Lunacy Unleashed

Notes from the field in the War on Spam

Bad Behavior 2.0.9

Make a Donation.

Bad Behavior 2.0.9 has been released. It is a strongly recommended upgrade for all users.

This release is likely the final release in the 2.0 series as I make a major change in the development process; see below for details on this change.

This release addresses a further set of “false positive” reports received from various users which affect some uncommon circumstances.

New in this release (since 2.0.8):

  • A workaround has been placed for a problem with the Clearswift Web Policy Engine. Users behind this proxy server are no longer blocked.
  • A workaround has been placed for a bug in the LiveJournal OpenID process which Six Apart refuses to fix. Logins using OpenID will no longer fail.
  • A workaround has been placed for bugs in some versions of Internet Explorer and Safari web browsers which caused them to be blocked after leaving a comment on WordPress. These requests are no longer blocked.
  • A spam prevention feature was causing users to be blocked from their own blogs when they also subscribed to their own feed, or when they accessed the site with multiple web browsers at the same time; it has been disabled for rework.

Download Bad Behavior now!

The 2.0 series of Bad Behavior will be maintained as a legacy branch, with only bug fixes, false positive fixes and security fixes applied to this branch, if any such fixes are needed. No new checks for spammers will be added.

Shortly I will introduce a “development” 2.1 series on a much shorter development cycle, with days or perhaps even hours between releases. In this branch I’ll be experimenting with new spam prevention features, rolling them out quickly and rolling back quickly in case of actual trouble. I’ll also be rolling out a new packaging method which I’ve discussed previously, that will make Bad Behavior even more platform-independent than it currently is, and allow for the “core” to be updated separately from the “glue” which connects it to your host platform.

Once features prove themselves through development and testing to be stable, they’ll be rolled forward into a “stable” 2.2 series, intended for those users who are averse to the risks of blocking legitimate users or having the occasional crash. While I work very hard to ensure that every release, however labeled, does not crash, and does not generate false positives, things occasionally happen which are outside my control.

This parallel development scheme will help balance the needs of the two primary groups of Bad Behavior users.

The first group needs enterprise-grade code which ideally never blocks a single legitimate request and can quickly be rolled into production environments with a high degree of confidence. The tradeoff is the same as it has always been: to prevent any chance of false positives, Bad Behavior’s stable branch will permit some spam, anywhere from 0.1% to 10%, to pass through, and will require a backup solution such as Akismet. Even so, it will drastically reduce the amount of time and money spent managing spam, especially for deployments of dozens or hundreds or thousands of sites.

To serve this class of users more effectively, I’m also studying the feasibility of offering support contracts for enterprise users of Bad Behavior. Services offered under such contracts might include installation assistance, on-call support, hotfix development and deployment, and per-incident support. If your organization may need such a service, stay tuned for more details in the near future.

The second group, I believe, is the majority of Web sites: those for whom a rare blocked user is merely an annoyance rather than a critical problem, and who have much lower tolerance for spam because they aren’t being paid to manage their own blogs, wikis and forums. As much as possible, Bad Behavior’s development branch will limit spam for this class of users to 0.5% missed. The tradeoff is that you will be asked to do what you already do: to report any problems you encounter, whether they be missed spam or blocked users or plain old crashes.

And for users who would like to have their cake and eat it too, the development and stable versions will be installable side-by-side on the same site, and you will be able to switch back and forth between them at the click of a button.

Finally, prior to the first stable 2.2 release, I will be reworking all of Bad Behavior’s documentation and moving Bad Behavior from its current home to a new site dedicated solely to Bad Behavior. So you all will have to update your feed URLs to the new location soon. (Mailing list readers won’t have to do anything.)

In the meantime, Bad Behavior remains a user-supported project, with all code released under the GNU General Public License. If you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my limited spare time, and every contribution means I can devote more time to its development.

Advertisements

January 8, 2007 Posted by | Bad Behavior, Blog Spam, LifeType, MediaWiki, Spam, WordPress | Comments Off on Bad Behavior 2.0.9

Bad Behavior 2.0.8

Make a Donation.

Bad Behavior 2.0.8 has been released.

This version contains updates for various “false positive” reports and is recommended for all users.

Updated in this release (since 2.0.7):

  • Verizon Wireless EV-DO users are no longer blocked.
  • Blocked requests will be subject to a two-second delay before a response is sent. (See below.)
  • Some blackhole lists previously used in Bad Behavior have been scaled back or removed.
  • The address for the Bad Behavior Blackhole has been added. (See below.)
  • Some new spambots have been identified and blocked.

