Wikipedia:WikiProject on open proxies/Requests/Archives/46
This is an archive of past discussions on Wikipedia:WikiProject on open proxies. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current main page.
104.225.160.0/19
Reason: Registered to iboss, inc. Softblock needed on this one. Lots of vandalism coming from this IP address as well. 2601:1C0:4401:24A0:8093:DB9C:FC19:972F (talk) 21:18, 10 November 2021 (UTC)
- Softblocked given the vandalism. Closing. --Blablubbs (talk) 20:39, 11 November 2021 (UTC)
105.112.191.250
Reason: Flagged by proxycheck.io and spur as an open proxy. Malcolmxl5 (talk) 01:36, 15 November 2021 (UTC)
- Confirmed (HTTP port 3128), blocked for a week. Thanks for reporting, closing. --Blablubbs (talk) 13:14, 15 November 2021 (UTC)
77.66.105.10
Reason: Webhost. Owned by Netgroup A/S, hosting and cloud service provider in Denmark. Flagged by db-ip, proxycheck.io, getipintel and IPQS. Previous blocks as colocationwebhost in log[1]. Malcolmxl5 (talk) 12:02, 9 November 2021 (UTC)
- NMAP shows port 443 as open and used with Cisco ASA SSL VPN. ~Oshwah~(talk) (contribs) 06:06, 17 December 2021 (UTC)
- This specific subrange appears to be owned by the Solrød Municipality; while there is indeed some hosting going on that range, I'm not seeing any evidence of ongoing abuse and blocking around subranges would be a pain, so I'll go ahead and close without action. --Blablubbs (talk) 01:06, 18 December 2021 (UTC)
72.140.180.86
Reason: A Toronto-based Rogers IP, flagged by ipcheck as a proxy. This IP has an interest in the same geographic area as Ineedtostopforgetting (talk · contribs). Shodan says that port 7547 is open for the device using this IP. EdJohnston (talk) 17:42, 20 November 2021 (UTC)
- Confirmed, blocked, closing. Thanks for reporting. --Blablubbs (talk) 21:12, 20 November 2021 (UTC)
107.115.16.0/20
Reason: AT&T has a new proxy server called AT&T VPN Web Browser. This is one of their IP ranges. Lamesdoes (talk) 19:45, 1 December 2021 (UTC)
- @Lamesdoes: Could you provide links to the service you are referring to, and details as to what makes you believe this range belongs to it? Thanks. --Blablubbs (talk) 19:49, 1 December 2021 (UTC)
- @Blablubbs nvm, that IP range is too large. Anyway, since it was only released last month, ISP rangefinder has yet to add this. Lamesdoes (talk) 20:33, 1 December 2021 (UTC)
- Interesting, because I can't find any mention of it whatsoever. Closing. --Blablubbs (talk) 20:34, 1 December 2021 (UTC)
12.217.180.250
Reason: Flagged by ipcheck and spur as (possible) proxy. An AT&T IP address making contentious edits on Singapore-related articles relating to Singapore politics and judiciary. – robertsky (talk) 13:38, 14 December 2021 (UTC)
- This IP is using lighttpd, and with port 80 open. This takes you to a Cisco Meraki administration console. ~Oshwah~(talk) (contribs) 09:58, 17 December 2021 (UTC)
- Might have been proxying traffic at some point, but I'm not seeing anything right now that would make me inclined to block. Closing without action. --Blablubbs (talk) 01:02, 18 December 2021 (UTC)
104.249.62.105
I should be blocked, but am not
This IP address is a VPN service (Surfshark, specifically, their Bend, Oregon, USA server). It should therefore be blocked per WP:PROXY.
