Bad Behavior 2.0.26
February 1st, 2009 by Michael Hampton
Bad Behavior 2.0.26 has been released. It is a maintenance release and is recommended for certain users meeting the criteria described below.
MediaWiki and WordPress users should take note of special upgrade instructions below.
Who should upgrade?
Users who deploy Bad Behavior on a computer running Mac OS X, and users who have an IPv6-enabled web site, should upgrade to prevent IPv6 users, and users on localhost, from being blocked.
What’s new?
New in this release (since 2.0.25):
- Bad Behavior attempted to pass IPv6 addresses, in an incorrect format, to blacklists which are not themselves ready to handle IPv6 addresses. On Mac OS X, this also caused users on localhost to be blocked, since it uses the IPv6 address for localhost, even without another IPv6 network connection. A workaround has been placed to disable checking IPv6 addresses until the various blacklists are able to accept IPv6 addresses.
Support
If Bad Behavior has helped you, please make a financial contribution toward further development. Your contribution ensures that I can prioritize Bad Behavior development. Otherwise I must spend most of my time on other projects which pay the bills. Which is a shame, because I really enjoy making spammers miserable and drying up their revenue streams until it’s more profitable for them to work at McDonald’s than to send spam.
Download
Special Upgrade Instructions
Users of MediaWiki and WordPress upgrading from version 2.0.20 or earlier should follow these special directions (from 2.0.21 or later, upgrade normally):
For MediaWiki: Before installing this version of Bad Behavior, manually remove (e.g. using FTP or ssh) any old versions you may have, including the lines added to LocalSettings.php. Then install the new version fresh, following the installation instructions for MediaWiki.
For WordPress: If updating to this version through the automatic updater fails, manually remove (e.g. using FTP or ssh) any old versions you may have installed. Then upload and install the new version fresh, following the installation instructions for WordPress. After doing so, future automatic updates should proceed normally.
For other platforms: No changes to your upgrade procedures should be necessary.
Jeremy Says
So does this apply to IPv6-enabled hosts on Windows and Linux hosts, or only IPv6-enabled hosts on Mac OS X?
Feb 1st, 2009 at 9:03 am
Michael Hampton Says
It applies to all hosts serving web sites via IPv6, as stated above.
Feb 1st, 2009 at 9:17 am
tuxsoul Says
Hi, thank’s i have update the plugin to coppermine gallery to last version of bad-behavior, only have change from svn to git repository here:
Website:
http://code.google.com/p/cpg-dnsbl/
Repository:
http://github.com/tuxsoul/cpg-badbehavior/
Greeting’s.
Feb 2nd, 2009 at 12:27 am
anon Says
Can you release an vbulletin plugin integration?
Feb 4th, 2009 at 12:31 am
Michael Hampton Says
You left fake information, so I can’t contact you.
Feb 4th, 2009 at 5:17 am
Ipstenu Says
Michael, I ‘ported’ (and I use this term so loosely) your generic code to work with bbPress. Details in the link.
I can’t get it to work with the pretty WordPress integration, even though everything’s using the same DB, but I’m not too worried. Once I put Bad Behavior on, my spammers stopped being able to sign up. Thank you again for this cool tool!
http://bbpress.org/forums/topic/using-badbehavior-and-bbpress
Feb 5th, 2009 at 2:53 pm
Rogi Says
Hey Michael,
Just dropping by to say thinks for BB. I’ve been using it for years, most recently on ExpressionEngine (via the EE extension) and it’s a great help.
What prompted me to drop by especially today was to mention that I have been running without BB for a few days (for reasons that were not BB related) and out of curiosity checked my server logs this morning before reenabling BB. And, yea gads, the difference shows. Sans BB the amount of spam bots hitting the script genuinely rockets skwards (also this is evident by the extra load Defensio was having to cope with).
So, thanks.
Will happily fire my long-overdue donation your way within the next day or two – I only just got a PayPal account set up.
Rogi.
Feb 6th, 2009 at 11:38 am
Lincoln Says
Bad Behavior is now blocking Google bots:
74.125.75.20
User-Agent: Google-Sitemaps/1.0
2009-02-11 23:02:45
IP address found on http:BL blacklist
http:BL:
Suspicious
Harvester
Threat level 28
Age 3 days
I was wondering why Webmaster Tools could no longer verify my site, though this doesn’t appear to be a problem native to BB, but with the HoneyPot service and some moron over there probably screwed up.
For now I’ll whitelist the IP addresses. Still, the fact that it so casually blocked a Google Bot makes me nervous.
