Archive for the 'Open Source' Category

Bad Behavior 1.1.1

June 13th, 2005 by Michael Hampton

Bad Behavior Bad Behaviour

Bad Behavior 1.1.1 has been released.

Did you ever do something really stupid? Well, I have. And I even did it yesterday. I released some software without completely testing it and getting rid of all the bugs.

I unfortunately made a stupid error in one of the Bad Behavior filenames, which was causing some PHP warnings for some people. This has been fixed. I also have fixed a problem with msnbot being blocked which isn’t my fault at all; it turned out that Microsoft changed the IP address ranges that msnbot uses right as I was preparing Bad Behavior 1.1 for release.

Go get your fix: Download Bad Behavior now.

Bad Behavior 1.1

June 12th, 2005 by Michael Hampton

See also the permanent page for Bad Behavior.

Security Update: All users should update to Bad Behavior 1.1 immediately to prevent malicious attacks of various types on your Web site.

Bad Behavior 1.1 is now available! It includes a number of fixes and improvements over the 1.0 series, including:

  • Improved MediaWiki support. Bad Behavior now installs on MediaWiki the same as any other extension and no longer requires any unusual hacking. If you’re upgrading, please remove the hack from your index.php file.
  • Trackbacks and trackback auto-discovery from Movable Type blogs work normally now. In previous versions trackback auto-discovery and trackbacks received from Movable Type blogs would be blocked in certain circumstances.
  • An extensive security audit has been completed and a wide range of security fixes have been implemented.
  • Several additional spambots, some masquerading as well-known search engines, have been identified and blocked.

I would like to thank everyone who has downloaded and used Bad Behavior, as well as everyone who has made monetary contributions. Stopping link spam has turned out to be an interesting and engaging project, and promises to be so for some time to come, and your support helps.

I also want to thank a few contributors to the Bad Behavior project, but they wish to remain anonymous. So here is your thanks. Download Bad Behavior now!

Bad Behavior 1.0.1

May 28th, 2005 by Michael Hampton

Security Update: All Bad Behavior users should update to version 1.0.1 immediately to prevent malicious code execution on your Web server.

A security issue has been identified in Bad Behavior 1.0 whereby an attacker can execute arbitrary PHP code. While this issue only affects a small percentage of Web hosts, I have released an immediate fix for this issue. You are affected if your Web host has the PHP initialization values register_globals on and allow_url_fopen on. If allow_url_fopen is off, but register_globals is on, then the attack can only be carried out by someone with local access to the same server. If register_globals is off, you are not vulnerable.
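The paragraph above names the two settings that combine into code execution but not the mechanism, so here is an added illustration of the general pattern, written for this page and not taken from Bad Behavior's own code: a file include whose path can come from an unset variable (filled by register_globals) that may name a URL (fetched because of allow_url_fopen), next to the hardened form that derives its directory from the script itself and refuses anything off a fixed list. The module file names and the allowlist are assumptions.

```php
<?php
// Added illustration for the configuration the 1.0.1 note describes; this is
// not Bad Behavior's own code. register_globals lets a request parameter fill
// an uninitialised PHP variable, and allow_url_fopen (on PHP 5.2+ the separate
// allow_url_include directive) lets include/require read from a URL. A file
// include whose path comes from such a variable is the well-known way the two
// settings combine into arbitrary code execution. File names here are made up.

// Fragile pattern (kept as a comment on purpose): $bb_root is never assigned
// in this file, so under register_globals=On it is whatever the request says,
// and under allow_url_fopen=On it may name a remote host.
//
//   require_once($bb_root . '/bad-behavior-core.php');

// Hardened pattern, step 1: derive the plugin directory from this file's own
// location. Nothing in the request can influence __DIR__.
$bb_root = __DIR__;

// Step 2: load modules only from a fixed list and only from under $bb_root.
function bb_require(string $name, string $root): void
{
    static $allowed = array('bad-behavior-core.php', 'bad-behavior-wordpress-plugin.php');
    if (!in_array($name, $allowed, true)) {
        throw new RuntimeException("refusing to load unknown module: $name");
    }
    $base = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("module does not resolve under the plugin directory: $name");
    }
    require_once $path;
}

// Step 3: report the risky settings at load time so the site owner can see
// them. register_globals was removed in PHP 5.4, so on current PHP the first
// directive is simply absent and never reported.
function bb_risky_ini_settings(): array
{
    $found = array();
    foreach (array('register_globals', 'allow_url_fopen', 'allow_url_include') as $directive) {
        $value = ini_get($directive);   // false when the directive does not exist
        if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $found[] = $directive . '=On';
        }
    }
    return $found;
}

foreach (bb_risky_ini_settings() as $setting) {
    error_log('Bad Behavior example: ' . $setting . ' is enabled on this host');
}
// bb_require('bad-behavior-core.php', $bb_root);  // would load the hypothetical module
```

The point of step 1 is that the plugin never has to trust a variable it did not assign itself, which makes the register_globals question moot for that include; step 2 is belt-and-braces against a later refactor reintroducing a request-derived path; step 3 gives the site owner the same visibility the announcement asks them to check by hand.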

Bad Behavior 1.0.1 also includes a fix to allow receipt of trackbacks from Movable Type blogs. In 1.0, accesses by Movable Type were blocked because Movable Type uses exactly the same software to send HTTP requests that many spammers use. A fix has been placed in version 1.0.1 to allow sites to receive trackbacks and trackback auto-discovery. Please note, however, that while I have tried to make this fix narrowly apply only to Movable Type, this could make your site somewhat more vulnerable to certain spammers. As usual, I recommend defense in depth, and that means using more than one anti-spam solution.

Bad Behavior 1.0

May 1st, 2005 by Michael Hampton

First of all, I want to say thank you to the many people all over who have tried out pre-release versions of Bad Behavior and contributed feedback, comments, praise and code. This project would not have gone nearly as smoothly without all of your assistance. Shortly I’ll be setting up a thanks page for the major contributors with inbound links to your sites.

Bad Behavior

The home page for Bad Behavior explains what it is and why you want to install it, but for those of you who haven’t been keeping up, here’s the summary:

Gone over your bandwidth quota this month? Had to upgrade your web hosting plan? Who’s visiting your site so much? It’s those pesky spambots. They suck down your web pages repeatedly looking for links to post blog spam to, and email addresses to send conventional spam to. And then they come back the next day for more.

Bad Behavior is a PHP-based solution for keeping unwanted blog, wiki, forum, guestbook and referrer spam away from your site. Initially developed on WordPress, its modular architecture allows it to be ported to virtually any PHP-based application, and so far it has been ported to one wiki (MediaWiki) and a port to a forum (Geeklog) is in progress.

Download Bad Behavior now! And contact me with any questions or comments.

Changes

Since Release Candidate 3, there have been only a few changes.

  • An additional spambot was identified and banned.
  • An otherwise harmless PHP Notice was suppressed.
  • The user-agent was being logged in the request_uri field in the database. This has been fixed.

Thanks Again

Thanks again to everyone who has been involved with Bad Behavior! Now comes the fun part, adding new features. If you have an idea for a feature that Bad Behavior lacks, please let me know!

Bad Behavior 1.0-rc3

April 29th, 2005 by Michael Hampton

See also the announcement for Bad Behavior 1.0.

Security Update: All Bad Behavior users should update to 1.0-rc3 immediately to prevent malicious attacks on your database.

I’ll skip the usual mumbo jumbo and jump right to the important parts:

Fixed in this release:

  • A security issue has been identified and fixed: specially crafted data in the HTTP headers could be used to attempt SQL injection attacks. While no exploits are known at this time, all users are urged to update immediately.
  • A few more false positives have been fixed.
  • A few more spambots are now banned.
  • An email address now appears on the error page for people to contact if they are having trouble. You have the option of changing it to your own email address or leaving it as the default, in which case email will come here. Keep in mind that the email address will be visible to spammers!

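The SQL injection item above, and the earlier 1.0 note that the user-agent was landing in the request_uri column, both come down to how a request gets written to the log table. The following is an added example, not Bad Behavior's own logging code: every client-supplied value travels as a bound parameter of a prepared statement, and the column list is explicit so each field can only land in its own column. It uses PDO with an in-memory SQLite database so it runs stand-alone (the pdo_sqlite extension is assumed); the table layout, sample IP and header values are constructed.

```php
<?php
// Added example (not Bad Behavior's own code): logging the request fields a
// spambot filter cares about with a parameterised INSERT, so header values
// chosen by the client cannot change the SQL. In-memory SQLite via PDO keeps
// the example self-contained; the table layout is an assumption.

function bb_open_log(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE bb_log (
        id          INTEGER PRIMARY KEY,
        ip          TEXT NOT NULL,
        request_uri TEXT NOT NULL,
        user_agent  TEXT NOT NULL,
        headers     TEXT NOT NULL,
        logged_at   TEXT NOT NULL)');
    return $db;
}

// Write one request. Every client-controlled value is a bound parameter;
// the column list is explicit so user_agent cannot end up in request_uri.
function bb_log_request(PDO $db, string $ip, string $uri, string $ua, array $headers): int
{
    $lines = array();
    foreach ($headers as $name => $value) {
        $lines[] = $name . ': ' . $value;
    }
    $stmt = $db->prepare(
        'INSERT INTO bb_log (ip, request_uri, user_agent, headers, logged_at)
         VALUES (:ip, :uri, :ua, :headers, :ts)');
    $stmt->execute(array(
        ':ip'      => $ip,
        ':uri'     => $uri,
        ':ua'      => $ua,
        ':headers' => implode("\n", $lines),
        ':ts'      => gmdate('Y-m-d H:i:s'),
    ));
    return (int) $db->lastInsertId();
}

// Constructed sample: a User-Agent and a Referer carrying SQL metacharacters.
// Bound as parameters they are stored verbatim as data; pasted into the SQL
// text they would have ended the string literal early.
$db = bb_open_log();
$id = bb_log_request(
    $db,
    '192.0.2.10',
    '/wp-trackback.php?p=1',
    "Mozilla/4.0 (compatible; 'bot'); --",
    array('Host' => 'example.com', 'Referer' => "http://example.net/?q='")
);

$stmt = $db->prepare('SELECT user_agent, request_uri FROM bb_log WHERE id = :id');
$stmt->execute(array(':id' => $id));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
printf("row %d: user_agent=[%s] request_uri=[%s]\n", $id, $row['user_agent'], $row['request_uri']);
```

Reading the row back through the same prepared-statement path shows the quote and comment sequence stored as plain text in the user_agent column and the URI in its own column; the same function works against MySQL by changing only the DSN, since the escaping is done by the driver rather than by string assembly.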
Important: Some files in the plugin were renamed in Release Candidate 2. If you are upgrading from Release Candidate 1, you will need to remove the Bad Behavior files from your server, upload the new files, and re-enable the plugin in your WordPress admin panel. You do not need to do this if you are upgrading from Release Candidate 2.

Thank you again to everyone who has tried out Bad Behavior and provided valuable feedback. Both the praise and the trouble reports are greatly appreciated! Please feel free to contact me if you have either.

Bad Behavior 1.0-rc2

April 26th, 2005 by Michael Hampton

See also the blog entry announcing 1.0 Release Candidate 3.

Spam, spam, spam, baked beans and spam

On Sunday I announced Bad Behavior 1.0 Release Candidate 1. Go read that page for all the details on what it is.

I was quite pleasantly surprised that the response has been overwhelmingly positive. People from all over have tried out Bad Behavior and reported back that their spam levels have dropped to almost nothing. It’s the “almost” that concerns me. I was going to wait a little longer before doing this, but a few problems did crop up with the first release candidate.

Today I announce Bad Behavior 1.0 Release Candidate 2. Surprisingly, only two problems were found, so barring any new issues that might crop up, this will probably end up being the final 1.0 release.

Fixed in this release:

  • PHP Warning for gmdate() in generic mode.
  • A few instances of false positive matches were reported. Each one of these has been investigated and fixed.
  • A few additional spambots have been identified and blocked.
  • Because so many people asked for it, the run time for Bad Behavior is now placed in an XHTML comment in the header of the blog’s pages.

Still to come: Built-in log viewing. (Yep, you still gotta use phpMyAdmin to view the logs for now.)

Important: Some files in the plugin have been renamed in this release. If you are upgrading from Release Candidate 1, you will need to remove the Bad Behavior files from your server, upload the new files, and re-enable the plugin in your WordPress admin panel.

Oh, and to answer one other question: Yes, Bad Behavior runs here. If you’re reading this, it’s working. :-)

As always, feel free to contact me about Bad Behavior.

Bad Behavior 1.0-rc1

April 24th, 2005 by Michael Hampton

See also the blog entry announcing Bad Behavior 1.0-rc2.

Have you got anything without spam?

Gone over your bandwidth quota this month? Had to upgrade your web hosting plan? Who’s visiting your site so much? It’s those pesky spambots. They suck down your web pages repeatedly looking for links to post blog spam to, and email addresses to send conventional spam to. And then they come back the next day for more.

There has been no good way to sort out the spambots from the real users, since most of the spambots pretend to be real users. Until now.

Bad Behavior

Bad Behavior analyzes incoming requests to your server. If they match a profile of a known spambot, the spammer gets a nice error message instead of your blog.

While Bad Behavior has been tested extensively prior to this release, it is possible that there are still bugs. It’s possible that a spambot might slip through the cracks somewhere, and it’s possible that a human might be misidentified as a spambot. (They’ll get an error message explaining the situation and giving possible solutions.) If this happens please let me know so I can fix it!
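To make the "match a profile of a known spambot" idea above concrete, and to show the narrowly scoped trackback exception that the 1.0.1 announcement describes for Movable Type, here is an added example written for this page rather than Bad Behavior's actual rule set. A request is a small array of method, version, URI and headers; each rule returns a reason on a match, and the first reason wins. The User-Agent shapes, paths and sample requests are constructed (libwww-perl stands in for the HTTP library that a legitimate blog engine and many spammers share).

```php
<?php
// Added example, not Bad Behavior's own rule set: a small request-profile
// screen. bb_screen() returns null when the request looks legitimate and a
// short reason string otherwise; the caller would show the error page and
// log the reason. Header values and paths are constructed for illustration.

function bb_screen(array $req): ?string
{
    $headers = array_change_key_case($req['headers'], CASE_LOWER);
    $ua      = $headers['user-agent'] ?? '';
    $path    = parse_url($req['uri'], PHP_URL_PATH) ?? '';

    // Rule 1: every real browser sends a User-Agent.
    if ($ua === '') {
        return 'missing User-Agent';
    }
    // Rule 2: a client presenting itself as a browser must also send the
    // Accept header browsers always send; scripts that copy a browser
    // User-Agent string frequently forget it.
    if (stripos($ua, 'Mozilla/') === 0 && !isset($headers['accept'])) {
        return 'browser User-Agent without Accept header';
    }
    // Rule 3: a generic HTTP-library User-Agent is refused everywhere except
    // a POST to the trackback endpoint, where a legitimate blog engine uses
    // that same library. Tying the exception to method and path keeps the
    // hole small, but a spammer using that library can still reach the
    // trackback endpoint; that is the trade-off the 1.0.1 note describes.
    if (preg_match('#^(libwww-perl|lwp-trivial)/#i', $ua)
        && !($req['method'] === 'POST' && $path === '/wp-trackback.php')) {
        return 'HTTP-library User-Agent outside the trackback endpoint';
    }
    // Rule 4: HTTP/1.1 requires a Host header; a request without one did not
    // come from a browser.
    if ($req['version'] === 'HTTP/1.1' && !isset($headers['host'])) {
        return 'HTTP/1.1 request without Host header';
    }
    return null;
}

// Constructed sample requests covering each rule and the exception.
$samples = array(
    'browser'      => array('method' => 'GET', 'version' => 'HTTP/1.1', 'uri' => '/',
        'headers' => array('Host' => 'example.com', 'User-Agent' => 'Mozilla/5.0 (X11; Linux)',
                           'Accept' => 'text/html')),
    'fake browser' => array('method' => 'GET', 'version' => 'HTTP/1.1', 'uri' => '/?p=3',
        'headers' => array('Host' => 'example.com', 'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0)')),
    'trackback'    => array('method' => 'POST', 'version' => 'HTTP/1.1', 'uri' => '/wp-trackback.php?p=3',
        'headers' => array('Host' => 'example.com', 'User-Agent' => 'libwww-perl/5.803')),
    'harvester'    => array('method' => 'GET', 'version' => 'HTTP/1.1', 'uri' => '/?p=3',
        'headers' => array('Host' => 'example.com', 'User-Agent' => 'libwww-perl/5.803')),
);
foreach ($samples as $label => $req) {
    $reason = bb_screen($req);
    printf("%-13s %s\n", $label, $reason === null ? 'allowed' : 'blocked: ' . $reason);
}
```

Two design points follow from the post's own caveats. Every rule that keys on what browsers "always" do is a false-positive risk if an unusual but legitimate client omits the header, so each block should be logged with its reason (the reason strings above are meant for exactly that) so a misidentified human can be traced and the rule narrowed. And an exception such as Rule 3 should be as specific as the legitimate traffic allows, which is why it checks method and path rather than simply allowing the User-Agent everywhere.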

Installation and Usage

Bad Behavior works as a WordPress plugin. Install it in the usual way: unzip the file and upload the bad-behavior directory to wp-content/plugins. Before running it, you may want to customize some of the variables in bad-behavior/bad-behavior-wordpress-plugin.php.

Bad Behavior can also be customized for other PHP-based software; see the bad-behavior/bad-behavior-generic.php file to get started. It will provide basic spambot blocking out of the box, but it won’t be able to keep logs (or later, some more advanced stuff) unless it’s customized to your particular PHP-based software. Just require_once("bad-behavior/bad-behavior-generic.php"); somewhere in your common PHP code to use it this way.

Thanks!

Special thanks to Mark Jaquith, Firas Durri and many others in #wordpress who assisted greatly in shaking loose and squashing many, many bugs, as well as making the code a little friendlier, before this initial release.