version.php @@ -2,9 +2,9 @@ Tags: comment,trackback,referrer,spam,robot,antispam Contributors: error, MarkJaquith, Firas, skeltoac Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=error%40ioerror%2eus&item_name=Bad%20Behavior%20%28From%20WordPress%20Page%29&no_shipping=1&cn=Comments%20about%20Bad%20Behavior&tax=0&currency_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8 -Requires at least: 1.5 -Tested up to: 2.6 -Stable tag: 2.0.20 +Requires at least: 2.1 +Tested up to: 2.7 +Stable tag: 2.0.21 Welcome to a whole new way of keeping your blog, forum, guestbook, wiki or content management system free of link spam. Bad Behavior is a PHP-based @@ -68,6 +68,11 @@ http://www.bad-behavior.ioerror.us/ * Bad Behavior may be unable to protect cached pages on MediaWiki. +* When upgrading from version 2.0.19 or prior on MediaWiki and WordPress, +you must remove the old version of Bad Behavior from your system manually +before manually installing the new version. Other platforms are not +affected by this issue. + * On WordPress when using WordPress Advanced Cache (WP-Cache) or WP-Super Cache, Bad Behavior requires a patch to WP-Cache 2 in order to protect cached pages. Bad-Behavior/README.txt @@ -37,7 +37,10 @@ $bb2_settings_defaults = array( 'display_stats' => true, 'strict' => false, 'verbose' => false, - 'logging' => true + 'logging' => true, + 'httpbl_key' => '', + 'httpbl_threat' => '25', + 'httpbl_maxage' => '30', ); // Bad Behavior callback functions. Bad-Behavior/bad-behavior-generic.php @@ -34,4 +34,18 @@ function bb2_blackhole($package) { } return false; } + +function bb2_httpbl($settings, $package) { + if (!$settings['httpbl_key']) return false; + + $find = implode('.', array_reverse(explode('.', $package['ip']))); + $result = gethostbynamel($settings['httpbl_key'].".${find}.dnsbl.httpbl.org."); + if (!empty($result)) { + $ip = explode('.', $result[0]); + if ($ip[0] == 127 && ($ip[3] & 7) && $ip[2] >= $settings['httpbl_threat'] && $ip[1] >= $settings['httpbl_maxage']) { + return '2b021b1f'; + } + } + return false; +} ?> Bad-Behavior/bad-behavior/blackhole.inc.php @@ -10,10 +10,12 @@ function bb2_blacklist($package) { "adwords", // referrer spam "autoemailspider", // spam harvester "blogsearchbot-martin", // from honeypot + "CherryPicker", // spam harvester + "core-project/", // FrontPage extension exploits + "Diamond", // delivers spyware/adware "Digger", // spam harvester "ecollector", // spam harvester "EmailCollector", // spam harvester - "Email Extractor", // spam harvester "Email Siphon", // spam harvester "EmailSiphon", // spam harvester "grub crawler", // misc comment/email spam @@ -26,7 +28,7 @@ function bb2_blacklist($package) { "LWP", // spambot scripts "Microsoft URL", // spam harvester "Missigua", // spam harvester - "MJ12bot", // crawls MUCH too fast + "MJ12bot/v1.0.8", // malicious botnet "Movable Type", // customised spambots "Mozilla ", // malicious software "Mozilla/4.0(", // from honeypot @@ -40,6 +42,7 @@ function bb2_blacklist($package) { "PycURL", // misc comment spam // "Shockwave Flash", // spam harvester // WP 2.5 now has Flash; FIXME + "Super Happy Fun ", // spam harvester "TrackBack/", // trackback spam "user", // suspicious harvester "User Agent: ", // spam harvester @@ -58,6 +61,7 @@ function bb2_blacklist($package) { "compatible ; MSIE", // misc comment/email spam "compatible-", // misc comment/email spam "DTS Agent", // misc comment/email spam + "Email Extractor", // spam harvester "Gecko/25", // revisit this in 500 years "grub-client", // search engine ignores robots.txt "hanzoweb", // very badly behaved crawler @@ -74,6 +78,7 @@ function bb2_blacklist($package) { "Windows NT 5.0;)", // wikispam bot "Windows NT 5.1;)", // wikispam bot "Windows XP 5", // spam harvester + "WordPress/4.01", // pingback spam "\\\\)", // spam harvester ); Bad-Behavior/bad-behavior/blacklist.inc.php @@ -20,6 +20,16 @@ function bb2_protocol($settings, $package) return false; } +function bb2_cookies($settings, $package) +{ + // Enforce RFC 2965 sec 3.3.5 and 9.1 + // Bots wanting new-style cookies should send Cookie2 + if (strpos($package['headers_mixed']['Cookie'], '$Version=0') !