I'm actually User:NateNate60, just signed out for the purposes of making this post. 104.249.62.105 (talk) 07:38, 19 December 2021 (UTC)
- You can ask at Wikipedia:WikiProject on open proxies/Requests for it to be blocked. – SD0001 (talk) 07:49, 19 December 2021 (UTC)
- Confirmed per SSL Cert on 443, blocked the /24. Will try to find some time to see if I can uncover anything else later. --Blablubbs (talk) 14:53, 19 December 2021 (UTC)
- Found and blocked quite a few more. Closing. --Blablubbs (talk) 17:54, 21 December 2021 (UTC)
114.41.200.225
Reason: IP is currently OS blocked, they also claimed they are an open proxy. — xaosflux Talk 14:38, 21 December 2021 (UTC)
- @Xaosflux: At the very least Highly likely – it's an OS block, so I won't fiddle with it myself, but I would recommend extending to a month and making it a hardblock. Closing. --Blablubbs (talk) 17:38, 21 December 2021 (UTC)
- @Blablubbs: thank you, I'll convert it to a proxy block at this point. — xaosflux Talk 19:34, 21 December 2021 (UTC)
185.136.216.158
Reason: IPVandal admittedly using an open-proxy from this address. Currently blocked for 1-week per WP:Vandalism Amortias (T)(C) 10:28, 24 December 2021 (UTC)
- Confirmed – the IP is a VPN exit, 185.136.216.0/22 is hosting range. Also found three other ranges belonging to the same provider:
- All blocked, closing. Thank you for reporting, Amortias. --Blablubbs (talk) 11:12, 24 December 2021 (UTC)
83.136.182.0/24
Reason: Dedicated webhosting server with open proxies. 47.5.105.113 (talk) 19:32, 12 January 2022 (UTC)
- Confirmed – that's NordVPN. Will try to take a closer look later. --Blablubbs (talk) 20:14, 12 January 2022 (UTC)
- Found some more, blocked some more, closing. Also noting for posterity that the filing IP is a (now-blocked) proxy too. --Blablubbs (talk) 15:33, 13 January 2022 (UTC)
182.160.154.134
Reason: Used for UPE and promotional edits. IPCheck indicates high likelihood of being a proxy hosted by "Hostopia Australia Web". – Joe (talk) 16:12, 3 February 2022 (UTC)
- From a preliminary look I can say that the single IP is a Confirmed VPN exit on a hosting range. I'll have a closer look later – proxychecks on mobile are no fun. --Blablubbs (talk) 16:26, 3 February 2022 (UTC)
- @Joe Roe: As mentioned above, 182.160.128.0/18 is a confirmed hosting range. Hardblocked two years, plus the following, which also belong to Hostopia or its subsidiaries:
- There might be more to be found with a deeper dive, but I'm on pizzamaking duty tonight. Closing, thanks for the report. --Blablubbs (talk) 17:23, 3 February 2022 (UTC)
168.245.155.0/24
Reason: Amazon AWS. Disruption. 2601:1C0:4401:24A0:95E8:4DB9:3862:F374 (talk) 20:51, 15 December 2021 (UTC)
- Closing without action; see Wikipedia:WikiProject on open proxies/Requests/Archives/45#216.24.45.0/24 for the rationale – this is the same provider. --Blablubbs (talk) 11:23, 23 February 2022 (UTC)
101.0.32.228
Reason: Flagged on proxy checker as a possible proxy, as well as recent minor disruptive edits (mostly unexplained section blanking) OhKayeSierra (talk) 14:20, 26 December 2021 (UTC)
- Declined to run a check. Edits seem consistent with the IP geolocation, and I'm not seeing any other red flags. --Blablubbs (talk) 11:21, 23 February 2022 (UTC)
173.10.230.157
Reason: Suspicious spam edit; Hostname: mail.ludwig-walpole.com, could be compromised host ☆ Bri (talk) 02:48, 28 December 2021 (UTC)
- Definitely Possible, but not strong enough for me to block. Closing without action. --Blablubbs (talk) 11:20, 23 February 2022 (UTC)
204.13.168.0/21
