Revision as of 08:02, 27 February 2013 editYunshui (talk | contribs)Pending changes reviewers69,412 edits →168.94.245.6: new section← Previous edit | Revision as of 08:12, 27 February 2013 edit undoSailsbystars (talk | contribs)Extended confirmed users, Pending changes reviewers, Rollbackers6,835 edits →168.94.245.6: checkedNext edit → | ||
Line 161: | Line 161: | ||
== 168.94.245.6 == | == 168.94.245.6 == | ||
{{proxycheckstatus}} | {{proxycheckstatus|checked}} | ||
{{Proxyip4|168.94.245.6}} | {{Proxyip4|168.94.245.6}} | ||
Line 167: | Line 167: | ||
<!-- NOTE: If the IP address's block reason contains a URL/IP address, please include it. --> | <!-- NOTE: If the IP address's block reason contains a URL/IP address, please include it. --> | ||
Reason: Requested unblock. | Reason: Requested unblock. | ||
:{{proxycheck|unlikely}} Not seeing a proxy or any strong evidence for proxy (not open on standard proxy ports), but I would ping Elen (the blocking admin) before an unblock because the block is a bit irregular (several weeks after most recent activity). ] (]) 08:12, 27 February 2013 (UTC) |
Revision as of 08:12, 27 February 2013
Current Archives |
Index 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 26, 27, 28, 29, 30, 31, 32, 33, 34, 35 36, 37, 38, 39, 40, 41, 42, 43, 44, 45 46, 47, 48, 49, 50, 51 |
217.115.10.133
A user has requested a proxy check. A proxy checker will shortly look into the case. 217.115.10.133 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan Blocked same as above, but seems to be a tor exit node (see whois info and https://www.ccc.de/anonymizer/). Tijfo098 (talk) 06:02, 18 October 2012 (UTC)
- Blocked as tor. This is a small part of a wide tor project resolving to anonymizer.ccc.de, anonymizer.hamburg.ccc.de, torXX.anonymizer.ccc.de (where XX is a number from 1 to at least 33), etc., i.e., again, the tip of an iceberg. Materialscientist (talk) 05:54, 20 October 2012 (UTC)
- Indeed. A few random tests:
- tor5.anonymizer.ccc.de -> 80.237.226.75
- tor10.anonymizer.ccc.de -> 62.113.219.3
- tor15.anonymizer.ccc.de -> not registered
- tor20.anonymizer.ccc.de -> 31.172.30.3
- tor25.anonymizer.ccc.de -> not registered
- tor30.anonymizer.ccc.de -> 77.244.254.230
- They belong to various IPSs, but all are rented out to "Chaos Computer Club e.V." Tijfo098 (talk) 06:17, 20 October 2012 (UTC)
- It's a bit more tricky: you can type the url into robtext and get their ranges, but those ranges are shared and the tor takes only a small part. For example, for 217.115.10.133, only 3 nearby IPs (trial-and-error check, not 100% sure) clearly relate to tor33.anonymizer.ccc.de, many others from the range belong to something else. And as usual, such shared ranges often host other semilegal services. Materialscientist (talk) 06:21, 20 October 2012 (UTC)
- The whois info in this case is more helpful: 217.115.10.128 - 217.115.10.143 (a /28 it would seem) are all registered to CCC.de, although this is indeed less than the whole 217.115.0.0/20 Netsign PA Route. So you could issue a more discerning range block to the CCC /28. In the 80.237.226.72 - 80.237.226.79 case it's a /29 that is leased by CCC (out of the whole /17 route). If we go by the 80.237 precedent, the tor node(s) are eventually moved around the range(s) CCC rents. And it looks like the same R&I banned user was the sole editor from both of these. Tijfo098 (talk) 06:59, 20 October 2012 (UTC)
- It's a bit more tricky: you can type the url into robtext and get their ranges, but those ranges are shared and the tor takes only a small part. For example, for 217.115.10.133, only 3 nearby IPs (trial-and-error check, not 100% sure) clearly relate to tor33.anonymizer.ccc.de, many others from the range belong to something else. And as usual, such shared ranges often host other semilegal services. Materialscientist (talk) 06:21, 20 October 2012 (UTC)
- Indeed. A few random tests:
Known CCC.de ranges
Tijfo098 (talk) 07:07, 20 October 2012 (UTC)
- Thanks. /29 contains only 6 IPs. If you check them individually in you'll find that most of them (if not all) are already blocked one way or another, or don't clearly belong to the targeted tor. Materialscientist (talk) 07:17, 20 October 2012 (UTC)
- Which ones do not? Tijfo098 (talk) 07:21, 20 October 2012 (UTC)
- I judge that by robtex, which shows a different server for some nearby IPs in the range. Those tors usually take about 4 IPs/range, but ranges are many. Off course, we can always rangeblock a wider range if it is inactive, but then we might get justified unblock requests. Materialscientist (talk) 07:32, 20 October 2012 (UTC)
- It looks to me like the only controversy here is over the 217.115.10.135 - 217.115.10.142 range (because you blocked the lower IPs of the last /28 I listed above) The 135-142 range is listed as allocated to CCC.de in whois, but none of those IPs respond to ping (unlike the lower IPs), so it looks like there's simply no hardware behind them, just yet. Tijfo098 (talk) 08:11, 20 October 2012 (UTC)
