
false-positives on SORBS DNSBL when editing MW1.9 pages from dynamic IP's
Closed, Resolved, Public

Description

Author: carlb613

Description:
User blocked: Your user account or IP address have been blocked by SORBS DNSBL;
IP is listed as an SORBS DNSBL open proxy. You may contact SORBS DNSBL or one of
the other administrators... your IP address is 66.102.74.xxx...

Server configuration is:
MW1.9-svn (current as of yesterday), recently upgraded from MW1.8alpha
one standalone dedicated server, Fedora5, using both memcached and squid on
same localhost (127.0.0.1)
Apache's bound to 127.0.0.1:80, Squid is bound to :80 on one of the
datacentre's external static IP's

So, enable SORBS on MW1.9 and suddenly it won't let me edit any page from my
dynamic IP address.

This is happening only on wikis that I've upgraded to MW1.9alpha and then only
if I try to edit any page on these sites from a dynamic IP connection (PPPoE in
my case). It broke as soon as I upgraded to 1.9

If I edit by running lynx on a shell account on the server, everything works
fine and any edit appears in recentchanges as the server's external static IP.

It just doesn't want to let me edit from a dynamic IP.

Turning off $wgEnableSorbs makes the error go away, evidently.

I'd tried looking up my own address on SORBS' site and it reports the block as a
dynamic IP range (ADSL or dialup) but not as anything else particularly nasty.
And no, I'm not seeing this on MW1.8, just on the new upgrade.


Version: 1.9.x
Severity: normal
OS: Linux
Platform: PC

Details

Reference
bz8401

Event Timeline

bzimport raised the priority of this task to Medium. Nov 21 2014, 9:33 PM
bzimport set Reference to bz8401.
bzimport added a subscriber: Unknown Object (MLST).

carlb613 wrote:

*** Bug 8402 has been marked as a duplicate of this bug. ***

I don't get any matches testing with a few random IPs in the range you gave.

Please give an exact IP address to test.

carlb613 wrote:

My current IP is (client) 66.102.73.140

I can edit unless $wgEnableSorbs = true; is present, using today's MW 1.9 SVN
version.

SORBS has many false positives, probably more than the number of true positives.
You shouldn't use it unless you don't mind blocking those people. This is not a
bug in MediaWiki, it is either a configuration problem on your wiki (i.e. the
fact that you have SORBS enabled), or a problem with the SORBS delisting policy,
depending on the way you look at it. Please address complaints about SORBS
itself to http://www.sorbs.net/ .

carlb613 wrote:

SORBS lookup directly on the http://www.sorbs.net website claims that this
address is not an open proxy.

I don't get a match using the MW code either:

$ php maintenance/eval.php

return $wgEnableSorbs;

bool(true)

return $wgSorbsUrl;

http.dnsbl.sorbs.net

return $wgUser->inSorbsBlacklist( '66.102.73.140' );

bool(false)

Can you confirm?

Also try the lookup manually:

$ host 140.73.102.66.http.dnsbl.sorbs.net
Host 140.73.102.66.http.dnsbl.sorbs.net not found: 3(NXDOMAIN)

Previous versions of MW did the lookup with a hardcoded "http.dnsbl.sorbs.net.",
so also try with the extra . at the end:

$ host 140.73.102.66.http.dnsbl.sorbs.net.
Host 140.73.102.66.http.dnsbl.sorbs.net not found: 3(NXDOMAIN)

carlb613 wrote:

$ php maintenance/eval.php
PHP Warning: posix_isatty(): cannot seek on a pipe in
/var/www/html/fr/install-utils.inc on line 66

return $wgEnableSorbs

bool(true)

return $wgSorbsUrl

http.dnsbl.sorbs.net

return $wgUser->inSorbsBlacklist('66.102.73.140')

bool(true)

$ host 140.73.102.66.http.dnsbl.sorbs.net
Host 140.73.102.66.http.dnsbl.sorbs.net not found: 3(NXDOMAIN)
$ host 140.73.102.66.http.dnsbl.sorbs.net.
Host 140.73.102.66.http.dnsbl.sorbs.net not found: 3(NXDOMAIN)

(version is MediaWiki: 1.9alpha, PHP: 5.1.6 (apache2handler), MySQL: 5.0.22)

carlb613 wrote:

I'm looking at "includes/User.php" line 898 of 2519:

$ipList = gethostbynamel( $host );

on call, $host was '140.73.102.66.http.dnsbl.sorbs.net'
on return, $ipList[0] becomes '209.139.209.130' - which is the address of the
wiki server.

$ php maintenance/eval.php

return gethostbynamel('73.65.102.66.http.dnsbl.sorbs.net')

array(1) {

[0]=>
string(15) "209.139.209.130"

}

carlb613 wrote:

$ php maintenance/eval.php
PHP Warning: posix_isatty(): cannot seek on a pipe in
/var/www/html/fr/install-utils.inc on line 66

return gethostbynamel('140.73.102.66.http.dnsbl.sorbs.net')

array(1) {

[0]=>
string(15) "209.139.209.130"

}

Sounds like you've got a weirdly broken local DNS or something. Check
/etc/resolv.conf and /etc/hosts...?

Also check if adding the . on the end changes the result.

carlb613 wrote:

Ah, so the trailing . on .sorbs.net. is necessary, according to
http://ca.php.net/gethostbynamel

"User Contributed Notes - gethostbynamel - info at methfessel-computers.de -
29-Sep-2006 06:27
The solution is simple. Just add a . (point) to the end of the URL for correct
name resolving.
Without this point PHP thinks it's a subdomain of your local domain and so
returns the "local-IP"."

return gethostbynamel('140.73.102.66.http.dnsbl.sorbs.net.')

bool(false)

Therefore, in "includes/DefaultSettings.php" line 2075 of 2343, just change from:

$wgSorbsUrl = 'http.dnsbl.sorbs.net';

back to:

$wgSorbsUrl = 'http.dnsbl.sorbs.net.';

and all is well.

Ah I see, looks like your local domain has a wildcard of some sort, so the
negative lookups fall back to the localdomain and always come up with a positive
result. :)

Fixed in r18616.
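
The failure diagnosed in this thread, as an added example that is not MediaWiki's code and was not posted by any participant: a DNSBL check that always queries a fully qualified name and, going one step beyond the fix above, counts only answers inside 127.0.0.0/8 as a listing. The function names, the stub resolver and the listed test entry are constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not MediaWiki's API.

// Build the absolute DNSBL query name for an IPv4 address.
function dnsblQueryName(string $ip, string $zone): ?string {
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // IPv4 only in this sketch
    }
    $reversed = implode('.', array_reverse(explode('.', $ip)));
    // The trailing dot makes the name fully qualified, so the resolver
    // never retries it under the local search domain.
    return $reversed . '.' . rtrim($zone, '.') . '.';
}

// A listing is signalled by an A record inside 127.0.0.0/8 (RFC 5782);
// any other address means the answer did not come from the DNSBL zone.
function isListingAnswer(string $addr): bool {
    return filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        && strncmp($addr, '127.', 4) === 0;
}

// $resolver defaults to gethostbynamel(); injectable so the demo runs offline.
function inDnsbl(string $ip, string $zone, ?callable $resolver = null): bool {
    $name = dnsblQueryName($ip, $zone);
    if ($name === null) {
        return false;
    }
    $answers = ($resolver ?? 'gethostbynamel')($name);
    return is_array($answers)
        && count(array_filter($answers, 'isListingAnswer')) > 0;
}

// Constructed resolver imitating the server in this report: relative names
// fall through to a wildcard in the local domain; absolute names get
// NXDOMAIN, except one constructed listed entry.
$fakeResolver = function (string $name) {
    if (substr($name, -1) !== '.') {
        return ['209.139.209.130']; // wildcard answer seen in the thread
    }
    return $name === '2.0.0.127.http.dnsbl.sorbs.net.' ? ['127.0.0.2'] : false;
};

// The check as it misbehaved in the thread: relative name, any answer counts.
var_dump(is_array($fakeResolver('140.73.102.66.http.dnsbl.sorbs.net')));
// The hardened check on the same client address, then on the listed entry.
var_dump(inDnsbl('66.102.73.140', 'http.dnsbl.sorbs.net', $fakeResolver));
var_dump(inDnsbl('127.0.0.2', 'http.dnsbl.sorbs.net', $fakeResolver));
```

The answer-range check keeps a wildcard record, a captive resolver or a hijacked NXDOMAIN from blocking every editor even if the zone name is later configured without its trailing dot.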