Archive for the 'Open Source' Category
There’s a whole lot of buzz about the newest WordPress spam-fighting plugin on the block, and so I decided to go take a look and see if WP-SpamFree lives up to its hype.
“The WP-SpamFree plugin virtually eliminates automated comment spam from bots, including trackback and pingback spam,” its author, Scott Allen, claims. “It takes a different approach than most and stops spam at the door.”
Indeed, everyone who’s tried it reports that their spam has dropped off to virtually zero and that they haven’t heard from anybody who had problems leaving comments. Sounds like the Holy Grail of spam prevention, right?
Not so fast.
WP-SpamFree, it turns out, uses JavaScript and cookies to verify that someone is using an actual web browser to access your site and leave a comment. These approaches are not that different from what other plugins have done in the past. What distinguishes WP-SpamFree in this respect is that it requires both JavaScript and cookies in order for someone to post a comment. This will certainly keep out virtually every spambot out there.
Unfortunately, it will also block most mobile web browsers and some disabled users. In both cases the browsers in use lack JavaScript, cookies, or both. If your blog targets mobile web users or people with disabilities, WP-SpamFree might not be for you.
Then there is WP-SpamFree’s method of blocking trackback and pingback spam. These are always automated, so using JavaScript and cookies is impossible. WP-SpamFree, it turns out, uses several extensive internal lists of IP addresses, URL fragments, and keywords to block this type of spam.
This works fairly well; however, the way it’s implemented in the current version of WP-SpamFree (1.9.6.2) is quite strange. It appears the author didn’t want to use arrays and loops to iterate through his lists and instead unrolled all his loops, resulting in a huge plugin clocking in at over 3,700 lines. There’s no obvious good reason for this; in PHP it would seem to make the plugin slower, not faster. Whatever is gained by not having the loops doesn’t seem nearly as much as the overhead of compiling thousands of extra lines of bytecode. In addition there are several other examples of duplicate code which could have been split into functions.
These technical implementation issues make me wonder how much experience the programmer has. If they were intentionally done by an experienced programmer, I would have expected them to be mentioned in the README or release notes or a blog entry, but especially in the code comments.
Despite those issues, the plugin works pretty well for what it does. I hope that the author addresses those implementation issues for his next major version, though, to make the plugin even better.
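To make the array-and-loop structure the preceding paragraphs argue for concrete, here is an added PHP example. It is my own illustration, not code from WP-SpamFree or Bad Behavior: the list contents, the ip_in_cidr helper and the trackback_block_reason function are my assumptions, and the sample lists use RFC 5737 documentation addresses and made-up URL fragments and keywords. It checks one trackback or pingback against the three kinds of list the post describes (IP ranges, URL fragments, keywords) with one loop per list, so adding an entry means adding one array element rather than another unrolled block of code.

```php
<?php
// Added illustration of list-driven trackback/pingback filtering.
// Not code from WP-SpamFree or Bad Behavior; lists and names are assumptions.

// Constructed sample lists (hypothetical values, not any plugin's real lists).
$blocked_ip_ranges     = ['192.0.2.0/24', '198.51.100.0/24'];   // RFC 5737 ranges
$blocked_url_fragments = ['casino-example', 'cheap-pills-example'];
$blocked_keywords      = ['free viagra', 'online poker'];

/**
 * True when a dotted-quad IPv4 address falls inside a CIDR range.
 * Helper assumed for this example; malformed input is treated as "no match".
 */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ip_long     = ip2long($ip);
    $subnet_long = ip2long($subnet);
    if ($ip_long === false || $subnet_long === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ip_long & $mask) === ($subnet_long & $mask);
}

/**
 * Return the reason a trackback/pingback should be rejected, or null to accept.
 * $ping is an associative array with 'ip', 'url', 'title' and 'excerpt' keys.
 * One loop per list: the lists stay data, the code stays short.
 */
function trackback_block_reason(array $ping, array $ip_ranges, array $url_fragments, array $keywords): ?string
{
    // 1. Remote address against blocked ranges.
    foreach ($ip_ranges as $range) {
        if (ip_in_cidr($ping['ip'], $range)) {
            return "ip-range:$range";
        }
    }
    // 2. Claimed source URL against blocked fragments (case-insensitive).
    $url = strtolower($ping['url']);
    foreach ($url_fragments as $fragment) {
        if (strpos($url, strtolower($fragment)) !== false) {
            return "url-fragment:$fragment";
        }
    }
    // 3. Text fields a trackback/pingback carries against blocked keywords.
    $text = strtolower($ping['title'] . ' ' . $ping['excerpt']);
    foreach ($keywords as $keyword) {
        if (strpos($text, strtolower($keyword)) !== false) {
            return "keyword:$keyword";
        }
    }
    return null;
}

// Constructed sample pings: one legitimate, three matching a different list each.
$samples = [
    ['ip' => '203.0.113.5', 'url' => 'http://example.org/post/1',
     'title' => 'Nice post', 'excerpt' => 'I linked to this from my blog.'],
    ['ip' => '192.0.2.77',  'url' => 'http://example.org/post/2',
     'title' => 'Hello', 'excerpt' => 'Reply'],
    ['ip' => '203.0.113.9', 'url' => 'http://example.net/casino-example/',
     'title' => 'x', 'excerpt' => 'y'],
    ['ip' => '203.0.113.9', 'url' => 'http://example.net/',
     'title' => 'Get FREE Viagra', 'excerpt' => 'today'],
];

foreach ($samples as $s) {
    $reason = trackback_block_reason($s, $blocked_ip_ranges, $blocked_url_fragments, $blocked_keywords);
    echo $s['url'], ' => ', $reason ?? 'accept', PHP_EOL;
}
```

Run with `php` from the command line and the first sample is accepted while the other three report the list entry that matched. The keyword loop is the one most likely to produce false positives on ordinary text, so in practice the reason string is worth logging so that a wrongly blocked ping can be traced to the exact entry that caught it.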
And there are things that WP-SpamFree does not do. It does not block email harvesters, for instance. It also does not block spambots when they scrape your site looking for your comment forms, nor block denial of service attacks. Indeed, under a heavy spam attack, its size and CPU usage could cause limited web hosting resources to be exhausted.
That’s all just a long way of saying that WP-SpamFree has its pros and cons, and if you choose to use WP-SpamFree, you still should keep Bad Behavior around as part of your overall spam prevention strategy.

Running behind the scenes of Matt Mullenweg’s new commercial WordPress project, WordPress.com, is of course WordPress, everyone’s favorite blogging platform. And running on WordPress.com is Bad Behavior, the premier solution for blog spam.
Continue reading ‘Bad Behavior protects WordPress.com’


Update August 19: Bad Behavior is now available for Drupal.
Bad Behavior 1.2 has been released. Bad Behavior stops link spam at the front door by denying spammers the ability to access your PHP-based web site at all.
Thanks to all of you who tested the release candidates, and actually found fewer bugs than I was expecting. Either I’m getting better at this, or you guys aren’t actually installing the software.
Continue reading ‘Bad Behavior 1.2’


Bad Behavior 1.2 Release Candidate 3 has been posted. Bad Behavior stops link spam at the front door by denying spammers the ability to access your PHP-based web site at all.
As I close in on a final 1.2 release, the reports I have gotten have been quite encouraging. Most testers have reported a complete elimination of link spam to their sites. So I’ve cleaned up a bit, fixed one problem, and this will probably be the final 1.2 release, or very close to it.
Continue reading ‘Bad Behavior 1.2 Release Candidate 3’


The second release candidate of version 1.2 of Bad Behavior is now available! Bad Behavior stops link spam at the front door by denying spammers the ability to access your PHP-based web site at all.
Surprisingly, no one reported any bugs in the first release candidate, but a very few spammers are still making it through. So I’ve made an update which attempts to address this and get that last 0.1% of the spam.
New from version 1.2 Release Candidate 1: When logging is turned on, Bad Behavior will identify spammers it has recently seen, even if their profile changes, and continue to block them. I believe this simple change should eliminate virtually all spam, even at the highest-traffic sites, while remaining fast.
Again, I still need reports of any spammers which escape Bad Behavior’s notice. Please contact me and include output from phpMyAdmin showing the relevant records for the spammer. Verbose logging has been turned on for this build so that the necessary records will be available if this happens.
Update August 11: Please see the newer version Bad Behavior 1.2 Release Candidate 3.


The first release candidate for Bad Behavior 1.2 is now available. Bad Behavior, the bane of link spammers everywhere, has been strong and stable. I’ve added some new features and need your feedback.
Continue reading ‘Bad Behavior 1.2 Release Candidate 1’


Bad Behavior 1.1.4 has been released.
This release fixes a problem with the W3C Validator being blocked inadvertently. The downside is you’re going to get a few more spammers who were also being blocked. A more permanent solution is in the works, but this should get you XHTML freaks who revalidate your pages daily back in business.
If you don’t care at all about the W3C Validator then feel free to use 1.1.3 as it may block a few more spammers than 1.1.4. This will be resolved in a future release.
First, say “I Hate Perl” three times, and then Download Bad Behavior now!


Bad Behavior 1.1.3 has now been released. I’ve held this release a little longer than some of you would like. A rise in spam attacks and some slightly smarter spammers have let a few spams through to your sites, and because they’re getting smarter I wanted to be sure I could block the spammers and only the spammers. I’ve blocked all the spammers I can reasonably block and maintain no false positives.
I also fixed a (very uncommon) update service being recognized as a spambot. I have a policy of zero false positives, so if you see traffic that should be getting through and is being blocked, or if you are getting spam to your site, please report it immediately.
Changed in this release:
- Several additional spambots have been identified and blocked thanks to user contributions.
- Mozilla Blog Updates is no longer blocked.
- A typo causing a PHP warning in bad-behavior-http-headers.php has been fixed.
It’s that time again, so Download Bad Behavior now!
It’s been two months now since I started the Bad Behavior project. I’m stopping for a moment to take a look back to see how far it’s come, and to glance at the journey ahead.
In case you somehow don’t know what I’m talking about, let me fill you in. Bad Behavior is PHP-based software which blocks automated link spam. And link spam is the growing problem of spammers taking advantage of blogs, wikis, forums, guestbooks, CMS, and similar software to post spam. Link spam has been a serious problem for a couple of years, and many people have tackled it with varying degrees of success.
Continue reading ‘Punishing Bad Behavior’


Bad Behavior 1.1.2, the latest version of the Web’s only portable link spam killer, has been released.
Fixed in this release:
- Due to recent changes made by Microsoft, MSNBot was being blocked about 70% of the time. This has been fixed.
Changed in this release:
- A surprisingly large number of people wanted to have individual bad_behavior_log tables for each installation of WordPress, MediaWiki, Geeklog, etc., rather than a combined table. This is now supported, and Bad Behavior will create a table using the table prefix provided by each individual piece of software. This means, for instance, that instead of a bad_behavior_log table you will have a wp_bad_behavior_log table on WordPress, or a mw1_bad_behavior_log table on MediaWiki. The table prefix, of course, will vary depending on the settings of the software on which Bad Behavior is installed. The old combined bad_behavior_log table will be left in place; you will need to rename or remove it yourself if you desire.
I’m also moving closer to having the Geeklog port stabilized and included in the mainline Bad Behavior release. Currently it is built and distributed separately.
Thanks again to everyone who has written me, and written on their own sites, about their successes with Bad Behavior. It’s that time again, so Download Bad Behavior now!