet, Bad Behavior, Blog Spam, MediaWiki, Spam, WordPress | 94 Comments

Bad Behavior 2 Roadmap Update

I’m preparing the second alpha test release of Bad Behavior now, and it should be out within the next day or so. It’s currently running live on my other blog, Homeland Stupidity, and so far, absolutely no spam has escaped it, and no false positives whatsoever. I’m happy with the way it’s come out, and once again, Bad Behavior will be well ahead of the spammers — and the other available anti-spam tools.

First, the bad news. I haven’t had time to prepare the MediaWiki port or the ExpressionEngine port. I hope to have them ready after some feedback comes in on this test release. It also might necessitate changes in the core, and since I’m preparing ports for three different platforms all by myself, it’s rather time consuming. As you’ll recall, I have to give priority to things that bring me income, and Bad Behavior isn’t normally one of those things.

Now the good news. Bad Behavior 2 is still fairly simple and quite fast, as it’s actually smaller than the previous version while containing more functionality. Don’t ask me how I did that; it’s a trade secret. 🙂

Stay tuned; the test release is imminent.

April 26, 2006 Posted by | Akismet, Bad Behavior, Blog Spam, Spam, WordPress | 6 Comments

Akismet – Automattic Kismet

Last week I told you all about Automattic Spam Stopper, the new anti-spam solution for WordPress from Matt Mullenweg. There’s been some new news, and you’re going to hear it here first.

First off, the plugin has been renamed to Automattic Kismet, or Akismet for short.

Second, it now requires a API key, which you can find on your Profile page. (Click My Dashboard, then Profile.) If you don’t have a account, you won’t be able to use Akismet at this time, until you somehow finagle yourself an account. The fastest way is probably to use Flock. You don’t actually have to blog at to use Akismet, you just need the account to get the API key. You can use the API key at more than one blog, too.

Matt plans to have Akismet free for personal use, and charge “pro” bloggers $5 per month for the service. He’s defined pro bloggers as anyone making over $500 per month from their blogs. He also has a program set up for large enterprise installations, though I only know of one customer for that right now. However, anyone who participated in testing Akismet prior to today will be grandfathered in and have a free enterprise account forever.

Akismet is surprisingly effective at stopping spam. After having built a sufficiently large corpus of spam to draw from, it’s killing about 99.9% of incoming spam, and has a false positive rate less than 0.1%. However, when the central service goes down, all comments go into the moderation queue. The service has had some downtime, and on the sites where I’ve been testing Akismet, I’ve had to watch the moderation queue fairly closely. Matt says he’s working on new, more reliable hosting for the service.

So where does Akismet fit into the overall spam prevention picture?

Akismet has a great advantage over most anti-spam solutions: by seeing incoming spam from all over the Internet, it can identify new spam very quickly, perhaps as soon as seconds after a spam run begins, once it’s in wider usage. It is also better at spam management, when you have to sort through hundreds of spams to find a legitimate one that might have been blocked by mistake. It presents spam in a compact format that makes it pretty easy to scan through and spot legitimate comments.

However, Akismet has a couple of drawbacks which are common to most anti-spam solutions for WordPress, and a couple of unique drawbacks of its own. The obvious ones are that it’s a for-pay solution for many people who might want to use it. It uses a central server which is subject to downtime. Though Matt hasn’t said much about the secret sauce, it definitely analyzes the content of incoming posts. And finally, it does nothing to keep the spammers from using up your bandwidth and database space.

For most people running a personal WordPress blog, Akismet is the ideal second line of defense. It will entirely replace plugins such as wp-hashcash, Spam Karma 2, AuthImage, etc. In fact, it makes most other anti-spam plugins entirely redundant.

The one anti-spam plugin which Akismet will not make redundant is Bad Behavior. There are several reasons for this. Bad Behavior is a first line of defense, stopping spammers before they can read your site at all, waste your bandwidth, or drop junk in your database. This is especially important for self-hosted sites, or sites hosted on dedicated or virtual dedicated servers, where CPU time and bandwidth are precious. Like most other anti-spam plugins, Akismet does not and cannot conserve its users’ bandwidth, CPU and disk usage from a spam attack. Bad Behavior does, meaning it will continue to be an integral part of most people’s anti-spam arsenals.

You may not think this is important, especially if you have never received a large amount of spam at once. But the day is coming when you will, and having that first line of defense can mean the difference between your site staying up, and your Web host shutting off your site. Spammers can easily hit you so hard as to create denial-of-service conditions, and Bad Behavior has been proven to mitigate this effect. In fact, it’s even stood up to the Slashdot effect without blinking.

I should disclaim at this point. I am involved in the development of Akismet, having rewritten a significant amount of the code from the time it was known as ASS, and integrating CJD’s Spam Nuker into the plugin. I continue to remain involved with Akismet as long as there’s work to do on it (and there are a couple of bugs I need to fix).

As I said yesterday, however, I remain committed to the development of Bad Behavior. It is still sorely needed as a first line of defense for WordPress, not to mention all of the other platforms on which it now runs.

What does the future hold? Nobody can say for sure, but I predict that for WordPress users wanting to remain spam-free, the combination of Akismet with Bad Behavior will prove to be a double whammy to blog spammers. For everyone else, Bad Behavior remains the first line of defense, and Matt has said that Akismet could be ported to other platforms as well. Someone else, I think, will have to take up that challenge. My hands are full already. 🙂

P.S. Matt’s started a web site for Akismet, where you can find more information.

October 26, 2005 Posted by | Akismet, Blog Spam, Spam, WordPress, | 15 Comments