We've had to disable Bad Behavior 7 because it blocks a normal Drupal action.

When a new user registers, Drupal emails a confirmation link that must be clicked. But Bad Behavior does not allow the Drupal registration confirmation link to be executed. The link goes to our site, but shows the user an Error 400 declaring: "An invalid request was received from your browser. This may be caused by a malfunctioning proxy server or browser privacy software."

We tried the confirmation link in Chrome and in Thunderbird (Mozilla email client with embedded Firefox); same problem. Since the entire registration/confirmation process is built into Drupal 7, we have no clue what "invalid request" means.

Our settings:
Strict mode disabled
BL Threat Level 25
BL Maximum Threat Age 30
Enable reverse proxy support disabled (if our ISP has something running in front of our site, we don't know of it; we've never had any similar problem in 4 years on the same server).

When this happens there's no log entry to shed any light.

It's not a solution to tell users to diddle with proxy servers (usually out of their control) or privacy software (whatever that might be). Besides, we don't have either running in our tests.

ALSO: The Administrator email address presented to the user by Bad Behavior is NOT the exact email address we entered in BB configuration. BB adds "+nospam" before @ and "nospam." after it. We COULD make such an address work, but how would we know to do so? It is bizarre that BB asks us for the address we want to use, then alters it without telling us. How many legit users have been blocked by BB, tried to email us at this bogus address, and been further frustrated?

We have no choice but to stop using Bad Behavior 7.

Note that we've been using BB 6 on a different site for quite some time without any problems. BUT we have never heard from a user who emailed us due to being blocked, and NOW we are worried that the email address we configured is not actually being used by BB in the visitor message. We have no idea how to test BB to find out what it really does.

Comments

gregarios’s picture

Issue #1:
For more precise help, please post a screenshot of the corresponding message found at this (log) location:
<yoursite.com>/admin/reports/badbehavior

Issue #2:
The email address has "nospam" attached to it so bots will not capture the email address and use it to perpetuate email spam to the administrator. It is universally (enough) understood that the "nospam" section of emails is to be removed prior to hitting "send" to send an email. However, if you wish to submit an issue about that particular portion of Bad Behavior, it must be done to the BB Script author at the following link, as it is not part of the module: http://bad-behavior.ioerror.us/support/troubleshooting

hawkdrupal’s picture

Thanks for the explanation.

The Reports log link is not there, probably because Bad Behavior module has been disabled. (No other evident way to have it stop its own bad behavior.)

The notion that someone who receives the Bad Behavior warning will understand to remove "nospam" segments from the address after clicking to generate an email is similar to the other assumptions about the technical sophistication of the site user, such as suggestions regarding proxy server and privacy tools. It's much too obscure to be useful on a site serving the general public. So we will leave this module disabled.

PS: We're having good results with BOTCHA plus CAPTCHA (which replaced Mollom, which did virtually nothing).

gregarios’s picture

Status: Active » Needs review

If we get more users who are having an issue with the registration process being interrupted, I'll look into this. For now it sounds like it may be an issue with your hosting provider.

gregarios’s picture

Status: Needs review » Postponed (maintainer needs more info)

Cadeyrn’s picture

Status: Postponed (maintainer needs more info) » Active

I think I also have this bug, and that it spans more than just registration. I didn't try registering a new user, but after installing and enabling Bad Behavior and then logging out of the administrative account, every page on my Drupal site gives the error 400 on every computer in this network (haven't tested access from another network), and when I click on "fix this problem yourself," it goes to a page named "Bad Behavior Technical Support" that says an invalid request was made by my browser. This is very serious, as I disabled Bad Behavior via SQL and nothing's changed. I may be permanently locked out of this website, unless removing the files can fix it.

EDIT: Removing Bad Behavior's files fixed it. I don't understand why just disabling the module wasn't enough.

gregarios’s picture

If anyone can post a screenshot of the actual error message generated by the Bad Behavior library, I might be able to help (although it sounds like a job for the maintainer at http://bad-behavior.ioerror.us/support/troubleshooting).

gregarios’s picture

Status: Active » Closed (won't fix)

Still waiting on further information. This is not a problem with the Drupal Module anyway — but with the source scripts found at http://bad-behavior.ioerror.us, so I will not fix this issue (unless further information is provided which leads us to believe it is the BB module).

I will alert the source maintainer of this issue, however.

DigitalFrontiersMedia’s picture