- I judge that by robtex, which shows a different server for some nearby IPs in the range. Those tors usually take about 4 IPs/range, but ranges are many. Off course, we can always rangeblock a wider range if it is inactive, but then we might get justified unblock requests. Materialscientist (talk) 07:32, 20 October 2012 (UTC)
- Which ones do not? Tijfo098 (talk) 07:21, 20 October 2012 (UTC)
201.130.178.219
A user has requested a proxy check. A proxy checker will shortly look into the case. 201.130.178.219 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan Voted at ANI with no other contribs in 5 years. IP is listed in quite a few black lists. Possibly a compromised computer. Tijfo098 (talk) 23:18, 27 October 2012 (UTC)
Hitting it on port 80 turned up a Nomadix AG 3100 hotspot hardware, so that may be all there is to it. Tijfo098 (talk) 23:20, 27 October 2012 (UTC)
- There are no registered editors on that range, but this is obviously a sock. I would have thought that makes it more likely there's something hinky with the IP. --Elen of the Roads (talk) 00:08, 3 November 2012 (UTC)
202.94.66.28
A user has requested a proxy check. A proxy checker will shortly look into the case. 202.94.66.28 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Requested unblock via UTRS #4642. --Jezebel'sPonyo 18:16, 7 November 2012 (UTC)
- I've checked the blocking handle 49.236.215.58:8080, and it leads to another IP (which I've blocked). It was a zombie proxy (infected/miconfigured PC) recently. I can't tell for sure about now. Materialscientist (talk) 22:41, 7 November 2012 (UTC)
- Should I decline the unblock request as a precaution?--Jezebel'sPonyo 18:47, 8 November 2012 (UTC)
- Checked today, block was for 8080 but now 3128 operational but not open proxy and resolves to proxy0.classic.com.np. I don't see anything in Wayback for the parent company and there is a lot of info missing on their website. Dennis Brown - 2¢ © Join WER 13:38, 22 December 2012 (UTC)
- Should I decline the unblock request as a precaution?--Jezebel'sPonyo 18:47, 8 November 2012 (UTC)
Talk:Irgun
A user has requested a proxy check. A proxy checker will shortly look into the case. 95.142.164.78 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan - currently blocked as an open proxy 24.205.56.131 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan 142.165.235.51 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan 173.62.39.33 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan 189.4.11.131 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan 174.92.139.121 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan - currently blocked as an open proxy
Unregistered user using Misplaced Pages for personal attacks and political propaganda. Two of the addresses used have been blocked as open proxies. - Mike Rosoft (talk) 06:36, 9 November 2012 (UTC)
- A quick check didn't find anything unusual for the unblocked IPs. The last IP also looked clean. The first is an obvious open proxy. Dennis Brown - 2¢ © Join WER 14:35, 12 December 2012 (UTC)
67.142.168.22 et al
A user has requested a proxy check. A proxy checker will shortly look into the case. 67.142.168.22 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan 67.142.168.23 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan 67.142.168.25 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan 67.142.168.27 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
All 3 4 IPs' geolocation data says "Confirmed proxy server". This, combined with several suspicious edits seem to suggest that something else is in play here.—Ryulong (琉竜) 20:42, 9 November 2012 (UTC)
- The range 67.142.168.16/28 has been blocked by User:Coren - "Webhost/server farm hosting proxies". - Mike Rosoft (talk) 20:57, 24 November 2012 (UTC)
- Being a confirmed proxy server isn't a problem by itself. This is a very odd range to have for farming, owned by DirecPC. Dennis Brown - 2¢ © Join WER 14:43, 12 December 2012 (UTC)
207.179.9.4
A user has requested a proxy check. A proxy checker will shortly look into the case. 207.179.9.4 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Requested unblock. Request for unblock on talk page - "Please unblock our IP, issues with open proxy have been resolved" Ronhjones 00:25, 11 December 2012 (UTC)
- This IP is blocked as /19 range, indefinitely. It belongs to virtela.net, which specializes in cloud and VPN services; thus while indefblocks are almost never warranted, I would hesitate to unblock - even if this particular IP is currently clean for proxies, we can never be sure about the future and about the range.
