Integration with vBulletin - vB Bad Behavior

/**
* vB Bad Behavior is free software; you can redistribute it and/or modify it under
* the terms of the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 3 of the License, or (at your option) any
* later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
* PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
*/

What is vB Bad Behavior?
This is an integration of the Bad Behavior software with vBulletin.

What is Bad Behavior?
Bad Behavior is a PHP-based solution for blocking link spam and the robots which deliver it. Bad Behavior complements other link spam solutions by acting as a gatekeeper, preventing spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. This keeps your site's load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers.

Visit http://bad-behavior.ioerror.us/ for more.

Features
For more information on the features of Bad Behavior (and subsequently this mod) please go to Bad Behavior's site:

http://bad-behavior.ioerror.us/documentation/benefits/

For features related to the mod itself, please take a look at the screenshots.

This mod should work with the entire 3.x series (well, beginning with 3.5), but it's only been tested on 3.8.x. I'm not sure if this works on vB 4.x yet, as I've not tested it - but if you try it out, let me know!

Installation
1. Extract the contents of the zip file.
2. Upload the contents of the `upload` folder to your forum root.
3. Enter your AdminCP and go to Plugins & Products > Manage Products > [Add/Import Product]
4. Import the product using the `product-vb_badbehavior.xml` file.
5. Configure the mod in AdminCP -> vBulletin Options -> vBulletin Options -> vB Bad Behavior Options

Upgrading

vB Bad Behavior
In many cases, all you'll need to do to upgrade is follow the installation instructions above.

The only difference, will be you'll need to allow the files to overwrite. Also, when re-importing the product file, you'll need to set "Allow Overwrite" to "Yes".

Bad Behavior
Bad Behavior's files are at `/includes/bad-behavior/`. If you wish to update manually go to:

http://bad-behavior.ioerror.us/download/

And download the latest development version. Extract the zip, and upload the contents of `bad-behavior` to `/includes/bad-behavior/` allowing the files to overwrite.

Versions
The current version of Bad Behavior this mod is using is: v2.2.14
The current version of Bad Behavior (development) is: v2.2.14

Changelog
Version 1.0.13, 04/23/2013

• Bad Behavior upgraded to 2.2.14

Version 1.0.12, 12/21/2012 -- Released: 02/05/2013

• Bad Behavior upgraded to 2.2.13
• Added some more ranges to whitelist.ini

Version 1.0.10, 09/09/2012

• Bad Behavior upgraded to 2.2.10

Version 1.0.9, 06/17/2012

• Bad Behavior upgraded to 2.2.7

Version 1.0.8, 06/12/2012

• Bad Behavior upgraded to 2.2.6
• New Setting: EU Cookie

Version 1.0.7, 05/04/2012

• Bad Behavior upgraded to 2.2.3
• Cron/Scheduled Task for automatic log pruning added.

Version 1.0.6, 01/04/2012

• Bad Behavior upgraded to 2.1.15

Version 1.0.5, 05/26/2011

• Added option for bypassing users/members.
• If the visitor is a user, and is in usergroup 5, 6, or 7 (admin/mod/super mod) - Bad Behavior is bypassed.
• Modified bad-behavior core to check for Google Web Preview
  • file edited: /includes/bad-behavior/core.inc.php
• Added a link beside the IP address in the log for WhoIs.

Version 1.0.4, 04/28/2011

• Bad Behavior upgraded to 2.1.13 (fixes search engine block issues)
• Added Paypal/Paypal IPN IP address to the whitelist.
• Added payment gateway file names to the whitelist.

Version 1.0.3, 04/21/2011

• Fix #1: Pruning log doesn't work.
• Fix #3: POST more than two days after GET (added support for BB's javascript)
• Fix #5: Cannot modify header information error (suppressed error in BB's function)
• Implemented #6: Filter per key (new admincp option to list keys not to be shown in log)
• Implemented #9: Show link to member profile (if userid is found in headers, link to profile)

Version 1.0.2, 04/10/2011

• Updated /includes/functions_vb_badbehavior.php to:
  • disable Reverse Proxy if Reverse Proxy Addresses are empty
  • distinguish SQL queries using "SET", for example: SET @@session.wait_timeout = 90 - which is used by BB
  • set "offsite_forms" to false by default, as it's not really needed in vB IMHO, and it can cause problems with certain setups
  • cleaned up the bb2_read_settings() function and fixed a typo in one of the vbulletin options calls
• Updated /includes/whitelist.ini to include the following GOOGLE ranges:
  • 74.125.0.0/16
  • 216.239.32.0/19
  • 209.85.128.0/17
  • 66.102.0.0/20
• Updated /admincp/vb_badbehavior.php
  • Log pruning was pruning all logs, despite what was entered for number of days

Version 1.0.1, 04/06/2011

• Bad Behavior upgraded to 2.1.12
• Changed files:
  • /includes/bad-behavior/core.inc.php
  • /includes/bad-behavior/searchengine.inc.php
• "Verbose" admin option now set to "No" by default.

