The Bad Behavior2 plugin that is bundled with glFusion has been updated to v2.0.32 and is available for download . All users should upgrade to resolve issues with potential blocking of a major search engine. Users of specialized web services integrated into their host platforms, for which Bad Behavior should not screen requests, should upgrade to take advantage of this new functionality. To upgrade your version of Bad Behavior, please upload this release using the plugin auto installer located in your Plugin Admin screen.
- Recent reports indicate that the msnbot web crawler, used by Microsoft’s Bing search engine, no longer identifies itself as msnbot, but now uses a User-Agent string which was previously seen only with malicious requests from email harvesters and site scrapers. Microsoft has been notified of the problem, but given the glacial pace at which they fix issues with their software, a resolution is not expected soon. Due to concerns that Bad Behavior users may be losing their rankings in the Bing search engine, this malicious User-Agent string has been temporarily removed from Bad Behavior’s internal blacklist so that requests from msnbot may be processed. This will increase your exposure to spam and other malicious traffic. You may send comments regarding this to email@example.com.
- Due to ongoing issues with various web services such as OpenID and PayPal IPN behaving in strange ways which trigger Bad Behavior, a new whitelist has been added. You may now add URLs of your site to Bad Behavior’s whitelist. When a URL is added, Bad Behavior will ignore any HTTP request to that particular URL. If you need this feature, please check the bad-behavior/whitelist.inc.php file for further information. This feature was driven largely by the PayPal IPN web service, which sends POST requests with no User-Agent string, a common indicator of malicious activity. PayPal has refused to add a User-Agent string for years and has never given a reason, good or bad, for not including it. Reports from PayPal merchants who have contacted me indicate that PayPal is finally considering adding a User-Agent string to IPN requests; interested merchants should contact PayPal to express their support for this feature.
- On some web servers, a WordPress installation sending a trackback (not a pingback) to another WordPress installation would sometimes cause Bad Behavior to block the request as a fake trackback. This issue has been fixed.
- A condition in which the HTTP Referer: header contains invalid data now returns a 400 Bad Request error instead of a 403 Forbidden error. This is intended to make clear the fact that robots triggering this condition are not in compliance with the HTTP specification.
- An additional spambot has been identified and blocked by its unique User-Agent string.
- Users whose sites are accessible using IPv6 may find IPv6 users are blocked by Bad Behavior when the http:BL feature is enabled and certain versions of PHP are in use. This issue has been fixed.
- A SQL injection attack against Windows servers running IIS has been identified and blocked.