Integration with vBulletin - vB Bad Behavior

/**
* vB Bad Behavior is free software; you can redistribute it and/or modify it under
* the terms of the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 3 of the License, or (at your option) any
* later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
* PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
*/

What is vB Bad Behavior?
This is an integration of the Bad Behavior software with vBulletin.

What is Bad Behavior?
Bad Behavior is a PHP-based solution for blocking link spam and the robots which deliver it. Bad Behavior complements other link spam solutions by acting as a gatekeeper, preventing spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. This keeps your site's load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers.

Visit http://bad-behavior.ioerror.us/ for more.

Features
For more information on the features of Bad Behavior (and subsequently this mod) please go to Bad Behavior's site:

http://bad-behavior.ioerror.us/documentation/benefits/

For features related to the mod itself, please take a look at the screenshots.

This mod should work with the entire 3.x series (well, beginning with 3.5), but it's only been tested on 3.8.x. I'm not sure if this works on vB 4.x yet, as I've not tested it - but if you try it out, let me know!

Installation
1. Extract the contents of the zip file.
2. Upload the contents of the `upload` folder to your forum root.
3. Enter your AdminCP and go to Plugins & Products > Manage Products > [Add/Import Product]
4. Import the product using the `product-vb_badbehavior.xml` file.
5. Configure the mod in AdminCP -> vBulletin Options -> vBulletin Options -> vB Bad Behavior Options

Upgrading

vB Bad Behavior
In many cases, all you'll need to do to upgrade is follow the installation instructions above.

The only difference, will be you'll need to allow the files to overwrite. Also, when re-importing the product file, you'll need to set "Allow Overwrite" to "Yes".

Bad Behavior
Bad Behavior's files are at `/includes/bad-behavior/`. If you wish to update manually go to:

http://bad-behavior.ioerror.us/download/

And download the latest development version. Extract the zip, and upload the contents of `bad-behavior` to `/includes/bad-behavior/` allowing the files to overwrite.

Versions
The current version of Bad Behavior this mod is using is: v2.2.14
The current version of Bad Behavior (development) is: v2.2.14

Changelog
Version 1.0.13, 04/23/2013

• Bad Behavior upgraded to 2.2.14

Version 1.0.12, 12/21/2012 -- Released: 02/05/2013

• Bad Behavior upgraded to 2.2.13
• Added some more ranges to whitelist.ini

Version 1.0.10, 09/09/2012

• Bad Behavior upgraded to 2.2.10

Version 1.0.9, 06/17/2012

• Bad Behavior upgraded to 2.2.7

Version 1.0.8, 06/12/2012

• Bad Behavior upgraded to 2.2.6
• New Setting: EU Cookie

Version 1.0.7, 05/04/2012

• Bad Behavior upgraded to 2.2.3
• Cron/Scheduled Task for automatic log pruning added.

Version 1.0.6, 01/04/2012

• Bad Behavior upgraded to 2.1.15

Version 1.0.5, 05/26/2011

• Added option for bypassing users/members.
• If the visitor is a user, and is in usergroup 5, 6, or 7 (admin/mod/super mod) - Bad Behavior is bypassed.
• Modified bad-behavior core to check for Google Web Preview
  • file edited: /includes/bad-behavior/core.inc.php
• Added a link beside the IP address in the log for WhoIs.

Version 1.0.4, 04/28/2011

• Bad Behavior upgraded to 2.1.13 (fixes search engine block issues)
• Added Paypal/Paypal IPN IP address to the whitelist.
• Added payment gateway file names to the whitelist.

Version 1.0.3, 04/21/2011

• Fix #1: Pruning log doesn't work.
• Fix #3: POST more than two days after GET (added support for BB's javascript)
• Fix #5: Cannot modify header information error (suppressed error in BB's function)
• Implemented #6: Filter per key (new admincp option to list keys not to be shown in log)
• Implemented #9: Show link to member profile (if userid is found in headers, link to profile)

Version 1.0.2, 04/10/2011

• Updated /includes/functions_vb_badbehavior.php to:
  • disable Reverse Proxy if Reverse Proxy Addresses are empty
  • distinguish SQL queries using "SET", for example: SET @@session.wait_timeout = 90 - which is used by BB
  • set "offsite_forms" to false by default, as it's not really needed in vB IMHO, and it can cause problems with certain setups
  • cleaned up the bb2_read_settings() function and fixed a typo in one of the vbulletin options calls
• Updated /includes/whitelist.ini to include the following GOOGLE ranges:
  • 74.125.0.0/16
  • 216.239.32.0/19
  • 209.85.128.0/17
  • 66.102.0.0/20
• Updated /admincp/vb_badbehavior.php
  • Log pruning was pruning all logs, despite what was entered for number of days

Version 1.0.1, 04/06/2011

• Bad Behavior upgraded to 2.1.12
• Changed files:
  • /includes/bad-behavior/core.inc.php
  • /includes/bad-behavior/searchengine.inc.php
• "Verbose" admin option now set to "No" by default.

