Jump to content

Wikipedia:WikiProject on open proxies/Archives/Closed/2011/June

From Wikipedia, the free encyclopedia


96.232.12.109

96.232.12.109 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan

I have a hunch that a user who was recently blocked for sockpuppetry is using an open proxy to mask his IP. The edits themselves don't appear to be problematic, but if it's being used to evade a block, then that is a problem. Arbor8 (talk) 15:19, 25 April 2011 (UTC)

Doesn't look like a proxy to me. Looks liked a mobile phone provider. Will close in 24 hours.Sailsbystars (talk) 18:47, 25 April 2011 (UTC)
I have to disagree with that assesment. Might of been different when you looked at it, but I see a closed FTP port and a closed PPTP port. PPTP is commonly involved with VPNs. 21/1723 to be exact. @Arbor8 basically this means that the IP could be used to evade. -- DQ (t) (e) 01:04, 26 April 2011 (UTC)
Not necessarily an open proxy though. PPTP could mean block evasion yes, but unlikely to be of the open proxy type. More likely using a work computer for some edits and a home computer for others. Not sure if it's Verizon wireless or verizon DSL/whatever they call it these days. FYI, I didn't have access to port scanning at the time, nor have I looked extensively at the behavioral evidence. However, the IP is in very few blacklists (or lists of any sort) and looks to be fairly dynamic. There's nothing precluding a modem reset or work vs. home. So to reiterate, block evasion possibly, open proxy unlikely. A few week evasion block maybe. A few year proxy block, don't think so. Sailsbystars (talk) 01:36, 26 April 2011 (UTC)
I'm inclined to agree with that. It looks fairly dynamic, with few indications of being open and none subject to confirmation. We should probably leave it hanging around a short while in case it continues or changes. I would note I've seen apparently similar edits from a few HTTP proxies, eg 190.7.62.59 (talk · contribs · block log) and 124.193.109.17 (talk · contribs · block log). Who is this user anyway? -- zzuuzz (talk) 06:53, 26 April 2011 (UTC)
The user I think this might be has been known by many names over the years: Corbridge, InaMaka, Getaway, JobsElihu and Keetoowah are the major ones. The sockpuppet investigation is here. The anon IPs he's used suggest he lives in Texas, so I doubt it's a work vs. home issue (that would be quite the commute). And I'm not totally convinced this IP and Corbridge/InaMaka/Getaway et al ARE the same person, but I do think it's certainly possible.
It's also worth noting that in this exchange, InaMaka notes that "However, Sodapaps could be using an IP proxy server ... as you should know, the IP addresses can be masked with a proxy server." Anyway, thanks all for checking it out. Arbor8 (talk) 14:31, 26 April 2011 (UTC)
{{notaproxy}}, if it was ever open it's not open now. -- zzuuzz (talk) 19:58, 2 June 2011 (UTC)

117.206.54.237

117.206.54.237 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan

Reason: Recent edit to Rochville University was vandalism of a pattern that is often associated with paid contributors and self-interested parties. Whois returns no record for the IP. --Orlady (talk) 14:17, 15 May 2011 (UTC) But some whois servers do return data. --Orlady (talk) 14:19, 15 May 2011 (UTC)

Google indicates that the IP is a mail server, and recent sent messages suggest a spambot. Regards, MacMedtalkstalk 17:06, 15 May 2011 (UTC)
Those are fairly typical results for a shared IP address from that part of the world. I'm suspecting this is just an Indian client of the aforementioned institution, using their normal broadband. -- zzuuzz (talk) 17:13, 15 May 2011 (UTC)
{{notaproxy}}, per my comment above. -- zzuuzz (talk) 19:57, 2 June 2011 (UTC)

169.244.136.193

169.244.136.193 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan

Reason: Suspicious edits, in this edit, which was also disruptive for other reasons, the edit also randomly inserted "Proxy-Connection: keep-alive" and "Cache-Control: max-age=0" into the article, which is the cause for my suspicion that it is a proxy of some sort. Monty845 16:57, 1 June 2011 (UTC)

{{notaproxy}}, a misconfigured school proxy, but not an open proxy. -- zzuuzz (talk) 19:53, 2 June 2011 (UTC)
122.169.141.24 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan

Reason: SPI case

  • Specifically only noting one, but would like a second opinion on all listed at SPI for what people see, esp. since it's odd with these IPs. I have info on ports for that range if anyone would like to contact me privately. -- DQ (t) (e) 02:57, 18 April 2011 (UTC)
Don't have time to look in too much detail right now, but I agree the wiki-behavoir is fairly proxy-like (although meat puppetry coordinated via IM or some such could also be a plausible, albeit far less common scenario). I would be surprised to find a proxy on a mobile account for various practical reasons. Nonetheless, at least one of the mobile ips listed was opened on 80... which isn't what you expect from any mobile device except maybe for relatively rare choices such as "MiFi" type routers. Sailsbystars (talk) 03:37, 18 April 2011 (UTC)
Weird, when I checked earlier tonight, no 80 was open on my end for the mobile IPs. Will check in the morning again. -- DQ (t) (e) 04:10, 18 April 2011 (UTC)
Just checked the IP, it seems to be behaving right now...no open ports. -- DQ (t) (e) 11:52, 19 April 2011 (UTC)
I just did a quick check and nothing was there. Since it's a cell range it's almost certainly changed IP by this point anyway.... Maybe it was someone with more sim cards then sense? Anyway, we can probably close this one as notaproxy at this point... Sailsbystars (talk) 00:33, 5 June 2011 (UTC)
{{notaproxy}}, chuck it out the window then :P -- DQ (t) (e) 22:51, 6 June 2011 (UTC)

80.58.205.43

80.58.205.43 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan

Reason: Suspicious edits and expired Blocked proxy.  —SMALLJIM  15:21, 12 June 2011 (UTC)

Nope, it went offline approximately at 02/04/2010 20:15:14. No current open ports either. -- DQ (t) (e) 20:36, 14 June 2011 (UTC)
{{notaproxy}} Concur. Closing.... Sailsbystars (talk) 22:28, 19 June 2011 (UTC)