In recent days spam attacks have been on the rise, with one especially obnoxious bot delivering requests so fast that some sites have been taken offline by them. While the requests aren’t especially numerous or resource-intensive, the most common software used by Web hosting providers is very inefficient at serving dynamic pages such as PHP-based Web sites. So even a moderate number of requests can take a whole server down, or lead the hosting provider to take the site down before the whole server goes down.

Bad Behavior now counters this by introducing a short two second delay to blocked requests, before the HTTP response is sent. Since most spambots wait for the response before going on to the next request, this should sufficiently slow down most of the overly aggressive spambots and give Web site operators some breathing room. While I would have liked to put in a delay of a minute or more, there remains the slight chance that an actual human being would be blocked, and they should be able to get a response back in a reasonable time.

With respect to realtime blackhole lists, all of the existing lists target e-mail spam, and since spambots who send link spam are almost always also sending e-mail spam through the same servers, these are a fairly effective means of blocking link spam. However, since they target e-mail spam, they also block legitimate users. The primary issue here is that while an IP address may be added to a blackhole list quickly, it is not removed quickly — or at all — once the spam stops. Thus, people with dynamic IP addresses are unfairly blocked because some other customer was sending spam.

Bad Behavior Blackhole, which should go online within the next few weeks, is designed specifically for link spam. It adds IP addresses to its database quickly when actual spam is received, and in addition, drops the IP addresses once the spam stops. This helps prevent dynamic IP customers from being blocked because another user’s computer was sending spam. Once Bad Behavior Blackhole is online, all other realtime blackhole lists will be dropped from Bad Behavior.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

December 15, 2006 Posted by | Bad Behavior, Blog Spam, Drupal, ExpressionEngine, LifeType, MediaWiki, Spam, WordPress | Comments Off on Bad Behavior 2.0.8

Spam Surge

In the last two days I’ve seen a tenfold increase in the amount of spam being delivered, both that is being blocked, and isn’t being blocked, by Bad Behavior.

While the spam started around the same time as I released Bad Behavior 2.0.7 yesterday, there doesn’t appear to be any correlation between the two. I inspected a few of the spams and they seem like the same old stuff, just cranked into very high gear.

I’ve personally seen over 3,000 spam attempts in the last day, with over 200 missed. This is spam that Bad Behavior is not yet capable of catching without blocking legitimate users as well.

This is why I have been working on the Bad Behavior Blackhole, in order to identify and block spam by its sources, wherever they are.

The Bad Behavior Blackhole is a feature that, once fully up and running, can identify known sources of blog spam and wiki vandalism and pre-emptively block them without affecting legitimate users.

Unfortunately, time constraints have not permitted me to put in much work on Bad Behavior Blackhole, as I’ve had to work on things which bring in revenue. As I’ve said before, while tens of thousands of people use Bad Behavior, only a few dozen have ever actually contributed back.

If you find Bad Behavior valuable, and you want to see this project up and running sooner rather than later, please contribute to its further development.

Thank you in advance for your support.

Update: Slashdot has coverage of the massive spam increase, which is hitting e-mail spam as well.

November 7, 2006 Posted by | Bad Behavior, Blog Spam, MediaWiki, Spam, WordPress | Comments Off on Spam Surge

Bad Behavior 2.0.6

Make a Donation.

Bad Behavior 2.0.6 has been released.

About four weeks ago I provided a pre-release copy of Bad Behavior 2.0.6 to a select group of testers in order to evaluate a new method of blocking spam, and it’s proved quite successful at blocking a large chunk of spam. On my testbed it blocked 953 spams and missed about 50. So I expect it to cut the spam flow even further.

I said last month I wasn’t generally releasing it immediately so that I could determine whether it blocked any legitimate users. It did indeed block two people that I know of: one was resolved in moments through the fix-it-yourself link, and the other was myself, while using a Wi-Fi access point. I determined that someone had recently sent spam through the same AP, causing the blockage. It had also caught a third person, before the pre-release, whose computer was actually sending spam at the time.

So I’m releasing 2.0.6 generally. If you received a pre-release copy, this copy is unchanged, and you don’t need to do anything.