Version 1.0.0, 04/05/2011

• Initial release.

Screenshots
Screenshots can now be seen at: http://www.secondversion.com/images/vb/vb_badbehavior/

I was running out of room for attachments here on vB.org


Development

https://github.com/ericsizemore/vb_b...ree/master/vb3


Only those who "Mark As Installed" will receive support for this modification.

[viper357]

Quote:

Originally Posted by Alfa1

Please consider to make a third mode: 'medium mode' and add this to it.
This mode would be useful for boards that do not want to block valid users, even if it lets some bots through.
I really can not afford to block 80 registered members per day and thats what happening now. Most users just use security software without knowing how to manage it. They are not adjusting their browsing behavior after the notice from BB. Most would not know where to start.

Quote:

Originally Posted by error10

I think I have an idea of how to solve this problem without moving to strict mode. Give me a day or so.

Quote:

Originally Posted by Eric

Were you able to come up with something? I'll hold off on the next release if so, that way I can incorporate it first.

Quote:

Originally Posted by Eric

Updated...

Does this update include the above fix/mode? If it's blocking 80 registered users per day then that's about half of my active membership

[Alfa1]

Deepnet explorer and artabus are still trying to register spam accounts. My blacklist has this:

Quote:

// These user agent strings occur anywhere within the line.
$bb2_spambots = array(
"\r", // A really dumb bot
"; Widows ", // misc comment/email spam
"a href=", // referrer spam
"Bad Behavior Test", // Add this to your user-agent to test BB
"compatible ; MSIE", // misc comment/email spam
"compatible-", // misc comment/email spam
"DTS Agent", // misc comment/email spam
"Email Extractor", // spam harvester
"Gecko/25", // revisit this in 500 years
"grub-client", // search engine ignores robots.txt
"hanzoweb", // very badly behaved crawler
"Indy Library", // misc comment/email spam
"MSIE 7.0; Windows NT 5.2", // Cyveillance
"Murzillo compatible", // comment spam bot
".NET CLR 1)", // free poker, etc.
"POE-Component-Client", // free poker, etc.
"Turing Machine", // [URL="http://www.anonymizer.com"]www.anonymizer.com[/URL] abuse
"unspecified.mail", // stealth harvesters
"User-agent: ", // spam harvester/splogger
"WebaltBot", // spam harvester
"WISEbot", // spam harvester
"WISEnutbot", // spam harvester
"Windows NT 4.0;)", // wikispam bot
"Windows NT 5.0;)", // wikispam bot
"Windows NT 5.1;)", // wikispam bot
"Windows XP 5", // spam harvester
"WordPress/4.01", // pingback spam
"Xedant Human Emulator",// spammer script engine
"\\\\)", // spam harvester
"artabus",
"Deepnet Explorer",
"DigExt",
"MarketwireBot",
"SoftLayer Server",
"FairShare",
"MRSPUTNIK",
"HackerTarget.com",
"JoBo",
"EMail Exractor",
"radian6",
"Alexa",
"boardpulse",
"harvest",
"Wget",
"HTTrack",
"copy",
"copier",

);

What am I doing wrong?
Please add these bots to the default blacklist.

Quote:

Originally Posted by viper357

Does this update include the above fix/mode? If it's blocking 80 registered users per day then that's about half of my active membership

No, its not resolved yet.
http://trac.assembla.com/vb-bad-behavior/ticket/4

[Eric]

Quote:

Originally Posted by Alfa1

Deepnet explorer and artabus are still trying to register spam accounts. My blacklist has this:
What am I doing wrong?
Please add these bots to the default blacklist.




No, its not resolved yet.
http://trac.assembla.com/vb-bad-behavior/ticket/4

I'll see about adding them by default to the blacklist, maybe I could have error10 add them to BB itself as well.

