Archive for the 'Bad Behavior' Category
Bad Behavior version 2.0.39 has been released. It is a maintenance release recommended for all users.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
All users should upgrade to ensure that the Microsoft Bing search engine crawler can correctly crawl your site.
What’s new?
New in this release (since 2.0.38):
- Microsoft has begun using a new IP address range for its msnbot search engine crawler, which provides data for the Bing search engine. This address range is now correctly recognized as belonging to Microsoft. (Reported by multiple users.)
Download
Download Bad Behavior now!
Support
You’ve probably noticed that until recently there hadn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.
I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.
Thank you again for supporting Bad Behavior development!
Bad Behavior version 2.1.7 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
All development users should upgrade to ensure that web pages are indexed properly in the Bing search engine.
What’s new?
New in this release (since 2.1.6):
- Changes in the way Microsoft does round-trip DNS identification for its search engine IP addresses caused msnbot, the search engine crawler for Bing, to be intermittently blocked. This issue has been resolved. (This issue does not affect the 2.0 series, which uses a different method of identification.)
- Minor changes have been made to the way requests are handled when the web site uses the CloudFlare reverse proxy service. More changes may come in the near future; the ultimate intent is to be able to support any server behind any reverse proxy.
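The reverse-proxy handling described above, as an added example that is not Bad Behavior's own code: behind a proxy the connecting address is the proxy's, so the client address must come from a forwarding header, and that header is trustworthy only when the connection itself comes from a known proxy range. It generalizes beyond CloudFlare to an `X-Forwarded-For` chain; the function names, the `single_header` parameter and the proxy ranges are assumptions made for illustration.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space). A deployment
# would load the ranges its proxy operator publishes.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "2001:db8::/32")]

def _parse(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def _trusted(addr, nets):
    return any(addr in net for net in nets)

def client_ip(peer_addr, headers, nets=TRUSTED_PROXIES, single_header=None):
    """Address that blocking decisions and log entries should be keyed on."""
    peer = ipaddress.ip_address(peer_addr)
    if not _trusted(peer, nets):
        # Direct connection: forwarding headers are client-controlled, ignore.
        return str(peer)
    h = {k.lower(): v for k, v in headers.items()}
    if single_header:
        # Use only when every trusted proxy overwrites this header itself,
        # e.g. CF-Connecting-IP when all trusted ranges are CloudFlare's.
        addr = _parse(h.get(single_header.lower(), ""))
        return str(addr if addr is not None else peer)
    # Generic case: walk X-Forwarded-For right to left, skipping hops that are
    # trusted proxies; the first untrusted hop is the client. Entries further
    # left were supplied by that client and are never consulted.
    current = peer
    for hop in reversed(h.get("x-forwarded-for", "").split(",")):
        addr = _parse(hop)
        if addr is None:
            break
        current = addr
        if not _trusted(addr, nets):
            break
    return str(current)
```

A missing or malformed header falls back to the proxy's own address, which keeps a broken proxy configuration visible in the logs rather than attributing requests to a guessed client.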
What’s coming?
In the next few releases I will be rolling out a significant number of blocks intended to catch a wide variety of malicious robots. These include content scrapers, referrer spammers, automated cracking tools and more. Each of these is going through an extensive review prior to being released, to ensure that legitimate requests are not blocked.
Download
Download the latest development release of Bad Behavior now!
Support
I can only spend time on improving Bad Behavior when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.
I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.
Thank you again for supporting Bad Behavior development!
Bad Behavior version 2.1.6 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
Users of the CloudFlare reverse proxy service should upgrade to ensure that legitimate requests are not blocked.
What’s new?
New in this release (since 2.1.5):
- A logic error in the CloudFlare detection code was causing legitimate requests to be intermittently blocked. This issue should be fixed.
What’s coming?
In the next few releases I will be rolling out a significant number of blocks intended to catch a wide variety of malicious robots. These include content scrapers, referrer spammers, automated cracking tools and more. Each of these is going through an extensive review prior to being released, to ensure that legitimate requests are not blocked.
Download
Download the latest development release of Bad Behavior now!
Bad Behavior version 2.1.5 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
Users of the CloudFlare reverse proxy service should upgrade to ensure that blocked requests display correct, usable technical support keys.
What’s new?
New in this release (since 2.1.4):
- A code omission was causing Bad Behavior to display incorrect technical support keys to blocked requests on sites using the CloudFlare reverse proxy service. This issue has been fixed.
What’s coming?
In the next few releases I will be rolling out a significant number of blocks intended to catch a wide variety of malicious robots. These include content scrapers, referrer spammers, automated cracking tools and more. Each of these is going through an extensive review prior to being released, to ensure that legitimate requests are not blocked.
Download
Download the latest development release of Bad Behavior now!
Bad Behavior version 2.1.4 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
All users should upgrade to prevent a fatal error which may cause sites to fail to load correctly.
Users of Bad Behavior who expect a significant amount of traffic from Facebook, or who use Facebook integration tools, should upgrade to ensure that these tools work correctly.
What’s new?
New in this release (since 2.1.3):
- A logic error in the CloudFlare code introduced in 2.1.3 caused installation or upgrading to fail under some circumstances, and caused a fatal error on systems which are using CloudFlare. This code has been rewritten.
- A web crawler used by Facebook was inadvertently blocked because it engages in some unusual behavior. This could cause links to protected pages to appear on Facebook without their title, photo or description. This issue with Facebook’s crawler has been worked around.
Download
Download Bad Behavior now!
Bad Behavior version 2.0.38 has been released. It is a maintenance release recommended for all users.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
Users of Bad Behavior who expect a significant amount of traffic from Facebook, or who use Facebook integration tools, should upgrade to ensure that these tools work correctly.
What’s new?
New in this release (since 2.0.37):
- A web crawler used by Facebook was inadvertently blocked because it engages in some unusual behavior. This could cause links to protected pages to appear on Facebook without their title, photo or description. This issue with Facebook’s crawler has been worked around.
Download
Download Bad Behavior now!
Bad Behavior versions 2.0.37 and 2.1.3 have been released. For the 2.0 stable branch, this release is a maintenance release recommended for all users.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
Users deploying Bad Behavior on Microsoft IIS should upgrade to ensure that all Bad Behavior functionality works as intended.
Users who receive a significant amount of traffic from proxied connections (e.g. small business and enterprise users) should upgrade to prevent a tiny minority of these users from being blocked.
Users following the development branch should upgrade to take advantage of support for the CloudFlare reverse proxy service.
What’s new?
New in the 2.0.37 stable release (since 2.0.36):
- In rare configurations, the Firefox and Safari web browsers may send the nonexistent “Proxy-Connection” HTTP header. Old versions of Internet Explorer may also send this header in their default configurations. This usually occurs when the web browser is configured to connect to an (obsolete) HTTP/1.0 proxy or has been explicitly configured to use HTTP/1.0 when talking to a proxy, even if the proxy understands HTTP/1.1. This header originated with a proposal made by (then) Netscape which was rejected for inclusion in HTTP in 1998 due to its causing interoperability problems. Bad Behavior checks for this header as it has historically made an excellent indicator of malicious activity if it is seen at the origin server, because proxy servers are expected to strip the header. Because of the slight possibility of blocking legitimate users, this check is now active only in strict mode. (Thanks to Mark Nottingham for reporting this issue.)
- A workaround for a problem with PHP on IIS servers has been implemented. This issue caused various parts of Bad Behavior’s functionality to fail on IIS. (Thanks to Michael Kingery for reporting this issue.)
New in the 2.1.3 development release (since 2.1.2):
- The changes listed above for 2.0.37 have also been implemented.
- New code which implements “round-trip DNS” for verifying that an IP address belongs to a specific entity is now being used to verify Googlebot and MSNbot. This code replaces the old hard-coded IP addresses.
- Support for the CloudFlare reverse proxy service has been added. Users of this service should now be able to use Bad Behavior successfully. (Thanks to Matthew Prince at Project Honey Pot for his assistance with this implementation.)
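The "round-trip DNS" check mentioned in the 2.1.3 and 2.1.7 notes, as an added example that is not Bad Behavior's own code: resolve the address to a name, require the name to sit in the crawler operator's domain, then resolve that name forward and require the original address among the results. The domain suffixes follow the operators' published verification guidance and are assumptions here, as are the function names; the resolver data is constructed so the example runs offline.

```python
import ipaddress
import socket

# Reverse-DNS suffixes per crawler. Assumed from the operators' published
# verification guidance; the page does not list them.
CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "msnbot": (".search.msn.com",),
}

def system_reverse(ip):
    """PTR lookup: hostname for an address, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    """A/AAAA lookup: every address the hostname resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def verify_crawler(ip, claimed, reverse=system_reverse, forward=system_forward):
    """True only if ip -> name -> ip round-trips inside the crawler's domain."""
    suffixes = CRAWLER_SUFFIXES.get(claimed)
    host = reverse(ip) if suffixes else None
    if not host:
        return False
    host = host.rstrip(".").lower()
    # Leading dot rejects look-alikes such as "googlebot.com.other.example".
    if not host.endswith(suffixes):
        return False
    # The PTR record is set by whoever controls the address block, so the
    # name alone proves nothing; the forward lookup must return the same IP.
    want = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == want for a in forward(host))

# Constructed resolver data (documentation address space) so this runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "192.0.2.20": "msnbot-192-0-2-20.search.msn.com",
    "192.0.2.66": "crawl-192-0-2-10.googlebot.com",   # PTR copies a real name
    "192.0.2.77": "googlebot.com.other.example",
}
SAMPLE_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "msnbot-192-0-2-20.search.msn.com": {"192.0.2.20"},
}

def check_sample(ip, claimed):
    return verify_crawler(ip, claimed, SAMPLE_PTR.get,
                          lambda h: SAMPLE_A.get(h, set()))
```

Because the check depends on live DNS answers rather than a fixed address list, a change in the operator's DNS setup can cause intermittent failures of the kind the 2.1.7 notes describe, so results are worth caching and failures worth logging.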
Download
Download Bad Behavior now!
The 2.1 development releases will not be offered through the WordPress automatic upgrade facility. Only stable releases will be offered through automatic upgrade.
Support
You’ve probably noticed that there hasn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.
I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.
Thank you again for supporting Bad Behavior development!
Recently it was suggested to me that Bad Behavior could incorporate support for Stop Forum Spam.
Stop Forum Spam is meant to be a list of IP addresses, emails and usernames which spammers use when registering or posting spam to forums. It seems to work well, but it has some shortcomings.
First among them is that it has no native support for DNSBL. Instead, it exports its data to a third party DNSBL where the data is commingled with other data from unknown sources, making it difficult to use effectively.
Second is that it has no clearly defined removal policy. It does provide a form where people can request manual removal, but it also implies that a “network administrator” has to request removal.
After much experimentation with blackhole lists over the years, Bad Behavior currently uses only the Project Honey Pot http:BL list (and it is disabled by default). This list works very well at catching actual spammers, and it provides instant automatic removal for the very few legitimate users who happen to get caught by it.
Bad Behavior is meant to provide as little inconvenience to legitimate users as possible. When it happens, the user must be given clear directions on how to resolve the problem and ideally must be able to restore their access as soon as possible, e.g., by removing the viruses from their computer, etc.
Because it lacks a removal policy and clear process, it will not be appropriate to incorporate Stop Forum Spam at this time. I will continue to monitor the service and if it changes to allow for easier removal by legitimate users, then it may be incorporated in the future.
Bad Behavior 2.1.2 has been released. This release fixes bugs and is recommended for affected users as described below.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
Users who use the new URL whitelisting feature should upgrade to ensure that whitelisting works correctly in all circumstances.
What’s new?
New in this release (since 2.1.1):
- A logic error in the URL whitelisting feature caused URLs to fail to match the whitelist if the web browser requested a URL containing a ? character. This issue has been fixed.
Download
The 2.1 development releases will not be offered through the WordPress automatic upgrade facility.
Download the 2.1.2 development release of Bad Behavior now!
Support
This release would not have been possible without the support of people like you who find Bad Behavior valuable enough to make a financial contribution to ensure its further development.
Your contributions ensure that I can continue to devote time to bringing you the features you want, as well as continuing work on making spammers’ lives hell.
If you haven’t already done so, consider setting up a recurring contribution for as little as $5 per year, or make your most generous one-time contribution for any amount.
Thank you again for supporting Bad Behavior development!
Bad Behavior 2.1.1 and 2.0.36 have been released. This is a security release, and affected sites should upgrade as soon as is practical. This security issue was fixed in both the 2.1 development series and the 2.0 stable series, resulting in today’s simultaneous release.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
WordPress users should upgrade to prevent internal data from leaking to the web browser when the database encounters an error. Users of other platforms are not affected.
What’s new?
New in this release (since 2.1.0 and 2.0.35):
- Due to recent changes in the WordPress database code, any database errors that may occur because of WordPress, other plugins, or server trouble may be inappropriately displayed in the web browser. This could result in the leakage of information useful to attackers. This issue has been fixed. Thanks to Andrew Zhang for reporting this issue.
Download
The 2.1 development releases will not be offered through the WordPress automatic upgrade facility.
Download the 2.0.36 stable or 2.1.1 development release of Bad Behavior now!