https://bugzilla.wikimedia.org/show_bug.cgi?id=23343

Marcin Cieślak <marcin.cies...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marcin.cies...@gmail.com

--- Comment #8 from Marcin Cieślak <marcin.cies...@gmail.com> 2011-01-13 01:37:58 UTC ---
The way I understand this bug is that XFF IP addresses should be checked for
blocking *irrespective* of the trusted XFF list.

In August 2010 checkusers saw an example of the email spammer that used 19
different IP addresses plus 4 /24 networks and 1 /network full of proxies. But
he only had 4 different IP addresses in his XFF headers from a single /16 range
of the dynamic IP provider.

Many of those proxies were located on some dynamic DSL locations of unknown
provenience, so that marking them as "trusted" would be a recipe for disaster.
We don't know whether they allow for private IP addresses, we don't know if
they allow fake XFF to be passed over etc.

Besides, I don't believe that TrustedXFF list could (and should) be edited and
deployed so quickly to fight abuse like this.

This feature could possibly be enabled by default - there is little damage if
someone fakes their XFF header and happens to use a blocked IP address, so be
it.

It could become problematic with RFC1918 addresses - for example a
non-Wikimedia wiki that wishes to block some local user 192.168.0.0/24 would
effectively be blocking all poor RFC1918 souls behind some proxies on the whole
Internet.

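An added illustration of the check argued for in the comment above (not MediaWiki code and not part of the original comment): every X-Forwarded-For entry is tested against the block list without consulting a trusted-proxy list, and RFC 1918 entries taken from the header are skipped to avoid the over-blocking described in its last paragraph. The block list, the addresses and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample block list: documentation ranges plus one local range.
BLOCKS = [ipaddress.ip_network(n) for n in
          ("198.51.100.0/24", "203.0.113.7/32", "192.168.0.0/24")]

# Private ranges that many unrelated networks reuse behind proxies.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_xff(header):
    """Return the syntactically valid IP addresses in an XFF header value."""
    addrs = []
    for token in header.split(","):
        try:
            addrs.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue  # "unknown", hostnames, empty or malformed tokens
    return addrs


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def xff_block_matches(remote_addr, xff_header, blocks=BLOCKS):
    """Match the connecting address and every XFF entry against the blocks.

    No trusted-proxy list is consulted. RFC 1918 addresses are matched only
    when they are the connecting address, never when they come from the
    header, so a local-range block does not hit strangers behind proxies.
    """
    hits = []
    candidates = [("remote", ipaddress.ip_address(remote_addr))]
    candidates += [("xff", a) for a in parse_xff(xff_header)]
    for source, addr in candidates:
        if source == "xff" and is_rfc1918(addr):
            continue
        for net in blocks:
            if addr in net:
                hits.append((source, str(addr), str(net)))
    return hits


if __name__ == "__main__":
    # Constructed request: unblocked proxy address, blocked client in XFF.
    print(xff_block_matches("192.0.2.10", "203.0.113.7, 192.168.0.5"))
```

A faked header can only add matches here, never remove the match on the connecting address, which is the trade-off the comment accepts.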