- I'm also not sure how to understand the comment "issues with open proxy have been resolved" - who said there was a proxy on this IP? These IPs are likely managed separately, thus resolved where? Materialscientist (talk) 00:46, 11 December 2012 (UTC)
- My experience with these types of ranges have been mainly the piles of COI editors, with legitimate uses being rare. I would agree with the hesitation. Dennis Brown - 2¢ © Join WER 14:17, 12 December 2012 (UTC)
- This IP is IMO the office IP for extremenetworks, not an open or cloud proxy, and if this can be shown to be the case - best by email - would normally be afforded a softblock. -- zzuuzz 23:03, 13 December 2012 (UTC)
- My experience with these types of ranges have been mainly the piles of COI editors, with legitimate uses being rare. I would agree with the hesitation. Dennis Brown - 2¢ © Join WER 14:17, 12 December 2012 (UTC)
203.174.79.131
A user has requested a proxy check. A proxy checker will shortly look into the case. 203.174.79.131 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan I got one of those "somebody tried to get your password" media wiki emails, and it said this IP was the source of the request Trying, however incompetently, to hack an admin account seems pretty abusive to me, the geolocation says this is a confirmed proxy server in Japan. Beeblebrox (talk) 16:57, 31 January 2013 (UTC)
- Inconclusive Something is very fishy with this IP. It comes from an electric power company in Japan.... it's clearly some sort of gateway server, but it's not obviously open. Sailsbystars (talk) 05:22, 5 February 2013 (UTC)
111.161.30.218
A user has requested a proxy check. A proxy checker will shortly look into the case. 111.161.30.218 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Appears to be an open proxy from China. The sole edit is to troll around WP:ARBR&I in a creepy and disruptive way that is typical of the banned user Echigo mole, who has used anonymising proxies in the past. Mathsci (talk) 03:27, 17 February 2013 (UTC)
- I also found this identification as a proxy on the web. Mathsci (talk) 07:56, 17 February 2013 (UTC)
- I did discover that the IP 111.161.30.230 is a proxy on port 80/tcp. I scanned the ports with nmap having found it on this list. Mathsci (talk) 09:54, 18 February 2013 (UTC)
- Thanks. It exits on 113.25.65.103, which I've blocked. You'll find 111.161.30.230 as a proxy on Google but hardly 113.25.65.103. This is a usual problem with tunnel proxies, i.e. 111.161.30.218 might be one (exit port), but without knowing the entry it is hard to tell for sure. Materialscientist (talk) 10:06, 18 February 2013 (UTC)
- I did discover that the IP 111.161.30.230 is a proxy on port 80/tcp. I scanned the ports with nmap having found it on this list. Mathsci (talk) 09:54, 18 February 2013 (UTC)
- I also found this identification as a proxy on the web. Mathsci (talk) 07:56, 17 February 2013 (UTC)
- Inconclusive There's some evidence on the internets that this IP was in fact a proxy. However, right now it's coming back that the IP address is down. So I'll check again to see if the host is up later. n.b. to myself this is coming from a pretty darn quiet range, and the edits that exist are looking like a non-proxy-hosting range... Sailsbystars (talk) 07:02, 17 February 2013 (UTC)
- Well, it's still down to me but it's obviously still getting used and FP@S has blocked it... it's certainly passes the WP:DUCK test, but the exact mechanism is elusive (possibly an exit server of some source). If it comes back after FP's block expires, it's probably worth blocking for a month or two, but no longer because it appears to be a fairly dynamic range. Sailsbystars (talk) 18:14, 17 February 2013 (UTC)
- Given the rate that this is spewing spam, I think we can safely declare it a proxy and put it away for a year even if we can't figure out the tunnel entrance. Given the additional proxies on the range above, we might want to rangeblock 111.161.30.0/24 as well, as the collateral damage is minimal but the potential for disruption is high. Sailsbystars (talk) 23:01, 18 February 2013 (UTC)