== FALSE && !array_key_exists($package['headers_mixed']['Cookie2'])) { + return '6c502ff1'; + } + return false; +} + function bb2_misc_headers($settings, $package) { $ua = $package['headers_mixed']['User-Agent']; @@ -116,9 +126,10 @@ function bb2_misc_headers($settings, $package) } // "uk" is not a language (ISO 639) nor a country (ISO 3166) - if (preg_match('/\buk\b/', $package['headers_mixed']['Accept-Language'])) { - return "35ea7ffa"; - } + // oops, yes it is :( Please shoot any Ukrainian spammers you see. +# if (preg_match('/\buk\b/', $package['headers_mixed']['Accept-Language'])) { +# return "35ea7ffa"; +# } return false; } Bad-Behavior/bad-behavior/common_tests.inc.php @@ -137,9 +137,14 @@ function bb2_start($settings) require_once(BB2_CORE . "/blacklist.inc.php"); bb2_test($settings, $package, bb2_blacklist($package)); + // Check the http:BL + require_once(BB2_CORE . "/blackhole.inc.php"); + bb2_test($settings, $package, bb2_httpbl($settings, $package)); + // Check for common stuff require_once(BB2_CORE . "/common_tests.inc.php"); bb2_test($settings, $package, bb2_protocol($settings, $package)); + bb2_test($settings, $package, bb2_cookies($settings, $package)); bb2_test($settings, $package, bb2_misc_headers($settings, $package)); // Specific checks Bad-Behavior/bad-behavior/core.inc.php @@ -24,11 +24,16 @@ function bb2_post($settings, $package) // Catch a few completely broken spambots foreach ($request_entity as $key => $value) { $pos = strpos($key, " document.write"); - if ($pos !== FAlSE) { + if ($pos !== FALSE) { return "dfd9b1ad"; } } + // If Referer exists, it should refer to a page on our site + if (array_key_exists($package['headers_mixed']['Referer']) && stripos($package['headers_mixed']['Referer'], $package['headers_mixed']['Host']) === FALSE) { + return "cd361abb"; + } + // Screen by cookie/JavaScript form add if (isset($_COOKIE[BB2_COOKIE])) { $screener1 = explode(" ", $_COOKIE[BB2_COOKIE]); Bad-Behavior/bad-behavior/post.inc.php @@ -9,6 +9,7 @@ function bb2_get_response($key) { '17566707' => array('response' => 403, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept\' missing'), '17f4e8c8' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'User-Agent was found on blacklist'), '21f11d3f' => array('response' => 403, 'explanation' => 'An invalid request was received. You claimed to be a mobile Web device, but you do not actually appear to be a mobile Web device.', 'log' => 'User-Agent claimed to be AvantGo, claim appears false'), + '2b021b1f' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'IP address found on http:BL blacklist'), '2b90f772' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. If you are using the Opera browser, then Opera must appear in your user agent.', 'log' => 'Connection: TE present, not supported by MSIE'), '35ea7ffa' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Check your browser\'s language and locale settings.', 'log' => 'Invalid language specified'), '408d7e72' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'POST comes too quickly after GET'), @@ -17,6 +18,7 @@ function bb2_get_response($key) { '57796684' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'Prohibited header \'X-Aaaaaaaaaa\' or \'X-Aaaaaaaaaaaa\' present'), '582ec5e4' => array('response' => 400, 'explanation' => 'An invalid request was received. If you are using a proxy server, bypass the proxy server or contact your proxy server administrator. This may also be caused by a bug in the Opera web browser.', 'log' => '"Header \'TE\' present but TE not specified in \'Connection\' header'), '69920ee5' => array('response' => 403, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Header \'Referer\' present but blank'), + '6c502ff1' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Bot not fully