Forum Discussion

benoit_9199 (Nimbostratus), Jan 16, 2018

Blacklisting HTTP Traffic iRule "leaks" some matching requests to the backend servers

Hi,

Suddenly having the need to add some per-referer filtering capabilities to our setup, I created the following iRule, based on our IP blacklist iRules:

when HTTP_REQUEST {
    # Check if the Referer header matches an entry in the blacklist data group
    if { [class match [HTTP::header "Referer"] contains _phx_referer_blacklist] } {
        pool _pool_empty
        persist none
        event disable all
        HTTP::respond 403 content "Unauthorized Access" "Content-Type" "text/html" "Connection" "close"
        TCP::close
        # Uncomment the line below to turn on logging.
        log local0. "Blacklisted Referer [HTTP::header "Referer"] for client IP: [IP::client_addr] '[HTTP::method] [HTTP::host][HTTP::uri]' - discarding"
    }
}

The iRule correctly matches and discards 90% of the requests, like this:

Jan 16 16:35:18 lb1 info tmm[19473]: Rule /Common/_rule_phx_http_referer_blacklist : Blacklisted Referer http://www.a2r-media.com/boost/afficheframe.php for client IP: 158.169.xx.yy 'GET ' - discarding

However, some requests do find a way to the backend servers.

130.79.yy.xx - - [16/Jan/2018:16:46:48 +0100] "GET / HTTP/1.1" 200 36229 "; "Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0"

I am a bit puzzled; how could this be possible?

1 Reply

Hello Benoit,

Is "event disable all" necessary? Do you have other iRules that use the same event on the same VS?

The risk is that, if you are redirecting the client back to the same virtual server, you may face situations where the client uses the same connection. This in turn means no further events will be executed, because all events were disabled for that connection.

And therefore your restriction does not work...

Regards
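For reference, here is a variant of the questioner's iRule written to avoid the behaviour the reply describes. It is an added illustration, not code from this thread or from F5: it keeps the same data group name (_phx_referer_blacklist) and the same 403 response, but drops "event disable all" (which would switch off HTTP_REQUEST for every later request on a kept-alive connection, so a second request on that connection would skip the check entirely) together with the pool/persist/TCP::close lines, and instead ends the request with "return" and lets the "Connection: close" header tear the connection down after the response has been sent. Whether a 403 with Connection: close is the desired behaviour for your site is an assumption.

```tcl
when HTTP_REQUEST {
    # Evaluate every request on the connection, not just the first one:
    # keep-alive clients reuse one TCP connection for many requests, so the
    # check must run on each HTTP_REQUEST event rather than disabling events.
    set referer [HTTP::header "Referer"]

    # Substring match against the blacklist data group (same operator as the
    # original rule). An absent Referer yields an empty string and no match.
    if { [class match $referer contains _phx_referer_blacklist] } {
        # Log first, so the entry is written even if the client disconnects early.
        log local0. "Blacklisted Referer '$referer' for client IP: [IP::client_addr] '[HTTP::method] [HTTP::host][HTTP::uri]' - rejected"

        # Answer the request directly on the BIG-IP; nothing is sent to a pool member.
        # "Connection: close" asks the client to drop the connection after this
        # response, so no further requests ride on it. No TCP::close here, which
        # could otherwise cut the connection before the 403 is flushed.
        HTTP::respond 403 content "Unauthorized Access" "Content-Type" "text/html" "Connection" "close"

        # Stop processing this event; the request never reaches pool selection.
        return
    }
}
```

To confirm the fix, compare the BIG-IP log entries ("- rejected") with the backend access logs over the same window: with the check running on every request, no line whose Referer field contains a blacklist entry should appear on a backend server, including requests that arrived on a connection that had already been rejected once.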