
About Bad Behavior

Features and Benefits

Bad Behavior is designed to integrate into your PHP-based Web site, running as early as possible to throw out spam bots before they have the opportunity to vandalize your site with their junk, or even to scrape your pages for e-mail addresses and forms to fill out.

Not only does Bad Behavior block actual vandalism to your site, it also blocks many e-mail address harvesters, resulting in less e-mail spam, and many automated Web site cracking tools, helping to improve your Web site’s security.

Bad Behavior runs before your software on each request to your Web site, so if a spam bot does visit, it will receive nothing, and your software never runs. This reduces the amount of server CPU time, database activity and bandwidth spent on processing robots which are just harvesting your site and delivering junk.

Bad Behavior rejects spam bots outright, sending an appropriate 4xx error code. This lets you filter them out of your server’s logs when you do log analysis, making them cleaner and more accurate and giving you better insight into the human beings visiting your site, rather than the spammers.

Bad Behavior is fully compatible with reverse proxies, HTTP accelerators, load balancers and content distribution networks. It is fully Section 508/WAI compliant. And it stores personally identifying information for a maximum of seven days (it is usually not stored at all), making it compatible with virtually any corporate or government privacy requirements.

Bad Behavior is designed as a platform-independent package which uses a connector to integrate with a given software package (MediaWiki, WordPress, etc.). This lets Bad Behavior run on a very wide variety of Web applications, including personalized custom scripts you may have written. With some Web servers, Bad Behavior can even be used to protect static HTML pages.

How it Works

It’s black magic.

Bad Behavior manages to block nearly all link spam without ever looking at the spam. While it might be useful to do so, for performance reasons, Bad Behavior does not analyze received spam. I’ve found that this way lies madness; spammers are constantly buying new domain names, so it’s possible to miss a lot of spam by looking at it.

Instead, Bad Behavior pioneered an HTTP fingerprinting approach. Instead of looking at the spam, we look at the spammer. Bad Behavior analyzes the HTTP headers, IP address, and other metadata regarding the request to determine if it is spammy or malicious. This approach has proved, as one user said, “shockingly effective.” After all, spammers write their bots on the cheap, and have little incentive to code very well. If they could code very well, they probably wouldn’t be spammers.

When Bad Behavior looks at a request, it determines if the request matches a profile of known malicious or spammy activity, and falls outside the bounds of a normal human browsing the web. If so, the request is blocked. But a way out is provided for any human beings with unusual configurations or viruses/Trojans on their computer who may be blocked.

From the start, Bad Behavior has had two overriding design requirements. The first is that it must be fast. Users will get annoyed by waiting around for their traffic to be screened for spamminess. (Is that a word?) Especially since Bad Behavior screens all requests in order to block email harvesters and certain malicious robots, speed is paramount. I’ve had to abandon good ideas because they would add significantly to Bad Behavior’s run time, which is typically measured in milliseconds, and can be cut to hundreds of microseconds for very high traffic sites.

The second requirement is that it must block as few legitimate users as possible, and when one is blocked, they must be able to unblock themselves through an action simple and fast enough that they can simply hit the browser’s reload button once they’ve completed the action. Bad Behavior provides a technical support key to each blocked request which allows the requester, if it’s a legitimate human being, to get immediate, self-service support to fix the problem (e.g. virus removal, change of browser preference, etc.) and go back to browsing. Out of countless millions of requests served daily, an average of 50 people use the technical support system, and virtually all of those resolve the problem themselves in under five minutes.
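To make the approach concrete, here is a small PHP pre-application screen written for this page (it is an added example, not code from the Bad Behavior project). It looks only at request metadata, answers a matching request with a 4xx before the site's own code runs, and hands a blocked client a support key; the two checks it applies (a malformed Referer, which is the Error 400 case discussed in the comments below, and an empty User-Agent), the choice of status codes and the key derivation are this example's own assumptions.

```php
<?php
// Added example, not Bad Behavior's own code: a minimal pre-application
// request screen. Checks, status codes and key derivation are assumptions.

function screen_request(array $server): ?array
{
    // Browsers either omit Referer or send an absolute http(s) URL. Anything
    // else usually comes from a broken proxy or privacy add-on (the Error 400
    // case in the comments), so it is answered with 400 rather than 403.
    if (isset($server['HTTP_REFERER'])
        && (!preg_match('#^https?://#i', $server['HTTP_REFERER'])
            || filter_var($server['HTTP_REFERER'], FILTER_VALIDATE_URL) === false)) {
        return [400, 'An invalid request was received from your browser.'];
    }
    // Every browser sends a User-Agent; an empty one is outside the profile
    // of a human visitor.
    if (trim($server['HTTP_USER_AGENT'] ?? '') === '') {
        return [403, 'Your request did not identify a web browser.'];
    }
    return null; // no profile matched: let the application run
}

// Short, non-secret key the blocked person can quote to support. Assumed
// derivation: hash of the client address, the reason and the current day.
function support_key(string $ip, string $reason): string
{
    $hex = substr(hash('sha256', $ip . '|' . $reason . '|' . gmdate('Y-m-d')), 0, 16);
    return implode('-', str_split($hex, 4));
}

// Run this before the application (e.g. via PHP's auto_prepend_file or a
// require at the top of the front controller).
function run_screen(): void
{
    $verdict = screen_request($_SERVER);
    if ($verdict === null) {
        return;
    }
    [$status, $message] = $verdict;
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    $key = support_key($_SERVER['REMOTE_ADDR'] ?? '', $message);
    echo "Error $status\n\n$message\n\nYour technical support key is: $key\n";
    exit; // the site's own code never runs for a blocked request
}

run_screen();
```

Because the decision is made from headers alone, the cost per request stays at a few string checks, which is the property the speed requirement above depends on.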

Spam Prevention Strategy

Despite the best efforts of the brightest minds on the Internet, spam isn’t going away anytime soon. (We just haven’t figured out how to deliver electric shock over the Internet yet.) And to be most effective at blocking it, you may need to apply a variety of techniques.

Bad Behavior is completely different from any other anti-spam solution out there, in that it doesn’t specifically target spam itself. Rather, it targets the methods by which the spam is delivered. Until I released the first version in 2005, this approach had never been tried. It proved very effective at stopping a lot of malicious activity, not just spam: it also blocks many email address harvesters, meaning less e-mail spam, and some types of automated cracking attempts, improving your server’s security.

While a somewhat similar solution called mod_security exists, it has a rather different purpose, doesn’t target spam, and regular people can’t install mod_security on their shared web hosting accounts. Bad Behavior blocks spam as well as other malicious activity and can be installed by anyone.

On some high traffic sites, or those specifically targeted by spammers, the traffic from these spam attacks can be so excessive as to exceed your account’s bandwidth limits, or overload the server, and cause your account to be suspended. Bad Behavior helps to prevent both of these situations by blocking malicious activity as soon as possible, before either bandwidth or CPU is expended on a request which will turn out to be bogus.

But because Bad Behavior intends to block no legitimate users whatsoever, it must necessarily let some things pass. Consider it your first line of defense, and back it up with a secondary line of defense in the form of a more traditional anti-spam tool for your platform. For WordPress, this can include Akismet or Spam Karma 2.

You absolutely should use both. If you use only the secondary line of defense, your administrative screen will rapidly fill with so much spam that you won’t be able to find and recover the occasional legitimate comment that those tools block. By blocking most spammers before you ever see them, the amount of garbage you have to sift through to find legitimate comments, or the number of edits you have to revert on your wiki, is greatly reduced.

In this way Bad Behavior saves you time and frustration and gives you peace of mind by turning spam from a colossal nightmare into, well, not much at all.

24 Responses

  1. Christi O'laughlin

    I WAS ACCIDENTLY PRESSING THE MARK-SPAM “X”.. LIKE YOU DO IN THE UPPER RIGHT CORNER ON PICTURES.

  2. Peter H. Theodore

    If only you could prevent advertisers from attaching cookies to users of your amazing sites! I’ve had many friends stop visiting your sites because of this.
    Respectfully,
    Peter

  3. anonymouz

    i got banned as a user who dont spam.. or being spambot?! lol
    i hope ur service died like all other crappy sites with crappy bullsh

    banning users from sites they cant ever use it again
    is a blocking of normally inet-users, net-future, and its a NONO!!
    i hope u receive mass of packages u cant block ever

    white magic roxx

    • Sorry you got blocked. But you should have fixed the problem yourself. After all, you were using an open proxy. You shouldn’t be surprised that somebody chose to block open proxies. In any case it isn’t my fault.

  4. WSecure

    lol, funny posts…

    however I just checked out your site and will now give your module a try.
    please go ahead with your great work! :)

    regards

  5. WSecure

    Hello Michael Hampton and whoever does read this…
    Well I had the same error now as “anonymouz” had.
    I was locked out of my site with this error msg:

    Error 400

    We’re sorry, but we could not fulfill your request for / on this server.

    An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.

    Your technical support key is: 5c48-3059-6992-0ee5

    You can use this key to fix this problem yourself.

    If you are unable to fix the problem yourself, please contact abuse at wsecure.de and be sure to provide the technical support key shown above.

    so… I am using a “malfunctioning proxy server” which cannot be…
    I use FF latest version and do not have any browser addons which could produce this error.
    I even tried then to connect localhost on the machine with iexplorer to drupal and had the exact same error msg?!
    the only way to get access back in was to rename the folders I copied before into drupal to some other name.

    any hints?

    regards

    • WSecure,

      This means that the browser sent an invalid Referer: value. This is either a proxy server or malfunctioning privacy software.

      If you are 100% sure that you haven’t installed any privacy software, then try using the Change Referer Button extension for Firefox to reset the setting to its default value (2).

      • Dan B

        I’m also getting the same problem. Error 400 and I can no longer access my own website (in Drupal). I’ve also installed the Change Referrer button and set it to 2, but still no luck. Unless you have another solution, I’ll probably need to go into the directory and remove the module.

        • Did you try a different web browser or another computer? Something is interfering with your connection and it would be good to figure out what it is so that this doesn’t happen again.

  6. S

    Does this block such proxies like hidemyass.com? Those are the tricky ones I’m having issues with keeping away.

    • Hi S,

      Bad Behavior avoids blocking services which have significant legitimate uses, such as web-based proxies. Currently we do block certain proxy servers based on misconfiguration or obvious abuse, but this covers only a small fraction of open proxy servers. In the future we may block additional open proxy servers, but this turns out to be more difficult than it appears at first glance.

  7. Dan

    Instead of blocking anything with an unknown user agent, you’d be better off blocking based on a known list of bad user agents.

    Some of us write software tools to automate tasks and Bad Behaviour breaks them.

    I’m annoyed at spoofing user agents just for you!

  8. Do you have a specific plugin for wordpress?

  9. Flash

    Where can I find a Joomla 1.5 port or instructions?

    • I don’t see Joomla! listed among the available ports. There was one at some point in the distant past, but I don’t think it’s been maintained in years.

      • Not exactly correct. I am not certain about Joomla 1.5, but AdminTools Pro uses your service at least for Joomla 1.6+. In fact, I am currently using it on my site and being bombarded with emails alerting of spam attempts. Those should die down over time, but it is nice to see they are working.

        • First time I’ve ever heard of ‘Admin Tools Pro’. And I’m not very happy that they’re apparently selling access to my code without contributing a single cent back.

          • I am not certain if they are using your code. Contact me and we can take a conversation offline so I can provide you what I have for review. I am not that great of a code monkey myself. There is a contact me on my website which is linked to my name in here. Actually, the email address should be linked as well.

            If I bought something that uses your code for which you are not being paid, I for my part will at least make up for it with a donation. In fact, I will donate either way once payday hits.

          • Actually, I just looked at your donations page and Akeeba Backup (the producer of Admin Tools Pro) is the only $75 donor listed.

          • Oh, so that’s who they are. No problem then, I guess. :)