The Bad Behavior plugin for WordPress is an altogether novel way of blocking spambots. In the past, plugins have only looked at factors like the content of the spam submission or the IP of the sender. But what if the content doesn’t contain any “spammy” words and the IP isn’t on any blacklists? What if the bot fetches the entry page before leaving a comment, and scrapes the form for any “hidden values” you may have set? At that point, you have very little to go on.
The problem is that you are not considering enough factors.
Bad Behavior works its magic at “the door,” before spam bots can even try to post a comment or a trackback. It works by looking at the user agent (not a novel approach, but useful, nonetheless) as well as by looking at the HTTP headers. As it turns out, spam bots do a really poor job of hiding their identity in the HTTP headers. They do stupid stuff like changing their user agent to an Internet Explorer agent, but neglecting to send the headers that IE sends.
Bad Behavior was designed and built by watching actual spambots which harvested email addresses, posted comment spam, and used fake referrers. By logging their entire HTTP requests and comparing them to HTTP requests of legitimate users, it is possible to detect most spambots.
IO ERROR: Bad Behavior
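To make the header-consistency idea concrete, here is a small screening function written for this post as an added illustration; it is not Bad Behavior's own code or rule set. The sets of headers a browser "should" send, the hostnames and the two sample requests are all assumptions constructed for the example.

```python
"""Screen an HTTP request for the kind of header inconsistencies the post
describes: a bot that claims to be Internet Explorer but omits headers a real
browser sends, or a comment POST whose Referer points at some other site.
Added example, not the plugin's code; the expected-header sets are assumptions."""
from typing import Dict, List
from urllib.parse import urlsplit

# Assumption for this example: a real browser identifying as IE or Firefox
# sends at least these headers on an ordinary page fetch or form post.
EXPECTED_HEADERS = {
    "MSIE": {"Accept", "Accept-Language", "Accept-Encoding", "Connection"},
    "Firefox": {"Accept", "Accept-Language", "Accept-Encoding", "Connection"},
}


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare them in Title-Case."""
    return {name.title(): value for name, value in headers.items()}


def screen_request(method: str, headers: Dict[str, str], site_host: str) -> List[str]:
    """Return the reasons a request looks like a spambot; an empty list means pass."""
    h = _normalize(headers)
    reasons: List[str] = []
    if "Host" not in h:
        reasons.append("no Host header (required by HTTP/1.1)")
    ua = h.get("User-Agent", "")
    if not ua:
        reasons.append("empty User-Agent")
    # A UA that claims to be a known browser must carry that browser's usual headers.
    for token, expected in EXPECTED_HEADERS.items():
        if token in ua:
            missing = sorted(expected - set(h))
            if missing:
                reasons.append(f"claims {token} but lacks {', '.join(missing)}")
    # Fake referrer check: a comment POST should be referred from our own site.
    referer = h.get("Referer")
    if method.upper() == "POST" and referer:
        ref_host = urlsplit(referer).hostname
        if ref_host != site_host:
            reasons.append(f"Referer host {ref_host} does not match {site_host}")
    return reasons


# Constructed sample requests (not captured traffic).
BROWSER_REQUEST = {
    "Host": "example.com",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Accept": "text/html,*/*", "Accept-Language": "en-us",
    "Accept-Encoding": "gzip, deflate", "Connection": "Keep-Alive",
    "Referer": "http://example.com/2006/some-post/",
}
BOT_REQUEST = {  # copies the IE user agent but nothing else IE would send
    "host": "example.com",
    "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "referer": "http://spam.example.net/",
}
```

Running `screen_request("POST", BOT_REQUEST, "example.com")` reports both the missing IE headers and the foreign Referer, while the browser request passes cleanly.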
So how well does it work? Let’s just say that Spam Karma 2 is getting very, very bored. Take a look at the footer on my site and see how many access attempts it has thwarted. And the great thing is that Bad Behavior works much more quickly than Spam Karma, taking literally 1 to 3 hundredths of a second.