Feb 11th, 2009 at 11:12 pm
Michael Hampton Says
Lincoln, the root of the problem there is that Google is using the same IP address for some of its crawlers as for its proxies (e.g. Google Web Accelerator, Google Language Tools, Google Wireless Transcoder, etc.). Ideally it should not mix its own traffic with traffic originated by non-Google users on the same external IP address, but it does. Why, I don’t know. But that is why Google have gotten a few of their IP addresses into http:BL.
Feb 12th, 2009 at 2:49 am
Lincoln Says
Boy that sucks. I’m going to have to screen my logs more carefully now to make sure these bots can still get through. I guess Google thinks they’re so big now that they can afford to be placed on blacklists. =P
Feb 12th, 2009 at 5:20 pm
Gabriël Says
Hi there,
I tried to find out something about BB plugin and the Joomla Shop component Virtuemart (JM 1.5.9. VM 1.1.3.)
Do they work together? I have been searching this website but couldn’t find. Great if it works, but please let us know before installing on my LIVE site.
Feb 12th, 2009 at 7:22 pm
loxley Says
Going to try out this script now, seems like it’s the best there is. I also like that you’ve brought in http:BL. Keep it up!
Feb 12th, 2009 at 10:26 pm
Michael Hampton Says
Google needs to learn how to be a good net neighbor all over again, I suspect. Since Google’s main crawler isn’t blocked by this, I doubt they care very much, and few other people are going to care, either. It’s just kind of silly to be mixing legitimate crawling traffic on the same IP as your open proxy servers.
Feb 13th, 2009 at 11:15 am
Anna Says
Michael, it is not working on WP 2.7.1 for me. I see this fatal error
require_once(/var/www/users/userweb30550/html/wp-content/plugins/bad-behavior/bad-behavior/version.inc.php) [function.require-once]: failed to open stream: No such file or directory in /var/www/users/userweb30550/html/wp-content/plugins/bad-behavior/bad-behavior-wordpress.php on line 158. Is this happening to anyone else?
Feb 22nd, 2009 at 10:05 pm
Jeremy Says
Anna, that is most likely a permissions problem. Make sure the files you uploaded have at least a permission of rw-r–r– (644), and the directories have at least a permission of rwxr-xr-x (755).
Feb 22nd, 2009 at 10:14 pm
Claire Hodgeson Says
Would it be possible in future versions of bb to have an option where you can add ip addresses to a safe list, so they don’t get blocked. I think this would be a good way to handle friendly ips which get blocked.
Feb 23rd, 2009 at 8:04 pm
Michael Hampton Says
You can already do that.
Feb 24th, 2009 at 5:51 am
Álvaro Degives-Más Says
Hi Michael, I just posted a topic on the WP forum about building support for BB into WP Super Cache, but I just realized that there’s also WP Widget Cache which, perhaps, might do with some BB love. Should I just slap myself or is there indeed some merit in calling BB in that widget caching plugin which complements WP Super Cache really well (at least for me it does)?
Feb 24th, 2009 at 6:24 am
Claire Hodgeson Says
thank you Michael. Where do i add the ip to the whitelist? Is it below the example ips you give in the whitelist?
// Includes four examples of whitelisting by IP address and netblock.
$bb2_whitelist_ip_ranges = array(
“64.191.203.34″, // Digg whitelisted as of 2.0.12
“208.67.217.130″, // Digg whitelisted as of 2.0.12
“10.0.0.0/8″,
“172.16.0.0/12″,
“192.168.0.0/16″,
// “127.0.0.1″,
new ip here? with “//” in front? removing other “//”?
);
Feb 24th, 2009 at 1:15 pm
Álvaro Degives-Más Says
Claire, assuming you want to whitelist e.g. IP “123.45.67.89″ you can put it here:
// Includes four examples of whitelisting by IP address and netblock.
$bb2_whitelist_ip_ranges = array(
"123.45.67.89", // <- here is your new whitelisted IP
"64.191.203.34", // Digg whitelisted as of 2.0.12
"208.67.217.130", // Digg whitelisted as of 2.0.12
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
// "127.0.0.1",
);
Just in case I’ll repeat the darn good advice that follows these lines in the commented lines right below it: Inappropriate whitelisting WILL expose you to spam, or cause Bad Behavior to stop functioning entirely! DO NOT WHITELIST unless you are 100% CERTAIN that you should.
Feb 25th, 2009 at 12:41 pm
Claire Hodgeson Says
thanks for your help, i was trying to unblock a friend who could no longer visit the site after i installed bb.
