Bad Behavior Patch for Opera Users

Bad Behavior is an excellent ‘profiling’ plug-in that deters most spam bots and attacks on web-based scripts, especially blogs, wikis, and forums. It uses a very detailed and sophisticated combination of checks and algorithms to create a ‘spammer’s profile’ and if a visitor to your site fits it, it’ll block them.

The algorithm is so good that there are almost no false positives, and together with a decent spam plug-in like Akismet or Spam Karma 2, you’re blog will be forever clean. But it has a problem with Opera. Most builds of Opera trigger a false alarm, leaving your blog reader-less, especially with the release of Opera 9, an excellent browser in all rights, but there is a solution.

  1. Download and extract Bad Behavior
  2. Open ./bad-behavior/common_tests.inc.php
  3. Comment out the code beginning from line 57 to line 60 (inclusive). It should look like this when you’re done:
    [sourcecode lang='php']/*
    if (array_key_exists(‘Te’, $package['headers_mixed'])) {
    if (!preg_match(‘/\bTE\b/’, $package['headers_mixed']['Connection'])) {
    return “582ec5e4″;
    }
    }
    */[/sourcecode]
  4. Save the file, upload the directory to your wp-content/plugins folder, activate, and enjoy!

The Technical Stuff

What we just did is disable “TE Request-Header” checks. TE request-headers are from RFC2616, section 14.39; and although we have no doubt that the authors of this wonderful algorithm had their reasons for including TE request-header checks, and that certain spam bots do indeed employ this particular header-request for TE, as far as we can tell the benefits gained by using such a check are minor.

You can view the entire RFC here. At any rate, it doesn’t matter. Bad Behavior is famous for its excellence and cross compatibility, and lack of false positives, so we feel it should stay that way – without the TE request-header checks. An ideal solution would be to implement this function as a subset of ‘Strict Mode’ which is specially designed to block more illicit traffic, but with the knowledge that it may block some legitimate users.

7 thoughts on “Bad Behavior Patch for Opera Users

  1. Nothing is wrong with this particular check. It functions properly and does not block Opera.

    It does, however, block Opera users who are behind certain misconfigured proxy servers.

    As such, you should fix the proxy server, as Bad Behavior is not broken.

  2. The following comes from Opera and I have every reason to believe it is accurate:

    I am a developer at Opera Software ASA, the company developing the Opera browser. One of the areas I am working with is our HTTP support.

    I’ve recently noticed a few reports about users getting “Precondition failed” when trying to visit sites using your “Bad behaviour” package (see e.g. http://my.opera.com/community/forums/topic.dml?id=113252 ) . The most recent case involved the blog of one of our own employees, who just announced that he had disabled “Bad Behaviour” because of the difficulties, and implemented different antispam countermeasures.

    According to one report our use of the “TE” header may be involved, and that the cause of the problem is that the TE header is not listed in the “Connection” header.

    As far as Opera is concerned, the TE header is properly identified in the “Connection” header when requests are sent from us.

    If, indeed, a missing TE entry in the Connection header is the cause of the problem, the entry went missing in transit, and one possibility is a non-compliant proxy.

    However, in at least one case the user stated that he did not use a proxy (although a transparent proxy is a possibility, and I know utilities like Google Desktop Search have messed up our pipelined connections before), but there are several other reports indicating that proxies, in particular privacy and adbuster filtering proxies (which, as far as I am concerned, are notorius for bad behaviour with respect to HTTP 1.1 and pipelining) are involved.

    FYI, I might add that Opera will not use HTTP 1.1 on the first request to a proxy, and will only use HTTP 1.1 and pipelining against proxies in requests if the proxy responds with a HTTP 1.1 version response and HTTP 1.1 is enabled for proxies by the user. Also, we do not send the TE header to servers that we don’t know are HTTP 1.1 capable, which means that the first request to a server will not contain the TE header….

    –Sincerely,
    Yngve N. Pettersen

    If you disable HTTP/1.1 for proxies, that should take care of the problem.

    If not, feel free to send me log entries and I’ll investigate further. Your messages did not include any log entries showing that any legitimate users had been blocked.

  3. Hmmmmm..
    Interesting post, thanks for passing that letter on.

    I’m such a ‘real’ user, not behind any proxy, but I am on the RIPE network. If that is considered a proxy then that may be it – but then in that case I’d leave it, since I get much traffic from Europe – a great part of which is RIPE.

    I doubt it’s RIPE, and as a matter of fact, that letter doesn’t explain too much:
    i.e. why does it only happen with Opera and not IE or FF if it is indeed the proxy server at fault.

  4. I’m an Opera user and I get this “Precondition Failed” every once in a while. Disabled my proxy server and disabled HTTP/1.1 (whatever that is) – makes no difference. All my anti-virus stuff is bang up to date.

    All I want to say is that, to those sites who won’t let me in, “you lost a customer”.

  5. Bad Behavior is indeed at fault here.

    Now, granted proxies should not be passing through TE headers unless they themselves support TE (in which case the TE token would appear in the Connection header and the Bad Behavior check would catch that as correct behaviour) or if they do they shouldn’t report themselves as HTTP/1.1 (HTTP/1.0 proxies wouldn’t know any better) and Opera prudently doesn’t use TE on any connection until after that connection is shown to support 1.1.

    However it was precisely because TE headers and other as-yet-unspecified headers with point-to-point semantics (as opposed to headers intended to be passed all the way through to the server and back – or to appear to have done so should the proxy serve the request with its own cache) could get written through incorrectly that RFC 2616 has the rule about insisting that it should be mentioned in the Connection header.

    Hence:

    1. Opera does the right thing.

    2. Proxy does the wrong thing, possibly due to being built before HTTP/1.1 was finalised, more likely just a bug.

    3. RFC2616 is written with foresight and therefore contains a mechanism for servers to catch this and not use the transfer-encoding in question.

    4. Bad Behavior deliberately undoes that foresight by blocking the requests.

     

  6. Excellent post Jon..
    I’ve attempted to contact Michael (the author of Bad Behavior) in follow-up a couple of times, but I haven’t been successful.

    Bad Behavior blocks every single person behind a local, manual, or invisible (ISP) proxy that uses TE Headers via a client that properly supports them. This patch has been out forever now, but I guess blocking tens (hundreds??) of thousands of users isn’t enough to warrant an update. :(

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>