Quote:

Originally Posted by viper357

Does this update include the above fix/mode? If it's blocking 80 registered users per day then that's about half of my active membership

Right now, I have not heard back from error10 yet, so no that was not included. Even if installed, you won't necessarily block many (if any) users - just seems to be users that may be using "private" software w/their browser.

[Lee G]

I found another Google range has been getting denied access

User agent
Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13

IP range
72.14.192.0 - 72.14.255.255 or 72.14.192.0/18

Alpha1. If you think a user agent is not being denied, try it over at bits vrs browsers on the user agent test page
http://www.botsvsbrowsers.com/SimulateUserAgent.asp
You might find your artabus block needs a capital A

Fairshare from memory are a limited ip range.
I know I block them via my htaccess. But I cant remember what their ip range is

[Alfa1]

I added 2 important feature requests:

http://trac.assembla.com/vb-bad-behavior/ticket/12

Quote:

When a registered member is blocked by BB for one of the following reasons, send the member a message by PM which explains the issue and informs the member how to resolve it.
17f4e8c8 User-Agent was found on blacklist
2b021b1f IP address found on http:BL blacklist

This allows valid members to address the issue and switch anonymous proxies, or take other measures to resolve.

http://trac.assembla.com/vb-bad-behavior/ticket/13

Quote:

Please add a admincp setting to turn off blocking of registered members.
This setting can be extremely valuable for admins that encounter problems with registered members being blocked by vb BB.

I can envision two versions of this setting:
1. IF bbuserid is found, then bypass BB
2. IF bbuserid is found AND joindate is older than 60 days, then bypass BB

Currently I see a lot of users blocked by the accept issue and must disable BB because of this. The above function would allow me to keep BB running while the issue is addressed.

IMO this ticket about the accept issue should be reopened, as you are trying to resolve the issue:
http://trac.assembla.com/vb-bad-behavior/ticket/4

[Lee G]

If only this hooked up with the Stop Forum Spam database. It would take out even more of the proxies the scrapers and low life hit from.

Project honey pot only seems to mark ips that have been caught trying to send emails

Im presently running it set on 1 rather than the default 20 or 25 that is set default

None of my members have been blocked. Then again, unless they are trying to avoid bans, they dont use proxies

[Eric]

Quote:

Originally Posted by Lee G

I found another Google range has been getting denied access

User agent
Mozilla/5.0 (en-us) AppleWebKit/525.13 (KHTML, like Gecko; Google Web Preview) Version/3.1 Safari/525.13

IP range
72.14.192.0 - 72.14.255.255 or 72.14.192.0/18

Alpha1. If you think a user agent is not being denied, try it over at bits vrs browsers on the user agent test page
http://www.botsvsbrowsers.com/SimulateUserAgent.asp
You might find your artabus block needs a capital A

Fairshare from memory are a limited ip range.
I know I block them via my htaccess. But I cant remember what their ip range is

That range for Google is already listed - how are you checking if it's denied, or is it in your log?

[Eric]

Quote:

Originally Posted by Lee G

If only this hooked up with the Stop Forum Spam database. It would take out even more of the proxies the scrapers and low life hit from.

Project honey pot only seems to mark ips that have been caught trying to send emails

Im presently running it set on 1 rather than the default 20 or 25 that is set default

None of my members have been blocked. Then again, unless they are trying to avoid bans, they dont use proxies

I plan on adding stopForumSpam actually.

Quote:

Originally Posted by Alfa1

I added 2 important feature requests:

http://trac.assembla.com/vb-bad-behavior/ticket/12
http://trac.assembla.com/vb-bad-behavior/ticket/13
Currently I see a lot of users blocked by the accept issue and must disable BB because of this. The above function would allow me to keep BB running while the issue is addressed.

IMO this ticket about the accept issue should be reopened, as you are trying to resolve the issue:
http://trac.assembla.com/vb-bad-behavior/ticket/4

The best way to handle bypassing members would be to only run the plugin for guests - which I can code that in.

[Lee G]

Hi Eric
The google range that was being blocked, I found in my logs.
Put the range in the white list and it cured the problem

As for adding the stop forum spam database, you have just made my day

[Simon Lloyd]

I have stopforumspam installed and did use it for a little while but i was getting many many real people getting blocked & it was allowing registrations if they didn't provide an email address, so now i just have it set to allow but log evrything. It needs a bit of extra work to work better but another great tool

Sounds great though Eric.