Bad Behavior version 2.1.7 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
All development users should upgrade to ensure that web pages are indexed properly in the Bing search engine.
What’s new?
New in this release (since 2.1.6):
- Changes in the way Microsoft does round-trip DNS identification for its search engine IP addresses caused msnbot, the search engine crawler for Bing, to be intermittently blocked. This issue has been resolved. (This issue does not affect the 2.0 series, which uses a different method of identification.)
- Minor changes have been made to the way requests are handled when the web site uses the CloudFlare reverse proxy service. More changes may come in the near future; the ultimate intent is to be able to support any server behind any reverse proxy.
What’s coming?
In the next few releases I will be rolling out a significant number of blocks intended to catch a wide variety of malicious robots. These include content scrapers, referrer spammers, automated cracking tools and more. Each of these is going through an extensive review prior to being released, to ensure that legitimate requests are not blocked.
Download
Download the latest development release of Bad Behavior now!
Support
I can only spend time on improving Bad Behavior when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.
I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.
Thank you again for supporting Bad Behavior development!
Bad Behavior version 2.1.6 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
Users of the CloudFlare reverse proxy service should upgrade to ensure that legitimate requests are not blocked.
What’s new?
New in this release (since 2.1.5):
- A logic error in the CloudFlare detection code was causing legitimate requests to be intermittently blocked. This issue should be fixed.
What’s coming?
In the next few releases I will be rolling out a significant number of blocks intended to catch a wide variety of malicious robots. These include content scrapers, referrer spammers, automated cracking tools and more. Each of these is going through an extensive review prior to being released, to ensure that legitimate requests are not blocked.
Download
Download the latest development release of Bad Behavior now!
Bad Behavior version 2.1.5 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
Users of the CloudFlare reverse proxy service should upgrade to ensure that blocked requests display correct, usable technical support keys.
What’s new?
New in this release (since 2.1.4):
- A code omission was causing Bad Behavior to display incorrect technical support keys to blocked requests on sites using the CloudFlare reverse proxy service. This issue has been fixed.
What’s coming?
In the next few releases I will be rolling out a significant number of blocks intended to catch a wide variety of malicious robots. These include content scrapers, referrer spammers, automated cracking tools and more. Each of these is going through an extensive review prior to being released, to ensure that legitimate requests are not blocked.
Download
Download the latest development release of Bad Behavior now!
Bad Behavior version 2.1.4 has been released. It is a development release intended for testing and verification of new functionality and should not normally be used on production sites.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
All users should upgrade to prevent a fatal error which may cause sites to fail to load correctly.
Users of Bad Behavior who expect a significant amount of traffic from Facebook, or who use Facebook integration tools, should upgrade to ensure that these tools work correctly.
What’s new?
New in this release (since 2.1.3):
- A logic error in the CloudFlare code introduced in 2.1.3 caused installation or upgrading to fail under some circumstances, and caused a fatal error on systems which are using CloudFlare. This code has been rewritten.
- A web crawler used by Facebook was inadvertently blocked because it engages in some unusual behavior. This could cause links to protected pages to appear on Facebook without their title, photo or description. This issue with Facebook’s crawler has been worked around.
Download
Download Bad Behavior now!
Support
You’ve probably noticed that until recently there hadn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.
I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.
Thank you again for supporting Bad Behavior development!
Bad Behavior version 2.0.38 has been released. It is a maintenance release recommended for all users.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
Users of Bad Behavior who expect a significant amount of traffic from Facebook, or who use Facebook integration tools, should upgrade to ensure that these tools work correctly.
What’s new?
New in this release (since 2.0.37):
- A web crawler used by Facebook was inadvertently blocked because it engages in some unusual behavior. This could cause links to protected pages to appear on Facebook without their title, photo or description. This issue with Facebook’s crawler has been worked around.
Download
Download Bad Behavior now!
Bad Behavior versions 2.0.37 and 2.1.3 have been released. For the 2.0 stable branch, this release is a maintenance release recommended for all users.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
Users deploying Bad Behavior on Microsoft IIS should upgrade to ensure that all Bad Behavior functionality works as intended.
Users who receive a significant amount of traffic from proxied connections (e.g. small business and enterprise users) should upgrade to prevent a tiny minority of these users from being blocked.
Users following the development branch should upgrade to take advantage of support for the CloudFlare reverse proxy service.
What’s new?
New in the 2.0.37 stable release (since 2.0.36):
- In rare configurations, the Firefox and Safari web browsers may send the nonexistent “Proxy-Connection” HTTP header. Old versions of Internet Explorer may also send this header in their default configurations. This usually occurs when the web browser is configured to connect to an (obsolete) HTTP/1.0 proxy or has been explicitly configured to use HTTP/1.0 when talking to a proxy, even if the proxy understands HTTP/1.1. This header originated with a proposal made by (then) Netscape which was rejected for inclusion in HTTP in 1998 due to its causing interoperability problems. Bad Behavior checks for this header as it has historically made an excellent indicator of malicious activity if it is seen at the origin server, because proxy servers are expected to strip the header. Because of the slight possibility of blocking legitimate users, this check is now active only in strict mode. (Thanks to Mark Nottingham for reporting this issue.)
- A workaround for a problem with PHP on IIS servers has been implemented. This issue caused various parts of Bad Behavior’s functionality to fail on IIS. (Thanks to Michael Kingery for reporting this issue.)
New in the 2.1.3 development release (since 2.1.2):
- The changes listed above for 2.0.37 have also been implemented.
- New code which implements “round-trip DNS” for verifying that an IP address belongs to a specific entity is now being used to verify Googlebot and MSNbot. This code replaces the old hard-coded IP addresses.
- Support for the CloudFlare reverse proxy service has been added. Users of this service should now be able to use Bad Behavior successfully. (Thanks to Matthew Prince at Project Honey Pot for his assistance with this implementation.)
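The round-trip DNS check named in the list above, which the 2.1.7 notes also rely on for msnbot, can be sketched as follows. This is an added Python illustration, not Bad Behavior's PHP code; the operator domain suffixes, the function names and the constructed DNS data are assumptions made for the example.

```python
import ipaddress
import socket

# Operator reverse-DNS domains (assumption: from the operators' public guidance).
CRAWLER_SUFFIXES = {"googlebot": (".googlebot.com", ".google.com"),
                    "msnbot": (".search.msn.com",)}

# Default resolvers use the system's DNS; a failed lookup counts as no answer.
def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except OSError:
        return []

def verify_crawler(ip, crawler, reverse=system_reverse, forward=system_forward):
    """Round-trip DNS check; returns (verified, detail)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "not an IP address"
    host = reverse(ip)
    if not host:
        return False, "no PTR record"
    host = host.rstrip(".").lower()
    # The suffix keeps its leading dot so "evilgooglebot.com" cannot match.
    if not host.endswith(CRAWLER_SUFFIXES[crawler]):
        return False, "PTR name outside operator domain"
    # Whoever controls the address space controls its PTR record, so the name
    # only counts if the forward lookup maps it back to the same address.
    for candidate in forward(host):
        try:
            if ipaddress.ip_address(candidate) == addr:
                return True, host
        except ValueError:
            continue
    return False, "forward lookup does not return the address"

# Constructed DNS data (documentation address ranges) so the demo runs offline.
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com",  # forged PTR
    "203.0.113.5": "host5.evilgooglebot.com",            # lookalike domain
    "192.0.2.44": "msnbot-192-0-2-44.search.msn.com",
}
A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "msnbot-192-0-2-44.search.msn.com": ["192.0.2.44"],
}

def demo():
    claims = {"192.0.2.10": "googlebot", "198.51.100.7": "googlebot",
              "203.0.113.5": "googlebot", "192.0.2.44": "msnbot"}
    return {ip: verify_crawler(ip, bot, PTR.get, lambda h: A.get(h, []))
            for ip, bot in claims.items()}

if __name__ == "__main__":
    for ip, result in demo().items():
        print(ip, result)
```

A resolver timeout is reported the same way as a missing record, so a caller that blocks on a failed verification should retry or cache results before treating a crawler claim as forged.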
Download
Download Bad Behavior now!
The 2.1 development releases will not be offered through the WordPress automatic upgrade facility. Only stable releases will be offered through automatic upgrade.
Support
You’ve probably noticed that there hasn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.
I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.
Thank you again for supporting Bad Behavior development!
Recently it was suggested to me that Bad Behavior could incorporate support for Stop Forum Spam.
Stop Forum Spam is meant to be a list of IP addresses, emails and usernames which spammers use when registering or posting spam to forums. It seems to work well, but it has some shortcomings.
First among them is that it has no native support for DNSBL. Instead, it exports its data to a third-party DNSBL where the data is commingled with other data from unknown sources, making it difficult to use effectively.
Second is that it has no clearly defined removal policy. It does provide a form where people can request manual removal, but it also implies that a “network administrator” has to request removal.
After much experimentation with blackhole lists over the years, Bad Behavior currently uses only the Project Honey Pot http:BL list (and it is disabled by default). This list works very well at catching actual spammers, and it provides instant automatic removal for the very few legitimate users who happen to get caught by it.
Bad Behavior is meant to provide as little inconvenience to legitimate users as possible. When a legitimate user does get blocked, they must be given clear directions on how to resolve the problem and ideally must be able to restore their access as soon as possible, e.g., by removing the viruses from their computer.
Because it lacks a removal policy and clear process, it will not be appropriate to incorporate Stop Forum Spam at this time. I will continue to monitor the service and if it changes to allow for easier removal by legitimate users, then it may be incorporated in the future.
Bad Behavior 2.1.2 has been released. This release fixes bugs and is recommended for affected users as described below.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
Users who use the new URL whitelisting feature should upgrade to ensure that whitelisting works correctly in all circumstances.
What’s new?
New in this release (since 2.1.1):
- A logic error in the URL whitelisting feature caused URLs to fail to match the whitelist if the web browser requested a URL containing a ? character. This issue has been fixed.
Download
The 2.1 development releases will not be offered through the WordPress automatic upgrade facility.
Download the 2.1.2 development release of Bad Behavior now!
Support
This release would not have been possible without the support of people like you who find Bad Behavior valuable enough to make a financial contribution to ensure its further development.
Your contributions ensure that I can continue to devote time to bringing you the features you want, as well as continuing work on making spammers’ lives hell.
If you haven’t already done so, consider setting up a recurring contribution for as little as $5 per year, or make your most generous one-time contribution for any amount.
Thank you again for supporting Bad Behavior development!
Bad Behavior 2.1.1 and 2.0.36 have been released. These are security releases, and affected sites should upgrade as soon as is practical. This security issue was fixed in both the 2.1 development series and the 2.0 stable series, resulting in today’s simultaneous release.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
WordPress users should upgrade to prevent internal data from leaking to the web browser when the database encounters an error. Users of other platforms are not affected.
What’s new?
New in this release (since 2.1.0 and 2.0.35):
- Due to recent changes in the WordPress database code, any database errors that may occur because of WordPress, other plugins, or server trouble may be inappropriately displayed in the web browser. This could result in the leakage of information useful to attackers. This issue has been fixed. Thanks to Andrew Zhang for reporting this issue.
Download
The 2.1 development releases will not be offered through the WordPress automatic upgrade facility.
Download the 2.0.36 stable or 2.1.1 development release of Bad Behavior now!
The first 2.1 development release of Bad Behavior is now available. It contains a number of new and frequently requested features, and may be appropriate for you. Please review the information given, and if you do not find it appropriate for you, then continue to use the latest 2.0 stable releases.
Who should upgrade?
Users who use Bad Behavior’s whitelisting features, or who customize Bad Behavior’s settings on a platform other than WordPress or LifeType, should upgrade to take advantage of new features offered in this release.
What’s new?
Development of Bad Behavior 2.1 generally follows the roadmap outlined earlier. In this initial release, the following features have been implemented:
- Bad Behavior now reads whitelists from a separate file which is preserved through updates. See below for preliminary instructions on using this feature.
- On platforms where Bad Behavior cannot store settings in the host platform’s database, Bad Behavior now reads settings from a separate file which is preserved through updates. See below for preliminary instructions on using this feature.
- Bad Behavior’s core has been reworked to facilitate testing its core logic. While the actual logic tests have not yet been written, a test mode is available for developers to experiment with. See below for preliminary instructions on using this feature.
Whitelists
Bad Behavior now reads its whitelists from a separate file named whitelist.ini. This file is not distributed with Bad Behavior, so that future upgrades do not disturb the whitelist. This means that anyone who wants to use the whitelist must download the whitelist.ini, customize it, then upload it to their server. Place the whitelist.ini in Bad Behavior’s top level directory (the same directory that contains bad-behavior-wordpress.php, README.txt, etc.).
Note for IPv6 users: At this time, single IPv6 addresses can be whitelisted, but IPv6 networks cannot be. This will be fixed in a future release.
Settings
On some platforms, such as WordPress and LifeType, Bad Behavior stores its settings in the host platform’s database and provides an interface through the host platform for changing the settings. On other platforms, Bad Behavior is not capable of storing its settings in the host platform’s database, either because there is no database, or because the database cannot be used in that way.
On these platforms, Bad Behavior can now read settings customizations from a settings.ini file. This file is not distributed with Bad Behavior, so that future upgrades do not disturb your settings. This means that on those platforms, anyone who wants to customize their settings must download the settings.ini, customize it, then upload it to their server. Place the settings.ini in Bad Behavior’s top level directory (the same directory that contains bad-behavior-wordpress.php, README.txt, etc.). This feature has been implemented for the MediaWiki and generic ports; other platforms will need to implement the feature in their platform connectors before it is available to you.
Testing
Bad Behavior’s core logic now supports “black box” testing. This won’t be of much interest to most people, except that testing will help improve the quality of the product. A test suite is still planned and will be released later.
In addition, Bad Behavior now supports a live “test mode” in which it will not actually block any requests, but will report on whether they would have been blocked. This is fully implemented in the WordPress port; to use it on other ports, the platform connector must provide a method for the platform to report the results. To enable test mode, define a PHP constant BB2_TEST.
Download
The 2.1 development releases will not be offered through the WordPress automatic upgrade facility.
Download this development release of Bad Behavior now! You can install Bad Behavior using the usual installation instructions; there are no special requirements for this release.
Remember to subscribe to the Bad Behavior RSS feed to receive notice when Bad Behavior development updates are available.