- I've blocked 111.161.30.218 per the off-wiki spambot activity, but not the range - it's just me, I don't mind anyone blocking it. Materialscientist (talk) 13:06, 26 February 2013 (UTC)
- Given the rate that this is spewing spam, I think we can safely declare it a proxy and put it away for a year even if we can't figure out the tunnel entrance. Given the additional proxies on the range above, we might want to rangeblock 111.161.30.0/24 as well, as the collateral damage is minimal but the potential for disruption is high. Sailsbystars (talk) 23:01, 18 February 2013 (UTC)
216.191.214.90
A user has requested a proxy check. A proxy checker will shortly look into the case. 216.191.214.90 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Possible proxy, harassing a user. Could you check it out please? I have blocked 48 hr for personal attacks. Thank you. - Dianna (talk) 23:20, 24 February 2013 (UTC)
- Hardly. Only one open port, and not proxy-like. Allstream Corp., clean blacklist. We can never be 100% sure that an IP was not an open proxy when you blocked it though. Materialscientist (talk) 10:00, 25 February 2013 (UTC)
- Thanks for your help. -- Dianna (talk) 15:23, 25 February 2013 (UTC)
206.47.78.150
A user has requested a proxy check. A proxy checker will shortly look into the case. 206.47.78.150 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: This IP has been blocked in the past as a proxy (it seems the entry point could be 206.47.78.149:80). The IP is being used at present for trolling on an arbcom case page. Mathsci (talk) 23:20, 25 February 2013 (UTC)
- Unlikely IP is an open proxyHost not up/all ports closed, looks like a cell network. In fact it comes from the same provider as 204.101.237.139, which was also trolling the same arbcom pages. I think you have a good case for sockpuppetry/avoiding scrutiny, but it doesn't look like proxies. Probably too much range for an anon rangeblock... Sailsbystars (talk) 01:11, 26 February 2013 (UTC)
- Oh, and PS, Open proxy isn't necessarily grounds for an instant revert. I asked about it a while ago and there was no consensus (although also not a terribly large amount of input). Sailsbystars (talk) 01:22, 26 February 2013 (UTC)
- I reverted. But on the evidence talk page this user, using the 2nd IP, was already asked by a clerk to use their main registered account. Their contribution was later hatted by AGK. Mathsci (talk) 01:30, 26 February 2013 (UTC)
194.146.198.70
– This proxy check request is closed and will soon be archived by a bot. 194.146.198.70 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
This IP appears to be an open proxy. GabeMc 00:46, 27 February 2013 (UTC)
- Blocked as tor. Materialscientist (talk) 01:00, 27 February 2013 (UTC)
209.226.201.228
A user has requested a proxy check. A proxy checker will shortly look into the case. 209.226.201.228 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
This IP appears to be an open proxy. GabeMc 01:12, 27 February 2013 (UTC)
- I see no evidence of an open proxy. Toronto Airport PC - more likely a public terminal. Materialscientist (talk) 01:17, 27 February 2013 (UTC)
168.94.245.6
A user has requested a proxy check. A proxy checker will shortly look into the case. 168.94.245.6 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Unblock request on talkpage claims that this IP is not a proxy. Yunshui 雲水 08:02, 27 February 2013 (UTC) Reason: Requested unblock.
- Unlikely IP is an open proxy Not seeing a proxy or any strong evidence for proxy (not open on standard proxy ports), but I would ping Elen (the blocking admin) before an unblock because the block is a bit irregular (several weeks after most recent activity). Sailsbystars (talk) 08:12, 27 February 2013 (UTC)