Archive for May, 2005

Bad Behavior 1.0.1

May 28th, 2005 by Michael Hampton


Security Update: All Bad Behavior users should update to version 1.0.1 immediately to prevent malicious code execution on your Web server.

A security issue has been identified in Bad Behavior 1.0 whereby an attacker can execute arbitrary PHP code. While this issue only affects a small percentage of Web hosts, I have released an immediate fix for it. You are affected if your Web host has both of the PHP configuration directives register_globals and allow_url_fopen set to On. If allow_url_fopen is off but register_globals is on, the attack can only be carried out by someone with local access to the same server. If register_globals is off, you are not vulnerable.
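As an added example (not code from Bad Behavior itself), here is a small PHP check that maps the two settings above onto the three cases just described. It assumes a PHP 5.2 or later host where the register_globals directive still exists; on PHP 5.4 and later the directive was removed and ini_get() returns false, which the check counts as off.

```php
<?php
// Added example, not part of Bad Behavior: classify a host's exposure to the
// Bad Behavior 1.0 issue from the two php.ini settings named in the post.
// Assumes PHP >= 5.2 (for filter_var). On PHP >= 5.4 register_globals no
// longer exists, so ini_get() returns false and the host counts as "off".

/**
 * Normalise an ini value the way PHP does. ini_get() may return "1", "",
 * "0" or the literal text "On"/"Off"/"yes" depending on how the value was
 * set, so a plain truthiness test would treat the string "Off" as enabled.
 */
function ini_flag_enabled($value) {
    if ($value === false || $value === null) {
        return false;               // directive unknown or unset
    }
    return filter_var(trim((string) $value), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Map the two settings onto the three cases described in the post.
 * Returns one of: 'remote', 'local-only', 'not-vulnerable'.
 */
function bad_behavior_10_exposure($register_globals, $allow_url_fopen) {
    if (!ini_flag_enabled($register_globals)) {
        return 'not-vulnerable';    // register_globals off: not affected
    }
    if (ini_flag_enabled($allow_url_fopen)) {
        return 'remote';            // both on: arbitrary PHP code execution
    }
    return 'local-only';            // only someone with local access to the server
}

$exposure = bad_behavior_10_exposure(
    ini_get('register_globals'),
    ini_get('allow_url_fopen')
);
printf("register_globals=%s allow_url_fopen=%s => %s\n",
    var_export(ini_get('register_globals'), true),
    var_export(ini_get('allow_url_fopen'), true),
    $exposure);
if ($exposure !== 'not-vulnerable') {
    echo "Update to Bad Behavior 1.0.1 and set register_globals = Off in php.ini.\n";
}
```

Run it under the same PHP configuration as your blog (for example as a page served by the Web server, not only from the command line), since php.ini settings frequently differ between the two.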

Bad Behavior 1.0.1 also includes a fix to allow receipt of trackbacks from Movable Type blogs. In 1.0, accesses by Movable Type were blocked because Movable Type sends its HTTP requests with exactly the same software that many spammers use. Version 1.0.1 adds an exception so that sites can receive trackbacks and trackback auto-discovery. Please note, however, that while I have tried to make this exception apply narrowly to Movable Type only, it could make your site somewhat more vulnerable to certain spammers. As usual, I recommend defense in depth, and that means using more than one anti-spam solution.

Bad Behavior Blackhole

May 20th, 2005 by Michael Hampton

A few weeks ago I released the Bad Behavior software for preventing blog, wiki, forum and CMS spam, and it’s been successful far beyond my initial expectations. Like just about everything, it isn’t perfect, and while it isn’t the final solution or “silver bullet” for stopping this type of spam, it has made a big dent in the spam flow for sites that have installed it. Many sites using Bad Behavior have reported the level of spam reaching their site has dropped 99% or even 100%.

As I said, however, it isn’t perfect. It isn’t going to catch spam which is manually posted by a human being sitting at his computer using Internet Explorer and MultiProxy, for instance.

Enter the Bad Behavior Blackhole.

The Bad Behavior Blackhole is a realtime blackhole list which will record sources of spam so that they can be effectively blocked. It’s currently in the development phase, and you can watch its development progress at its own blog.

Also I should mention that while Bad Behavior and the Bad Behavior Blackhole are free for anyone to use, I do incur expenses in their development, testing, deployment and ongoing availability. That’s just the nature of the system we have right now. If you would like to contribute to the further development of Bad Behavior and Bad Behavior Blackhole, please donate $5 or more.

Bad Behavior 1.0

May 1st, 2005 by Michael Hampton


First of all, I want to say thank you to the many people all over who have tried out pre-release versions of Bad Behavior and contributed feedback, comments, praise and code. This project would not have gone nearly as smoothly without all of your assistance. Shortly I’ll be setting up a thanks page for the major contributors with inbound links to your sites.

Bad Behavior

The home page for Bad Behavior explains what it is and why you want to install it, but for those of you who haven’t been keeping up, here’s the summary:

Gone over your bandwidth quota this month? Had to upgrade your web hosting plan? Who’s visiting your site so much? It’s those pesky spambots. They suck down your web pages repeatedly looking for links to post blog spam to, and email addresses to send conventional spam to. And then they come back the next day for more.

Bad Behavior is a PHP-based solution for keeping unwanted blog, wiki, forum, guestbook and referrer spam away from your site. Initially developed on WordPress, its modular architecture allows it to be ported to virtually any PHP-based application, and so far it has been ported to one wiki (MediaWiki) and a port to a forum (Geeklog) is in progress.

Download Bad Behavior now! And contact me with any questions or comments.

Changes

Since Release Candidate 3, there have been only a few changes.

  • An additional spambot was identified and banned.
  • An otherwise harmless PHP Notice was suppressed.
  • The user-agent was being logged in the request_uri field in the database. This has been fixed.

Thanks Again

Thanks again to everyone who has been involved with Bad Behavior! Now comes the fun part, adding new features. If you have an idea for a feature that Bad Behavior lacks, please let me know!