Tag Archive for 'anti-spam'

Bad Behavior and Squid’s default caching behavior don’t play nice

I wrote earlier about Bad Behavior sporadically blocking me from my own site. It turns out the problem was Squid’s default behavior of caching error messages for 5 minutes (my host deploys Squid in front of its server clusters for load balancing and other purposes). Thus, if a spambot or other undesirable gets blocked by Bad Behavior, and I or anyone else happens to visit the site within 5 minutes, Squid will serve up the cached 403 Forbidden message.

Bad Behavior’s developer Michael Hampton and Jeff from my host NearlyFreeSpeech were both extremely patient and helpful in solving this problem. They both independently provided me with this very simple solution: add

header("Vary: *");

after line 25 in banned.inc.php in the Bad Behavior plugin.

The “Vary: *” header tells a cache (such as Squid) that the content of this particular page depends on factors the cache cannot determine from the request headers. Since the cache has no way to decide whether a stored copy is appropriate for any later request, it must not reuse the copy and has to go back to the origin server every time. Contrast “Vary: *” with “Vary: Accept-Encoding”, where the cache will serve the stored copy to requesters that sent the same “Accept-Encoding” value, and fetch a fresh copy only when the value is different.

I am told that, in the ideal world, Bad Behavior should not have to send such a header with its error messages because the official HTTP standards (RFC 2616) state that content should not be cached unless the Cache-Control headers explicitly allow it. However, Squid is “non-compliant” in this particular case as it caches error messages for 5 minutes unless the default negative_ttl setting is changed. Luckily, it’s not painful to choose between being compliant with HTTP standards and being compliant with default Squid settings (which I assume are widely used). Sending an extra “Vary: *” header doesn’t seem to have any downsides.
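To make the caching behavior described above concrete, here is an added example (not code from the post, from Bad Behavior or from Squid) that models a shared cache sitting in front of a spambot blocker. The cache, the blocker (which simply refuses any User-Agent containing “spambot”), the traffic and the TTL values are all constructed for the illustration; the names SharedCache, bad_behavior_origin and replay are hypothetical. The model reproduces three things the post talks about: negative caching of error responses for a fixed window (Squid’s negative_ttl), “Vary: Accept-Encoding” reusing a copy only for requests with the same encoding, and “Vary: *” never reusing a copy at all.

```python
"""Shared HTTP cache (Squid-like) in front of a spambot blocker: a model.

Added example, not code from the blog post, Bad Behavior or Squid.  Every
name and value here is constructed for illustration.  It models:
  * negative caching: any 4xx response is stored for NEGATIVE_TTL seconds,
    standing in for Squid's negative_ttl directive
  * Vary: <header list>: a stored copy is reused only when the listed
    request headers match those of the request that produced it
  * Vary: *: a stored copy never matches, so it is never reused
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, str]
NEGATIVE_TTL = 300.0   # the 5-minute negative_ttl the post describes
POSITIVE_TTL = 600.0   # assumed freshness for successful pages in this model


@dataclass
class Response:
    status: int
    body: str
    headers: Headers = field(default_factory=dict)


@dataclass
class Entry:
    response: Response
    request_headers: Headers   # the request that produced the response
    expires_at: float


class SharedCache:
    """One cache shared by every visitor of the site (hypothetical name)."""

    def __init__(self, origin: Callable[[Headers], Response]):
        self.origin = origin
        self.store: Dict[str, List[Entry]] = {}

    @staticmethod
    def _matches(entry: Entry, req: Headers) -> bool:
        vary = entry.response.headers.get("Vary", "").strip()
        if not vary:
            return True                    # no Vary: one copy fits everyone
        if vary == "*":
            return False                   # RFC 2616 13.6: "*" never matches
        old = {k.lower(): v for k, v in entry.request_headers.items()}
        new = {k.lower(): v for k, v in req.items()}
        return all(old.get(n.strip().lower()) == new.get(n.strip().lower())
                   for n in vary.split(","))

    def get(self, url: str, req: Headers, now: float) -> Tuple[Response, str]:
        """Return (response, "HIT" or "MISS") for a request arriving at `now`."""
        for entry in self.store.get(url, []):
            if entry.expires_at > now and self._matches(entry, req):
                return entry.response, "HIT"
        resp = self.origin(req)
        ttl = NEGATIVE_TTL if resp.status >= 400 else POSITIVE_TTL
        self.store.setdefault(url, []).append(Entry(resp, dict(req), now + ttl))
        return resp, "MISS"


def bad_behavior_origin(vary_on_block: Optional[str]) -> Callable[[Headers], Response]:
    """Constructed stand-in for the blocker: a User-Agent containing
    'spambot' gets a 403, everyone else gets the page.  `vary_on_block` is
    the Vary header the 403 carries (None means none at all)."""
    def origin(req: Headers) -> Response:
        if "spambot" in req.get("User-Agent", "").lower():
            hdrs = {"Vary": vary_on_block} if vary_on_block else {}
            return Response(403, "Forbidden", hdrs)
        # The real page is negotiated on encoding, so it says so.
        return Response(200, "Welcome", {"Vary": "Accept-Encoding"})
    return origin


# Constructed traffic: a spambot is blocked, the owner visits 10 s later,
# then twice more after the negative_ttl window has passed.
TRAFFIC = [
    (0.0,   "spambot", {"User-Agent": "EvilSpamBot/1.0", "Accept-Encoding": "gzip"}),
    (10.0,  "owner",   {"User-Agent": "Mozilla/5.0",     "Accept-Encoding": "gzip"}),
    (400.0, "owner",   {"User-Agent": "Mozilla/5.0",     "Accept-Encoding": "gzip"}),
    (401.0, "owner",   {"User-Agent": "Mozilla/5.0",     "Accept-Encoding": "identity"}),
]


def replay(vary_on_block: Optional[str]) -> List[Tuple[str, int, str]]:
    """Replay TRAFFIC through a fresh cache; return (who, status, HIT/MISS)."""
    cache = SharedCache(bad_behavior_origin(vary_on_block))
    out = []
    for t, who, hdrs in TRAFFIC:
        resp, source = cache.get("/", hdrs, t)
        out.append((who, resp.status, source))
    return out


if __name__ == "__main__":
    print("403 without Vary:", replay(None))   # owner at t=10 gets the bot's 403
    print("403 with Vary: *:", replay("*"))    # owner at t=10 reaches the origin
```

Without a Vary header the owner’s visit at t=10 is answered from the spambot’s stored 403, which is exactly the lockout the post describes; with “Vary: *” that entry never matches and the owner reaches the origin. The two later visits show the “Vary: Accept-Encoding” side: the gzip request is a HIT on the gzip copy, the identity request is a MISS because the encoding differs. Since the cache belongs to the host, the application-side header is the only knob the site owner controls.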

Thanks again, Michael and Jeff, for helping me debug this problem and humoring my newbish questions.


Bad Behavior false positives: blocked from my own site

Update: My mistake. Michael Hampton is still supporting Bad Behavior. Maybe I’ll figure out what’s wrong after all.

I’ve disabled the Bad Behavior plugin because it was sporadically blocking me from my own site. Bad Behavior in theory blocks spambots and other undesirables from viewing your website altogether, saving your bandwidth and resources and acting as a first-line defense, complementing anti-spam solutions like Akismet and the new Defensio.

I really love the concept, but since Bad Behavior blocks access entirely, false positives are very costly. Unwittingly blocking genuine visitors to my site would be very very bad. I’ve tried to find the problem following instructions from the FAQ and this blog post on false positives, to no avail.

Unfortunately, the plugin doesn’t seem to be in active development, and the email for reporting false positives appears to be dead. Oh well, I guess Akismet alone will have to do.