IP address check will produce a lot of false positives

[websupporter]

With the GDPR coming, a lot of people will delete the IP address automatically, leaving an empty string or 127.0.0.1 or something similar. If this happens before our IP comparison, it will produce a lot of false positives. If it happens after our IP comparison, the comparison is useless.

We should consider to refactor this check.

This is, what I see right now:

1. Get rid of the check completely
2. Decouple email/IP/website-check, which is currently done in one step and give the user the ability to remove only the IP check

We should do this quite soon.

[stklcode]

Are there any real world numbers on the percentage of Spam blocked by IP checks?
I just got numbers for login attempts where single IP checks are far less useful than subnet comparisons, as many botnets operate on some kind of round-robin rotation.

Generally, version 2, separating the steps technically, might be a good idea, even if the IP filter is dropped.

If the filter stays, I'd like to put one more suggestion into discussion, that is add a filter to automatilly skip the check, even if enabled, on such "addresses". Could match empty strings and local addresses (loopback and server's IP(s)) by default. This also fixes potential pre-existing issues with intransparent or just badly configured reverse proxies.

[Zodiac1978]

There are at least two occurrences to check:

• IP check itself (hostname to IP/IP to hostname check). This is not recommended to use because of load balancers, etc.

• IP comparison in local spam database. This could be skipped if the IP is empty (maybe already the case) or if the IP is 127.0.0.1.

[websupporter]

I think the cleanest way forward here would be remove the IP-check for the local database, but leave the others in place.

[websupporter]

related: https://core.trac.wordpress.org/ticket/43588

[Zodiac1978]

Am I missing something or is the IP-check not removed? @websupporter

[websupporter]

@Zodiac1978, after some legal consultation by @krafit, we came to the conclusion, we can save a hash of the IP and check the IP of the currently incoming comment with the hashes, we have saved in the database.

[Zodiac1978]

@websupporter This is not a legal question. It is about: What happens if every IP is changed to 127:0:0:1 or an empty value. Does it break our checks?

[websupporter]

No @Zodiac1978. We save it by our own. What I mean, we have WP plugins out there, which alter the IP address when the comment is saved. So we shouldn't rely on the saved data in wp_comments no longer. Instead, we are building our own database with hashes, which we directly generate while saving the comment.

What we rely on is $_SERVER['REMOTE_ADDR'] to be populated.