I have enabled Bad Behavior again. It immediately freed up my server from an insane server load. Server load went from 38 to 0.7 almost instantly.
I do see a valid members blocked. Details:
A very large number of these:
Quote:
Key: HTTP Response: 403
Explanation: You do not have permission to access this server. Before trying again, close your browser, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.
Log Message: POST more than two days after GET
User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
URI: /forum/ajax.php
Entity: security token present.
Headers: POST /forum/ajax.php HTTP/1.1
Host: www.my-forum.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://www.my-forum.com/forum/forumdisplay.php?f=398
Content-Length: 82
Cookie: bb2_screener_= [omitted by Alfa1]
DNT: 1
Pragma: no-cache
Cache-Control: no-cache
|
I dont understand how it is possible that a large number of valid user post more than 2 days after GET.
A large number of these:
Quote:
Key: HTTP Response: 403
Explanation: An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.
Log Message: Required header 'Accept' missing
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
URI: /forum/misc.php?do=page&template=ncode_opensearch
Entity:
Headers: GET /forum/misc.php?do=page&template=ncode_opensearch HTTP/1.1
Host: www.my-forum.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bb2_screener_= [omitted by Alfa1
|
I find this one worrisome because its in the 2b021b1f key.
Quote:
Key: HTTP Response: 403
Explanation: You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.
Log Message: IP address found on http:BL blacklist
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
URI: /forum/ajax.php
Entity: securitytoken: xxxxxxxxxxxxxxxx
do: securitytoken
ajax: 1
Headers:POST /forum/ajax.php HTTP/1.1
Host: www.my-forum.com
Content-Length: 82
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://www.my-forum.com/forum/search...archid=2679481
Cookie: bb2_screener_=xxxxxxxxxxxxx
Pragma: no-cache
Connection: keep-alive
|
I see these valid members are using proxies like TOR and similar.
Quote:
Key:
UserAgent:
URI:
Entity:
Headers:
|
Feature request 1: for the log: filter per key, so that it is possible to see all entries except those with key 00000 and key 2b021b1f. Or just view all entries with a certain key. That makes it much easier to see the similarities of the entries with the same key.
Feature request 2: Alert the admin which members have been blocked by BB and why. This makes it easier to detect problems with BB and forum accounts registered by bots. I think the optimal way to notify the admin is by PM.
Feature request 3: Trace IP directly from the log.
Feature request 4: related to FR 2. If bbuserid is present in headers then show link to user profile in the log. This makes it easy to check if the blocked members was a valid user or not.