[wp-hackers] WordPress Checking Own Pingbacks - Intended Behavior?

Dougal Campbell dougal at gunters.org
Mon Nov 19 15:34:56 GMT 2007


Viper007Bond wrote:
> I disagree. This is an Akismet issue.
>
> Your solution would be to avoid filtering local pingback/trackbacks. This is
> bad and would break some plugins and would provide no way to filter them at
> all.
>
> Akismet needs to be smart enough to ignore ****backs from a local source.

On the one hand, we *can* look at the source URL provided in a *back,
compare it to our local blog URL and see if the hostnames match. But on
the other hand, this does not guarantee that the ping actually came from
an internal post. There's nothing to stop a Bad Guy from flooding your
blog with faked pings that claim to be from your own posts.

If you whitelist pings that appear to be from your own blog without
doing other checks (outside of the pingback/trackback specifications),
you'll open yourself up for a sort of DoS attack. Really, the only way
to know if a ping is really local is if you can determine the IP number
your host uses for outgoing traffic. Which is not necessarily the same
IP that DNS gives for your blog's hostname. And there's no consistent
way to determine it in an automated fashion, due to the vast differences
in operating systems and hosting setups in use out in the wild.

Even if you set up some sort of self-ping verification process to try to
capture the IP, in many hosting setups there's no guarantee that the IP
wouldn't change at a future time. In fact, there may be a different
outgoing IP number on a request-by-request basis (multi-homed networks).

If you want to try to define what a "local" ping is, I think it needs to
be done in a separate plugin that can examine it before Akismet does,
and bypass Akismet as needed. The problem is that this theoretical
plugin isn't necessarily going to be generic enough to cover all
possible hosting scenarios.

-- 
Dougal Campbell <dougal at gunters.org>
http://dougal.gunters.org/
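The two checks discussed above, as an added illustration (not code from this thread or from WordPress): the naive hostname comparison, and a stronger local-post check that still needs no knowledge of the outgoing IP. The blog URL, the in-memory posts table and the ping values are all constructed sample data.

```python
from urllib.parse import urlparse

# Constructed sample: our blog URL and a tiny stand-in for the posts table
# (permalink -> stored post content). This is not WordPress's real API.
BLOG_URL = "http://blog.example.org/"
LOCAL_POSTS = {
    "http://blog.example.org/2007/11/first-post/":
        '<p>See <a href="http://blog.example.org/2007/11/second-post/">part two</a>.</p>',
    "http://blog.example.org/2007/11/second-post/":
        "<p>No outbound links in this one.</p>",
}


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def looks_local_by_hostname(source_uri: str) -> bool:
    """The naive test: does the claimed sourceURI share our hostname?
    Anyone can write our hostname into that field, so a match alone
    proves nothing about where the ping actually came from."""
    return _host(source_uri) == _host(BLOG_URL)


def is_verified_local_pingback(source_uri: str, target_uri: str) -> bool:
    """Stronger test: the claimed source must be a post we really publish,
    and that post's stored content must link to the target, which is what
    the pingback spec requires of a genuine source anyway."""
    if not looks_local_by_hostname(source_uri):
        return False
    content = LOCAL_POSTS.get(source_uri)
    if content is None:
        return False  # our hostname, but no such post exists locally
    # Exact-string href match is enough for this illustration; a real
    # implementation would normalise URLs before comparing.
    return f'href="{target_uri}"' in content


def classify(source_uri: str, target_uri: str) -> dict:
    """Run both checks so the difference between them is visible."""
    return {
        "hostname_match": looks_local_by_hostname(source_uri),
        "verified_local": is_verified_local_pingback(source_uri, target_uri),
    }
```

A ping whose sourceURI carries the blog's hostname but names a post that does not exist, or one that does not link to the target, passes the first check and fails the second; this still does not address the outgoing-IP question raised above.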