Another thing i have noticed is that google has not indexed my site since installing bb, when normally it comes every few days.
i looked at bb settings, and googlebot is being blocked. the message i get is
User-Agent claimed to be Googlebot, claim appears to be false.
is there anyway to unblock google?
Feb 25th, 2009 at 8:25 pm
Álvaro Degives-Más Says
Claire, please look more closely at the message given by Bad Behavior: that bot claims to be Google, but isn’t. Now, if you’re truly willing to allow suspect strangers who falsely identify themselves as an authority into your site, along with a host of other dangerous critters, your best avenue is to uninstall Bad Behavior altogether.
Ask yourself this: why did you decide to install it in the first place?
If “improving security” is anywhere in your answer, you were right in installing it. Therefore, don’t uninstall it, and don’t defeat the protective measures it affords you.
It’s in theory possible that friend was a “false possible”, meaning that (s)he was incorrectly identified as a threat. In theory. In practice, odds are that (s)he is visiting from a bad neighborhood, meaning: a physical machine that is infected or still has signs of infection with malware, an IP address that previously has engaged repeatedly in nasty behavior, a system that is badly configured and providing incorrect credentials to assert harmlessness, or any possible combination thereof.
Bad Behavior is doing you a favor by blocking that phony “googlebot” (it saves you bandwidth to begin with, and more likely than not the worry of a later escalated attack on your site!) and your friend.
Finally: Bad Behavior provides helpful information to the human visitor, pointing more precisely to the cause and possible resolution of the problem why (s)he was denied access. Instead of complaining, a close look at the message and following up is more productive, and more generally wholesome for the internet as a whole.
On my site, I flatly discard any complaint about Bad Behavior, instead referring to the information already given – if a visitor is unwilling to follow those directions, (s)he is considered a threat and remains outside in the cold.
I’m intolerant of miscreants and fools alike; it saves me tons of worries, tons of uselessly wasted time, and tons more of appreciation for Michael Hampton’s work.
Conclusion: don’t defeat your own defenses, and leave BB as-is, or suffer the consequences.
Feb 25th, 2009 at 8:44 pm
Michael Hampton Says
Some of us have miscreants and fools for friends, and love them anyway. So no single approach is right for everyone.
That said, I can’t help you with the phony Googlebot. The real Googlebot should have no trouble. If you think it is the real Googlebot being blocked, then contact me privately with the IP addresses which were blocked, or look them up yourself.
Feb 25th, 2009 at 9:32 pm
Claire Hodgeson Says
Your completely right, bb does a good job blocking bad stuff from your site. But from what i have read elsewhere, it also blocks quite a few normal visitors.
My friend who i was trying to unblock is someone i speak with by email, so i know he is not bad. he contacted me to let me know about the problem, and we found out he was on a shared ip, and this ip was on the honeypot blacklist marked down as an email spammer. Hopefully now i have added his ip to the whitelist he will be able to visit the site again.
But i dont think the average user who gets blocked will bother to follow the instructions or contact me. They will most likely just go to another site, so it is unfortunate that bb blocks regular users. I imagine this would be a very hard problem to solve though.
The googlebot i asked about was what i saw in the logs to see if google was being blocked, as my site had not been indexed for awhile which was unusual. This only happened after i installed bb, so i was wondering if thats what caused it.
When i did a quick search on this i found this site which said they removed bb because it blocked google
http://expressionengine.com/forums/viewthread/63850/
But im not sure if this still applies to the latest version, as i thought i read this had been fixed.
I will give it another week and see if google can access my site, your probably right though that it is a fake.
Feb 25th, 2009 at 10:06 pm
Michael Hampton Says
The forum post you posted there incorrectly states that Bad Behavior blocks Googlebot. What they actually demonstrated there is that Bad Behavior blocks fake Googlebots. Unfortunately the thread is closed (and very old) so I can’t post a correction.
Feb 25th, 2009 at 10:23 pm
Álvaro Degives-Más Says
I’m giddy to drop some public news report here that Donncha O Caoimh now has built support for BB into WP Super Cache. Yay! No more fiddling with the plugin’s file to have the two play together nicely!