Version 1.0.0, 04/05/2011

• Initial release.

Screenshots
Screenshots can now be seen at: http://www.secondversion.com/images/vb/vb_badbehavior/

I was running out of room for attachments here on vB.org


Development

https://github.com/ericsizemore/vb_b...ree/master/vb3


Only those who "Mark As Installed" will receive support for this modification.

[error10]

Quote:

Originally Posted by Simon Lloyd

Error10, thanks very much for the detailed explanation, as i've never been blocked by badbehaviour i would not have seen it, when i click the link in the logs for the key i have never seen a link or technical key

I should hope most people will never see it. In any case you can advise your user to click the fix it yourself link and to use the registry cleaner provided. (He will have to reboot the computer after using it, but the page also explains that.)

[Simon Lloyd]

Great, thanks for that, soooooooo one last question (i guess for Eric) where are these custom pages stored so we can make the message more prominant, add our forums css and maybe add a link to a helpdesk (this is how i was contacted by my user)?

[Simon Lloyd]

Quote:

Originally Posted by error10

..I also think that an option should exist to allow for registered users to bypass some or all of Bad Behavior's tests. A formal API for this is on the 3.0 roadmap, though I think Eric could whip up some hackery to add this in.

Sounds great but wouldn't that mean storing all useragents & IP's used by each user in the database?, i say this because BB would need to know to allow that user to even view the site in the first place, naturally if the user gets to login they've gone as far as the need to anyway. I'm not sure how you would police it without storing that added information for every user, unless i've misread how BB works.

[error10]

Hey, let's see if I can learn to multi-quote!

Quote:

Originally Posted by Simon Lloyd

Great, thanks for that, soooooooo one last question (i guess for Eric) where are these custom pages stored so we can make the message more prominant, add our forums css and maybe add a link to a helpdesk (this is how i was contacted by my user)?

Right now Bad Behavior doesn't have any way to theme the page shown to blocked requests; it's all hard coded. Since it has to run under so many platforms, I basically just internalized everything, including the technical support pages. I'll make sure this gets on the roadmap.

Quote:

Originally Posted by Simon Lloyd

Sounds great but wouldn't that mean storing all useragents & IP's used by each user in the database?, i say this because BB would need to know to allow that user to even view the site in the first place, naturally if the user gets to login they've gone as far as the need to anyway. I'm not sure how you would police it without storing that added information for every user, unless i've misread how BB works.

Ha, you've clearly seen to the root of the problem. So I guess that won't work very well, or at all. As you can see, sorting malicious actors from real people in real time is a rather hard problem.

[Simon Lloyd]

Again, thanks for the responses, i've tinkered ever so slightly with responses.inc.php to add the url to my helpdesk just before

Quote:

', 'log' =>

I assume the url won't be parsed in this fashion, it's not a problem if it doesn't.

I see that what you're trying to do is commendable and fantastic, you've saved my bandwidth usage no end (when next months revenue comes in i'll make a donation....already did to project honey pot as i thought that was yours, was still a worthy donation), what i do see is that if you did fill the request to have every visitors user agent...etc checked with projecthoneypot, htppBL and every entry in your own database to summise it's a registered user then the server load and resource usage would kill your forum (on a busy one anyway or if you are running VPS or VM's).

I believe the way you are tackling it is the most sensible, the honing of this software and minimising the effect on honest organics is definitely the way to go. I guess the only other option for "suspect" real users is to filter those through to another list or moderated usergroup so they can then be contacted through the forum for an organic response this way you would also capture any secondary ip they may be using to allow you to whitelist them, perhaps to this end is it possible to add to your roadmap 3.0 to have the whitelist (and maybe a blacklist) integrated into vBBB so that it can be edited directly in admincp>vb Bad Behaviour Options (probably one for Eric?)?

