Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

All users should upgrade to prevent a fatal error which may cause sites to fail to load correctly.

Users of Bad Behavior who expect a significant amount of traffic from Facebook, or who use Facebook integration tools, should upgrade to ensure that these tools work correctly.

What’s new?

New in this release (since 2.1.3):

• A logic error in the CloudFlare code introduced in 2.1.3 caused installation or upgrading to fail under some circumstances, and caused a fatal error on systems which are using CloudFlare. This code has been rewritten.
• A web crawler used by Facebook was inadvertently blocked because it engages in some unusual behavior. This could cause links to protected pages to appear on Facebook without their title, photo or description. This issue with Facebook’s crawler has been worked around.

Download

Download Bad Behavior now!

Support

You’ve probably noticed that until recently there hadn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

Users deploying Bad Behavior on Microsoft IIS should upgrade to ensure that all Bad Behavior functionality works as intended.

Users who receive a significant amount of traffic from proxied connections (e.g. small business and enterprise users) should upgrade to prevent a tiny minority of these users from being blocked.

Users following the development branch should upgrade to take advantage of support for the CloudFlare reverse proxy service.

What’s new?

New in the 2.0.37 stable release (since 2.0.36):

• In rare configurations, the Firefox and Safari web browsers may send the nonexistent “Proxy-Connection” HTTP header. Old versions of Internet Explorer may also send this header in their default configurations. This usually occurs when the web browser is configured to connect to an (obsolete) HTTP/1.0 proxy or has been explicitly configured to use HTTP/1.0 when talking to a proxy, even if the proxy understands HTTP/1.1. This header originated with a proposal made by (then) Netscape which was rejected for inclusion in HTTP in 1998 due to its causing interoperability problems. Bad Behavior checks for this header as it has historically made an excellent indicator of malicious activity if it is seen at the origin server, because proxy servers are expected to strip the header. Because of the slight possibility of blocking legitimate users, this check is now active only in strict mode. (Thanks to Mark Nottingham for reporting this issue.)
• A workaround for a problem with PHP on IIS servers has been implemented. This issue caused various parts of Bad Behavior’s functionality to fail on IIS. (Thanks to Michael Kingery for reporting this issue.)

New in the 2.1.3 development release (since 2.1.2):

• The changes listed above for 2.0.37 have also been implemented.
• New code which implements “round-trip DNS” for verifying that an IP address belongs to a specific entity is now being used to verify Googlebot and MSNbot. This code replaces the old hard-coded IP addresses.
• Support for the CloudFlare reverse proxy service has been added. Users of this service should now be able to use Bad Behavior successfully. (Thanks to Matthew Prince at Project Honey Pot for his assistance with this implementation.)

Download

Download Bad Behavior now!

The 2.1 development releases will not be offered through the WordPress automatic upgrade facility. Only stable releases will be offered through automatic upgrade.

Support

You’ve probably noticed that there hasn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

Users who use the new URL whitelisting feature should upgrade to ensure that whitelisting works correctly in all circumstances.

What’s new?

New in this release (since 2.1.1):

• A logic error in the URL whitelisting feature caused URLs to fail to match the whitelist if the if the web browser requested a URL containing a ? character. This issue has been fixed.

Download

The 2.1 development releases will not be offered through the WordPress automatic upgrade facility.

Download the 2.1.2 development release of Bad Behavior now!

Support

This release would not have been possible without the support of people like you who find Bad Behavior valuable enough to make a financial contribution to ensure its further development.

Your contributions ensure that I can continue to devote time to bringing you the features you want, as well as continuing work on making spammers’ lives hell.

If you haven’t already done so, consider setting up a recurring contribution for as little as $5 per year, or make your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

WordPress users should upgrade to prevent internal data from leaking to the web browser when the database encounters an error. Users of other platforms are not affected.

What’s new?

