--- Comment #8 from Marcin Cieślak 2011-01-13 01:37:58 UTC ---
The way I understand this bug is that XFF IP addresses should be checked for
blocking *irrespective* of the trusted XFF list.

In August 2010 checkusers saw an example of an email spammer that used 19
different IP addresses plus 4 /24 networks and 1 /network full of proxies. But
he only had 4 different IP addresses in his XFF headers from a single /16 range
of the dynamic IP provider.

Many of those proxies were located on some dynamic DSL locations of unknown
provenience, so that marking them as "trusted" would be a recipe for disaster.
We don't know whether they allow for private IP addresses, we don't know if
they allow fake XFF to be passed over etc.

Besides, I don't believe that TrustedXFF list could (and should) be edited and
deployed so quickly to fight abuse like this.

This feature could possibly be enabled by default - there is little damage if
someone fakes their XFF header and happens to use a blocked IP address, so be

It could become problematic with RFC1918 addresses - for example a
non-Wikimedia wiki that wishes to block some local user would
effectively be blocking all poor RFC1918 souls behind some proxies on the whole

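An added example, not part of the comment above and not MediaWiki's own code, of the check it discusses: every X-Forwarded-For entry is tested against the block list without consulting any trusted-proxy list, and RFC 1918 entries taken from the header are skipped so that a block on a local address does not hit unrelated users behind proxies. The function names, the `skip_rfc1918` switch and the sample block list are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: the same address is a different host behind every proxy.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample block list (documentation range plus one local address).
BLOCKS = ["198.51.100.0/24", "10.1.2.3/32"]


def parse_xff(header):
    """Return the valid IP addresses in an X-Forwarded-For value, in order.

    Entries that are not IP addresses ("unknown", injected junk, empty
    items) are dropped instead of raising.
    """
    addrs = []
    for item in header.split(","):
        try:
            addrs.append(ipaddress.ip_address(item.strip()))
        except ValueError:
            continue
    return addrs


def block_hits(remote_addr, xff_header, blocks, skip_rfc1918=True):
    """Check the connecting address and every XFF entry against the blocks.

    No trusted-proxy list is consulted; each XFF entry is a candidate.
    Returns a list of (address, matching block) string pairs.
    """
    nets = [ipaddress.ip_network(b) for b in blocks]
    candidates = [(ipaddress.ip_address(remote_addr), False)]
    candidates += [(addr, True) for addr in parse_xff(xff_header)]
    hits = []
    for addr, from_xff in candidates:
        private = addr.version == 4 and any(addr in n for n in RFC1918)
        if from_xff and skip_rfc1918 and private:
            continue  # header-supplied private address: ambiguous, ignore
        for net in nets:
            if addr.version == net.version and addr in net:
                hits.append((str(addr), str(net)))
                break
    return hits
```

A forged header can only add block matches here, never remove one, because the connecting address is always checked as well.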