This is an archive of past discussions.
Looks like the filters didn't work, as Bidhan Singh is back causing disruption. I guess I'm going to have to accept it. Wikipedia simply can't stop the guy :( GoodDay (talk) 16:48, 21 January 2019 (UTC)[reply]
You are indeed currently correct, and I cordially refer you at this time to my ANI posts on the topic. Feel free to hassle me further, however. -- zzuuzz(talk)16:49, 24 January 2019 (UTC)[reply]
you won't see that in that form again.. meaning in the form that includes his name? Do we already have an LTA page on this? Is he eligible for one? (I believe he does) --DBigXrayᗙ15:07, 25 January 2019 (UTC)[reply]
Who knows what they'll do next. I'm not persuaded about an LTA page, however it may be beneficial to make some notes at the SPI, especially, but not exclusively, anything before this month. -- zzuuzz(talk)15:11, 25 January 2019 (UTC)[reply]
It is a Dynamic IP of a narcissist WP:LTA vandal, whose self promotional campaign has been checked by edit filters (thanks to Zzuuzz), hence he is resorting to such nonsensical disruptive edits. For pages that are regularly vandalized, I also seek page protection e.g. diff, diff. Based on what I have seen recently, his IP is dynamic, but he continues on 10-15 disruptive edits, so IMHO it makes sense to block his IP which is why I had reported him at AIV. If admins like Zzuuzz and Oshwah feel that it is not worth blocking then I will save my efforts in future and let him continue his vandalism for the day. --DBigXrayᗙ07:12, 11 February 2019 (UTC)[reply]
Ahh, this huge IP range-hopping tomfoolery again... Yeah, I've been trying to figure out a good way of dealing with this throughout the day today... unfortunately, there's no perfect option. The ranges are incredibly wide, the articles edited are many, and the issues are ongoing. I've blocked the IP above for evasion. I'm interested to see how quickly the edits hop from one IP and range to another... ~Oshwah~(talk)(contribs)07:25, 11 February 2019 (UTC)[reply]
@Oshwah: I'll generally insta-block a /64 for a day or so if it's within the last day or so (with good reason, although not entirely effective). There's at least two common ranges which are something like 2405:204:C000::/39 and 2405:205:A000::/39. And we're filtering with 58 and 478. It's a tricky one to nail down. I'm hoping this is just a final spurt before they get bored. -- zzuuzz(talk)08:47, 11 February 2019 (UTC)[reply]
Zzuuzz - Thanks for the information. Yup, that's what I found when I looked into it and did some digging on the IP ranges involved; they're two very wide ranges that are both from the same ISP and geolocation, and (as you said) a tough situation to crack down on that doesn't have a silver bullet solution. I hope so, too... we'll find out one way or another. ;-) Thanks again for the input. Cheers - ~Oshwah~(talk)(contribs)08:53, 11 February 2019 (UTC)[reply]
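An added example, not part of the original discussion: how the /64 blocks and the two /39 ranges mentioned above relate, worked through with Python's `ipaddress` module. The two ranges are the ones quoted in the thread; the editor addresses are constructed for illustration, and the function names are this example's own.

```python
import ipaddress
from collections import Counter

# The two wide ranges quoted in the discussion above.
KNOWN_RANGES = [
    ipaddress.ip_network("2405:204:C000::/39"),
    ipaddress.ip_network("2405:205:A000::/39"),
]

# Constructed sample of editor addresses (not real log data).
SAMPLE_EDITS = [
    "2405:204:c08a:1b2c:1111:2222:3333:4444",
    "2405:204:c08a:1b2c:aaaa:bbbb:cccc:dddd",  # same /64, different host part
    "2405:204:c1f3:77:1:2:3:4",
    "2405:205:a011:9000::5",
    "2001:db8:1:2::99",                        # documentation prefix, unrelated
]


def slash64(addr):
    """Return the /64 network that contains an IPv6 address."""
    return ipaddress.ip_network(f"{addr}/64", strict=False)


def known_range(addr):
    """Return the known wide range containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in KNOWN_RANGES:
        if ip.version == net.version and ip in net:
            return net
    return None


def covering_prefix(addrs):
    """Smallest single IPv6 prefix that contains every address in addrs.

    The shared prefix of a set equals the shared prefix of its minimum and
    maximum, so XOR-ing those two finds the first differing bit.
    """
    values = [int(ipaddress.IPv6Address(a)) for a in addrs]
    differing = min(values) ^ max(values)
    prefixlen = 128 - differing.bit_length()
    host_bits = 128 - prefixlen
    base = (min(values) >> host_bits) << host_bits
    return ipaddress.IPv6Network((base, prefixlen))


def block_plan(addrs):
    """Count edits per /64 inside the known ranges; list everything else."""
    per_64 = Counter()
    unmatched = []
    for addr in addrs:
        if known_range(addr) is None:
            unmatched.append(addr)
        else:
            per_64[str(slash64(addr))] += 1
    return dict(per_64), unmatched


if __name__ == "__main__":
    plan, unmatched = block_plan(SAMPLE_EDITS)
    for net, count in plan.items():
        print(f"{net}: {count} edit(s)")
    print("outside known ranges:", unmatched)
    # One block covering the first three addresses is already a /39 ...
    print(covering_prefix(SAMPLE_EDITS[:3]))
    # ... and one block covering both known ranges would be wider still.
    print(covering_prefix(SAMPLE_EDITS[:4]))
```

Each /64 is a narrow, short-lived target, while a single prefix wide enough to cover the hopping addresses takes in a very large slice of the ISP's customers, which is the trade-off the thread describes.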
Hi. A user with username Chow Mridu paban is involved in POV pushing and adding unsourced/manipulated content (unrelated reference links) in Magh Bihu even after repeated reverts. User trying to remove his name from this list. Kindly take action soon. 157.47.190.33 (talk) 13:35, 23 January 2019 (UTC)[reply]
I, the IP, hereby give you the Checkuser Barnstar; for your due diligence and tiring works (including behind the scenes) in Sockpuppet investigations, courage to come up and block frivolous yet dangerous proxies, besides, management of time notwithstanding the overall service you have provided to Wikipedia. Thnx very much zzuuzz you are really great!!! 182.58.172.35 (talk)
I think the time has come to put random additions of the word "pubg" [2] to be added in edit filter list against vandalism. Your thoughts? (refer PUBG)
Hi, I'm CaptainDanger25, I'm the user that reported the Sim12 accounts. The user you blocked Benedictfoos2 hacked my account just right now. He changed the password under MediaWiki and now I can't log back in. He was a user I had issues with years ago. I was wondering if you try to get it back under my control. Thanks! --2605:6000:A507:A300:59AA:B37C:7C87:D6EC (talk) 03:38, 10 February 2019 (UTC)[reply]
I'll generally reserve blacklisting for sites which are repeatedly spammed. Not sure that's the case here. Also, different MO to the rest of today's spammers. -- zzuuzz(talk)19:54, 17 February 2019 (UTC)[reply]
You could compare it to Special:Contributions/Hick Hick. I got the exact same vibes when this account showed up last summer, and kept an eye on it for a while, but then it stopped editing, only to resurface several months later, and get CU-blocked by Ponyo. - Tom | Thomas.W talk19:39, 24 February 2019 (UTC)[reply]
Hi zzuuzz, I'd like to request rollback privileges. Initially thought I could manage without it, but have recently dealt with two instances that made me reconsider.
1) The first is described on this talk page thread I started today. An IP user made 3 consecutive edits, and in the first edit (Edit #1), they inserted (what I suspect was intentionally) incorrect info. In order to revert Edit #1, I had to revert Edits #2 and 3, which they quickly reverted before I could revert Edit #1. Rollback would've allowed me to just directly roll back all 3.
2) The second was clearly vandalism, in 2 parts. Edit #1 inserted vandalism in one part of the article; Edit #2 moved the reworded vandalism to a different spot in the article. When I reverted Edit #2, it rolled back to Edit #1, which ALSO contained the vandalism, and made it look like I was the one who added it. I quickly undid Edit #1, but the rollback tool would've prevented this problem.
In any case, if granted the rollback privilege, I will definitely use it carefully and sparingly per the rollback guidelines; I also noticed there were confirmation scripts available, as well as a way to add edit summaries--both would be quite useful.
Hi zzuuzz, forgot to leave a message here yesterday--I ended up enabling TWINKLE, and it's the better option for me, so thanks a lot for the suggestion. I posted a reply to your post anyway, in case you had time to read it. It is a bit long (didn't have enough time to trim it down more), but I hope it contains satisfactory answers to your questions/concerns. Thanks again for your time and help! Big universe (talk) 03:20, 20 March 2019 (UTC)[reply]
Concern for granting permission
Hello sir, I'm an active user of Wikipedia. And I have requested for permission for helping Wikipedia for a safer place and help fellow Wikipedians. If you feel I need more practice though, I'll be happy to gain more experience. So, I would like to grab your attention. I'm extremely sorry if my words are rude towards you sir. Thank you for taking the time to review my case, and have a nice day! AR.Dmg (talk) 12:22, 23 March 2019 (UTC)[reply]
Hello, Zzuuzz. Please check your email; you've got mail! It may take a few minutes from the time the email is sent for it to show up in your inbox. You can remove this notice at any time by removing the {{You've got mail}} or {{ygm}} template.
@InfodudeUK: But you are not commenting on the image - frankly that will be a bit difficult to accomplish - and, with the Brexit image at least, there is already a free alternative available. You might also want to read WP:NFCC in particular. -- zzuuzz(talk)19:19, 30 March 2019 (UTC)[reply]
@Zzuuzz the free alternative is now out of date with Brexit having not happened on March 29th, my revision corrects to April 12th the timeline. — Preceding unsigned comment added by InfodudeUK (talk • contribs) 19:23, 30 March 2019 (UTC)[reply]
@InfodudeUK: You are welcome to write some text, or create a new image, or update the existing image, though obviously nothing too similar to the BBC image. Sorry but we take copyright very seriously around here. There's simply not enough justification here to just nick someone else's work (and claim it as your own). You should really read that page. -- zzuuzz(talk)19:27, 30 March 2019 (UTC)[reply]
Thanks for blocking that IP I reported. As you included yourself in Category:Wikipedia_administrators_willing_to_grant_rollback_requests, I just wanted to let you know that WP:PERM/R has been sitting just below the backlog threshold for a couple of days (for reasons entirely unrelated to the fact that I'm on that request list). If you have a moment to consider those requests, it would be much appreciated.
Moving this here since it’s really a different discussion, but thanks for pointing them out. I looked at the OTRS ticket and there was nothing particularly sensitive going on there, and over a decade the ownership of the IPs may have changed/whatever students were in the supposed school are now at the very least no longer there/not in school at all given the passage of time. TonyBallioni (talk) 15:34, 19 April 2019 (UTC)[reply]
Then thanks for reviewing and unblocking them, though I would say that it's the staff and not the students that matter, and whether the same staff is still there and what they might have been promised (wiki policy aside). The staff obviously realised that it's no use stopping particular students and that kids will always be kids and that the spew will always continue. Hopefully their firewall investment has improved in the last decade. -- zzuuzz(talk)15:46, 19 April 2019 (UTC)[reply]
Would it be at all possible if I could ask you to block 140.0.160.175? It is one of several IPs used by an IP-hopping vandal that spams pages with poorly written, usually incorrect, often original research nonsense, or, alternatively, spams pages with inappropriate, nonexistent and or non-existent and inappropriate categories. It has become active again at this particular IP, and the only viable strategy I've found to deal with this vandal is to request that its current IP be blocked for a while so that all of its recent edits can be reverted as per WP:DENY (as searching through its many bad and unconstructive edits for its few good edits is a headache). Thank you for your time in hearing my request.--Mr Fink (talk) 04:17, 29 April 2019 (UTC)[reply]
I'd say a lot of the time you can probably rely on your own usual non-proxy block length algorithm. Most are gone within a few days, so a month won't usually hurt anyone. Three probably won't hurt much either. If they've been blocked before it's probably a different matter - blocked in the last year, maybe block for a year? -- zzuuzz(talk)18:56, 2 May 2019 (UTC)[reply]
Recently, several Wikipedia admin accounts were compromised. The admin accounts were desysopped on an emergency basis. In the past, the Committee often resysopped admin accounts as a matter of course once the admin was back in control of their account. The committee has updated its guidelines. Admins may now be required to undergo a fresh Request for Adminship (RfA) after losing control of their account.
What do I need to do?
Only to follow the instructions in this message.
Check that your password is unique (not reused across sites).
Check that your password is strong (not simple or guessable).
Enable Two-factor authentication (2FA), if you can, to create a second hurdle for attackers.
How can I find out more about two-factor authentication (2FA)?
Administrator account security (Correction to Arbcom 2019 special circular)
ArbCom would like to apologise and correct our previous mass message in light of the response from the community.
Since November 2018, six administrator accounts have been compromised and temporarily desysopped. In an effort to help improve account security, our intention was to remind administrators of existing policies on account security — that they are required to "have strong passwords and follow appropriate personal security practices." We have updated our procedures to ensure that we enforce these policies more strictly in the future. The policies themselves have not changed. In particular, two-factor authentication remains an optional means of adding extra security to your account. The choice not to enable 2FA will not be considered when deciding to restore sysop privileges to administrator accounts that were compromised.
We are sorry for the wording of our previous message, which did not accurately convey this, and deeply regret the tone in which it was delivered.
Zzuuzz, could you kindly ask Mr. Docker not to edit my talk entries? He's made the odd allegation that it is an "unwarranted reference to his wife," when, in fact, it refers to someone who was editing under that name. I'm done editing here, but it's the principle of the matter, as there is nothing violative that I can think of. Thanks. Mystic Technocrat (talk) 16:07, 5 May 2019 (UTC)[reply]
Hi Z, Rajeshbieee is requesting an unblock. There is a history of sockpuppetry, but with a cursory understanding of his case, I think he might have screwed up early on and may now have a legitimate interest in contributing constructively. He's invoking the Standard Offer and has willingly agreed to a CU colonoscopy here. Would you be willing to do the messy work? Thank you in advance, Cyphoidbomb (talk) 04:49, 6 May 2019 (UTC)[reply]
Zzuuzz, I LOVE looking at your log, but I was more being chatty along the lines of "hey smart people put a stop to this", haha, because I saw y'all's names in the CU logs. You know, I still know way too little about the global thing and don't have much of an inclination to learn. Should I? What these stewards do seems so difficult, and even further removed from article writing... Drmies (talk) 00:13, 10 May 2019 (UTC)[reply]
Hello
I am a new user. I have been undoing vandalism edits and reporting users, but I want to learn more about Wikipedia.
Do you know if there is an article about Wikipedia policy?
After some peace and quiet, the Indian university cellphone spammer dropped another one: 9540098653 [5]. Maybe you can add to filter as opportunity arises. Cheers --Elmidae (talk · contribs) 16:47, 11 May 2019 (UTC)[reply]
I think we're mostly up to date, as there are some variations of that number in the filter. The spammer is hitting what I'll dub the 'useless nonsense limit', where they have to mangle stuff so much to avoid the filter that it becomes useless nonsense. Have some PC instead, this time. -- zzuuzz(talk)18:16, 4 June 2019 (UTC)[reply]
Hi. Onurkd is a new account that is showing good abilities to make edits that require experience such as uploading pics and very good skills with reference templates. Seraphim System and her confirmed socks had a habit of typing their edit summaries before the auto-generated text ([12][13][14][15][16][17]). The same thing is being done by Onurkd. Onurkd till now has edited only articles of the main topic edited by Seraphim System and her socks (Ottoman and Turkish history). Can you check the accounts to see whether they are linked or not? Ktrimi991 (talk) 17:19, 16 May 2019 (UTC)[reply]
Userpage of Malayalammojo contains suspicious descriptions. New account, but sounds like not a beginner user, especially the last sentence seems like the user was involved in arguments before and got blocked. Is the user calling the administrators an *******? 2405:204:D38A:CA0B:7D0F:C514:A118:5A35 (talk) 14:12, 22 May 2019 (UTC)[reply]
On several Wikia sites, I've noticed several disgusting attack pages directed towards you (such as [18] & [19]). Should we take these as potentially serious threats or just abominable trolling? Are these necessary to report, in your opinion? I am curious to know who's behind this trolling. 12.217.229.162 (talk) 16:31, 25 May 2019 (UTC)[reply]
Hello, yes there's a few of those, and TBH it's nothing particularly new. This time (as usual) it's a troll in America who is banned here for doing vandalism and making threats. I take it about as seriously as a flying turd. I've never figured out the correct place to report abuse there. Maybe you or someone else would know? -- zzuuzz(talk)16:41, 25 May 2019 (UTC)[reply]
Check user
This one was blocked (for persistent unsourced editing) before I could file an SPI that comes under this group. This is likely a follow up sock after Vaishakh bahu bali. Vandalising the financials in selected pages and the same "Tags: Mobile edit, Mobile web edit, Visual edit". Could you please perform a check to confirm it is the same guy? So this account can also be used as a reference in identifying the behaviour in future cases. Continental Rift (talk) 19:14, 29 May 2019 (UTC)[reply]
Hi zzuuzz, I haven’t looked since the initial check, but Bsadowski1 pinged me in -checkuser IRC about them because of other issues. I’m assuming you found more accounts on different ranges than I checked, but we were both curious as to who the original master was. Courtesy ping to Ruslik0 since he seems to be running point on meta. Probably relevant since they apparently want to run for +sysop again immediately... TonyBallioni (talk) 22:36, 2 June 2019 (UTC)[reply]
@TonyBallioni: Yup, I would say note the checks I did - several accounts (most locked and some noted elsewhere), and a good rummage around various xwiki logs and deleted edits. And I CU-blocked VoltageP. But I don't know any such sockmaster. There were a few blocks on simplewiki, IIRC, but the answer probably lies somewhere between rowiki and wikidata. -- zzuuzz(talk)23:44, 2 June 2019 (UTC)[reply]
@TonyBallioni: After looking over the accounts (and what you said above about the LTA wanting to "run for +sysop again immediately"), my conclusion is that this is Wonderfool, who is probably better known as Robdurbar here on en.wiki. This guy managed to trick the en.wiktionary admins into granting him adminship 5 times on that site. From what I can tell, he's been doing this for years, and when he's not trolling & making a mess on the admin-related pages here, it seems that he's trying to build up trust via a "good hand" sock to make another run at adminship again (one of his socks on en.wiktionary even claimed that someday, he would "find a way back in"). This person appears to be very familiar with CheckUsers and sysops in general, and he even claims to be an ex-SPI Clerk. (Though from his activities, he may have been a CU, though I can't really tell.) He's still making a mess cross-wiki, mostly here and on en.wiktionary. He never seems to stop for long. LightandDark2000 🌀 (talk) 06:19, 4 June 2019 (UTC)[reply]
Hello. The reason this article was set for WP:PC was so that anonymous users would not change the WP:BIOLEAD counter to the discussion on the talk page. This edit should not have been approved, but it made it into accepted when you approved the subsequent edit. --SVTCobra (talk) 11:39, 6 June 2019 (UTC)[reply]
Hello. I'll consider that going forward, however, whether the edit should remain (which it currently does) is a different question to whether the pending edit should have been approved. If you don't like it (and I can see why you might not) then simply undo it. In terms of PC approval it did not violate any policies and you could even say that the consensus, and history, about this particular change is weak at best. PC is not a good tool for content disputes of this sort. Attempting to hold a lede in stasis with PC is almost certainly going to fail. -- zzuuzz(talk)15:14, 6 June 2019 (UTC)[reply]
RevDel Content
On WP:ANI, you Revision Deleted one of my edits as "purely disruptive material". I do not believe my edits were disruptive in any way whatsoever. Would you mind explaining the deletion?
Grossly insulting, degrading, or offensive material that has little or no encyclopedic or project value and/or violates our biographies of living people policy. This includes slurs, smears, and grossly offensive material of little or no encyclopedic value, but not mere factual statements, and not "ordinary" incivility, personal attacks or conduct accusations.
Hello EggRoll97. Actually, no. I've only revdel'd one ANI revision recently, just after 4pm on 29 May, so let's go into that. The edit was by 182.19.154.231, which was being used by one of our regular LTAs - Jaredgk2008. I assume it was disruptively offensive as per usual. I assume that, because actually I can no longer see what it said. You can probably guess this from the page history and logs: I only deleted one single revision, whereas it fell in the middle of a series of about 1,500 edits between 21 May and 30 May which were all since oversighted. I won't speculate about the reasons - oversight don't normally do something like that without good reason, but I can probably point in the direction of some places to query it if you have reason to doubt. The main point I'd like you to take away about this stuff when it happens: if a revision has been deleted then it was deleted because the page contained something deletable. It doesn't mean that you added it. -- zzuuzz(talk)18:45, 19 June 2019 (UTC)[reply]
What you are saying is that I was wrong to fight vandalism that was happening realtime while I was addressing it. You are ignoring my view of the incidents and defending someone who was deliberately breaching BLP. Perhaps you would prefer me to ignore vandals in future? After all, I would much rather write articles than be a policeman. Why do I bother? No Great Shaker (talk) 00:09, 3 July 2019 (UTC)[reply]
Not in the slightest. I'm just saying, only say "they edited after warning", after they've edited after a warning. From my point of view, and probably theirs, you asked them to stop and they stopped, which is what we're after. -- zzuuzz(talk)00:14, 3 July 2019 (UTC)[reply]
Hii, This user is hard blocked by ArbCom (by you) 2 months ago, Can you remove their special user rights? Thanks! -- CptViraj (📧) 14:21, 3 July 2019 (UTC)[reply]
OK, done. For the record, although I am not on Arbcom, I do happen to be familiar with the particular circumstances behind this block. Also for the record, per WP:INDEFRIGHTS in general such rights are not permanent but there is often no hurry to remove them. Saying that, this one won't be needing those again. -- zzuuzz(talk)15:40, 3 July 2019 (UTC)[reply]
re [20]: honestly, I can't quite figure out now what happened there. Obviously, the current Jampal abhrishek is Wikinger, as was the Jampal abhrishrek I got locked in January. At that time, I must have been seeing a different legitimate user under the "Jampal abhrishek" name somewhere, but I'm damned if I know how Wikinger now got hold of that account name too. Either I misspelled it at the time and the legitimate user is somewhere under yet a third similar spelling, or the legitimate user got renamed and Wikinger subsequently hijacked the name? Fut.Perf.☼08:48, 4 July 2019 (UTC)[reply]
Hi Zzuuzz. Recently an editor filed a report at WP:AN3 from a London-based IP. (This was their only Wikipedia edit, and they were not a party to the dispute they were reporting). Ipqualityscore.com says it is a VPN, but only gives a score of '65 - suspicious'.
Would this justify any action? One rule that occurs to me is that socks should not participate in Wikipedia space. ("Undisclosed alternative accounts are not to be used in discussions internal to the project.") I am not aware of any general rule about editing from a VPN. Thanks, EdJohnston (talk) 15:40, 5 July 2019 (UTC)[reply]
Hi Ed. I'm not sure about a 65. VPNs are generally quite difficult to verify, but I'd also consider that IP suspicious. I've been away for a little while and I'm still catching up, but what I do know is that there's some sockpuppetry and trouble-making going on generally in that topic area, for example Newshunter14 is technically likely/indistinguishable from the user you mentioned - whatever they were doing is probably related. So be suspicious and take things with a pinch of salt is what I'd say. -- zzuuzz(talk)16:02, 5 July 2019 (UTC)[reply]
Also a slight chance of a joe-job. A while back, we had someone who was imitating the account names of people who were at WP:AN3 and then pretending to continue a war in which they were involved. (e.g. if XX12 is named in a report, they start to edit the article with the newly-created XX14, hoping to put a charge of socking on XX12). The IP and Newshunter14 might both be the identities of a joe-jobber trying to get Newshunter12 blocked. EdJohnston (talk) 19:07, 5 July 2019 (UTC)[reply]
Yup, that was my initial thought (also have a look at Newshunter12's recent user talk edits). There's a few of those joe-jobbers, but I'm not currently sure about the pattern. It might be a local problem, but I don't yet have the full background story. That topic area though - for some reason there's always problems of one sort or another lurking around. -- zzuuzz(talk)19:55, 5 July 2019 (UTC)[reply]
I got a note on my talkpage about this. For whatever reason Newshunter12 (and to a lesser extent me and @Randykitty:) got a few ridiculous death threats 6 months ago, and it resurfaced a few weeks ago; see here for a quick refresher. There has historically been a problem with IPs promoting the GRG and trying to model our articles after their pages. Whoever this is clearly wants to get Newshunter12 in some sort of hot water, most likely because he's been at the forefront of a multi-year effort trying to remove gigantic reams of longevity trivia. The Blade of the Northern Lights (話して下さい) 00:10, 6 July 2019 (UTC)[reply]
Possible sock- or meatpuppets?
Hi, these two users, Jooch A Schmidt and WillColemans, registered and made their first edits at around the same time, and they seem to edit at very similar times of day (plus very similar editing interests). Also, WillColemans created Jooch's talk page with a barnstar. Could they be sock- or meatpuppets? JACKINTHEBOX • TALK19:28, 9 July 2019 (UTC)[reply]
MEATPUPPETS OR SOCK- YOU ASK? WELL LET ME TELL YOU, INTERNET POLICEMEN, WE ARE NEITHER. WE ARE PEOPLE BEHIND THIS KEYBOARD, BARN STARS OF TRUTH. JUSTICE.
YOU MAY KILL BLOCK ONE COLEMAN BUT THREE WILL RISE TO REPLACE ME.
Truth justice, eh? I'm sure that will go a long way. Have you considered contributing something constructive towards the encyclopaedia? -- zzuuzz(talk)21:05, 9 July 2019 (UTC)[reply]
Many thanks for blocking; it's of course your decision which I'll respect, but I thought I'd just beg to extend it a bit longer. —PaleoNeonate – 20:52, 9 July 2019 (UTC)[reply]
Actually the 172.56 and 172.58 ranges are both very well known to most admins. Fortunately, they are segmented, to some extent, into even smaller blockable ranges like those I've blocked. -- zzuuzz(talk)21:09, 9 July 2019 (UTC)[reply]
Thank you very much for this information and for all your efforts to combat this issue. I am also grateful you removed the latest vandalism from my talk page. Hopefully this person will find something better to do with their time than harrying me on Wikipedia. Newshunter12 (talk) 02:34, 10 July 2019 (UTC)[reply]
I just wanted to let you know that the same individual vandalized my talk page again, but the comment was removed and the editor blocked for one month by Ponyo. Newshunter12 (talk) 01:05, 11 July 2019 (UTC)[reply]
Hi Luk. I feel your pain. I think I can speed it up - see what you think. Also, I think last time I looked we were dealing with some specific (quite large) IP ranges. Do you happen to have them? Going by the results so far it's going to be a busy filter otherwise. -- zzuuzz(talk)15:41, 12 July 2019 (UTC)[reply]
Hey! I see you have blocked 71.56.23.5 for 6 months. According to What'sMyIPAdress, that IP is likely a dynamic IP. As such, this IP may be shared by a lot of users. Because this is a long term block, I suggest it can be useful to contact the organisation to whom the IP is registered (Comcast Cable). They have an email address registered in their IP registration: abusecomcast.net. That way, they can take action that would make this block of a dynamic IP unnecessary, preventing possibly many people from losing their ability to edit Wikipedia. Thanks, MrClog (talk) 00:22, 20 July 2019 (UTC)[reply]
While the IP is technically dynamic, it has very clearly been assigned to the same disruptive user for months. This IP address is almost certainly not shared with anybody outside the vandal's home network. Reaper Eternal (talk) 00:30, 20 July 2019 (UTC)[reply]
@Reaper Eternal: True, and it is probably a sticky dynamic IP. Would it be worth it tagging the IP's talk page with {{Dynamic IP}} in case the vandal's network modem is turned off long enough (for whatever reason) for their lease to end? --MrClog (talk) 00:39, 20 July 2019 (UTC)[reply]
What the Reaper said. Actually the vandal has also been using other IP addresses in the meantime, so make of that what you will. I personally see no need to add any tags. If you've ever seen any abuse complaint actually have any effect (or even get a reply), then you're probably in a minority. -- zzuuzz(talk)00:58, 20 July 2019 (UTC)[reply]
Proxy sock
Hi zzuuzz, could you maybe take a look at 198.57.27.196? It appears to be blocked User:Shingling334 (though I think not exclusively) on a GlobalTeleHost server proxy. I've already listed it (and several others of his) at WP:OP, but there's a backlog there. This one has been active for a while. Thanks... --IamNotU (talk) 01:03, 20 July 2019 (UTC)[reply]
Verified users
Hey, could you add me to the verified user list of WikiProject on open proxies? About that hotel IP thingy: I looked through my results again and couldn't find it for whatever reason. not even when searching for both the IP and "hotel". --MrClog (talk) 12:07, 21 July 2019 (UTC)[reply]
Hi. I'd be happy to help you along the path, but I'm a bit of a stickler for seeing some evidence and throwing some challenges, so for a start I'd like to see you edit with the latest proxy I blocked, and make an edit identical to this one I did a few minutes ago, using the same address. -- zzuuzz(talk)12:35, 21 July 2019 (UTC)[reply]
Can you check that it is still open? It seems to be an HTTP proxy, but the only port nmap found, 113, is closed. Or did I miss something? Thanks, MrClog (talk) 13:18, 21 July 2019 (UTC)[reply]
It's definitely open. Hint: Don't use nmap, you won't need it. You will almost never need nmap. And if necessary, have another read of the previously linked guide. I'll add, to save you any hassle, that you won't need to download or install any software to use it. -- zzuuzz(talk)13:43, 21 July 2019 (UTC)[reply]
I have tried all the usual things: Google results, rDNS, WHOIS, etc. Doesn't seem to be a web proxy, and I tried the various port numbers on the internet, but none worked. Am I missing something obvious here? --MrClog (talk) 13:58, 21 July 2019 (UTC)[reply]
Of course you are. No, to be fair it's a fairly decent test of a fairly typical proxy one might encounter and the thinking required, and it's not too obvious for that reason. But it's not too hard. So let's start with the starting point, is port 80 open? Your nmap results seem to suggest not, but how about this? From there you should be coasting. -- zzuuzz(talk)14:10, 21 July 2019 (UTC)[reply]
Oh, Microsoft Edge's 'friendly' error messages. You can Google that. I don't use it myself and I doubt any other browser would hide the real message. I guess that another browser might be a requirement (though telnet should get you the right error). Does anything happen to the URL? -- zzuuzz(talk)14:30, 21 July 2019 (UTC)[reply]
I used Browserling to simulate Google Chrome in Windows 7 and I did get a response there, which showed the following domain: www1.sitemix.jp. Can't access that website. --MrClog (talk) 15:40, 21 July 2019 (UTC)[reply]
OK, that's one way to do it. You're on the right path. Hint: What can you find out about this "sitemix.jp" in relation to this quest? -- zzuuzz(talk)15:47, 21 July 2019 (UTC)[reply]
@Zzuuzz: I placed a message with the proxy. For whatever reason, both Edge and Firefox refused to load the website from which I could access the proxy. Used Browserling again. --MrClog (talk) 16:40, 21 July 2019 (UTC)[reply]
Good stuff, so we sort of got there eventually as a team. I think maybe you should have a think about this exercise. For example, why the nmap results? And how to overcome the port 80 issue you experienced. And why couldn't you use the proxy? And I will leave you an optional exercise: Telnet the IP at port 80, and issue a simple GET / HTTP request. When you've had some time to consider the results, and you're ready for round 2, or if I can help further, just say. -- zzuuzz(talk)16:42, 21 July 2019 (UTC)[reply]
I used the open <IP> 80 command in telnet, it wasn't able to connect. The GET/HTTP request did respond (status code 200), which indicates the website was active (it responded to a GET request). I'm not sure, but the fact that the telnet thingy didn't work might indicate that my laptop can't access open proxies for whatever reasons, while the domain did respond to a GET/HTTP request.
Regarding why I had to use Browserling: I don't think it has to do with my firewall, because my firewall is set to notify me if it blocks a certain domain. I'm not sure what is the reason, but I don't think it's an issue, because now that I know it, I can use Browserling in the future.
Regarding the nmap result, I believe it didn't show port 80 because the web server was run by the server behind the www1.sitemix.jp domain, not the local machine. If any answers are wrong, please tell. If not, then I should be ready for round 2. --MrClog (talk) 20:38, 21 July 2019 (UTC)[reply]
If you can connect to the IP it's probably not a firewall issue, unless you have some sort of content filtering which wouldn't be helpful, and nmap would have no reason not to say it's not open on 80. So, to be clear the telnet session should go something like this: telnet <IP> 80 (you can also open telnet and issue the open command as you did); the server responds with some stuff including Connected to <IP>. Then you issue the command GET / HTTP/1.0 with two line breaks. The server responds with the content and you're on your way. This will probably need figuring out. And Firefox works for me, as they say. I doubt it would be a geolocation issue causing this difference. OK, let's try something less interesting. 205.204.67.189. Go. Make as many informations as you think is appropriate. -- zzuuzz(talk)22:19, 21 July 2019 (UTC)[reply]
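The telnet session described above, sketched in Python as an added example (not part of the original discussion): it sends the same `GET / HTTP/1.0` followed by an empty line and returns the status line and headers that a browser's friendly error page can hide. The sample response, the `redirect.example.invalid` host and all function names are constructed for illustration.

```python
import socket

# Exactly what is typed into telnet: the request line, then an empty line.
REQUEST = b"GET / HTTP/1.0\r\n\r\n"

# Constructed sample reply (not captured from any host named on this page).
SAMPLE_RESPONSE = (
    b"HTTP/1.0 302 Found\r\n"
    b"Location: http://redirect.example.invalid/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into status code, reason, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "status": int(parts[1]),
        "reason": parts[2] if len(parts) > 2 else "",
        "headers": headers,
        "body": body,
    }


def raw_get(sock, timeout=5.0):
    """Send the request on a connected socket and read until the server closes."""
    sock.settimeout(timeout)
    sock.sendall(REQUEST)
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:  # HTTP/1.0: the server closes the connection when done
            break
        chunks.append(data)
    return parse_response(b"".join(chunks))


def fetch(ip, port=80):
    """Equivalent of `telnet <IP> 80` followed by the GET line."""
    with socket.create_connection((ip, port), timeout=5.0) as sock:
        return raw_get(sock)


def demo():
    """Offline run: a local socket pair plays the server with the sample reply."""
    client, server = socket.socketpair()
    with client, server:
        server.sendall(SAMPLE_RESPONSE)
        server.shutdown(socket.SHUT_WR)
        result = raw_get(client)
        sent = server.recv(1024)  # what the "server" side actually received
    return result, sent


if __name__ == "__main__":
    result, sent = demo()
    print(sent)
    print(result["status"], result["reason"], result["headers"].get("location"))
```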
I go to WHOIS and find out that the IP is registered to eStruxture Data Centers Inc., a company that has 5 datacenters in Canada (found this on their website). Through Google Maps I found out that center MTL-1 matches the address to which the IP is registered. Because colocation services anonymise their users, it should be blocked. --MrClog (talk) 22:31, 21 July 2019 (UTC)[reply]
Not so fast. I'd refer your colo comments to the comments on Ninja's talk page. But that bit is easy - you can tell all that from the block log. I want proof, I want the access point. -- zzuuzz(talk)22:36, 21 July 2019 (UTC)[reply]
I first tried HTTP (via Browserling), no response. I then Googled the IP, but wasn't able to find a host or a port number. Nmap didn't find anything either. Unlikely that it is an open proxy. Based on the information I did find, it seems to be a regular dynamic IP from Beltelecom (Belarus). --MrClog (talk) 23:27, 21 July 2019 (UTC)[reply]
I am heading to bed now, will look at that one tomorrow if you don't mind. Should I close the 178.120.6.7 request (assuming I was correct) before I go? --MrClog (talk) 23:55, 21 July 2019 (UTC)[reply]
Regarding 153.232.251.74: HTTP didn't work. Through Google, I found that this IP was mentioned on a web page which has "proxy" in the URL. When opening the URL, I get a 503 error. I wasn't able to find any ports. Based on this, it seems to be a possible former open proxy, though Unlikely to be an open proxy now. --MrClog (talk) 07:52, 22 July 2019 (UTC)[reply]
I tend to think it's almost certainly OpenVPN. Ipqualityscore, although not always reliable, lists it as a high risk VPN. Do you have access to the "IPcheck" tool used in the WP:OP proxy templates? I can probably go a bit further. To a seasoned eye, those edits just look suspicious. The first edit, to undo another IP editor, suggests one should look at this IP, which is certainly not in Japan. That IP also uses the same reference elsewhere. Looking through the wider /64 you can see similar edits, some of which have been undone or questioned. Going back to the original IP and article history, you'd even have to wonder if this is a sock of User:Gala19000. And there's another clue here. I'd call this one likely. -- zzuuzz(talk)08:20, 22 July 2019 (UTC)[reply]
Regarding 122.155.174.66: HTTP comes up with an error page with a NordVPN logo at the bottom. In addition, when it comes to behaviour, you have never warned the user yet they insult you (they're not new). It seems to be block evasion by someone that really hates you. --MrClog (talk) 11:31, 22 July 2019 (UTC)[reply]
If you HTTP IP 122.155.174.64 (but not with IPs under this value), you get the same page. If you then continue to HTTP IPs while increasing their value, you find out that the range of NordVPN continues until 122.155.174.72. Throw this into ip-range-calc and you get the range 122.155.174.64/28. MrClog (talk) 12:07, 22 July 2019 (UTC)[reply]
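The range calculation in the comment above, as an added example using Python's standard `ipaddress` module (not part of the original discussion): it derives the smallest single CIDR block covering the first and last observed address, the exact blocks for the observed span, and how many addresses the single block adds beyond that span. The function names are illustrative.

```python
import ipaddress


def covering_network(first, last):
    """Smallest single CIDR block that contains both addresses."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version:
        raise ValueError("addresses must be the same IP version")
    if int(lo) > int(hi):
        raise ValueError("first address must not be above the last")
    # Number of low-order bits in which the two ends differ.
    differing = (int(lo) ^ int(hi)).bit_length()
    prefix = lo.max_prefixlen - differing
    # strict=False masks off the host bits of the first address.
    return ipaddress.ip_network("%s/%d" % (lo, prefix), strict=False)


def exact_blocks(first, last):
    """CIDR blocks that cover the observed span and nothing else."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    return list(ipaddress.summarize_address_range(lo, hi))


def collateral(first, last):
    """Addresses inside the covering block that lie outside the observed span."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    net = covering_network(first, last)
    observed = int(hi) - int(lo) + 1
    return net.num_addresses - observed


if __name__ == "__main__":
    first, last = "122.155.174.64", "122.155.174.72"
    print("covering block:", covering_network(first, last))
    print("exact blocks:  ", [str(n) for n in exact_blocks(first, last)])
    print("extra addresses in covering block:", collateral(first, last))
```

The covering block is what a single range block would use; the difference between it and the exact blocks is the part to check in the range's contributions before blocking.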
I see that's done. On the previous example, correct. In case you're wondering, you're doing OK so far after a dodgy start, but I'd still like to probe your competence further before I can say people can depend on what this person says. So, my talk page has seen some action recently, tell me about some of the IPs, and I'd especially like to hear about 46.45.138.102 which is mentioned below. -- zzuuzz(talk)16:08, 23 July 2019 (UTC)[reply]
Thank you for all the time you spent in this, by the way. Now, regarding 46.45.138.102: HTTP didn't show anything, nor was I able to find any open ports. WHOIS, however, did reveal that this is a datacenter used for colocation hosting by "IstanbulDC" (https://www.istanbuldc.com/), and should as such, be blocked. What was strange is that rDNS showed that the IP was hosted on a domain that ended in a full stop. When you talk about the other IPs, do you mean the ones mentioned below or the ones that have vandalised your talk page? --MrClog (talk) 19:07, 23 July 2019 (UTC)[reply]
Regarding 176.53.112.100: I was again not able to connect, but this one is also a colocation webhost. The address registered to the IP is not an actual address, but a Turkish sentence that translates to "these IP addresses are rented to other site providers." These IPs are owned by "INTER NET BILGISAYAR LTD STI", whose site shows they are a colocation webhost. Interestingly, this IP's domain is merely a full stop, and its ISP, just like the other IP, is "SAYFA-NET". — Preceding unsigned comment added by MrClog (talk • contribs)
We'll have a chat about data centers and colos at some point. I know you want to know about 46.45.138.102, and the answer is, 46.45.138.101! That's no coincidence. The whois gives a small range - /29, and just so you know, /28s and /29s are very common for VPNs. -- zzuuzz(talk)20:48, 23 July 2019 (UTC)[reply]
VPNs are under no obligation to announce themselves. Many try very hard to hide it. Some such as PIA are absolute pros at disguising themselves. -- zzuuzz(talk)20:57, 23 July 2019 (UTC)[reply]
I think that's enough of them for now. Let's go global.. what are your thoughts on this (these) block(s)? As many thoughts as you can muster please. Imagine someone is requesting unblock and you've decided to respond to a request for advice. -- zzuuzz(talk)22:04, 24 July 2019 (UTC)[reply]
A look at their contribs shows that only one IP has edited from the range: 176.12.107.132, so I'm investigating this IP. HTTP doesn't show anything. WHOIS shows that the IP (and the entire /24 range) is registered to a "Custodian DataCentre" (company's site). These data centres function as colocation webhosts. I dig a bit deeper and continue looking through Google. I find an interesting link: cq2.retydhdooik.cf/qse, which then redirects me to freenom.link ("Freenom World"), a website from a public DNS resolver. I google the IP combined with "freenom", but can't find anything. Because this is possibly an open proxy from Freenom World, I decide that an nmap is necessary. I cannot find any open ports. The IP is from a colocation webhost and should as such remain locked. It is currently locked as open proxy, which may have to do with Freenom World, but I wasn't able to connect. --MrClog (talk) 22:49, 24 July 2019 (UTC)[reply]
I have looked some more. Again it shows that the DNS is used by Custodian. Nothing new, really. Haven't been able to connect. --MrClog (talk) 23:17, 24 July 2019 (UTC)[reply]
You're about to be overruled :( Take your time. Again, no nmap required, and no software required, and I can say that it's probably very unlikely that you will be able to use the network (with any reasonable or expected effort). -- zzuuzz(talk)23:25, 24 July 2019 (UTC)[reply]
Last attempt: according to abuseat.org, the IP has been infected with Trojan:Win32/Ramnit, a member of the Win32/Ramnit malware family. As such, the access to the IP is no longer limited to customers of CustodianDC, but intruders as well. --MrClog (talk) 23:43, 24 July 2019 (UTC)[reply]
An interesting observation, actually not too surprising, but probably not so relevant in this case. OK, I'll put you out of your misery. There's actually three blocks here. If anyone wants to unblock they will have to address both the local block and the global block. The meta block is part of the global block (for an obscure technical reason), but it doesn't need lifting for our purposes. The global block can be locally disabled, or the stewards can be contacted if necessary. Let's take that one IP you mentioned: 176.12.107.132. Actually, we can look at the range: Special:Contributions/176.12.107.0/24. There are only a few IPs being used. Curiously, a few edits are to their talk pages. I wonder what they're saying? Oh, now let's look at their talk pages. Oh, I also see that some trusted admin has placed a notice on them. Actually there's a big clue in the whois. It's the words "Client" and "Icomera". A little Googling will tell you what Icomera get up to. We can also look a bit closer at the Custodian website, where they mention a few organisations such as the NHS, universities, and local councils. You can see that they provide both colocation (a very loose word if there ever was one) and "Connectivity". Connectivity and "Transit" are not the droids we are looking for. So, a combination of whois, Google, and the contributions tells us that these are Wifi networks on trains. I've actually experienced one of these blocks, and it's fairly annoying. Now what are your thoughts? -- zzuuzz(talk)00:00, 25 July 2019 (UTC)[reply]
What do you mean with my "thoughts" here: as in, should the IP be blocked or as in, try to find the open proxy (which meta says there is)? --MrClog (talk) 00:18, 25 July 2019 (UTC)[reply]
I have done some research. The unblock requests mention Great Northern Railway. According to their Wi-Fi FAQ, they block certain sites, like adult/illegal content and data-intensive sites. Based on this information, I think it is safe to assume that this is enforced with the use of a transparent proxy, so shouldn't be unblocked. Even if they wouldn't be a proxy, it seems to be a public Wi-Fi often abused, so it is still appropriate to block it. --MrClog (talk) 09:21, 25 July 2019 (UTC)[reply]
"use of a transparent proxy, so shouldn't be unblocked". I'm not sure I understand what you're saying here. Most proxies are welcome to edit. Large organisations might run thousands of users through transparent proxies. It's only really the "open or anonymising" ones that are an issue. All the block reasons in this situation are basically wrong, but you're right, there might just be too much disruption to not apply an anonblock. In OP terms, this is not an open proxy - it's not really any different to a mobile phone network. For the next installment, please opine on 104.129.192.0/20. -- zzuuzz(talk)12:34, 25 July 2019 (UTC)[reply]
I see that I wrote a confusing message (it was in the morning and had to head to work), I tried to say indeed that it shouldn't be blocked, because the proxy allows us to identify its actual owner (Icomera, instead of just Custodian) and thus does not anonymise its user. A WHOIS shows that the IP is registered to Zscaler, a company that provides colocation hosting with some modern cloud software - very interesting. HTTP the latest IP used (104.129.198.61) brings me to a login page. I can't find any indication it is an open proxy. It is, however, an anonymizing proxy, because we cannot see which company is using the IP (which would be possible if it was a transparent proxy, instead we see Zscaler, the colocation service provider), so it should be blocked. --MrClog (talk) 19:34, 25 July 2019 (UTC)[reply]
If they can be bothered. There are many things mislabelled on Wikipedia. As long as the block is right, that's the most important thing. On the other hand this is the type of thing that wastes volunteers' time at UTRS and OTRS, so I'll just drop a courtesy ping to @Ajraddatz: (TLDR: there is a global block on 176.12.107.0/24 but it's not your average colo or open proxy, it's Wifi on certain trains in the UK; more detail just above). Going back on topic, no I wouldn't block Zscaler unless I had to; see Zscaler. It is used by some of the largest and most secure companies in the world; hard blocks can cause enormous collateral. -- zzuuzz(talk)19:56, 25 July 2019 (UTC)[reply]
Yes. As I mentioned above, colocation is a very loose term, and data centre is similarly vague - as you can see with the trains example. Another example, some schools send all their traffic through filtering software, similar to Zscaler, which might be located at Azure, or AWS, or some other server operator. In those cases users may have no option about how their traffic is routed, and you couldn't say they were deliberately using anonymisation to avoid scrutiny. If they are blocked then they don't get to edit. There's also people using their own servers or VPS because they don't like their ISP and government snooping on everything they're doing. You can usually tell what's going on from the quality of contributions. Really everything comes down to preventing abuse and avoiding collateral. After all, we like people to edit the encyclopaedia. -- zzuuzz(talk)21:31, 25 July 2019 (UTC)[reply]
Yup, the ports seem to change every week, probably a cracked box, or as some would say, a zombie. Continuing, 117.242.147.85. -- zzuuzz(talk)20:26, 27 July 2019 (UTC)[reply]
It should be blocked because it is an open proxy. In addition, if you look at the IP's first edit, it has been used by a banned user. Now, the block length. First off, according to abuseat.org, the IP is infected with Trojan:Win32/Matsnu, a Trojan horse. I am not sure what the life of such a zombie proxy is, but I suppose it can take a while before the owner finds the malware. 3 months? Also, FYI: I will be on holiday from tomorrow until Aug. 14, so I will be very inactive here. --MrClog (talk) 12:22, 28 July 2019 (UTC)[reply]
Nice guess. It was previously blocked last November and probably hasn't closed since, so I'm going to make it a year. Drop me a note when you're back if you're still interested and we'll head towards wrapping this up. -- zzuuzz(talk)12:32, 28 July 2019 (UTC)[reply]
I have a question: is there any way in which admins ensure that once the block expires, an admin can check if the proxy is still a proxy? --MrClog (talk) 13:28, 28 July 2019 (UTC)[reply]
That's slightly ambiguous, so I'll answer both. The WP:IPB page recommends that admins make a note of why an IP is an open proxy. It can help unblock requests as well as future blocks. But check all open proxies after their block has expired? No, there's too many and too much work. In theory a proportion of it could be automated (eg by ProcseeBot or Ronaldbot), but it's not. -- zzuuzz(talk)16:27, 28 July 2019 (UTC)[reply]
My IP editor problem
Hello, the IP editor problem we have been dealing with seems to have escalated. In a discussion with me, editor BrownHairedGirl stated here that someone tried to hack into her account in the same manner as in December. Both attempted hackings happened after I brought up the topic of hacking (the first time I had made a hacking joke to BHG, the second time after I started re-litigating the issue again with her in a new AfD by chance for the same article.) I've come to the belief that the London based IP who created Newshunter14 and who has been vandalizing my talk page is behind the hacking attempts on her account.
My reasons are as follows: During the first hacking hoopla, a very similar IP to the one that has been vandalizing my talk page, 172.56.37.136 followed me to EENG's talk page to accuse me of hacking BHG's account. After the new hacking incident, an IP editor basically admitting to being the person who has been vandalizing my talk page followed me to the new AfD and went to her talk page, where they used very similar language (ex. talk of me and my cronies, and how they are the good guy) to the IP user who posted to EENG's page. Further evidence is that it was during a heated exchange with editor TFBCT1 when Newshunter14 appeared and tried to frame me for threatening him, just as both hacking attempts on BHG happened around the time of heated exchanges and the topic of hacking between the two of us, with me looking the obvious culprit just as before. Since this IP abuse issue appears to have reached the real world (the attempted hacking I strongly assume would be criminal conduct), is it possible that this could be investigated on a much deeper level on Wikipedia? Far worse than the talk page annoyance is the fact that someone is by all appearances trying to make me appear guilty of real world criminal conduct. I greatly appreciate any assistance or guidance you are able to provide. Newshunter12 (talk) 05:33, 23 July 2019 (UTC)[reply]
Again just a funny coincidence that you seemed to know about the attempted hacking after it took place and before anyone had said anything about it. Hopefully there is a way to check the IP of the attempted hacker I have a feeling it will belong to Newshunter12. 198.8.81.74 (talk) 06:40, 23 July 2019 (UTC)[reply]
I've blocked the latest IP(s). If it's not all the same person then I'll eat my hat. The best mitigation at this time: awareness of potential trolling problems, and strong passwords. -- zzuuzz(talk)07:16, 23 July 2019 (UTC)[reply]
I cannot thank you enough, Zzuuzz, for your support, hard work and guidance dealing with this issue. I've been wondering for seven months about that event, which spooked me at the time and wondering what really happened, and we were able to get to the bottom of it together. Just knowing what happened is such a relief. I will follow your advice for sure, and I greatly appreciate the long blocks you handed out in response to this abuse. Sincerely, Newshunter12 (talk) 08:17, 23 July 2019 (UTC)[reply]
The evidence points towards Newshunter12 being the person who tried to hack into BHG's account if you don't want to even look into it that's your problem not mine. I'm done here. 176.53.118.93 (talk) 07:40, 23 July 2019 (UTC)[reply]
Well I guess this is never going to be resolved then. You should stop blocking these IPs I have thousands and you're kind of just screwing over the next person using it by doing this type of blanket ban. Cheers. 176.53.112.102 (talk) 08:00, 23 July 2019 (UTC)[reply]
Thanks for your change. I was trying to think of how to include the AT&T example last night without getting overly technical. I tweaked your change a bit to be slightly less technical, because the essay is really aimed at admins who don't understand how networking works and trying to give them rules of thumb for effective ways to make blocks that will usually be safe. I'm fine with any other tweaks you want to make without asking me, but I also might edit it again to make it more "/64 blocks for dummies" style TonyBallioni (talk) 15:23, 23 July 2019 (UTC)[reply]
That's fine. I think the two important points, already alluded to somewhat but also somewhat trashed by the preceding paragraph, are that there's always exceptions, and always check the contribs anyway. I see they're still there.. -- zzuuzz(talk)15:36, 23 July 2019 (UTC)[reply]
Yeah, speaking as someone who was afraid to make even the simplest range block even 2 years ago, I get that, but I think the problem we're dealing more with now is that admins are afraid to make range blocks they should be making rather than making too many, so I wrote it with that in mind. Most admins are naturally conservative, so if they do make a mistake it's pretty easy to point out and avoid in the future. TonyBallioni (talk) 15:48, 23 July 2019 (UTC)[reply]
Hello, Zzuuzz. Please check your email; you've got mail! Message added 01:03, 26 July 2019 (UTC). It may take a few minutes from the time the email is sent for it to show up in your inbox. You can remove this notice at any time by removing the {{You've got mail}} or {{ygm}} template.
Could you check if you received it; my email software acted a bit strangely, not sure if the email was actually sent. --MrClog (talk) 19:30, 26 July 2019 (UTC)[reply]
Precious
"an occasional bit of forgiveness"
Thank you for welcoming new users and warning vandals, for creating categories such as Category:Wales-related lists and filling them, for help from 2005, for admin and checkuser service, for "an occasional bit of forgiveness" and "+1", - repeating (24 May 2010): you are an awesome Wikipedian!