403 errors because of wildcards in referrer spam list

[yodahome@…]

Well, I consider this a bug but judge for yourself:

I just spend about 10 hours looking for a problem when certain pages and functions like /edit /info etc. on certain pages suddenly returned 403 errors. (I actually phoned my webhosters because I thought of it as a server problem) It turned out that all the pages didn't show up because I opened them from a Wikka page called "AssassinsKontakt". As you can see the magic word 'Kontakt' (=contact) caused the problem because the spamlist in .htaccess effectively blocks all connections from a referrer url that includes the listed words (e.g. 'Kontakt'). You might want to re-consider the words used in your list or whether only the name of the top level domain should be checked. This way it's much too strict for my taste and it's confusing although I (of course) understand the necessity to block spam.

Related tickets

#68 #1057 (Anti-spam tools)

[DarTar]

YodaHome, the current .htaccess-based filtering is really a quick and dirty hack to block spam. The list of bad words is supposed to be user-maintained, but I agree it's not a very 'usable' technique. I wouldn't consider this a major issue, though (precisely because it can be easily solved by editing the .htaccess file). In the future we should implement better (more effective/flexible) tools against spam. See #68

As for "Kontakt" I guess it was included in the list because of some previous spammer using this word in the hostname. I agree that we should review the list and make the filter more selective.

(Marking this ticket for 1.1.7)

[yodahome@…]

Sorry, wasn't meant to be a major. However, I only consider this a problem since it is the default behaviour and usually you wouldn't expect someone to find and actually control the list. A less experienced user might not even know that .htaccess could be the problem (and thus not change it). And you wouldn't exspect it to block requests from the same domain and server (although spammers could use this hole once known). However, I understand this is not meant to be a final solution but I thought it was worth a ticket.

[steve@…]

I want to thank yodahome@… for posting this. I just spent three hours researching the same problem, then found this post. Now at least I know I am not crazy. Thanks again, Steve

[DarTar]

Retargeting to 1.3. Code for this ticket may have already been committed to trunk, from which 1.3 will be branched. Consider backporting urgent issues to 1.2.X

[BrianKoontz]

(In [1881]) This one fell through the cracks. Agreed that this is a really antiquated way of dealing with spammers, probably just needs to be removed. Refs #341.