compliant with RFC 2965'), '799165c2' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Rotating user-agents detected'), '7a06532b' => array('response' => 400, 'explanation' => 'An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.', 'log' => 'Required header \'Accept-Encoding\' missing'), '7ad04a8a' => array('response' => 400, 'explanation' => 'The automated program you are using is not permitted to access this server. Please use a different program or a standard Web browser.', 'log' => 'Prohibited header \'Range\' present'), @@ -30,6 +32,7 @@ function bb2_get_response($key) { 'b7830251' => array('response' => 400, 'explanation' => 'Your proxy server sent an invalid request. Please contact the proxy server administrator to have this problem fixed.', 'log' => 'Prohibited header \'Proxy-Connection\' present'), 'b9cc1d86' => array('response' => 403, 'explanation' => 'The proxy server you are using is not permitted to access this server. Please bypass the proxy server, or contact your proxy server administrator.', 'log' => 'Prohibited header \'X-Aaaaaaaaaa\' or \'X-Aaaaaaaaaaaa\' present'), 'c1fa729b' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.', 'log' => 'Use of rotating proxy servers detected'), + 'cd361abb' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Data may not be posted from offsite forms.', 'log' => 'Referer did not point to a form on this site'), 'd60b87c7' => array('response' => 403, 'explanation' => 'You do not have permission to access this server. Before trying again, please remove any viruses or spyware from your computer.', 'log' => 'Trackback received via proxy server'), 'dfd9b1ad' => array('response' => 403, 'explanation' => 'You do not have permission to access this server.', 'log' => 'Request contained a malicious JavaScript or SQL injection attack'), 'e4de0453' => array('response' => 403, 'explanation' => 'An invalid request was received. You claimed to be a major search engine, but you do not appear to actually be a major search engine.', 'log' => 'User-Agent claimed to be msnbot, claim appears to be false'), Bad-Behavior/bad-behavior/responses.inc.php @@ -1,3 +1,3 @@ <?php if (!defined('BB2_CWD')) die("I said no cheating!"); -define('BB2_VERSION', "2.0.20"); +define('BB2_VERSION', "2.0.21"); ?> Bad-Behavior/bad-behavior/version.inc.php @@ -3,7 +3,14 @@ CHANGELOG ================================================================================ -------------------------------------------------------------------------------- -2008-01-28 - v0.3 +2008-08-05 - v0.4 +-------------------------------------------------------------------------------- +* Update Bad-Behavior to v2.0.21 +* Fixed CHANGELOG dates in release v0.3 +* Add version.php + +-------------------------------------------------------------------------------- +2008-08-02 - v0.3 -------------------------------------------------------------------------------- * Update Bad-Behavior to v2.0.20 CHANGELOG @@ -18,10 +18,12 @@ if (!defined('IN_COPPERMINE')) die('Not in Coppermine...'); -$name='CPG-BadBehavior Plugin'; -$description='Get out spammers of you gallery using project Bad-Behavior v2.0.20.'; -$author='Mario Oyorzabal Salgado'; -$version='0.1'; +include "version.php"; + +$name = 'CPG-BadBehavior Plugin'; +$description = 'Get out spammers of you gallery using project Bad-Behavior v' . CPG_BADBEHAVIOR_VERSION_CORE; +$author = 'Mario Oyorzabal Salgado'; +$version = CPG_BADBEHAVIOR_VERSION; /* * $extra_info is displayed with the title of a plugin that is NOT installed and configuration.php 69b88d30471a45e6bd3235a79b99a4ede0b4b85f Mario Oyorzabal Salgado tuxsoul@tuxsoul.com http://github.com/tuxsoul/cpg-badbehavior/commit/5d730bf75684520a2aaea7df51b1d56766f92045 5d730bf75684520a2aaea7df51b1d56766f92045 2008-08-05T20:27:50-07:00 2008-08-05T20:27:50-07:00 Update to v0.4, minor changes. Signed-off-by: Mario Oyorzabal Salgado <tuxsoul@tuxsoul.com> 743153277f3c50b8f76d64271d1dff5d5ef70445 Mario Oyorzabal Salgado tuxsoul@tuxsoul.com