New in this release (since 2.0.5):

  • A new blocking method using realtime blackhole lists is being used to determine if a post originates from a known spam source, open proxy, etc. GET requests are not screened. Links are provided to blackhole list removal procedures through the fix it yourself link.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

September 18, 2006 Posted by | Bad Behavior, Blog Spam, MediaWiki, Spam, WordPress | 11 Comments

Bad Behavior 2.1 and 3.0 Roadmap

When I released Bad Behavior 2, I noted that due to time constraints I was unable to complete everything on the roadmap. Most of that is because spammers have dramatically stepped up their activity in recent weeks and the new version provides greatly improved protection against their attacks. Part of it is that as an unpaid project, I can only devote so much spare time to it.

Now that Bad Behavior 2.0 has stabilized, it’s time to update the roadmap in preparation for the next minor (2.1) and major (3.0) releases.

Continue reading

August 5, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, Firefox, Internet Explorer, LifeType, MediaWiki, Spam, WordPress | 15 Comments

Bad Behavior 2.0.5

Make a Donation.

Bad Behavior 2.0.5 has been released to provide small bug fixes.

New in this release (since 2.0.4):

  • A bug affecting MediaWiki and ExpressionEngine users, and possibly others, caused database errors to be thrown when a POST request was received. This has been fixed. (I thought I’d fixed this previously, but apparently not. This one should fix it for real.)
  • A couple of additional spambots have been identified and blocked.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

August 5, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 8 Comments

Bad Behavior 2.0.4

Make a Donation.

Bad Behavior 2.0.4 has been released to provide small bug fixes.

New in this release (since 2.0.3):

  • A bug affecting MediaWiki and ExpressionEngine users, and possibly others, caused database errors to be thrown when a POST request was received. This has been fixed.
  • A confusing entry in the generic code, which was causing PHP warnings for people who mistakenly used it without changing it, has been altered. The section of code, which users of the generic code are expected to change, referred to a variable which did not exist, and users who failed to change the code for their particular installation received warnings.
  • A part of the housekeeping code which optimizes Bad Behavior’s log table has been rescheduled to run in only one of 1000 blocked requests. Under a heavy spam attack this was running much too frequently at its old schedule of one in 25 blocked requests, causing at least one shared hosting provider to complain.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

Update: Due to some errors which creeped in, I’ve repacked the 2.0.4 release. If you already downloaded it and are having strange problems, please re-download it.

July 27, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 17 Comments

Bad Behavior 2.0.3

Make a Donation.

Before I get into the release announcement, I just want to ask all of you to send me money so I can buy a T-shirt here at the HOPE conference. Oh, and eat too. NYC has drained my wallet to just about empty. Thanks!

Bad Behavior 2.0.3 has been released to provide additional protection from certain Ukrainian spammers and to prevent certain users from being blocked inappropriately.

New in this release (since 2.0.2):

  • A check has been added for a high-volume Ukrainian spammer who can generate 500,000 spams per day (and quite possibly much more).
  • A blacklist entry has been relaxed in order to prevent inappropriate blocking of a few rare legitimate users and bots.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

July 23, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 6 Comments

Bad Behavior 2.0.2

Make a Donation.

Bad Behavior 2.0.2 has been released to provide additional protection from certain blog and wiki spammers and email address harvesters.

New in this release (since 2.0.1):

  • A check has been added for certain types of blog comment and wiki spam.
  • Several email address harvesters have been added to the blacklists.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

July 16, 2006 Posted by | Bad Behavior, Blog Spam, ExpressionEngine, MediaWiki, Spam, WordPress | 6 Comments

Bad Behavior 2.0.1

Make a Donation.

Bad Behavior 2.0.1 has been released to address a critical bug in the whitelisting code. All users who use or plan to use the whitelisting feature of Bad Behavior should upgrade to version 2.0.1.

New in this release (since 2.0.0):

  • A bug causing the whitelist to fail on some POST requests has been fixed.
  • Support for the LifeType blog platform has been added. This support was graciously provided by Mark Wu. Unfortunately, I don’t know much about LifeType, so I can’t really give any support for it. You can find more information at Mark’s blog.
  • Some additional checks for trackback spam have been added.

Download Bad Behavior now!

As always, if you find Bad Behavior valuable, please consider making a financial contribution. I develop Bad Behavior in my spare time, and every little bit means I have more spare time to devote to its development.

And don’t forget to subscribe to the RSS feed or the mailing list. (They’re the same content.)

July 9, 2006 Posted by | Bad Behavior, Blog Spam, LifeType, MediaWiki, Spam, WordPress | 9 Comments