Lunacy Unleashed

Notes from the field in the War on Spam

Bad Behavior 2.0.8

Bad Behavior 2.0.8 has been released.

This version contains updates for various “false positive” reports and is recommended for all users.

Updated in this release (since 2.0.7):

  • Verizon Wireless EV-DO users are no longer blocked.
  • Blocked requests will be subject to a two-second delay before a response is sent. (See below.)
  • Some blackhole lists previously used in Bad Behavior have been scaled back or removed.
  • The address for the Bad Behavior Blackhole has been added. (See below.)
  • Some new spambots have been identified and blocked.

In recent days spam attacks have been on the rise, with one especially obnoxious bot delivering requests so fast that some sites have been taken offline by them. While the requests aren’t especially numerous or resource-intensive, the most common software used by Web hosting providers is very inefficient at serving dynamic pages such as PHP-based Web sites. So even a moderate number of requests can take a whole server down, or lead the hosting provider to take the site down before the whole server goes down.

Bad Behavior now counters this by introducing a short two-second delay to blocked requests, before the HTTP response is sent. Since most spambots wait for the response before going on to the next request, this should sufficiently slow down most of the overly aggressive spambots and give Web site operators some breathing room. While I would have liked to put in a delay of a minute or more, there remains the slight chance that an actual human being would be blocked, and they should be able to get a response back in a reasonable time.

With respect to realtime blackhole lists, all of the existing lists target e-mail spam, and since spambots that send link spam are almost always also sending e-mail spam through the same servers, these are a fairly effective means of blocking link spam. However, since they target e-mail spam, they also block legitimate users. The primary issue here is that while an IP address may be added to a blackhole list quickly, it is not removed quickly — or at all — once the spam stops. Thus, people with dynamic IP addresses are unfairly blocked because some other customer was sending spam.

Bad Behavior Blackhole, which should go online within the next few weeks, is designed specifically for link spam. It adds IP addresses to its database quickly when actual spam is received, and in addition, drops the IP addresses once the spam stops. This helps prevent dynamic IP customers from being blocked because another user’s computer was sending spam. Once Bad Behavior Blackhole is online, all other realtime blackhole lists will be dropped from Bad Behavior.
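The two mechanisms described above, a listing that is added as soon as spam is seen and lapses once the spam stops, and a two-second hold on blocked requests, sketched as an added example; this is not Bad Behavior's own code. The 24-hour expiry window, the 403 status and all names are assumptions, since the post gives none.

```python
import time

BLOCK_DELAY_SECONDS = 2.0          # delay stated in the post for blocked requests
LISTING_TTL_SECONDS = 24 * 3600    # assumed: how long a listing outlives the last spam


class ExpiringBlocklist:
    """IP listings that lapse on their own once spam from that IP stops."""

    def __init__(self, ttl=LISTING_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock             # injectable so expiry can be tested offline
        self._last_spam = {}           # ip -> time the most recent spam was seen

    def report_spam(self, ip):
        # Listing is immediate, and each new spam restarts the expiry window.
        self._last_spam[ip] = self.clock()

    def is_listed(self, ip):
        seen = self._last_spam.get(ip)
        if seen is None:
            return False
        if self.clock() - seen >= self.ttl:
            # No spam for a full window: drop the entry so the next holder
            # of a dynamic address is not blocked for someone else's spam.
            del self._last_spam[ip]
            return False
        return True


def handle_request(ip, blocklist, sleep=time.sleep):
    """Return an HTTP status; blocked requests are held before the reply."""
    if blocklist.is_listed(ip):
        # A client that waits for each response before sending the next
        # request is capped at one blocked request per delay period.
        sleep(BLOCK_DELAY_SECONDS)
        return 403                     # assumed status for a blocked request
    return 200
```

The delay only limits clients that wait for the response; each held request also occupies a server worker for the full two seconds, which is one reason to keep the hold short.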

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

December 15, 2006 Posted by | Bad Behavior, Blog Spam, Drupal, ExpressionEngine, LifeType, MediaWiki, Spam, WordPress | Comments Off on Bad Behavior 2.0.8

Bad Behavior 2.1 and 3.0 Roadmap

When I released Bad Behavior 2, I noted that due to time constraints I was unable to complete everything on the roadmap. Most of that is because spammers have dramatically stepped up their activity in recent weeks and the new version provides greatly improved protection against their attacks. Part of it is that as an unpaid project, I can only devote so much spare time to it.

Now that Bad Behavior 2.0 has stabilized, it’s time to update the roadmap in preparation for the next minor (2.1) and major (3.0) releases.

August 5, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, Firefox, Internet Explorer, LifeType, MediaWiki, Spam, WordPress | 15 Comments

Bad Behavior 2.0.5

Bad Behavior 2.0.5 has been released to provide small bug fixes.

New in this release (since 2.0.4):

  • A bug affecting MediaWiki and ExpressionEngine users, and possibly others, caused database errors to be thrown when a POST request was received. This has been fixed. (I thought I’d fixed this previously, but apparently not. This one should fix it for real.)
  • A couple of additional spambots have been identified and blocked.

August 5, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 8 Comments

Bad Behavior 2.0.4

Bad Behavior 2.0.4 has been released to provide small bug fixes.

New in this release (since 2.0.3):

  • A bug affecting MediaWiki and ExpressionEngine users, and possibly others, caused database errors to be thrown when a POST request was received. This has been fixed.
  • A confusing entry in the generic code, which was causing PHP warnings for people who mistakenly used it without changing it, has been altered. The section of code, which users of the generic code are expected to change, referred to a variable which did not exist, and users who failed to change the code for their particular installation received warnings.
  • A part of the housekeeping code which optimizes Bad Behavior’s log table has been rescheduled to run in only one of 1000 blocked requests. Under a heavy spam attack this was running much too frequently at its old schedule of one in 25 blocked requests, causing at least one shared hosting provider to complain.

Update: Due to some errors which crept in, I’ve repacked the 2.0.4 release. If you already downloaded it and are having strange problems, please re-download it.

July 27, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 17 Comments

Bad Behavior 2.0.3

Before I get into the release announcement, I just want to ask all of you to send me money so I can buy a T-shirt here at the HOPE conference. Oh, and eat too. NYC has drained my wallet to just about empty. Thanks!

Bad Behavior 2.0.3 has been released to provide additional protection from certain Ukrainian spammers and to prevent certain users from being blocked inappropriately.

New in this release (since 2.0.2):

  • A check has been added for a high-volume Ukrainian spammer who can generate 500,000 spams per day (and quite possibly much more).
  • A blacklist entry has been relaxed in order to prevent inappropriate blocking of a few rare legitimate users and bots.

July 23, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 6 Comments

Bad Behavior 2.0.2

Bad Behavior 2.0.2 has been released to provide additional protection from certain blog and wiki spammers and email address harvesters.

New in this release (since 2.0.1):

  • A check has been added for certain types of blog comment and wiki spam.
  • Several email address harvesters have been added to the blacklists.

July 16, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 6 Comments

Bad Behavior 2 for ExpressionEngine

Paul Burdick of pMachine has managed to put out a port of Bad Behavior 2 for ExpressionEngine in the record time of “an hour this afternoon,” he wrote on the EE forums Thursday.

I took a quick look through the extension and to my eye it looks good. I haven’t tested it myself, but the early results on the forum suggest that it works OK.

Check out the EE forum thread for more info and to download the extension.

Please note these special installation instructions:

You need BOTH the bad_behavior extension from EE AND the standard Bad Behavior download.

To install it: Unpack the stock Bad Behavior download, and you’ll find a Bad-Behavior folder. Inside THAT folder is a bad-behavior folder. Upload ONLY the bad-behavior folder from the stock download, along with the ext.bad_behavior.php from the EE download, to your EE ./system/extensions folder. Then upload the lang.bad_behavior.php file to your EE ./system/language/english folder.

You can then activate and configure Bad Behavior from the Extensions Manager. The ‘strict’ and ‘verbose’ settings should work as for the other ports. I don’t know if the ‘display_stats’ setting has been implemented; I think on EE it probably requires a template change at least…

Thanks, Paul!

July 7, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, Spam | 15 Comments