Bad Behavior 2.1.13
April 25th, 2011 by Michael Hampton
Bad Behavior 2.1.13 (development) has been released. For 2.1 users, this is a maintenance release and upgrading as soon as possible is recommended.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
All users should upgrade to ensure that their placements in the Google and Yahoo! search engines remain intact.
What’s new?
New in this release (since 2.1.12):
- A logic error in the search engine handling code caused search engine requests to be subjected to additional checks not appropriate for them. This was causing Yahoo! crawler requests to be inadvertently blocked. This error has been fixed.
- New IP address ranges for Google and Yahoo!, which were previously unused for crawling, have been added to Bad Behavior.
What’s coming?
I’m currently preparing to release the next major stable release of Bad Behavior, version 2.2. This release is sufficiently different that anyone maintaining a port needs to update their port to handle the new features immediately (such changes are backward compatible if implemented properly). A backward-incompatible change to the database schema is coming shortly; porters should stand by for further details.
For our enterprise users who require long-term support, the 2.0 branch will continue to receive long-term support through June 30, 2012, and the 2.2 branch (coming shortly) will be fully supported until the 3.0 release, and then receive long-term support through June 30, 2014.
Download
Download the latest release of Bad Behavior now!
Support
You’ve probably noticed that my development schedule for 2.2 and 3.0 continues to slip. The reason for this is that I can only spend time on improving Bad Behavior when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.
At this point I would need approximately US $2000 in donations to meet an end-of-May date for 2.2 and mid-July for a 3.0 alpha; in a typical month I generally see less than $40 in donations.
I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by making your most generous donation for any amount. (BTW, I fixed all the broken donation links, I think. If you find any other broken ones, let me know!)
Thank you again for supporting Bad Behavior development!
G Piper Says
Can you please place a dummy ‘whitelist.ini’ file, empty if you like, in the main BB directory of the default install so PHP doesn’t give errors every time it looks for it?
Apr 27th, 2011 at 11:01 pm
m Schnell Says
Dear Michael,
We have been using BB for a while and are very satisfied. In our WP installation, BB blocks about 5000 to 10000 requests per week. However, we also have some ideas for improvements in the future that I would like to mention.
1. Resolving hostnames
When showing the stats (normal logging), resolving hostnames takes most of the time and a page needs up to 30 seconds to display. We enhanced the BB table with an additional hostname field and resolve the name at the time the database is written.
2. Excessive request rate
Some SQL injection attempts to log in to our installation (WP, MySQL or other) produce an excessive request rate, for example 2000 hits in one hour.
We extended BB with an additional query and block requests when a certain number of requests are logged within a time period. Ideally the critical request rate could be controlled depending on whether they are GET or POST requests, since we consider POST requests to be more critical.
3. sql injection
We see lots of [php]eval(base64_decode … POST requests on our installation, and when all other BB tests do not trigger to stop them, these requests have to be blocked somewhere else. We extended post.inc.php in order to allow us to block dangerous POST requests, doing a loop within an array of known phrases. This is static, we know that, but it still helps to keep them out.
4. Database optimisation
At certain points (or at least one) you use the db query like or unlike key '00000000' instead of != '00000000'.
Overall, good work, keep on going.
regards,
M Schnell, lofthome.ch
May 3rd, 2011 at 10:01 am
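The request-rate check (point 2) and the known-phrase check on POST bodies (point 3) from the comment above, written out as an added example. This is not Bad Behavior's own code and not the commenter's patch: the table name, column names and thresholds are assumptions, the log table is an in-memory SQLite stand-in for the plugin's real log table, and the traffic is constructed.

```php
<?php
// Added example (not Bad Behavior's own code): a per-IP request-rate check
// and a known-phrase check for POST bodies. The request_log table and its
// columns, the thresholds and the phrase list are all assumptions.

declare(strict_types=1);

const RATE_WINDOW_SECONDS = 3600;  // look back one hour
const RATE_LIMIT_GET  = 2000;      // assumed thresholds; POST gets a tighter
const RATE_LIMIT_POST = 200;       // limit because the comment treats it as more critical

// Constructed list of body fragments that never belong in a legitimate form post.
const BLOCKED_PHRASES = [
    'eval(base64_decode',
    'eval(gzinflate(',
];

function open_log(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE request_log (ip TEXT NOT NULL, method TEXT NOT NULL, ts INTEGER NOT NULL)');
    return $db;
}

function log_request(PDO $db, string $ip, string $method, int $ts): void {
    $stmt = $db->prepare('INSERT INTO request_log (ip, method, ts) VALUES (?, ?, ?)');
    $stmt->execute([$ip, $method, $ts]);
}

// Count requests from $ip with $method inside the trailing window and compare
// against the per-method limit. Returns true when the client should be blocked.
function exceeds_rate(PDO $db, string $ip, string $method, int $now): bool {
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM request_log WHERE ip = ? AND method = ? AND ts > ?'
    );
    $stmt->execute([$ip, $method, $now - RATE_WINDOW_SECONDS]);
    $count = (int) $stmt->fetchColumn();
    $limit = $method === 'POST' ? RATE_LIMIT_POST : RATE_LIMIT_GET;
    return $count > $limit;
}

// Case-insensitive substring check of the raw POST body against the phrase list.
// Returns the matched phrase, or null when the body is clean.
function matches_blocked_phrase(string $body): ?string {
    $haystack = strtolower($body);
    foreach (BLOCKED_PHRASES as $phrase) {
        if (strpos($haystack, strtolower($phrase)) !== false) {
            return $phrase;
        }
    }
    return null;
}

// Demonstration with constructed traffic.
$db  = open_log();
$now = 1700000000;

// 250 POSTs from one address, all within the last hour
for ($i = 0; $i < 250; $i++) {
    log_request($db, '198.51.100.7', 'POST', $now - $i * 10);
}
// a handful of GETs from another address
for ($i = 0; $i < 5; $i++) {
    log_request($db, '203.0.113.9', 'GET', $now - $i * 60);
}

var_dump(exceeds_rate($db, '198.51.100.7', 'POST', $now));
var_dump(exceeds_rate($db, '203.0.113.9', 'GET', $now));
var_dump(matches_blocked_phrase('comment=x&y=eval(base64_decode("..."))'));
var_dump(matches_blocked_phrase('comment=nice post'));
```

Both checks use prepared statements and plain substring matching, so the request body being inspected is never interpolated into SQL or evaluated. The phrase list is static, as the commenter notes; pairing it with the rate check catches the high-volume case even when a new payload is not yet on the list.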
PJH Says
What errors are you getting? I have `error_reporting = E_ALL | E_STRICT` set and I’m not getting any errors from BB – and I don’t think you should be; the line that includes it…
$whitelists = @parse_ini_file(dirname(BB2_CORE) . "/whitelist.ini");
… should suppress any errors due to the @.
May 3rd, 2011 at 3:25 pm
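An added example, not Bad Behavior's own loader, showing what the @ on parse_ini_file() does and does not do when whitelist.ini is absent: it silences the warning, but the call still returns false, so the caller has to handle that case itself. The ini layout used here (top-level ip[] entries) is a constructed format for illustration, not Bad Behavior's real whitelist syntax, and load_whitelist()/is_whitelisted_ip() are hypothetical names.

```php
<?php
// Added example, not Bad Behavior's own code. The whitelist.ini layout used
// below is constructed for illustration.

declare(strict_types=1);

// Returns the parsed whitelist, or an empty array when the file is missing or
// unparseable. The @ only suppresses the warning; parse_ini_file() still
// returns false, and treating that as "no whitelist" is the caller's job.
function load_whitelist(string $dir): array {
    $path = $dir . '/whitelist.ini';
    if (!is_readable($path)) {      // avoid touching a file that is not there at all
        return [];
    }
    $parsed = @parse_ini_file($path);
    return $parsed === false ? [] : $parsed;
}

// Exact-match lookup against the ip[] list; no CIDR handling in this example.
function is_whitelisted_ip(array $whitelist, string $ip): bool {
    return in_array($ip, $whitelist['ip'] ?? [], true);
}

// Demonstration: a temp directory without whitelist.ini, then with a constructed one.
$dir = sys_get_temp_dir() . '/bb-example-' . bin2hex(random_bytes(4));
mkdir($dir);

var_dump(load_whitelist($dir));   // empty array, no warning emitted

file_put_contents($dir . '/whitelist.ini', "ip[] = 192.0.2.10\nip[] = 192.0.2.11\n");
$wl = load_whitelist($dir);
var_dump(is_whitelisted_ip($wl, '192.0.2.10'));
var_dump(is_whitelisted_ip($wl, '198.51.100.5'));

unlink($dir . '/whitelist.ini');
rmdir($dir);
```

The is_readable() guard means the missing-file case is decided before any file access happens, which also sidesteps tooling that intercepts ini reads independently of PHP's @ operator.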
G Piper Says
My mistake… Drupal module “Boost” is giving the errors because it pre-processes the ini files. Still needed to put the whitelist.ini file in there to fix it though — might be nice if there was one already there so I don’t have to remember to put it in there. You used to include it by default, but…
May 4th, 2011 at 5:25 am
PJH Says
Sounds more like a complaint better directed to the makers of the “Boost” module to me – they’re ignoring (deliberately or otherwise) the @ directive of PHP.
May 4th, 2011 at 6:39 am
G Piper Says
FYI: The Drupal module is now up to date with the latest development version of your scripts, and I will be updating it as you release new dev versions.
May 15th, 2011 at 3:01 pm