Mar 2nd, 2009 at 3:02 pm
Claire Hodgeson Says
hi Michael, just wanted to let you know that google has indexed my site, so bb wasn’t blocking it.
thanks to you and Alvaro for your help
Mar 4th, 2009 at 4:42 pm
Álvaro Degives-Más Says
Hi Michael, question: if someone uses a shared SSL connection to secure admin traffic on a VH, and therefore the domain name is different from the “standard” HTTP traffic (i.e., the blog) why would BB throw back any attempt to post a comment? I’ve just seen an otherwise perfectly valid commenter thrown out because: “Referer did not point to a form on this site.” And so I tested it myself, by opening a “fresh” browser with cache and cookies cleared, and… I got smacked in the kisser too. So, I had to simply unplug Admin SSL in its entirety (which handles the redirects to the VH’s shared SSL location of the admin pages, all routed to there).
I think I get the problem, but do you think there’s some way to set one shared HTTPS location somewhere, so that BB knows the good folks from the, um, miscreants and fools? Or am I stubborn by asking *all* /wp-admin/ traffic to go over SSL? (Admin SSL has that as an option, and I set it that way). Anyway… Thanks for looking.
Mar 5th, 2009 at 2:05 pm
Michael Hampton Says
No, using http vs. https (or a mix, as Admin SSL does) doesn’t matter. Only the hostname of the web site matters. In your case, since you’re using someone else’s SSL certificate, the hostname of the site is different, and you’re being blocked. If you get your own SSL certificate, it will work fine.
Mar 5th, 2009 at 2:31 pm
Álvaro Degives-Más Says
Yep, feared as much. Thanks for confirming!
Mar 5th, 2009 at 2:48 pm
Mark Says
Im confused here, how does I understand wheteher an Ip should have been blcoked or not I keep getting 2 errors i dont understand…
This
Required header ‘Accept’ missing
and this
Prohibited header ‘Range’ present
what are they, also still could anyone tip me on how I know if an Ip should have been clocked or not. Thanks
Mar 10th, 2009 at 8:33 pm
Claire Hodgeson Says
Michael, does bb work with hyper cache wordpress plugin?
http://www.satollo.com/english/wordpress/hyper-cache
Mar 11th, 2009 at 2:01 pm
Michael Hampton Says
Huh? Why wouldn’t it?
Mar 11th, 2009 at 4:11 pm
Claire Hodgeson Says
i saw this on your site where you mentioned advanced cache/super cache
http://www.bad-behavior.ioerror.us/documentation/wordpress/
so just wanted to check it worked ok with bb
Mar 11th, 2009 at 6:09 pm
Álvaro Degives-Más Says
Claire, the current version of WP Super Cache has built-in support for Bad Behavior. Just keep in mind that:
- You need to set Super Cache in “half on” mode to support BB;
- With the current version, you don’t have to change anything in the WP Super Cache files (i.e. contrary to the instructions Michael Hampton provided for previous WP Super Cache versions);
- It really helps to use the Bad Behavior built-in support for the http:BL remote blacklist, so don’t forget to obtain a http:BL key by registering at the Project Honeypot site. You’ll get a http:BL key that you can input into the BB options page.
- You have to rename the directory where the Bad Behavior plugin resides into “Bad Behavior” (i.e. you have to capitalize the two words) for WP Super Cache to recognize it properly and automatically.
- Optionally, also install and use the WP-Honeypot plugin, which allows you to install and transparently use a honeypot script (available from the same Project Honeypot site, once you’re registered and logged in there).
Mar 11th, 2009 at 6:54 pm
Michael Hampton Says
It is supposed to be in lowercase. Hopefully donncha will fix this very soon. Until he does, you should continue to follow the directions posted on this site.
Mar 11th, 2009 at 7:10 pm
Álvaro Degives-Más Says
I respectfully disagree with your recommendation to change that one line in the WP Super Cache file, Michael, as WP Super Cache since v0.9.1 transparently recognizes BB without any need whatsoever to change anything. See this topic: maybe you could post there and clarify that, at least since the later versions of BB, its directory is indeed in all lowercase.
Mar 11th, 2009 at 7:18 pm
Michael Hampton Says
I just read the forum topic you linked to, and responded to it. I stand by my advice, since WP Super Cache DOES NOT properly recognize Bad Behavior (yet).
Mar 11th, 2009 at 7:49 pm
Álvaro Degives-Más Says
Thanks for the clarification. Hmmm… With “properly” do you mean: supporting BB while offering “full on” caching of static files directly by the webserver, as opposed to caching via the PHP engine? If so, I switched that topic back to “not resolved” until I understand the issue better.
