Wikipedia:WikiProject on open proxies/Requests/Archives/45

Seed4me

Unblocked nodes of Seed4me VPN, which has been recently abused for logged out socking. MarioGom (talk) 21:57, 13 August 2021 (UTC)

Blocked the lot. GeneralNotability (talk) 13:12, 21 August 2021 (UTC)

IP 104.149.167.26

Reason: Requested unblock. Eka343 (talk) 12:00, 14 August 2021 (UTC)

@Eka343: Where have they requested unblock, Eka343? Noting that this IP is caught up in a global rangeblock 104.149.0.0/16 across all Wikimedia projects. --Malcolmxl5 (talk) 12:57, 14 August 2021 (UTC)
@Malcolmxl5: Please ignore this. I helped my friend because he can't make an account on wiki. It turns out that he was using a VPN all along. LOL Eka343 (talk) 13:35, 14 August 2021 (UTC)
@Eka343: Ah well, he just needs to turn off his VPN. OK, I’ll close this report then. --Malcolmxl5 (talk) 13:39, 14 August 2021 (UTC)

P2Ps in Egypt, Peru?

Likely Wikipedia:Long-term_abuse/Nate_Speed who is known to use proxies; in any case, the same user jumping IP ranges and making the same disruptive edits and hassling users. P2P proxies? OhNoitsJamie Talk 02:48, 17 August 2021 (UTC)

Yeah, it's Nate. I suppose I should've reported him earlier, but was having too much fun bantering back & forth with him, on my talkpage. PS - I'm rather annoyed, that he didn't continue, with his new IPs, at my talkpage. GoodDay (talk) 02:52, 17 August 2021 (UTC)

P2P checks are tricky because they are snapshots in time; keep in mind that results may have been different if I had checked three days ago, and will be different if I recheck in 24 hours.

  • Confirmed P2P: 197.49.219.111, 201.240.147.63, 154.182.242.238, 154.160.22.115.
  • Likely: 156.215.60.25, 156.195.177.57, 196.117.136.124
  • Possible, leaning Unlikely: 174.18.8.189.

Judging from the confirmed group, the technical fingerprint is consistent with Nate Speed; generally speaking, his IPs are usually good for 72h proxy-hardblocks. Everything here is already (range-)blocked, closing. --Blablubbs (talk) 14:08, 17 August 2021 (UTC)

154.3.129.0/24

EndOffice. This is a colocation service whose ranges are subranges of Cogent, and is a common service provider for VPNs. This subrange is used by Hide My Ass: 154.3.129.84, 154.3.129.54, 154.3.129.75, etc. MarioGom (talk) 11:28, 21 August 2021 (UTC)

  • There is a large number of Confirmed proxies on this /24 (mostly clustered at the bottom end of the range, but I don't think it's worth trying to figure out what's what here); please hardblock it for two years. --Blablubbs (talk) 10:37, 22 August 2021 (UTC)
Done --Malcolmxl5 (talk) 19:37, 22 August 2021 (UTC)

206.72.192.0/20

Reason: Interserver, Inc. A webhosting provider offering hosting, VPS, dedicated servers, and colocation services. Has been blocked almost continuously since February 2013 either locally[1] or globally[2]. About to come off a five year global block so I guess another long webhost block will be needed. --Malcolmxl5 (talk) 22:27, 21 August 2021 (UTC)

Might as well. Local block re-upped. — Preceding unsigned comment added by GeneralNotability (talk • contribs) 01:52, 22 August 2021 (UTC)

185.195.233.0/24

Mullvad VPN. MarioGom (talk) 16:54, 25 August 2021 (UTC)

135.148.148.205

Reason: OVH is a webhosting provider offering VPS (like the one used by this IP). I haven't listed an IP range as I wasn't sure whether that's appropriate. M.Bitton (talk) 19:45, 29 August 2021 (UTC)

FreeOpenVPN

Free VPN nodes. MarioGom (talk) 21:07, 29 August 2021 (UTC)

2a01:d0:e76c:0:e516:1426:2c78:89e

Reason: Requested unblock. 2A01:D0:E76C:0:E516:1426:2C78:89E (talk) 20:16, 30 August 2021 (UTC)

Well, that’s you isn’t it? And you’re obviously not blocked. But given it’s a "NetAssist free IPv6 tunnel broker", perhaps it should be. --Malcolmxl5 (talk) 20:43, 30 August 2021 (UTC)
The NetAssist is the internet-provider and these addresses refer to the addresses of the end users. Besides, a "IPv6 tunnel" is not a VPN or a proxy. It does not provide additional anonymity. Given the priority of IPv6 over IPv4 in typical settings, the blocking looks strange Dobergroup (talk) 21:14, 30 August 2021 (UTC)
What blocking? This address is not blocked. --Malcolmxl5 (talk) 21:19, 30 August 2021 (UTC)

2A01:D0:0:0:0:0:0:0/32

Reason: Requested unblock. 2A01:D0:E76C:0:E516:1426:2C78:89E (talk) 20:21, 30 August 2021 (UTC)

As above, that range is not blocked. Why are you requesting unblock? --Malcolmxl5 (talk) 21:02, 30 August 2021 (UTC)

139.28.179.0/24

Reason: IP in range used by M247, I noticed that ranges by this service have been blocked previously. Currently used by a very active sock to evade their latest block. Range is (at least) Special:Contributions/139.28.179.0/24. Ravensfire (talk) 14:24, 8 September 2021 (UTC)

M247

M247 ranges, not caught by ASNBlock so far. For those unfamiliar, M247 is the top colocation service used by VPNs, most ranges are locally and globally blocked. MarioGom (talk) 13:45, 9 September 2021 (UTC)

All Confirmed. Awaiting administrative action: Please hardblock all the listed ranges for two years. I recommend blocking 37.120.244.0/22 instead of individual blocks for 37.120.245.0/24, 37.120.246.0/24 and 37.120.247.0/24. Thanks. --Blablubbs (talk) 10:08, 11 September 2021 (UTC)
Now done. Closing. --Blablubbs (talk) 13:36, 11 September 2021 (UTC)

Astrill

Some Astrill VPN ranges and addresses. Veloxee Corp is Astrill's company. MarioGom (talk) 21:19, 9 September 2021 (UTC)

37.111.128.0/24

Reason: turned up in a check on a user that was using it abusively, and I noticed they were hopping between IPs on this range on a daily basis. Additional CU showed a lot of suspicious but probably unrelated accounts and several IPs in the range have been blocked by ST47ProxyBot as P2P proxies recently. – Joe (talk) 05:49, 10 September 2021 (UTC)

Not really a good candidate for a rangeblock. This is a very crowded residential range. Assignment within the range is probably very dynamic, and dozens or even hundreds of users may use each IP simultaneously or in a short period of time. A block of the /24 is likely to incur considerable collateral damage. As for P2P proxy presence, ~6 out of 256 IPs simultaneously flagged as P2P proxy is not too much in a crowded residential range. MarioGom (talk) 20:41, 10 September 2021 (UTC)
I see the /24 has been blocked twice before and the /18 twice before. The /24 had a one year block in 2017 for long term abuse, checkusers have stamped on the /24 and /18 in 2017 and 2019, and the /18 was blocked for three days for disruptive editing just a couple of weeks ago. This seems a problematic range that could well be blocked just to stop the disruptive editing coming from it. --Malcolmxl5 (talk) 23:30, 10 September 2021 (UTC)
@Joe Roe, Malcolmxl5: Mario hits the nail on the head regarding the proxy side of this. The P2P density is not high enough to justify blocking, especially considering that the IPs are very likely shared, and that individual users will probably float across different ranges in relatively short periods of time. The pattern of IP-hopping described in the report makes me think that this user is not on proxy and that Telenor Pakistan's assignment is to blame instead (this appears to be a mobile range, so rapid reassignment is not unexpected). Joe: I can't say much more publicly (there are some noses to protect here), but I'd be happy to email you if you want a more detailed explanation. No objections to a rangeblock if there's disruption coming from the range of course, it just can't be a proxyblock. Closing, though I'm happy to reopen if there's something I missed or misunderstood. --Blablubbs (talk) 10:05, 11 September 2021 (UTC)
Thanks all, that makes sense as far the CU data goes, especially if it's a mobile range. I don't think the disruption that is there is consistent enough for a rangeblock at this time. – Joe (talk) 10:10, 11 September 2021 (UTC)

8.214.0.0/24

Reason: After inspection, the batch of server hosting services belonging to Alibaba. The IP segment is being used by a Wikipedia mirror. There may be a larger IP segment that also belongs to Alibaba.--Here's 28 and did I make a mess? 06:36, 10 September 2021 (UTC)

G-Core Labs (I)

G-Core Labs, common VPN colocation. Everything that isprangefinder finds is blocked, but there are some missing. Here's a first batch. The /16 is full of coloblocks and proxyblocks (stalktoy: 5.188.0.0/16), but the assignments are fragmented, so the /16 cannot be blocked directly. MarioGom (talk) 17:09, 15 September 2021 (UTC)

185.14.45.24

Reason: Owned by G-Core Labs S.A. Hostname (vps.supervpn360.com) indicates that this is used by a VPN. Malcolmxl5 (talk) 11:52, 16 September 2021 (UTC)

SuperVPN 360

Individual IP list

Some unblocked nodes for SuperVPN 360. Found with shodan, verified with spur. MarioGom (talk) 09:13, 18 September 2021 (UTC)

Ranges, all G-Core:

--MarioGom (talk) 09:27, 18 September 2021 (UTC)

149.19.32.0/19

Reason: IP range has a lot of vandalism and disruption coming from it. IP range appears to be registered to a cloud-computing security company with proxy/webhosting services. If this range is not blockable as a webhosting range, it may still need to be blocked for all the continuous disruption. 2601:1C0:4401:24A0:4909:31C8:B003:385D (talk) 19:31, 21 September 2021 (UTC)

193.58.179.144

Reason: BitWeb LLC seems to not be blocked for some reason. Vandalism at Special:Contributions/193.58.179.144. ASN 57271. Their IP ranges should probably be blocked? ProcrastinatingReader (talk) 11:32, 25 September 2021 (UTC)

139.255.70.162

Reason: Indonesia's open proxy. [4]. In editing Wikipedia:Sandbox (see diff), he claimed that some Wikipedians in Japan (incl. reporter) are ja:LTA:PAL. This editing behavior is characteristic in ja:LTA:MSHARED. Motodai (talk) 05:02, 26 September 2021 (UTC)

101.99.64.0/19

Reason: Proxy block is expired, zhwiki has been range blocked.--Here's 28 and did I make a mess? 05:48, 26 September 2021 (UTC)

102.23.96.7

Reason: Confirmed VPN/open proxy by several proxy checking websites. 2601:1C0:4401:24A0:4D33:A476:86EB:73C5 (talk) 19:35, 29 September 2021 (UTC)

102.23.96.0/22 is Opera VPN, blocked. Don't have time to look further than that right now, so I'll leave this open. --Blablubbs (talk) 20:01, 29 September 2021 (UTC)
Also found, Confirmed, and blocked:
Closing. Thanks for reporting. --Blablubbs (talk) 10:50, 30 September 2021 (UTC)

45.144.113.0/24

Reason: Confirmed NordVPN service. See WHOIS and db-ip. 2601:1C0:4401:24A0:6CA7:E631:AEE2:5C3E (talk) 19:21, 30 September 2021 (UTC)

163.120.64.0/19

Reason: IP range registered to iBoss VPN/cloud network. 2601:1C0:4401:24A0:8C9F:F938:CA59:D8FF (talk) 20:09, 1 October 2021 (UTC)

  • iBoss isn't really a conventional webhost, but some sort of cloud security proxy provider, frequently used by schools and the like – if memory serves me right, they send valid XFF. There are a lot of bad edits coming from this range, so I'll give it a soft coloblock. Closing. --Blablubbs (talk) 11:04, 4 October 2021 (UTC)

209.160.96.0/22

Reason: Webhosting range with dedicated servers. 2601:1C0:4401:24A0:8C9F:F938:CA59:D8FF (talk) 20:30, 1 October 2021 (UTC)

Confirmed, blocked. Thanks, IP. I'll see if I can find anything else in a bit. --Blablubbs (talk) 21:01, 1 October 2021 (UTC)
Also found on the same ASN, plus some additional VPN endpoints:
Blocked, closing. Thanks again. --Blablubbs (talk) 21:32, 1 October 2021 (UTC)

2A06:2EC0:0:0:0:0:0:0/32

Reason: IP range registered to webhosting service. Recently used for disruption. 2601:1C0:4401:24A0:7596:24C8:3939:92AC (talk) 17:47, 11 October 2021 (UTC)

93.191.152.0/21

Reason: IP range registered to webhosting service. Recently used for disruption. 2601:1C0:4401:24A0:7596:24C8:3939:92AC (talk) 17:57, 11 October 2021 (UTC)

240d:c010:30::/48

Reason: This IP segment is considered to be a proxy in zhwiki and is banned, so I should be treated the same in local.--Here's 28 and did I make a mess? 02:07, 10 October 2021 (UTC)

@Blablubbs:--Here's 28 and did I make a mess? 12:27, 14 October 2021 (UTC)
Confirmed webhost range. Blocked, closing. Thanks for reporting. --Blablubbs (talk) 08:12, 26 October 2021 (UTC)

66.94.96.0/19

Reason: Dedicated server with recent disruption. 2601:1C0:4401:24A0:11FF:65FF:8E86:342A (talk) 05:58, 12 October 2021 (UTC)

134.195.196.0/22

Reason: Dedicated server with recent disruption. 2601:1C0:4401:24A0:11FF:65FF:8E86:342A (talk) 05:59, 12 October 2021 (UTC)

Vpngate VPNs

Reason: Vpngate VPNs per Spur. Malcolmxl5 (talk) 14:26, 20 October 2021 (UTC)

  • They're all exceedingly Likely, so I've hardblocked all the individual IPs for 6 months. Not more I can do here, unfortunately. Closing, thanks for reporting. --Blablubbs (talk) 10:56, 22 October 2021 (UTC)

PLDT call-back proxies associated with sockfarm

Reason: Suspicious edits, coincident with beauty pageant sockfarm [5][6][7], & IPQualityScore reports 100% fraud score & spur findings on each are "call-back proxy network". ☆ Bri (talk) 04:06, 21 October 2021 (UTC)

  • Fairly Unlikely in the sense that while there are services running, they aren't the type that is likely to be used for socking, and the user in question is probably just a residential customer on an infected range. Closing without action. --Blablubbs (talk) 11:01, 22 October 2021 (UTC)

204.74.208.0/20

Reason: Take 2 Hosting. Blocked twice before as proxy/webhost[8], for five and three years. Last block expired in January. Malcolmxl5 (talk) 10:43, 26 October 2021 (UTC)

@Malcolmxl5: Confirmed the full /20 via whois; looks good to block. —Mdaniels5757 (talk • contribs) 15:25, 26 October 2021 (UTC)

Unblock 89.38.160.43

Reason: whois says Fiber to the Home/Business Network. Likely not an open proxy anymore? Can you review and unblock? I already removed the gblock. Martin Urbanec (talk) 11:29, 26 October 2021 (UTC)

@Martin Urbanec: Possible IP is an open proxy. There is an open port (1723) that is used for VPN access. It requires a username and password for access. Admin: please decide appropriate action. —Mdaniels5757 (talk • contribs) 15:32, 26 October 2021 (UTC)
Username and password makes it a closed (for authenticated-only users) proxy, unless anyone can obtain a valid combination. Or am I missing something? Martin Urbanec (talk) 16:18, 26 October 2021 (UTC)
It's not uncommon for carrier grade routers to have 1723 open – and I also think Martin Urbanec's reasoning here is sound. This looks like it's collateral from an ASN block, since the /22 is registered to NFOrce, and that specific /24 is assigned to a home broadband provider; blocking the entire range would arguably be too wide anyway. I'm inclined to unblock; ping @ST47 as the blocking admin: Would you be okay with me lifting the block on the /24? --Blablubbs (talk) 19:04, 26 October 2021 (UTC)
Go ahead if you wish to unblock it. ST47 (talk) 20:02, 26 October 2021 (UTC)
Thanks. Unblocked the /22 and reblocked everything but that specific /24. Closing. --Blablubbs (talk) 10:41, 27 October 2021 (UTC)
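
The range arithmetic behind two decisions in this archive, as an added example that is not part of the discussion or of any participant's tooling: the M247 thread's recommendation of 37.120.244.0/22 in place of three /24 blocks, and the resolution above where the /22 was unblocked and everything but one /24 reblocked. The function names are hypothetical, and the /22 and /24 around 89.38.160.43 are derived from the reported IP as an assumption rather than quoted from the page.

```python
import ipaddress


def enclosing(ip, prefixlen):
    """CIDR block of the given prefix length that contains ip."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def covering_supernet(nets):
    """Smallest single CIDR block that contains every network in nets."""
    nets = [ipaddress.ip_network(n) for n in nets]
    if len({n.version for n in nets}) != 1:
        raise ValueError("need at least one network, all of one IP version")
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    candidate = ipaddress.ip_network(f"{first}/{first.max_prefixlen}")
    while last not in candidate:          # widen one bit at a time
        candidate = candidate.supernet()
    return candidate


def carve_out(block, exempt):
    """CIDR blocks that cover `block` minus every network in `exempt`."""
    remaining = [ipaddress.ip_network(block)]
    for e in (ipaddress.ip_network(x) for x in exempt):
        kept = []
        for r in remaining:
            if r.version != e.version or not r.overlaps(e):
                kept.append(r)                     # exemption does not touch r
            elif r.subnet_of(e):
                continue                           # r is entirely exempt
            else:
                kept.extend(r.address_exclude(e))  # e lies strictly inside r
        remaining = kept
    return sorted(remaining)


if __name__ == "__main__":
    # Ranges named in the M247 thread.
    listed = ["37.120.245.0/24", "37.120.246.0/24", "37.120.247.0/24"]
    wide = covering_supernet(listed)
    # What the wider block covers beyond the three listed /24s.
    print(wide, "also covers", carve_out(str(wide), listed))

    # Assumption: the /22 and /24 are the ones containing the reported IP.
    outer = enclosing("89.38.160.43", 22)
    keep_open = enclosing("89.38.160.43", 24)
    print("reblock:", carve_out(str(outer), [str(keep_open)]))
```

The first result shows that a single wider block also takes in one /24 that was not listed individually, which is the part to confirm before widening a block.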

220.86.0.33

Reason: See below. —‍Mdaniels5757 (talk • contribs) 16:07, 26 October 2021 (UTC)

Vpngate VPNs

Reason: Vpngate VPNs per Spur. Malcolmxl5 (talk) 20:55, 26 October 2021 (UTC)

wikimirror.org

Reason: The information for both IP addresses is wikimirror.org, and this domain name has appeared on the page on zhwiki mirror fork list.--Here's 28 and did I make a mess? 13:38, 30 October 2021 (UTC)

119.160.58.0/23

Reason: Multiple IPs on this range are already blocked via ST47ProxyBot. IPs on this range have vandalized multiple pages as well as hijacked redirects. Owner is Mobilink Infinity WiMAX. Jalen Folf (talk) 18:05, 6 November 2021 (UTC)

67.202.78.4

Reason: Steadfast, a Chicago based company providing webhosting services. Flagged by db-ip, proxycheck.io, getipintel, IPQS and IPHub. Multiple local and global blocks in logs at /18.[9][10] Malcolmxl5 (talk) 21:36, 8 November 2021 (UTC)

148.59.127.0/24

Reason: Registered to VirtualShield LLC (a VPN service). 2601:1C0:4401:24A0:C0D7:275F:595C:9A8A (talk) 20:32, 10 November 2021 (UTC)

216.24.45.0/24

Reason: Amazon AWS Cloud. 2601:1C0:4401:24A0:F421:B01C:5D8:AEFB (talk) 18:00, 3 November 2021 (UTC)

For this and the below report, I'm inclined to say no; the ranges in question appear to belong to a cloud security provider (Menlo Security), and while it's anonymizing I wouldn't call it "open" since only corporate customers are routing traffic through it. GeneralNotability (talk) 20:08, 10 November 2021 (UTC)

168.245.155.0/24

Reason: Amazon AWS Cloud. 2601:1C0:4401:24A0:F421:B01C:5D8:AEFB (talk) 18:59, 3 November 2021 (UTC)

2A0A:C802:4:0:0:0:0:0/48

Reason: IP range belongs to webhosting/cloud service. Recently used for abuse. 2601:1C0:4401:24A0:C0D7:275F:595C:9A8A (talk) 18:18, 10 November 2021 (UTC)

Abuse?! Sheesh, nothing abusive in the range as far as I can see, but then again it's probably mostly me. Let's try a little WP:AGF, and maybe remember WP:NPA. Of course I have no idea what's going on with the logged-in edits but then again neither do you so...
I can't answer the technical questions here, not my area, however it is a free application that is anonymising so I suspect it's blockable. I also suspect that english monoglots are unlikely to be able to find this application or use it so it's unlikely to be a big risk. It may also be unavailable in some parts of the world where the editor base is concentrated, but that's mostly speculative based on some not at all recent travel experience with different apps.
Sorry to bother you Blablubbs, I told myself I wasn't going to create makework for anyone by spontaneously reporting every random IP I was assigned, but since we're here it might be best if you took a look. If this does become a recurring issue I am of course open to any suggestions you have to make things less awkward. For obvious reasons I won't be responding directly to this thread if the range is blockable, but you can be assured that I'll see your response. Regards, 2A0A:C802:4:1:0:0:0:34 (talk) 19:49, 10 November 2021 (UTC)
Upon review there was something weird going on the 20th of June, but I wouldn't necessarily call that recent, and it hasn't been repeated but it is a tad concerning, I don't think that increases the urgency here but I could see how someone could reasonably disagree. Regards, 2A0A:C802:4:1:0:0:0:34 (talk) 19:57, 10 November 2021 (UTC)
I believe you can request a block exemption so that you won't be affected by the block (see: Wikipedia:IP block exemption), although you will have to create an account first. 2601:1C0:4401:24A0:C0D7:275F:595C:9A8A (talk) 20:30, 10 November 2021 (UTC)
  • Gah, I had typed out a response to this but apparently forgot to post it. Tldr: It's a Confirmed webhost and I blocked, along with some others, and whether the edits are constructive or not didn't play into that determination; I have no way of knowing what might happen with these ranges in the future, or what is currently happening on them through registered accounts. Closing. --Blablubbs (talk)
@2601:1C0:4401:24A0::/64 not happening, see meatball:LoginsAreEvil; I note you never did strike that last sentence, oh well. Regards, 62.78.92.89 (talk) 05:32, 13 November 2021 (UTC)