What has changed:

• Another whitelist issue has been fixed.
• A SQL injection attack against Windows servers running IIS has been identified and blocked.

Everybody who was using the new url whitelisting should update.

All users should upgrade to resolve issues with potential blocking of a major search engine. Users of specialized web services integrated into their host platforms, for which Bad Behavior should not screen requests, should upgrade to take advantage of this new functionality.

What’s new?

• Recent reports indicate that the msnbot web crawler, used by Microsoft’s Bing search engine, no longer identifies itself as msnbot, but now uses a User-Agent string which was previously seen only with malicious requests from email harvesters and site scrapers. Microsoft has been notified of the problem, but given the glacial pace at which they fix issues with their software, a resolution is not expected soon. Due to concerns that Bad Behavior users may be losing their rankings in the Bing search engine, this malicious User-Agent string has been temporarily removed from Bad Behavior’s internal blacklist so that requests from msnbot may be processed. This will increase your exposure to spam and other malicious traffic. You may send comments regarding this to msnbot@microsoft.com.
• Due to ongoing issues with various web services such as OpenID and PayPal IPN behaving in strange ways which trigger Bad Behavior, a new whitelist has been added. You may now add URLs of your site to Bad Behavior’s whitelist. When a URL is added, Bad Behavior will ignore any HTTP request to that particular URL. If you need this feature, please check the advance parameters of this plugin.
• A condition in which the HTTP Referer: header contains invalid data now returns a 400 Bad Request error instead of a 403 Forbidden error. This is intended to make clear the fact that robots triggering this condition are not in compliance with the HTTP specification.
• An additional spambot has been identified and blocked by its unique User-Agent string.

What’s new?

Users authenticating to a Bad Behavior-protected site using a third party OpenID were blocked with a message stating that: “Data may not be posted from offsite forms.” In most circumstances, your site does not want to receive a POST which originated from another site; however, OpenID requires this. A new option, offsite_forms, has been added to Bad Behavior to permit data to be posted to your site from other sites. Enabling this option will allow OpenID to work but may expose your site to spam which was previously blocked.

A few specialized web crawlers use an unusual form of the Range: HTTP header in their requests, requesting a range starting with 0. This behavior, while technically permitted by the HTTP specification, is most often seen with malicious crawlers; web browsers and major search engines do not use it. Bad Behavior will now block these requests only when strict mode is enabled.

What has changed in bad-behaviour:

• Calls to undefined function bb2_email().

More on the project page or joomla! extension site.

What has changed in bad-behaviour:

• A particularly nasty trackback spammer advertising various drugs was blocked in the 2.0.27 release. An error in the logic may have caused legitimate trackbacks to be blocked. This error has been corrected.
• A PHP warning which appeared in the IPv6 handling code has been corrected.

What has changed in the plugin:

• correct way of checking guest group id
• removed a var_dump() call

More on the project page or joomla! extension site.

Cookie check will be brought back in on the next release but using the Joomla! framework so are some modification to make up for logging and black hole lose, but that is still a bit of a secret…

You can however find hints on project page: plg_badbehaviour