I'm trying to figure out why a rule failed.
Background: I've had this pair in my htaccess for ages to deal with my robotic Ukrainian friends. They've got some favorite IPs; I put in the forged referers as a fallback.
RewriteCond %{HTTP_REFERER} www\.trafficfaker\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} \.(ua|su|mobi)/ [NC]
RewriteRule . - [F]
RewriteCond %{HTTP_REFERER} \.ru/ [NC]
RewriteCond %{HTTP_REFERER} !(google|yandex)\.ru [NC]
RewriteRule . - [F]
This has always worked as intended: lock out anyone who claims to have been referred by sites in the Ukraine or Soviet Union (a tld that I have never seen except in forged referers), and same for Russia unless they're coming in via an authorized search engine. The seemingly benign "\.mobi" is because I've never met it in real life, only as part of the Ukrainians' repertoire. And trafficfaker got thrown into the same rule just for convenience. ("Don't like your face" principle. I have never figured out what they're supposed to do.)
So how did someone giving images.yandex.ua/yandsearch as referer get in? Am I overlooking something embarrassingly obvious?
I've discarded Explanation A: that .htaccess read my mind and figured out that I would not have excluded yandex.ua if I had known such an entity existed.
In case anyone wondered, the search string-- in Cyrillic-- was for something like "rats in art", and led to a couple of appropriate jpgs.
Postscript:
The .htaccess has now relocated .ua to the second rule, which says
RewriteCond %{HTTP_REFERER} \.(ru|ua)/ [NC]
RewriteCond %{HTTP_REFERER} !(google|yandex)\.(ru|ua)/ [NC]
I wanted to put %1 at the end of the second Cond, but couldn't find any hard evidence that you're allowed to :(
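An added example, not part of the original post: mod_rewrite expands %N in a RewriteCond TestString but not in the CondPattern, so the usual idiom moves %1 into the TestString and matches it with the regex's own \1. The Python model below compares that form, with the host anchoring added here as an assumption, against the postscript's patterns on constructed referers.

```python
import re

# Apache form being modelled (anchoring to the host part is an addition):
#   RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.(ru|ua)/ [NC]
#   RewriteCond %1<>%{HTTP_REFERER} !^([a-z]+)<>https?://([^/]+\.)?(google|yandex)\.\1/ [NC]
#   RewriteRule . - [F]
COND1 = re.compile(r"^https?://[^/]+\.(ru|ua)/", re.I)
COND2 = re.compile(r"^([a-z]+)<>https?://(?:[^/]+\.)?(?:google|yandex)\.\1/", re.I)

# The two patterns exactly as posted in the postscript (unanchored).
POSTED_COND1 = re.compile(r"\.(ru|ua)/", re.I)
POSTED_COND2 = re.compile(r"(google|yandex)\.(ru|ua)/", re.I)


def blocked(referer):
    """Anchored variant: the captured TLD is prepended to the test string,
    the way %1 would be in the TestString, and \\1 compares against it."""
    m = COND1.search(referer)
    if not m:
        return False
    test_string = f"{m.group(1)}<>{referer}"
    return COND2.search(test_string) is None  # second cond is negated


def blocked_as_posted(referer):
    """The postscript's two conditions, ANDed, second one negated."""
    return bool(POSTED_COND1.search(referer)) and not POSTED_COND2.search(referer)


# Constructed sample referers (not taken from any log).
SAMPLES = [
    "http://images.yandex.ua/yandsearch?text=x",   # search engine, allowed
    "http://www.google.ru/search?q=x",             # search engine, allowed
    "http://spam.example.ua/page",                 # plain .ua referer
    "http://spam.example.ua/google.ru/",           # engine name only in path
    "http://example.com/?u=http://x.ru/",          # .ru/ only in query string
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{ref:45} posted={blocked_as_posted(ref)!s:5} "
              f"anchored={blocked(ref)}")
```

The last two samples are where the forms differ: the unanchored patterns match text in the path or query string, while the anchored ones only look at the referring host.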