Obfuscate profile links

[jonoaldersonwp]

Changing the way in which profile links output is part of broader approach to 'solving' spam profiles on wordpress.org. See ​https://www.jonoalderson.com/wordpress/wordpress-org-toxic-profile-spam/ for long-form research and rationale.

This part of the solution requires us to:

• Alter the destination of the link URL, to obfuscate the destination and pass it through an internal redirection system. Specifically, an example profile link to ​https://www.example.com/example-spam-link/ should be transformed to ​https://profiles.wordpress.org/out/abc123, where abc123 is a hashed (and salted with a secret) key representing the profile URL. Requests to that URL should execute a 301 redirect to the actual profile URL.
• Add a disallow rule to the ​https://profiles.wordpress.com/robots.txt file, which blocks the /out/ folder.

[Ipstenu]

Would it be feasible to only disallow profiles that are blocked or flagged? We have the ability to mark an account as blocked, and logically that's the most common spammy profile we'll see.

Your example of profiles.wordpress.org/phathaiophunhuan/ is a banned account, so logically that should show ... nothing?

[jonoaldersonwp]

No, crawl prevention can only be handled via robots.txt, and it'd be impractical (and technically challenging) to adapt that dynamically based on bad profiles. I'm also not if/how sure this would be advantageous for us.

RE: banned accounts; as per my post, I expected some of the examples I highlighted to have been 'fixed' since I discovered them. See also, #4632

[dd32]

I personally disagree with using something like /out/ as a redirect, however acknowledge that it's a easy way to deal with the years of spam links that we've accumulated that we're otherwise unable to detect.

As part of the other profiles changes, I've hidden the URL for banned accounts which helps a little bit.

Would using https://profiles.wordpress.org/out-redirect/$user suffice here though? AFAICT it doesn't need to be signed, or otherwise secret as long as it's within a directory that's not-a-user (such as the user 'out') and that can be blocked in the robots.txt?

[jonoaldersonwp]

Yep! :)

That example is fine - we're good as long as we're:

• Obfuscating the URL so that automated spam tools can't (as easily) detect that their link is on the page.
• Using a structure which we can disallow search engines from following in the robots.txt file

We could even simplify to something like /?redirect_profile_link.php?user=$user, if that's preferable.

[dd32]

Fixed in r15376-dotorg.

[dd32]

$ curl -s https://profiles.wordpress.org/dd32/ | grep 'dd32.id.au'
Website: <strong><a href="https://profiles.wordpress.org/website-redirect/dd32" title="https://dd32.id.au/" rel="nofollow">dd32.id.au</a></strong>

$ curl -Is --referer https://profiles.wordpress.org/dd32/ https://profiles.wordpress.org/website-redirect/dd32 | grep location
location: https://dd32.id.au/

$ curl https://profiles.wordpress.org/robots.txt
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /website-redirect/

[jonoaldersonwp]

Could you remove the title attribute from the link, too, please?