Archive for the 'Bad Behavior' Category

Bad Behavior 2.1.9

January 25th, 2011 by Michael Hampton

Bad Behavior version 2.1.9 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites. This release includes a security fix and all development users are strongly urged to upgrade as soon as possible.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

All development users should upgrade to ensure that cross-site requests are screened properly and to protect against cross-site request forgery.

All development users who use a reverse proxy, load balancer, HTTP accelerator, or similar technology should upgrade to take advantage of new functionality supporting these deployments. (This includes CloudFlare. They say you’ll throw the first one away, and I certainly did.)

What’s new?

New in this release (since 2.1.8):

  • [Ticket 2] Bad Behavior includes new functionality to support its use behind a reverse proxy server, load balancer, HTTP accelerator, content distribution network, and similar technologies. To implement this functionality, three new core options have been added:
    • Reverse Proxy (default false): When enabled, Bad Behavior will assume that it is receiving a connection from a reverse proxy whenever the configured HTTP header is present.
    • Reverse Proxy Header (default “X-Forwarded-For”): When Reverse Proxy is enabled, Bad Behavior reads this header to locate the true IP address of the connecting client.
    • Reverse Proxy Addresses (default array()): An array of IP addresses or CIDR netblocks which Bad Behavior trusts to provide reliable information in the HTTP header given above. If no addresses are given, Bad Behavior assumes that the header is always trustworthy and that the right-most IP address appearing in it is the client’s. If you have a chain of two or more proxies this is probably not what you want; in that scenario you should either set this option to all proxy server IP addresses (or ranges) which could conceivably handle the request, or have your edge servers set a unique HTTP header containing the client’s IP address. For instance, when using CloudFlare it is impossible to provide a list of IP addresses, so you would set the HTTP header option to CloudFlare’s “CF-Connecting-IP” header instead.

    The WordPress port already contains a configuration interface for these new options. Port maintainers should add the necessary options to their own interfaces now.

  • [Ticket 3] Bad Behavior provides an option to allow cross-site POST requests; these are meant to be blocked by default as most sites do not need to receive form data submitted from other sites. However, the option to enable it for those sites which do need it had inverted logic, resulting in cross-site requests being allowed when the option was set to disallow them, and vice versa. This issue has been fixed.
  • Bad Behavior 2.1.9 is the first release to use the GNU Lesser General Public License version 3 (or, at your option, any later version).
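To make the three reverse-proxy options concrete, here is an added example (written for this page in Python, not Bad Behavior’s PHP code) that resolves the client address the way the notes describe: with no trust list, the header is believed and its right-most address wins; with a trust list, the header is only honoured when the TCP peer is a trusted proxy, and the chain is walked from the right, skipping trusted hops, so that an address injected by an untrusted party further left is never used. The function and parameter names are this example’s own.

```python
import ipaddress

# Option names and semantics follow the 2.1.9 release notes; the function
# itself is an illustration written for this page, not Bad Behavior's code.
DEFAULT_HEADER = "X-Forwarded-For"


def _get_header(headers, name):
    """Case-insensitive lookup of a request header; None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_ip(text):
    """Return an ip_address object, or None when text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip, trusted_nets):
    return any(ip in net for net in trusted_nets)


def resolve_client_ip(remote_addr, headers, reverse_proxy=False,
                      header_name=DEFAULT_HEADER, proxy_addresses=()):
    """Decide which address to treat as the client's.

    remote_addr     -- the TCP peer (what PHP exposes as REMOTE_ADDR)
    headers         -- dict of request headers
    reverse_proxy   -- the "Reverse Proxy" option
    header_name     -- the "Reverse Proxy Header" option
    proxy_addresses -- the "Reverse Proxy Addresses" option: IPs or CIDRs
    """
    if not reverse_proxy:
        return remote_addr

    raw = _get_header(headers, header_name)
    if raw is None:
        # No proxy header at all: the peer connected directly.
        return remote_addr
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if not hops:
        return remote_addr

    if not proxy_addresses:
        # No trust list: the release notes say the header is assumed
        # trustworthy and the right-most address is taken as the client.
        rightmost = _parse_ip(hops[-1])
        return str(rightmost) if rightmost else remote_addr

    trusted = [ipaddress.ip_network(p, strict=False) for p in proxy_addresses]
    peer = _parse_ip(remote_addr)
    if peer is None or not _is_trusted(peer, trusted):
        # The header did not arrive via a trusted proxy, so anything in it
        # could have been written by the peer itself: ignore it.
        return remote_addr

    # Walk the chain from the right (nearest proxy) to the left, skipping
    # every hop that is itself a trusted proxy. The first untrusted hop is
    # the client; anything further left was supplied by an untrusted party.
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            break              # malformed entry: stop rather than trust it
        if not _is_trusted(ip, trusted):
            return str(ip)
    return remote_addr         # every hop was a trusted proxy (or malformed)
```

The CloudFlare case from the notes falls out of the same function: pass `header_name="CF-Connecting-IP"` and leave `proxy_addresses` empty, and the single address in that header is used in place of whatever `X-Forwarded-For` carries.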

What’s coming?

I’ve set up an issue tracking system so that people can report bugs more easily. It’s bare bones at the moment, but you can use it to report bugs now. In the future it will be used to hold development information and a browsable source code repository.

I’ve also set up a git repository for Bad Behavior. The first code to be checked in will be the first 3.0 alpha, which I hope to have available within the next week or so. Details on how to access the repository will come at that time.

Download

Download the latest development release of Bad Behavior now!

Support

I can only spend time on improving Bad Behavior when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by making your most generous contribution for any amount. (BTW, I fixed all the broken donation links, I think. If you find any other broken ones, let me know!)

Thank you again for supporting Bad Behavior development!

Bad Behavior 2.0.40

January 25th, 2011 by Michael Hampton

Bad Behavior version 2.0.40 has been released. It is a security release. All users are strongly urged to upgrade as soon as possible.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

All users should upgrade to ensure that cross-site requests are screened properly and to protect against cross-site request forgery.

What’s new?

New in this release (since 2.0.39):

  • [Ticket 3] Bad Behavior provides an option to allow cross-site POST requests; these are meant to be blocked by default as most sites do not need to receive form data submitted from other sites. However, the option to enable it for those sites which do need it had inverted logic, resulting in cross-site requests being allowed when the option was set to disallow them, and vice versa. This issue has been fixed.
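The inverted-option bug fixed here (and in the 2.1.9 development release above) is easy to reproduce in miniature. The following added example, written for this page in Python rather than Bad Behavior’s PHP and not taken from the project, screens cross-site POSTs by comparing the Origin or Referer host against the site’s own host (how Bad Behavior itself identifies a cross-site request is not stated in the notes, so that comparison is this example’s assumption), shows the reversed condition next to the corrected one, and runs a small table of cases that catches exactly this kind of inversion.

```python
from urllib.parse import urlsplit


def is_cross_site_post(method, headers, site_host):
    """True for a POST whose Origin/Referer names a host other than site_host.

    Assumption for this example: a POST carrying neither header is treated
    as cross-site, since its origin cannot be confirmed.
    """
    if method.upper() != "POST":
        return False
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return True
    host = urlsplit(source).hostname
    return host is None or host.lower() != site_host.lower()


def should_block_buggy(method, headers, site_host, allow_cross_site_posts=False):
    """The inverted condition the notes describe: the option's sense is
    reversed, so cross-site POSTs are blocked only when they were allowed."""
    return is_cross_site_post(method, headers, site_host) and allow_cross_site_posts


def should_block_fixed(method, headers, site_host, allow_cross_site_posts=False):
    """Corrected: block cross-site POSTs unless the site opted in to them."""
    return is_cross_site_post(method, headers, site_host) and not allow_cross_site_posts


# Constructed requests against a site at www.example.com (not real traffic).
SITE = "www.example.com"
SAME_SITE_POST = ("POST", {"Referer": "https://www.example.com/contact"})
CROSS_SITE_POST = ("POST", {"Referer": "https://evil.example.net/form"})
PLAIN_GET = ("GET", {"Referer": "https://evil.example.net/"})


def regression_check(decide):
    """Run a decision function over the cases and return the list of failures.

    Expected: the cross-site POST is blocked when the option is off and
    allowed when it is on; same-site POSTs and GETs are never blocked.
    """
    expected = [
        (CROSS_SITE_POST, False, True),
        (CROSS_SITE_POST, True, False),
        (SAME_SITE_POST, False, False),
        (SAME_SITE_POST, True, False),
        (PLAIN_GET, False, False),
    ]
    failures = []
    for (method, headers), option, want in expected:
        got = decide(method, headers, SITE, allow_cross_site_posts=option)
        if got != want:
            failures.append((method, headers, option, got))
    return failures
```

Running `regression_check` against the buggy decision returns both cross-site cases as failures, which is the behaviour the notes describe: the protection was off when the option said on, and on when it said off.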

Download

Download Bad Behavior now!

Support

You’ve probably noticed that until recently there hadn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by making your most generous contribution for any amount.

Thank you again for supporting Bad Behavior development!

Bad Behavior 2.1.8

January 5th, 2011 by Michael Hampton

Bad Behavior version 2.1.8 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

All development users should upgrade to ensure that web pages are indexed properly in the Bing search engine, as well as to take advantage of new functionality described below.

CloudFlare users should upgrade to ensure that their sites remain accessible when using the CloudFlare reverse proxy service.

What’s new?

New in this release (since 2.1.7):

  • Microsoft has begun using a new IP address range for its msnbot search engine crawler, which provides data for the Bing search engine. This address range is now correctly recognized as belonging to Microsoft. (Reported by multiple users.)
  • Round-trip DNS detection code in previous versions was failing in strange ways due in part to a long-standing bug in PHP which is still not fixed as of this writing. This affected access by search engines as well as for anyone when the site uses CloudFlare. The round-trip DNS detection code has been temporarily disabled until a workaround or fix for PHP is available.
  • Due to the above issue, Bad Behavior effectively disables itself when CloudFlare use is detected. This is temporary until certain tests can be rearranged.
  • A number of very small files have been consolidated into slightly larger files to reduce disk I/O. Here we are targeting the typical 4K memory page (and future 4K disk block) boundary. More such consolidation will take place in the near future.
  • A small number of additional user-agents have been added to the internal blacklist and one has been modified to eliminate a potential false positive.

What’s coming?

Bad Behavior’s system requirements have been specified for the first time, at user request. Bad Behavior 2.0 requires PHP 4.3 or later, and 2.1 requires PHP 5.2 or later (5.3 when running on Windows). Both releases require MySQL 4.0 or later when using a database. I have had code contributed which offers PostgreSQL support and I will be integrating this soon. Note that as 2.1 is still the development branch, requirements may change (up or down) as development progresses.

Thanks to Dave Reid, who has provided a basic class structure for Bad Behavior, the next major release will be (mostly) object oriented while maintaining high performance and compatibility with PHP scripts which don’t make extensive use of OO. This will actually make it easier to do ports to various systems such as Drupal and enable ports to replace parts of Bad Behavior’s functionality when it makes sense for them to do so.

Future versions of Bad Behavior, beginning with the next development release, will be licensed under the GNU Lesser General Public License version 3. This licensing change will make it easier to resolve legal issues with porting to certain non-free software such as Simple Machines Forum, vBulletin, ExpressionEngine, etc. by making it unnecessary to grant specific license exemptions for such software in most cases. If you’re planning a port and still have legal issues, contact me.

Download

Download the latest development release of Bad Behavior now!

Support

I can only spend time on improving Bad Behavior when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Bad Behavior 2.0.39

January 5th, 2011 by Michael Hampton

Bad Behavior version 2.0.39 has been released. It is a maintenance release recommended for all users.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

All users should upgrade to ensure that the Microsoft Bing search engine crawler can correctly crawl your site.

What’s new?

New in this release (since 2.0.38):

  • Microsoft has begun using a new IP address range for its msnbot search engine crawler, which provides data for the Bing search engine. This address range is now correctly recognized as belonging to Microsoft. (Reported by multiple users.)

Download

Download Bad Behavior now!

Support

You’ve probably noticed that until recently there hadn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Bad Behavior 2.1.7

August 9th, 2010 by Michael Hampton

Bad Behavior version 2.1.7 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

All development users should upgrade to ensure that web pages are indexed properly in the Bing search engine.

What’s new?

New in this release (since 2.1.6):

  • Changes in the way Microsoft does round-trip DNS identification for its search engine IP addresses caused msnbot, the search engine crawler for Bing, to be intermittently blocked. This issue has been resolved. (This issue does not affect the 2.0 series, which uses a different method of identification.)
  • Minor changes have been made to the way requests are handled when the web site uses the CloudFlare reverse proxy service. More changes may come in the near future; the ultimate intent is to be able to support any server behind any reverse proxy.

What’s coming?

In the next few releases I will be rolling out a significant number of blocks intended to catch a wide variety of malicious robots. These include content scrapers, referrer spammers, automated cracking tools and more. Each of these is going through an extensive review prior to being released, to ensure that legitimate requests are not blocked.

Download

Download the latest development release of Bad Behavior now!

Support

I can only spend time on improving Bad Behavior when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Bad Behavior 2.1.6

August 8th, 2010 by Michael Hampton

Bad Behavior version 2.1.6 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

Users of the CloudFlare reverse proxy service should upgrade to ensure that legitimate requests are not blocked.

What’s new?

New in this release (since 2.1.5):

  • A logic error in the CloudFlare detection code was causing legitimate requests to be intermittently blocked. This issue should be fixed.

What’s coming?

In the next few releases I will be rolling out a significant number of blocks intended to catch a wide variety of malicious robots. These include content scrapers, referrer spammers, automated cracking tools and more. Each of these is going through an extensive review prior to being released, to ensure that legitimate requests are not blocked.

Download

Download the latest development release of Bad Behavior now!

Support

I can only spend time on improving Bad Behavior when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Bad Behavior 2.1.5

August 2nd, 2010 by Michael Hampton

Bad Behavior version 2.1.5 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

Users of the CloudFlare reverse proxy service should upgrade to ensure that blocked requests display correct, usable technical support keys.

What’s new?

New in this release (since 2.1.4):

  • A code omission was causing Bad Behavior to display incorrect technical support keys to blocked requests on sites using the CloudFlare reverse proxy service. This issue has been fixed.

What’s coming?

In the next few releases I will be rolling out a significant number of blocks intended to catch a wide variety of malicious robots. These include content scrapers, referrer spammers, automated cracking tools and more. Each of these is going through an extensive review prior to being released, to ensure that legitimate requests are not blocked.

Download

Download the latest development release of Bad Behavior now!

Support

I can only spend time on improving Bad Behavior when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Bad Behavior 2.1.4

July 13th, 2010 by Michael Hampton

Bad Behavior version 2.1.4 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

All users should upgrade to prevent a fatal error which may cause sites to fail to load correctly.

Users of Bad Behavior who expect a significant amount of traffic from Facebook, or who use Facebook integration tools, should upgrade to ensure that these tools work correctly.

What’s new?

New in this release (since 2.1.3):

  • A logic error in the CloudFlare code introduced in 2.1.3 caused installation or upgrading to fail under some circumstances, and caused a fatal error on systems which are using CloudFlare. This code has been rewritten.
  • A web crawler used by Facebook was inadvertently blocked because it engages in some unusual behavior. This could cause links to protected pages to appear on Facebook without their title, photo or description. This issue with Facebook’s crawler has been worked around.

Download

Download Bad Behavior now!

Support

You’ve probably noticed that until recently there hadn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Bad Behavior 2.0.38

July 13th, 2010 by Michael Hampton

Bad Behavior version 2.0.38 has been released. It is a maintenance release recommended for all users.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

Users of Bad Behavior who expect a significant amount of traffic from Facebook, or who use Facebook integration tools, should upgrade to ensure that these tools work correctly.

What’s new?

New in this release (since 2.0.37):

  • A web crawler used by Facebook was inadvertently blocked because it engages in some unusual behavior. This could cause links to protected pages to appear on Facebook without their title, photo or description. This issue with Facebook’s crawler has been worked around.

Download

Download Bad Behavior now!

Support

You’ve probably noticed that until recently there hadn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Bad Behavior 2.0.37 and 2.1.3

July 9th, 2010 by Michael Hampton

Bad Behavior versions 2.0.37 and 2.1.3 have been released. For the 2.0 stable branch, this release is a maintenance release recommended for all users.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

Users deploying Bad Behavior on Microsoft IIS should upgrade to ensure that all Bad Behavior functionality works as intended.

Users who receive a significant amount of traffic from proxied connections (e.g. small business and enterprise users) should upgrade to prevent a tiny minority of these users from being blocked.

Users following the development branch should upgrade to take advantage of support for the CloudFlare reverse proxy service.

What’s new?

New in the 2.0.37 stable release (since 2.0.36):

  • In rare configurations, the Firefox and Safari web browsers may send the nonexistent “Proxy-Connection” HTTP header. Old versions of Internet Explorer may also send this header in their default configurations. This usually occurs when the web browser is configured to connect to an (obsolete) HTTP/1.0 proxy or has been explicitly configured to use HTTP/1.0 when talking to a proxy, even if the proxy understands HTTP/1.1. This header originated with a proposal made by (then) Netscape which was rejected for inclusion in HTTP in 1998 due to its causing interoperability problems. Bad Behavior checks for this header as it has historically made an excellent indicator of malicious activity if it is seen at the origin server, because proxy servers are expected to strip the header. Because of the slight possibility of blocking legitimate users, this check is now active only in strict mode. (Thanks to Mark Nottingham for reporting this issue.)
  • A workaround for a problem with PHP on IIS servers has been implemented. This issue caused various parts of Bad Behavior’s functionality to fail on IIS. (Thanks to Michael Kingery for reporting this issue.)

New in the 2.1.3 development release (since 2.1.2):

  • The changes listed above for 2.0.37 have also been implemented.
  • New code which implements “round-trip DNS” for verifying that an IP address belongs to a specific entity is now being used to verify Googlebot and MSNbot. This code replaces the old hard-coded IP addresses.
  • Support for the CloudFlare reverse proxy service has been added. Users of this service should now be able to use Bad Behavior successfully. (Thanks to Matthew Prince at Project Honey Pot for his assistance with this implementation.)
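The “round-trip DNS” check introduced here for Googlebot and MSNbot (and temporarily disabled again in 2.1.8 because of the PHP resolver bug) is forward-confirmed reverse DNS: resolve the PTR for the connecting IP, require the name to end in the crawler operator’s domain, then resolve that name forward and require the original IP among the answers. The following is an added example written for this page in Python, not Bad Behavior’s implementation; the resolver calls are injectable so the check can run offline against constructed DNS records, including a forged PTR that names a `googlebot.com` host but does not resolve back. The hostnames, addresses and helper names are all constructed for the example.

```python
import socket

# Constructed DNS data for an offline run; these are not real records.
# 192.0.2.10 has a PTR whose A record points back (a genuine crawler).
# 203.0.113.9 has a forged PTR naming a googlebot.com host whose A record
# does not point back: the case a round-trip check exists to catch.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "203.0.113.9": "crawl-192-0-2-10.googlebot.com",
    "198.51.100.4": "host.example.net",
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "host.example.net": {"198.51.100.4"},
}


def fake_reverse(ip):
    """Stand-in PTR lookup over the constructed table."""
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host")


def fake_forward(host):
    """Stand-in A lookup over the constructed table."""
    try:
        return FAKE_A[host]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


def system_reverse(ip):
    """PTR lookup via the OS resolver."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(host):
    """All A/AAAA addresses for host via the OS resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def verify_round_trip_dns(ip, allowed_suffixes,
                          reverse_lookup=system_reverse,
                          forward_lookup=system_forward):
    """Forward-confirmed reverse DNS.

    1. ip -> PTR hostname
    2. hostname must end in one of allowed_suffixes (e.g. "googlebot.com")
    3. hostname -> A/AAAA records must contain ip
    Any resolver failure is treated as "not verified": a crawler that
    cannot be confirmed gets no special treatment.
    """
    try:
        host = reverse_lookup(ip)
    except OSError:
        return False
    host = host.rstrip(".").lower()
    suffixes = [s.rstrip(".").lower() for s in allowed_suffixes]
    if not any(host == s or host.endswith("." + s) for s in suffixes):
        return False
    try:
        addresses = forward_lookup(host)
    except OSError:
        return False
    return ip in addresses
```

Step 2 matters as much as step 3: without the suffix check, anyone who controls the reverse zone for their own addresses can publish a PTR that resolves forward consistently and pass the round trip; without step 3, a PTR that merely claims a crawler’s name is enough.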

Download

Download Bad Behavior now!

The 2.1 development releases will not be offered through the WordPress automatic upgrade facility. Only stable releases will be offered through automatic upgrade.

Support

You’ve probably noticed that there hasn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!