Anyway above all, another great big thanks to you guys, nominated MOTM

[error10]

Thanks for your compliments.

One thing to note: Bad Behavior is not intended to be a complete anti-spam solution; it should not be the only thing you run. Bad Behavior should also not do certain things and indeed, a close inspection of the code will reveal quite a few things which have been either partially implemented, or tested and found to not work and therefore disabled.

Bad Behavior is meant to block a majority of obvious spam, in order to reduce server load and reduce the amount of spam messages and registrations to a level that is manageable with more traditional tools. Because this is done by completely blocking the request and stopping vBulletin (or other software) from completing loading, it's simply not possible for me to do everything. Some things must be let through because I can't reliably distinguish them in real time.

Bad Behavior is also not meant to be a general purpose blacklisting tool, as a few people here have tried to use it. While it does contain an internal blacklist, these items are limited to well known malicious user-agents which scrape, harvest addresses, deliver spam or execute attacks. Things like ht:track and wget are intentionally not on the blacklist because many people want such software to visit their sites, and they are not designed as malicious tools. It's better to add such things to your local .htaccess (or equivalent) if you intend to block them. Perishable Press has some really good starting points.

[Alfa1]

Quote:

Originally Posted by error10

The one you posted in ticket 4 doesn't look like a legitimate user. Are you absolutely 100% certain that it is?

I cleared my logs, but it was a registered member. I think it was a valid member.
Just to make sure, here are some more. All from valid members:

Please check out: OpenSearch
By far most issues seem to be related to this.

Quote:

Key: HTTP Response: 403
Explanation: An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.
Log Message: Required header 'Accept' missing
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
URI: /forum/misc.php?do=page&template=ncode_opensearch
Entity:
Headers: GET /forum/misc.php?do=page&template=ncode_opensearch HTTP/1.1
Host: www.my-forum.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [omitted data] bbcybfr_redtopage=newthread.php%3Fdo%3Dnewthread%2 6f%3D123; [omited data]

Quote:

Key: HTTP Response: 403
Explanation: An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.
Log Message: Required header 'Accept' missing
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.57 Safari/534.24
URI: /forum/misc.php?do=page&template=ncode_opensearch
Entity:
Headers: GET /forum/misc.php?do=page&template=ncode_opensearch HTTP/1.1
Host: www.my-forum.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.57 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [data omitted]

Quote:

Key: HTTP Response: 403
Explanation: An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.
Log Message: Required header 'Accept' missing
UserAgent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
URI: /forum/misc.php?do=page&template=ncode_opensearch
Entity:
Headers: GET /forum/misc.php?do=page&template=ncode_opensearch HTTP/1.1
Host: www.my-forum.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [data omitted]

Quote:

Key: HTTP Response: 403
Explanation: An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software.
Log Message: Required header 'Accept' missing
UserAgent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
URI: /forum/local_links.php?action=jump&catid=57&id=7208
Entity:
Headers: GET /forum/local_links.php?action=jump&catid=57&id=7208 HTTP/1.1
Host: www.my-forum.com
Connection: keep-alive
Referer: http://www.my-forum.com/forum/local_links.php?catid=57
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: [data omitted]

[Alfa1]

Quote:

Originally Posted by Eric

The best way to handle bypassing members would be to only run the plugin for guests - which I can code that in.

That would be a good option to have.

Quote:

Originally Posted by error10

Right now Bad Behavior doesn't have any way to theme the page shown to blocked requests; it's all hard coded. Since it has to run under so many platforms, I basically just internalized everything, including the technical support pages. I'll make sure this gets on the roadmap.

It would be very useful if legitimate members who face difficulties can be pointed to our helpdesk url.

[Simon Lloyd]

Quote:

Originally Posted by Simon Lloyd

Again, thanks for the responses, i've tinkered ever so slightly with responses.inc.php to add the url to my helpdesk just before I assume the url won't be parsed in this fashion, it's not a problem if it doesn't.

Quote:

Originally Posted by Alfa1

It would be very useful if legitimate members who face difficulties can be pointed to our helpdesk url.

See my quote above?

Quote:

HTTP Response: 403
Explanation: You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses, malware or spyware from your computer.If you need further help then contact Our HelpDesk
Log Message: IP address found on http:BL blacklist

[Alfa1]

Thanks! I assume I can just use html in there?