Bad Behavior Plugin For Blogs Behaves Badly
Every now and then another blacklist appears that claims it has the solution to the spam problem on the web. They never have a real solution and end up blocking legitimate users from accessing websites, doing email, etc.
The latest encounter I had with one is called Bad Behavior. This one even regularly locks the administrators of a blog out of their own blog. They have to rename the plugins folder just to get back into a blog they own. So how can anyone expect it not to block legitimate users?
Bad Behavior is really useless, as is the case with most blacklists and related software. Seriously, the first time I visit a blog and get blocked, you expect I will bother to email the blogger? Nope. With millions of blogs that don’t block me I have plenty to read.
So all of you who claim Bad Behavior has caused a reduced load on your server, you might want to consider that the reduced load is because of fewer readers and visitors to your blog.
Akismet deletes the spam just fine. I run about 50 blogs through my company. The extra “load” is not a real burden only an imagined one.
Here are some of the comments from the Bad Behavior blog:
I’m the admin of my blog and Bad Behavior is blocking me to get into the admin zone.
oops!
Yep, same here. My site was working fine, then a registered user told me they couldn’t get in. Went to check it out and the plugin won’t let me log in as admin!
uh oh
Same here. As soon as I am able to log into my blog that you’ve locked me out of, I’m going to remove this plugin, throw it on the floor and stomp on it.
That one was funny.
There is no reason in the world why a spam plugin should be allowed to override a top level administrative login. I would very strongly recommend against the use of this plugin to anyone who is considering it.
Me too.
Gotta say, great plugin, it works like a charm reducing load on my server.
Someone likes it! It’s reducing that huge load on his server.
Same here, when activated BB I cannot browse my own sites. Also, I notice the same behaviour on www.teachmejoomla.net and www.dutchjoomla.org when using my regular desktop PC (no matter if I use IE 7 or Firefox). When using another (Linux) PC (behind the same router, firewall / IP) with Firefox I can visit the mentioned websites with no problem.
Have contacted the admins of the mentioned websites but they bounce the problem back: I have to check for viruses, spyware etc. or remove all firewall and anti-spyware software altogether in order to access their websites?!?!?!? What kind of advice is that. BTW: I checked my desktop PC with various anti-virus/anti-spyware software with no result at all. When I suggest the admins check their own configuration they reply a bit annoyed. All in all: I believe the BB plugin is a good concept but needs a serious bugfix. Until then I stay away from www.teachmejoomla.net and www.dutchjoomla.org.
That last one sums it up. Users will stay away from a blog where they have problems accessing things. Go figure.
But for those of you wishing to defend bad behavior, which is more of a description of the plugin than a name, you can go get your own copy here and block your visitors from reading your blog too. If you are lucky it will block you out of your blog too.


Wow, is that your normal writing style?
You’re welcome to your own opinions, but you also should know that the author released a fix for the problem only hours after it happened. Actually you probably did know, and failed to mention it, because it would have been a ray of sunshine to ruin your dark article.
Oh, you should know, the guy who wrote Bad Behavior also wrote parts of Akismet. Better stop using that, too, before it marks all your own comments as spam! Which it will start doing in about five minutes, if it hasn’t already done so.
Oh, here’s a thing that just pisses me off: A checkbox in this comment form with no text next to it. Are you trying to get email subscribers by cheating?
Comment by Michael Hampton — December 8, 2007 @ 8:22 pm
Bad Behavior is but one of several defense mechanisms that, alas, are part of the burden of being a publisher. Not only does it work quite effectively (certainly if used properly and in conjunction with other tools) it is provided as a service to the publishing community, by an author who believes — as I do — in the concept of responsible netizens. And yes, blacklists are such an effective ingredient - but there’s no magic wand or silver bullet against the manifold criminal organizations out there, and to expect such a singular magic solution is naive at best.
Not being able to tell an easily solved bit of circumstantial snafu from an idle claim of entitlement does not speak to the responsibility of volunteering programmers; either take ownership of the responsibility of operating a public restaurant, or get out of the kitchen business altogether.
One thing is to take (certainly righteous) issue with the author of Bad Behavior’s oversight in juggling a series of blacklists, another is to go overboard in seeking responsibility for one’s own shop. I’m not “defending” Bad Behavior or Michael Hampton here; I’m taking issue with a myopic and self-centered approach to seeking responsibility anywhere but where it lies first and foremost: at the feet of us publishers.
You get (and you get to complain about) what you pay for.
Comment by nv1962 — December 8, 2007 @ 8:32 pm
Darn, now it turns out Michael himself had already responded while I was still typing… Oh well. So you’re hearing it from the author himself!
Comment by nv1962 — December 8, 2007 @ 8:35 pm
To Michael Hampton
1st of all. The plugin is free. So yes I respect the writer of the plugin. But it is still blocking people from accessing or commenting certain blogs as of just today. So whether it is a problem with the plugin or that people do not update the plugin, people will not take the trouble to email the owner of the blog in order to post there. Again, there are other blogs they can go to.
If he wrote Akismet then he is fantastic in my opinion. That’s the best plugin ever. So no, I do not only do “dark” reviews.
I will say that blacklists suck in general and that is what this is really about. They always end up blacklisting people who do not spam anyone and they make it a pain in the neck to get off the list once you have been added.
Your threat that I will be added to blacklists in Akismet is really, really scary. I don’t know what I will ever be able to do now. Seriously, if someone cannot take criticism, then they need to get a thicker skin to do business on the web.
As for the checkbox. I activated yet another plugin today to test it. At first the subscribe to comments plugin wasn’t even showing up in this blog and caused an error in another one. I deactivated it in the other blog and was about to here.
The blog that blocked me due to Bad Behavior’s plugin was the blog where you are supposed to ask questions about the subscribe to comments plugin. I was trying to ask questions but could not comment about it due to the Bad Behavior plugin. That prompted this post.
So no. Not trying to trick anyone. I get enough traffic to my blogs without doing that, and readers have asked for the subscribe to comments plugin so I was trying to give it to them. But I was unable to ask questions about installing it since Bad Behavior denied me the ability to ask the questions in the blog set up for that.
So that is how this came about. Since you seem to be that interested.
Comment by namecritic — December 8, 2007 @ 10:31 pm
To nv1962
I cannot agree with you more and should have added to my post that the fact the programmer does this as a volunteer and does not charge for it is commendable and he should not be criticized personally.
The whole blacklist idea is not an effective solution in my opinion. The fact that they always end up with blocking people who do not spam should be enough to back up that argument.
I think it is good to try to solve any problem, but sometimes you have to realize when the cure is worse than the disease.
Again, it does not matter if it is the software or the publisher’s fault that it blocks the wrong people. The fact that it does block some legitimate users means a loss of legitimate traffic.
There is no heavy burden on my servers due to spammers hitting the blogs and the other plugin akismet works so well I want to hug the programmer.
It’s my opinion that you need akismet and do not need bad behavior.
I am entitled to that opinion as you said. I created a link back for those that disagree and want to install it anyway.
It always seems that people do not think someone has the right to their opinion unless it agrees with their own opinion.
Everything in this blog is my opinion. It’s called Things That Just Piss ME Off. I’m the ME in that sentence. I also let other people put in things that piss them off. I don’t delete comments when people say I piss them off. Everyone is entitled to their opinion.
What I do try to do here is make people discuss things and get their opinion out there. It’s what this country is about. Open discussions, debates, and even arguments can lead to better solutions.
Fortunately I never claim to always be right and do not want everyone to come here and agree with me. I want them to get pissed off at things and try to help solve them by speaking out.
So I appreciate everyone who comments here whether you agree with me or not.
Comment by namecritic — December 8, 2007 @ 10:41 pm
Well, that’s a huge step up the quality ladder in discussing internet security - thanks for the thoughtful reply, Namecritic.
I’ll step completely beyond matters of opinion here, as I think a single, adequate presentation of one’s position should suffice. Instead, I’ll respond to one point which I think goes — much beyond legitimate opinion — into a misrepresentation of facts.
You state about blacklists that “they always end up with blocking people who do not spam” (I’ll accept that statement for argument’s sake, even with reservations to your sweeping use of “all”) but then you go on to dismiss blacklists altogether based on that assertion. Let’s be clear: “spam” is only a part of the problem. As infuriating as it is that — due to a pathetic constellation of factors — spam continues to break records in staggering numbers, year after year, spam is only part of the problem. A far more serious and lately mushrooming threat is malware, botnets and the scourge of DDoS type attacks.
Besides, if you look into the murky world of “spam proper” you’ll see the distributed nature of crawling harvester networks (which collect addresses to target), operating separately from spamming networks (sending out the @#$% spam). And let’s not get into the relatively dwindling but overall still enormous role of “script kiddies” who trawl the Net for vulnerabilities to exploit. Of a different nature entirely are malicious outfits that all too often succeed in distributing malware by way of spamming search engines, luring unsuspecting (and understandably un-savvy) users into an infection - or worse: virtual conquest of their insufficiently hardened system. On and on I could go.
My point is that blacklists target far, far more than “spammers” alone. Looking at the damage done (either in number of attempted attacks, or in amounts of money collectively spent on combating them) one might even argue that spam is almost a minor issue. More to the point: it’s true that an IP address that has been caught developing malicious or at the very least highly suspicious activity doesn’t necessarily imply that it’s spam-related. It could have been probing for certain vulnerabilities (that a legit surfer has no business in probing), it could have been caught in a dictionary attack on the server, it could have been involved in botnet operations (with or without the system owner’s knowledge or consent), and a really long list of other nefarious activities that are not strictly spam, but decidedly bad nonetheless.
But let’s stretch that point to the limit: let’s present the case of someone who, due to (typically) a malconfiguration of a firewall, doesn’t really engage in “bad behavior” but is flagged nonetheless. Well, that’s the classic case of the dreaded “false positive”. It’s therefore inevitable that blacklist-related security measures end up catching false positives. That “weakness” doesn’t affect only Bad Behavior: it also affects related tools such as Akismet, Spam Karma 2, and http:BL - all of which have a staggeringly high effectiveness if and when deployed properly.
Furthermore, and if you’re really dead against false positives in the first place and on principle, classic anti-spam tools like content filtering (e.g. SpamAssassin, or dedicated solutions such as offered by IronPort) would also be out of the question, as those also present loopholes for false positives.
Also: there are blacklists and blacklists - not to mention the necessary distinction / relationships with graylists and whitelists. Highly effective (and therefore popular) tools like Akismet, Bad Behavior, Spam Karma 2 and http:BL don’t “just” use any and all blacklists. If you go through the support and discussion forums via places like SpamCop.net or CastleCops.com you’ll quickly learn that there are fundamental (functional) differences between the many blacklists out there. And turning to one of my personal faves, i.e. the one produced via Project Honeypot, the already impressively low degree of “false positives” is (in my opinion…) far outstripped by the tremendous value in blocking out the most dangerous and damaging addresses out there.
Finally: I believe one should make a fundamental distinction between a programming error (as in this case with BB) and the inevitable victims of statistics (the “false positives”). The former is prone to crop up anywhere programming code appears (a circumstance which can’t be held against a single type of tools, e.g. blacklist-based ones) while the latter, as I already tried to point out, are sadly inevitable. Only a judicious and carefully combined use of tools will provide a maximum degree of protection while causing a minimum number of collateral victims (false positives) - without guaranteeing either to a full extent.
It’s a little bit like law enforcement “versus” education: you can’t “choose”, you need to apply both in sage doses - and work hard to weed out the occasional misfires that will pop up in either field.
Once again, this long winded piece isn’t about opinion, but about the place and effect of Internet security in general, which (once again) goes far beyond spam. This is mainly why I insisted so much on the responsibility of each and every publisher on the Internet: it takes one weak spot to create a massive headache for many, many other users. With the ascent of “popular” and easy to use tools (such as WordPress and “even” Bad Behavior) people sadly tend to mistake “ease of use” with a license to treat the security of other users of the Internet irrationally, or worse: with indifferent prejudice.
While fully agreeing with the need to avoid (and where necessary, combat) infringements on legally framed free speech, your right to exert your freedom ends right there where it touches my personal security. In other words: a reasonable effort to maximize accessibility of one’s site is anything but juxtaposed to one’s responsibility toward the Internet as a whole. Blacklists aren’t “the” problem here - misused, malconfigured, and indiscriminately applied ones are.
In my experience, Bad Behavior is, overall, truly stellar in its conservative approach to using blacklists - precisely to avert the dreaded false positives.
Comment by nv1962 — December 8, 2007 @ 11:49 pm
Well nv1962 I have to say that you definitely know way more about this topic than I do. Maybe I don’t see the whole problem as I should.
I do know that it really causes headaches for people with the false positives and can discourage people from posting to a blog when that happens.
In my business, I focus on user experience and ways to drive traffic. So my interest is much less technical.
I have had a domain name blacklisted before when that domain name had never even had the capability of sending out email let alone spamming anyone.
The blacklist people wanted to “fine” me $50 to remove me from their blacklist. They said it would go to charity. I found out the charity was their own legal defense fund in case someone sues them.
I refused and wrote an article about it. They removed my domain name from the blacklist.
So if I am biased against these blacklists and the so-called spam police it is from personal experience.
I agree with you that blacklists are not just about spam as I was looking at it. The fact that people do watch out for the malicious hackers and script kiddies is actually appreciated.
And again, the post was not an attack on a programmer who spends his time for free to try to make a solution.
I really appreciate you adding this information.
Comment by namecritic — December 9, 2007 @ 12:36 am
[...] A blog post made on the Things That Just Piss Me Off Blog has raised a little controversy about the bad behavior wordpress plugin. [...]
Pingback by » Controversy Over Bad Behavior Has Two Sides to The Story - Blog Content Provider .com » Archivio Blog — December 9, 2007 @ 12:55 am
In the case of Bad Behavior, I think it’s important to remember that old versions of Bad Behavior are blocking people because of a blacklist that has been decommissioned and is no longer in operation.
Comment by Michael Hampton — December 9, 2007 @ 1:41 am
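A defensive check for the failure mode Michael Hampton describes above, written here as an added example (not Bad Behavior’s own code) and assuming the decommissioned list was a DNS-based blacklist (an assumption; the zone name bl.example and the resolver callbacks are constructed stand-ins): before trusting a DNSBL, probe the RFC 5782 test addresses, and let a list that fails the probe contribute no blocks at all instead of blocking everyone.

```python
import ipaddress
from typing import Callable, Optional

# A resolver callback takes a hostname and returns the A-record string,
# or None when the name does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[str]]

def reversed_octets(ip: str) -> str:
    """203.0.113.4 -> 4.113.0.203, the DNSBL query form."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))

def dnsbl_healthy(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 section 5 sanity check: 127.0.0.2 MUST be listed and
    127.0.0.1 MUST NOT be. A decommissioned zone usually fails one of
    these (NXDOMAIN for everything, or a wildcard that lists everything),
    and from then on it must not be trusted."""
    listed_probe = resolve(f"2.0.0.127.{zone}")
    clean_probe = resolve(f"1.0.0.127.{zone}")
    return listed_probe is not None and clean_probe is None

def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Raw lookup: True only for an answer inside 127.0.0.0/8, the range
    well-behaved DNSBLs use; any other answer is treated as not listed."""
    answer = resolve(f"{reversed_octets(ip)}.{zone}")
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

def should_block(ip: str, zone: str, resolve: Resolver) -> bool:
    """Fail open: a list that fails its health check contributes no blocks."""
    if not dnsbl_healthy(zone, resolve):
        return False
    return is_listed(ip, zone, resolve)

# Constructed fake resolvers standing in for three DNSBL states (bl.example
# is a placeholder zone; 203.0.113.4 and 198.51.100.7 are documentation IPs).
LIVE_ZONE = {
    "2.0.0.127.bl.example": "127.0.0.2",   # mandatory test entry
    "4.113.0.203.bl.example": "127.0.0.2", # a genuinely listed address
}

def live_resolver(name: str) -> Optional[str]:
    return LIVE_ZONE.get(name)

def dead_resolver(name: str) -> Optional[str]:
    return None  # decommissioned: NXDOMAIN for every query

def wildcard_resolver(name: str) -> Optional[str]:
    return "127.0.0.2"  # broken: lists everything, including 127.0.0.1
```

With the wildcard resolver the raw lookup says every visitor is listed, which is exactly the lock-everyone-out outcome the comments describe; the health check vetoes it.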
Web Publishing
Is anyone having problems publishing things to their web site since Yahoo’s new update? I cannot publish, help needed?
Trackback by Desktop Publishing And Web — January 30, 2008 @ 7:33 am