
Bad Behavior 2.0.31 has been released. It is a maintenance release and is recommended for specific users identified below.
MediaWiki and WordPress users who have not updated in the last year or so should take note of special upgrade instructions below.
Who should upgrade?
Users of specialized web services integrated into their host platforms, for which Bad Behavior should not screen requests, should upgrade to take advantage of new functionality introduced in the previous release.
What’s new?
New in this release (since 2.0.30):
- Due to ongoing issues with various web services such as OpenID and PayPal IPN behaving in strange ways which trigger Bad Behavior, a new whitelist was added in version 2.0.30. You may now add URLs of your site to Bad Behavior’s whitelist. When a URL is added, Bad Behavior will ignore any HTTP request to that particular URL. If you need this feature, please check the bad-behavior/whitelist.inc.php file for further information. In version 2.0.30 this feature was comparing the whitelisted URLs to the wrong field in the HTTP header. This has been fixed. (Thanks to Magnus Wester for catching this error.)
Support
Thank you to everyone who has chosen to make a financial contribution toward further development of Bad Behavior. Your contributions ensure that I can prioritize Bad Behavior development and make more frequent and timely releases, like this one.
Download
Download Bad Behavior now!
Special Upgrade Instructions
Users of MediaWiki and WordPress upgrading from version 2.0.20 or earlier should follow these special directions (from 2.0.21 or later, upgrade normally):
For MediaWiki: Before installing this version of Bad Behavior, manually remove (e.g. using FTP or ssh) any old versions you may have, including the lines added to LocalSettings.php. Then install the new version fresh, following the installation instructions for MediaWiki.
For WordPress: If updating to this version through the automatic updater fails, manually remove (e.g. using FTP or ssh) any old versions you may have installed. Then upload and install the new version fresh, following the installation instructions for WordPress. After doing so, future automatic updates should proceed normally.
For other platforms: No changes to your upgrade procedures should be necessary.

Bad Behavior 2.0.30 has been released. It is a maintenance release and is recommended for all users.
MediaWiki and WordPress users who have not updated in the last year or so should take note of special upgrade instructions below.
Who should upgrade?
All users should upgrade to resolve issues with potential blocking of a major search engine. Users of specialized web services integrated into their host platforms, for which Bad Behavior should not screen requests, should upgrade to take advantage of this new functionality.
What’s new?
New in this release (since 2.0.29):
- Recent reports indicate that the msnbot web crawler, used by Microsoft’s Bing search engine, no longer identifies itself as msnbot, but now uses a User-Agent string which was previously seen only with malicious requests from email harvesters and site scrapers. Microsoft has been notified of the problem, but given the glacial pace at which they fix issues with their software, a resolution is not expected soon. Due to concerns that Bad Behavior users may be losing their rankings in the Bing search engine, this malicious User-Agent string has been temporarily removed from Bad Behavior’s internal blacklist so that requests from msnbot may be processed. This will increase your exposure to spam and other malicious traffic. You may send comments regarding this to msnbot@microsoft.com.
- Due to ongoing issues with various web services such as OpenID and PayPal IPN behaving in strange ways which trigger Bad Behavior, a new whitelist has been added. You may now add URLs of your site to Bad Behavior’s whitelist. When a URL is added, Bad Behavior will ignore any HTTP request to that particular URL. If you need this feature, please check the bad-behavior/whitelist.inc.php file for further information. This feature was driven largely by the PayPal IPN web service, which sends POST requests with no User-Agent string, a common indicator of malicious activity. PayPal has refused to add a User-Agent string for years and has never given a reason, good or bad, for not including it. Reports from PayPal merchants who have contacted me indicate that PayPal is finally considering adding a User-Agent string to IPN requests; interested merchants should contact PayPal to express their support for this feature.
- On some web servers, a WordPress installation sending a trackback (not a pingback) to another WordPress installation would sometimes cause Bad Behavior to block the request as a fake trackback. This issue has been fixed.
- A condition in which the HTTP Referer: header contains invalid data now returns a 400 Bad Request error instead of a 403 Forbidden error. This is intended to make clear the fact that robots triggering this condition are not in compliance with the HTTP specification.
- An additional spambot has been identified and blocked by its unique User-Agent string.
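
The URL whitelist described in both releases, and the class of mistake the 2.0.31 note refers to, can be sketched as below. This is an added example, not Bad Behavior's code: the function names, whitelist entries and sample requests are constructed, and it assumes exact matching on the path of the request URI.

```php
<?php
// Added illustration, not Bad Behavior's own code; every name is hypothetical.

// Constructed sample whitelist: exact URL paths that bypass screening.
const URL_WHITELIST = ['/paypal/ipn.php', '/openid/server.php'];

// True only when the path of the request line equals a whitelisted entry.
function is_whitelisted(string $requestUri): bool
{
    // Drop the query string; a malformed URI is never treated as exempt.
    $path = parse_url($requestUri, PHP_URL_PATH);
    return is_string($path) && in_array($path, URL_WHITELIST, true);
}

// Returns the status the screen would answer with: 200 (pass) or 403 (block).
function screen_request(string $method, string $requestUri, array $headers): int
{
    // The exemption is decided from the request URI alone. Headers are
    // client-controlled and must not be able to grant it.
    if (is_whitelisted($requestUri)) {
        return 200;
    }
    $headers = array_change_key_case($headers, CASE_LOWER);
    // The heuristic named in the release notes: POST without a User-Agent.
    if ($method === 'POST' && trim($headers['user-agent'] ?? '') === '') {
        return 403;
    }
    return 200;
}

// Constructed sample requests: [method, request URI, headers].
$samples = [
    ['POST', '/paypal/ipn.php', []],
    ['POST', '/paypal/ipn.php?txn=1', []],
    ['POST', '/wp-comments-post.php', []],
    ['POST', '/wp-comments-post.php?u=/paypal/ipn.php', []],
    ['POST', '/wp-comments-post.php', ['Referer' => 'http://example.org/paypal/ipn.php']],
    ['POST', '/paypal/ipn.php.bak', []],
    ['POST', '/wp-comments-post.php', ['User-Agent' => 'ExampleBrowser/1.0']],
];
foreach ($samples as [$method, $uri, $headers]) {
    printf("%-4s %-45s => %d\n", $method, $uri, screen_request($method, $uri, $headers));
}
```

Because a whitelisted URL skips every check, the list is best kept to the few endpoints that actually need it.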
Support
Thank you to everyone who has chosen to make a financial contribution toward further development of Bad Behavior. Your contributions ensure that I can prioritize Bad Behavior development and make more frequent and timely releases, like this one.
Download
Download Bad Behavior now!
Special Upgrade Instructions
Users of MediaWiki and WordPress upgrading from version 2.0.20 or earlier should follow these special directions (from 2.0.21 or later, upgrade normally):
For MediaWiki: Before installing this version of Bad Behavior, manually remove (e.g. using FTP or ssh) any old versions you may have, including the lines added to LocalSettings.php. Then install the new version fresh, following the installation instructions for MediaWiki.
For WordPress: If updating to this version through the automatic updater fails, manually remove (e.g. using FTP or ssh) any old versions you may have installed. Then upload and install the new version fresh, following the installation instructions for WordPress. After doing so, future automatic updates should proceed normally.
For other platforms: No changes to your upgrade procedures should be necessary.