The Bad Behavior Spam Blocker Part 1
Anyone with a blog has seen comment spam: the stuff that shows up talking about Viagra, is written in Russia, and is usually stuffed with links.
There are a couple of tactics for combating this sort of thing: some sites require registration to comment, some people manually delete the stuff, and some sites use technology to help.
What to do? What to do…?
Well, I don’t think it’s a good idea to add barriers in front of users participating in a discussion, so registration is out. I’m pretty lazy and don’t want to manually delete comment spam, so moderation isn’t going to work. I am a programmer, though, so I have an innate confidence in technology to deal with this (mostly, anyway). To that end I like to use two different services to deal with comment spam: Akismet, which I’m not going to talk about now, and Bad Behavior.
According to the official site:
Bad Behavior complements other link spam solutions by acting as a gatekeeper, preventing spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. This keeps your site’s load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers.
Thankfully, there are already WordPress plugins for both Akismet and Bad Behavior, so my blog is pretty well protected, but I also work on custom programs and need to protect them too. This got me thinking about how to get Bad Behavior up and running on your own systems, which is why you’re here, I’m sure.
Like most things PHP, installing Bad Behavior is pretty easy. Download the files, unzip them, and place them somewhere in your application’s include path. Then add the snippet below, preferably in a file that every page pulls in, and make sure it runs before any output is sent: when Bad Behavior blocks a request it answers with its own HTTP status and headers, which it can no longer do once the page has started printing. Using the below will only protect your site
```php
<?php
// Directory holding the unzipped Bad Behavior files (placeholder path).
$path_to_bb = '/path/to';
// Including the generic file runs the checks for the current request.
require_once("$path_to_bb/bad-behavior-generic.php");
?>
```
The above is nice and all; your site’s pretty well protected from there, but it would be nice to know what is happening behind the scenes. Just how many spam attempts are being blocked?
Bad Behavior does include a logging system but, oddly, at the time of this writing (version 2.0.26) it doesn’t ship any sort of install script. The instructions state:
If you just can’t live without logging, you will need to provide a database connection. Bad Behavior uses callbacks whenever it needs to run a database query; in order to provide this functionality, you will need to provide the appropriate hooks into your PHP-based software’s database and add them into the bad-behavior-generic.php file. The code has stub functions which show what is needed, and you can use the bad-behavior-wordpress.php file as an example to work from, though your implementation will necessarily be different.
I’ll go into detail in the next post; I’m still sick so I can’t write anymore.
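The callback arrangement the quoted instructions describe, filled in as an added example. This is not the author’s next post and not Bad Behavior’s own code; it is one way to back the stubs in bad-behavior-generic.php with a PDO/MySQL connection so that logging works. The callback names (bb2_db_query, bb2_db_rows, bb2_db_num_rows, bb2_db_affected_rows, bb2_db_escape, bb2_db_date, bb2_read_settings, bb2_write_settings) are taken from the generic file as I recall it and should be checked against the stubs in your copy; the settings keys, the log table’s column list, and the names $bb2_pdo, $bb2_last, BB2_LOG_TABLE and bb2_install_log_table() are this example’s own assumptions.

```php
<?php
// Added example, not part of Bad Behavior: database callbacks for
// bad-behavior-generic.php, backed by PDO against MySQL.
// Callback names are assumed from the generic file's stubs; diff them against
// your copy. BB2_LOG_TABLE, $bb2_pdo, $bb2_last and the DSN/credentials are
// this example's own choices.

define('BB2_LOG_TABLE', 'bad_behavior');

// Assumption: your application already has connection settings; reuse them here.
$bb2_pdo = new PDO(
    'mysql:host=localhost;dbname=myapp;charset=utf8mb4', 'dbuser', 'dbpass',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)
);

// One-time setup (call from a setup script, not on every request). The column
// list mirrors the log table the WordPress plugin uses; compare it with yours.
function bb2_install_log_table(PDO $pdo) {
    $pdo->exec("CREATE TABLE IF NOT EXISTS `" . BB2_LOG_TABLE . "` (
        `id` INT NOT NULL AUTO_INCREMENT,
        `ip` TEXT NOT NULL,
        `date` DATETIME NOT NULL,
        `request_method` TEXT NOT NULL,
        `request_uri` TEXT NOT NULL,
        `server_protocol` TEXT NOT NULL,
        `http_headers` TEXT NOT NULL,
        `user_agent` TEXT NOT NULL,
        `request_entity` TEXT NOT NULL,
        `key` TEXT NOT NULL,
        PRIMARY KEY (`id`)
    )");
}

// Timestamp in the format the `date` column expects (MySQL DATETIME, UTC).
function bb2_db_date() {
    return gmdate('Y-m-d H:i:s');
}

// Bad Behavior builds its INSERT/DELETE statements by string concatenation, so
// this callback is all that stands between attacker-controlled request headers
// and your SQL. The stub's addslashes() is not charset-aware; PDO::quote() is,
// but it also wraps the value in quotes that Bad Behavior adds itself, so the
// outer quotes are stripped here.
function bb2_db_escape($string) {
    global $bb2_pdo;
    return substr($bb2_pdo->quote((string) $string), 1, -1);
}

// Run a query. Returns FALSE on error; otherwise an object holding the fetched
// rows (for SELECTs) and the affected-row count. Rows are fetched eagerly so
// bb2_db_num_rows() and bb2_db_rows() can both be called on the same handle
// without exhausting a cursor. An object (never an empty array) is returned so
// a zero-row SELECT is still distinguishable from an error.
function bb2_db_query($query) {
    global $bb2_pdo, $bb2_last;
    try {
        $stmt = $bb2_pdo->query($query);
    } catch (PDOException $e) {
        error_log('Bad Behavior query failed: ' . $e->getMessage());
        return FALSE;
    }
    $bb2_last = new stdClass();
    $bb2_last->rows = ($stmt->columnCount() > 0)
        ? $stmt->fetchAll(PDO::FETCH_ASSOC) : array();
    $bb2_last->affected = $stmt->rowCount();
    return $bb2_last;
}

function bb2_db_affected_rows() {
    global $bb2_last;
    return isset($bb2_last) ? $bb2_last->affected : FALSE;
}

function bb2_db_num_rows($result) {
    return ($result === FALSE) ? FALSE : count($result->rows);
}

function bb2_db_rows($result) {
    return ($result === FALSE) ? FALSE : $result->rows;
}

// Settings stay hard-coded, as in the stub, but with logging switched on and
// the table name filled in. Keep whatever extra keys your version's stub returns.
function bb2_read_settings() {
    return array(
        'log_table'     => BB2_LOG_TABLE,
        'display_stats' => false,
        'verbose'       => false,  // true logs every request, not only blocked ones
        'logging'       => true,
        'httpbl_key'    => '',
        'httpbl_threat' => '25',
        'httpbl_maxage' => '30',
        'offsite_forms' => false,
    );
}

// Nothing to persist while settings are hard-coded.
function bb2_write_settings($settings) {
    return false;
}
```

These definitions replace the stubs inside bad-behavior-generic.php rather than sitting beside them, since PHP will not let a function be declared twice; the PDO setup and bb2_install_log_table() can live in your application’s bootstrap as long as $bb2_pdo exists before the generic file is included. Two caveats worth keeping in mind: the request the log table records is the spammer’s, so the ip, user_agent, http_headers and request_entity columns hold untrusted input and must be HTML-escaped by any log viewer you write on top of them; and because every callback runs on every request, a slow or unreachable database turns the gatekeeper into a bottleneck, which is why bb2_db_query() logs and returns FALSE instead of throwing.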

I agree with you that registration is a bad option to prevent spam. I find that I will just walk away from commenting on a blog if a see a registration form (with the exception of cnet, who have a really nice registration form that doesn’t take you away from the post, although you do have to deal with an activation email which sort of defeats the point).
I feel almost sorry for bloggers who have registration forms, because they probably lose a lot of comments that way, and commenting provides a good way for readers to stay interested in a blog.
At least there don’t seem to be many blogs around using captchas. I’ve started to get really fed up with captchas; there seems to be a new breed about which I find difficult to read. It’s one thing stopping bots, but if a human can’t use it then you’ve failed anyway.
I am tempted to install Bad Behaviour on my blog, but I’m not keen on the fact that it stops them from even commenting. What I like about Akismet is that I can check the spam to see if it caught something it shouldn’t, which it actually did to a pingback just last week. I find myself not being able to trust automated spam blockers to be 100% accurate. It’s fine if I can correct the mistake like with the pingback, but if I lost a reader because it mistook them to be a spammer, I’d be sad.
They’re being pretty lazy with that log set up. I’m still pretty new to wordpress, but other plugins seem to manage. They could at least have it write the logs to files and tell you how to convert it to database use.
*short interlude*
I just had a look at how they say it works. It’s an interesting approach to be sure, but it still doesn’t convince me. They use IP addresses, which can change and be re-used by other people (I think?). All I have to do to change my IP address is re-connect my broadband. They also use header data etc., but from your poll exploit post http://blog.ericlamb.net/2009/04/how-to-exploit-an-online-poll/ it seems this info can be changed, which I’d have thought spammers would do as much as possible.
But, people use it and say it’s effective. Haha, I just don’t know what to think about this one
I’m sure spammers could get around it if they wanted to though. Please let me know if I’m mistaken about any of this though. If my knowledge is flawed I must fix it ^_^
Eldris,
I agree, Bad Behavior isn’t perfect, but no single technology really is. I still get comments through Akismet and Bad Behavior, and legitimate comments get false positived (yeah, positived could be a word) by Akismet.
One thing I like about Bad Behavior is that it doesn’t actually stop bots from commenting directly; it stops bots from even seeing your blog (so they don’t even know about the comment form). To protect against false positives, a user being flagged as a bot, there’s a confirmation screen just in case. (I admit the confirmation scenario is pretty weak; but until I can come up with something more clever it’ll have to do.)
Before I installed the Bad Behavior plugin into my blog, I was getting around 30 spam comments a day. Almost half of my reported traffic was spam! Everyday I would log into my admin and have to scan every comment to see what was real and what wasn’t.
Even though this process only took a few minutes it was still disruptive to my day. Plus, you know, $Eric = ‘Lazy’ so I try to keep my mental load low. This was just too much to do every, single, day.
I had used Bad Behavior on a client site once, and was pretty happy with its results, so I installed the Bad Behavior WordPress plugin. My comment spam dropped to about 2 a week. I’m not exaggerating.
As to the IP issue: also not ideal, but it’s not the sole criterion for blocking something. Bad Behavior also looks at the headers and stuff (stuff is the technical term), which are also pretty easy to manipulate.
You just have to keep in mind that programmers who work for spammers are usually the bottom of the barrel. Seriously, the good programmers get better jobs so the majority of the spammers are pretty bad and don’t implement the advanced techniques to hide their tracks.
Thanks for providing even more of your insight on it
I’ll definitely keep it in mind for if ever my blog gets more popular, either with spammers or legit readers. This could probably be a useful tool for a lot of bloggers.
Hey very nice blog!! Man .. Beautiful .. Amazing .. I will bookmark your blog and take the feeds also…