Bad Behavior Feature
Since 1.0 we have included "Bad Behavior" anti-spam functionality. I'm curious if this is still useful to anyone.
The BB software has not been seriously updated in some time, and many of the checks are very dated. Bots are much cleaner now than when the core of BB was written to catch issues, and the bots are not clumsy these days.
While scanning one set of logs, I found (3) main reasons for BB actions:
1) The main one was "Required header 'Accept' missing". TBH there is a share of these hits that are incorrect. Several of the checks that flag this issue are so-so at this point. There are various exceptions for things like PlayStation 3 or Yahoo hot jobs Seeker, or Windows ME among others; just listing those to show the patina on the code. I know there are specific issues with mobile devices and this check.
2) The next major BB block was not really BB, but calls made to the http:BL service provided by Project Honey Pot. These are logged as "IP address found on http:BL blacklist". This function could also easily be added without the need for BB.
3) The last seemed to be "User-Agent was found on blacklist". This is detected since BB simply checks IPs with spamhaus.org SBL / XBL lists. That is easy to add without having to rely on BB.
I've also seen a few "URL pattern found on blacklist", which is generally someone trying to inject SQL via the URL; that would not go anywhere w/o BB anyway.
So for those of you using BB, useful or not? What detections are you seeing?
Re: Bad Behavior Feature
Reply #3 –
Huh, interesting stats.
I'd also be curious which user agents you're blocking because what I'm finding is that there are a host of 'search engine bots' that are pretty awful and unlikely to return much traffic, e.g. Aspiegel/Petalbot, Mauibot, Ahrefsbot, to the point where I block them entirely from even getting to the server if the user agent mentions that.
But I think we can agree that you don't need to integrate BB as is at this stage, and just do the integrations you do care about.
I will say that the measures I added to SMF on the CAPTCHA validations (especially registration) have proven reasonably effective at keeping things at the door without too much effort - time gating and a mandatory-empty field.
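One way to implement the two measures named in the reply above (time gating and a mandatory-empty field), as an added example that is not code from SMF, ElkArte or Bad Behavior. The function names, the `website` and `form_token` field names, the thresholds and the HMAC-signed timestamp are all assumptions made for illustration.

```php
<?php
// Added example: time gate plus mandatory-empty (honeypot) field for a form.
// Every name and threshold below is hypothetical, not taken from any forum code base.
const MIN_FILL_SECONDS = 5;    // assumed: a person needs at least this long to fill the form
const MAX_TOKEN_AGE    = 3600; // assumed: a rendered form is valid for one hour

// Build the "timestamp.hmac" value placed in a hidden field when the form is rendered.
function issue_form_token(string $secret, int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, $secret);
}

// Returns null when the submission passes, otherwise the reason for rejecting it.
function check_submission(array $post, string $secret, int $now): ?string
{
    // Mandatory-empty field: hidden from people with CSS, so only scripts fill it in.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot field filled';
    }
    $raw   = $post['form_token'] ?? '';
    $parts = is_string($raw) ? explode('.', $raw, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'token missing or malformed';
    }
    [$issued, $mac] = $parts;
    // The signature stops a client from supplying its own, older timestamp.
    if (!hash_equals(hash_hmac('sha256', $issued, $secret), $mac)) {
        return 'token signature invalid';
    }
    $elapsed = $now - (int) $issued;
    if ($elapsed < MIN_FILL_SECONDS) {
        return 'submitted too fast';
    }
    if ($elapsed > MAX_TOKEN_AGE) {
        return 'token expired';
    }
    return null;
}

// Constructed sample submissions, all against a form rendered at $t0.
$secret = 'constructed-demo-secret';
$t0     = 1700000000;
$token  = issue_form_token($secret, $t0);
$cases  = [
    'person, 30s later'     => [['form_token' => $token, 'website' => ''], $t0 + 30],
    'script fills all'      => [['form_token' => $token, 'website' => 'http://x.example'], $t0 + 30],
    'script posts at once'  => [['form_token' => $token, 'website' => ''], $t0 + 1],
    'forged older timestamp' => [['form_token' => ($t0 - 60) . '.deadbeef', 'website' => ''], $t0 + 1],
];
foreach ($cases as $label => [$post, $now]) {
    echo str_pad($label, 24), ' => ', check_submission($post, $secret, $now) ?? 'accepted', "\n";
}
```

Because the timestamp is signed rather than kept in the session, the check still works for visitors who arrive without a session cookie.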
Re: Bad Behavior Feature
Reply #4 –
Kind of says it's not really doing much, it's those outside services that are doing the bulk of the lifting. The rest could be done with a couple of simple checks -or- blocked at the server level for those that can make changes there.
I think I have data access to another site, so I'll take a look at its logs and see what/why of the blocking.
I've tended to use some nginx items "conn_limit_per_ip", "req_limit", "php_limit" to throttle requests / activity. The only things that seem to trip those limits are bots. Then I have a couple of fail2ban rules, so if you trip those breakers a few times in a given period, you get blocked for some period of time.
Re: Bad Behavior Feature
Reply #9 –
What are the odds that that Firefox 52 header is really FF 52? I’d suggest not high since that isn’t how FF normally operates, but I’m not sure this is good evidence for keeping this filter… it might have worked back in the day for WP bots but I don’t believe it’s that significant now.
Re: Bad Behavior Feature
Reply #10 –
Agree ... I'm sure it's whatever was coded into the program, the Fx16 one was pretty funny as well. I'm feeling that I'll be removing BB and just replace it with a couple of easy settings in the ACP. It will be just as effective and cleaner.