PS: I personally use this link to keep tabs…
Mar 11th, 2009 at 7:57 pm
john Says
How do I set it to allow certain Ip’s its blovking google keyword tool…
Mar 12th, 2009 at 4:24 pm
PaulH Says
Are you absolutely *sure* it’s Google, and not some spider saying it’s Google (i.e. it’s lying?)
Not unknown.
Mar 12th, 2009 at 11:16 pm
john Says
Yep definately because it was me that was using the keyword tool to oick up keywords from my page.
Mar 13th, 2009 at 12:52 am
Michael Hampton Says
I’d love to help with Google’s keyword tool, if it really is being blocked, but you didn’t email me with any details. Please send me an email with the Bad Behavior log entries from your site showing where it was blocked.
Mar 13th, 2009 at 1:13 am
Mark Says
Accept-Encoding: gzip
Host: http://www.mmdogtraining101.com
User-Agent: Mozilla/5.0 (compatible; Google Keyword Tool; +https://adwords.google.com/select/KeywordToolExternal)
there it is, could you please notify me how I allow Ip’s as in the future Im sure i will need to know about it.
Mar 13th, 2009 at 9:06 pm
john Says
Accept-Encoding: gzip
Host: http://www.mmdogtraining101.com
User-Agent: Mozilla/5.0 (compatible; Google Keyword Tool; +https://adwords.google.com/select/KeywordToolExternal)
There you go, thats the log and aslo if you oculd please let me know how to “unblock an ip” i would be vert grateful.
Mar 14th, 2009 at 2:40 pm
Michael Hampton Says
That’s odd, but I still haven’t gotten a message from you with the details showing that Google’s keyword tool was blocked.
Mar 14th, 2009 at 5:04 pm
Mark Says
Accept-Encoding: gzip
Host: http://www.mmdogtraining101.com
User-Agent: Mozilla/5.0 (compatible; Google Keyword Tool; +https://adwords.google.com/select/KeywordToolExternal)
There is the log for bad behaviour blocking google keyword tool all I need to know is how I unblock that IP?
Thanks
Mar 14th, 2009 at 8:48 pm
Michael Hampton Says
That’s the third time you’ve posted that, and it doesn’t help. For one thing, you didn’t include the IP address! For another, I have no idea if it’s even complete or not, since, well, you didn’t include the IP address! For the second time, please e-mail me.
Mar 15th, 2009 at 2:13 am
john Says
Please Michael I need to know one thing, that is how I unblock an IP?
Mar 16th, 2009 at 4:34 pm
Michael Hampton Says
You add it to the whitelist. And PLEASE e-mail me the information so I can take it to Google and yell at them for the problem with their product.
Mar 16th, 2009 at 5:15 pm
john Says
Thanks Michael but I dont know how to do that…
Mar 16th, 2009 at 5:17 pm
john Says
Oh Michale it has started to allow the tool again, maybe they changed the Ip range, thank you for your continued support will be returning to make a donation once Im back into the money making game.
Mar 16th, 2009 at 5:19 pm
john Says
Actually sorry it doesnt, it allow on the frontpage but none of the other pages.
Mar 16th, 2009 at 5:20 pm
Michael Hampton Says
Well, if you aren’t going to contact me, then at least contact Google and let them know that their tool has a problem.
Mar 16th, 2009 at 5:45 pm
Michel Fortin Says
Hmmm. A ton of people are still getting blocked (with IE) from my blog, and for the life of me I can’t seem to figure it out (in the blacklist file).
Mar 17th, 2009 at 5:41 pm
Michael Hampton Says
How do you know they’re real people? (And such reports don’t belong here anyway.)
Mar 17th, 2009 at 6:15 pm
Michel Fortin Says
Yes, Michael.
(I’m sorry about posting here. I didn’t know you had a helpdesk or support center.)
This 4th complaint I’ve had (one of my clients) sent me this email:
“Nope, I’m still blocked now. I tried clearing out my cache and changed one of my settings in IE on the privacy, I moved it to Lower. I made you a quick Jing video just in case you wanted to see my settings. I think most everything is set to default except a couple things you’ll see at the end. I have the Google Toolbar and Roboform toolbar running so I didn’t want to disable them.
http://screencast.com/t/lNXVKH67u
Hope this helps. And please let me know where the support/bug center is, since there is no link at the top of your blog for this. Thanks!
Mar 17th, 2009 at 6:27 pm
Michael Hampton Says
I e-mailed you the instructions on what to do about the malicious software on that particular user’s computer. Speaking of e-mail, in case it wasn’t abundantly clear, that’s where support requests go.
Mar 17th, 2009 at 7:12 pm