New in this release (since 2.1.0 and 2.0.35):

• Due to recent changes in the WordPress database code, any database errors that may occur because of WordPress, other plugins, or server trouble may be inappropriately displayed in the web browser. This could result in the leakage of information useful to attackers. This issue has been fixed. Thanks to Andrew Zhang for reporting this issue.

Download

The 2.1 development releases will not be offered through the WordPress automatic upgrade facility.

Download the 2.0.36 stable or 2.1.1 development release of Bad Behavior now!

Support

This release would not have been possible without the support of people like you who find Bad Behavior valuable enough to make a financial contribution to ensure its further development.

Your contributions ensure that I can continue to devote time to bringing you the features you want, as well as continuing work on making spammers’ lives hell.

If you haven’t already done so, consider setting up a recurring contribution for as little as $5 per year, or make your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!

Who should upgrade?

Users who use Bad Behavior’s whitelisting features, or who customize Bad Behavior’s settings on a platform other than WordPress or LifeType, should upgrade to take advantage of new features offered in this release.

What’s new?

Development of Bad Behavior 2.1 generally follows the roadmap outlined earlier. In this initial release, the following features have been implemented:

• Bad Behavior now reads whitelists from a separate file which is preserved through updates. See below for preliminary instructions on using this feature.
• On platforms where Bad Behavior cannot store settings in the host platform’s database, Bad Behavior now reads settings from a separate file which is preserved through updates. See below for preliminary instructions on using this feature.
• Bad Behavior’s core has been reworked to facilitate testing its core logic. While the actual logic tests have not yet been written, a test mode is available for developers to experiment with. See below for preliminary instructions on using this feature.

Whitelists

Bad Behavior now reads its whitelists from a separate file named whitelist.ini. This file is not distributed with Bad Behavior, so that future upgrades do not disturb the whitelist. This means that anyone who wants to use the whitelist must download the whitelist.ini, customize it, then upload it to their server. Place the whitelist.ini in Bad Behavior’s top level directory (the same directory that contains bad-behavior-wordpress.php, README.txt, etc.).

Note for IPv6 users: At this time, single IPv6 addresses can be whitelisted, but IPv6 networks cannot be. This will be fixed in a future release.

Settings

On some platforms, such as WordPress and LifeType, Bad Behavior stores its settings in the host platform’s database and provides an interface through the host platform for changing the settings. On other platforms, Bad Behavior is not capable of storing its settings in the host platform’s database, either because there is no database, or because the database cannot be used in that way.

On these platforms, Bad Behavior can now read settings customizations from a settings.ini file. This file is not distributed with Bad Behavior, so that future upgrades do not disturb your settings. This means that on those platforms, anyone who wants to customize their settings must download the settings.ini, customize it, then upload it to their server. Place the settings.ini in Bad Behavior’s top level directory (the same directory that contains bad-behavior-wordpress.php, README.txt, etc.). This feature has been implemented for the MediaWiki and generic ports; other platforms will need to implement the feature in their platform connectors before it is available to you.

Testing

Bad Behavior’s core logic now supports “black box” testing. This won’t be of much interest to most people, except that testing will help improve the quality of the product. A test suite is still planned and will be released later.

In addition, Bad Behavior now supports a live “test mode” in which it will not actually block any requests, but will report on whether they would have been blocked. This is fully implemented in the WordPress port; to use it on other ports, the platform connector must provide a method for the platform to report the results. To enable test mode, define a PHP constant BB2_TEST.

Download

The 2.1 development releases will not be offered through the WordPress automatic upgrade facility.

Download this development release of Bad Behavior now! You can install Bad Behavior using the usual installation instructions; there are no special requirements for this release.

Remember to subscribe to the Bad Behavior RSS feed to receive notice when Bad Behavior development updates are available.

Support

This release would not have been possible without the support of people like you who find Bad Behavior valuable enough to make a financial contribution to ensure its further development.

Your contributions ensure that I can continue to devote time to bringing you the features you want, as well as continuing work on making spammers’ lives hell.

If you haven’t already done so, consider setting up a recurring contribution for as little as $5 per year, or make your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!