Reason: Doesn't appear to belong to an open proxy anymore, the range has belonged to the Roblox Corporation since 2019. wizzito | say hello! 06:52, 16 January 2022 (UTC)
- Unblocked. Thanks, --Blablubbs (talk) 11:24, 23 February 2022 (UTC)
45.80.168.0/22
Reason: According to [2], 45.80.168.0/22 is now assigned to AS206238 (Freedom Internet BV) rather than AS62240, as noted in the block message. Martin Urbanec (talk) 15:30, 5 February 2022 (UTC)
- I concur. Unblocked. Thanks, --Blablubbs (talk) 11:28, 23 February 2022 (UTC)
74.243.15.112
Flagged by GetIPIntel and IPHub. Firestar464 (talk) 08:31, 2 February 2022 (UTC)
- This appears to be a BellSouth/AT&T IP sublet from Microsoft (which might lead to those flags), but I see no clear indication that this is a proxy aside from that bit of weirdness. Closing without action. --Blablubbs (talk) 20:28, 25 February 2022 (UTC)
2A01:4F8:C0C:C129:0:0:0:1
Reason: Proxy IP used by hide.me Germany server, block range if needed. Kline | yes? 22:40, 23 February 2022 (UTC)
- Confirmed webhost, hardblocked the /29 and a bunch of other Hetzner ranges. Closing. --Blablubbs (talk) 20:18, 25 February 2022 (UTC)
192.99.37.222
Reason: Proxy IP used by VPNBook (www.vpnbook.com), block range if needed. Kline | yes? 23:18, 23 February 2022 (UTC)
- Confirmed, /16 hardblocked. Closing, thanks for reporting. --Blablubbs (talk) 20:21, 25 February 2022 (UTC)
2A01:4F9:C010:B393:0:0:0:1
Reason: Proxy IP used by hide.me Finland server, block range if needed. Kline | yes? 19:38, 25 February 2022 (UTC)
- Confirmed, already caught in a rangeblock from Special:Permalink/1073994218#2A01:4F8:C0C:C129:0:0:0:1. Closing, thank you for reporting. --Blablubbs (talk) 20:22, 25 February 2022 (UTC)
213.152.9.2
Reason: Flagged by GetIPIntel. Blocked on ruwiki and ruwikiquote as an open proxy. Firestar464 (talk) 02:48, 8 March 2022 (UTC)
- Possilikely (a mix between possible and likely) at best from a technical perspective; I can't confirm. Already AO-gblocked though, which should be enough. Closing without local action. --Blablubbs (talk) 09:32, 8 March 2022 (UTC)
107.182.226.18
Reason: Proxy IP used by VPNBook (www.vpnbook.com). Kline | yes? 22:06, 14 March 2022 (UTC)
- Confirmed webhost, blocked the /20. Closing, thank you for reporting. --Blablubbs (talk) 16:08, 30 March 2022 (UTC)
185.244.130.59
Reason: SkyVPN according to Spur. Malcolmxl5 (talk) 23:36, 16 March 2022 (UTC)
- In progress --Blablubbs (talk) 16:10, 30 March 2022 (UTC)
- Confirmed webhost, blocked along with a couple others. Closing, thank you for reporting. --Blablubbs (talk) 16:13, 30 March 2022 (UTC)
148.72.0.0/16
Reason: Webhost (GoDaddy), recently unblocked but someone forgot to reblock wizzito | say hello! 04:54, 17 March 2022 (UTC)
- Already handled. Closing, thanks for reporting. --Blablubbs (talk) 16:14, 30 March 2022 (UTC)
216.73.160.0/22
Reason: VPN (Bandito Networks) 2601:901:4300:1CF0:97D8:7DA6:CA14:BFA4 (talk) 11:57, 30 March 2022 (UTC)
- Confirmed plus 2602:FC2A::/36; both blocked. Closing, thank you for reporting. --Blablubbs (talk) 16:18, 30 March 2022 (UTC)
5.255.102.127
Reason: TOR exit according to Spur. Malcolmxl5 (talk) 12:40, 31 March 2022 (UTC)
- Confirmed webhost, I blocked everything here that wasn't blocked yet. Closing, thank you for reporting. --Blablubbs (talk) 15:19, 2 April 2022 (UTC)
104.129.57.128/26
Reason: Windscribe VPN 104.129.57.154 (talk) 20:04, 2 April 2022 (UTC)
- Confirmed, blocked, closing. --Blablubbs (talk) 09:02, 5 April 2022 (UTC)
104.129.56.160/27
Reason: Windscribe VPN 104.129.56.174 (talk) 20:08, 2 April 2022 (UTC)
- Confirmed, blocked, closing. Thank you for reporting. --Blablubbs (talk) 09:03, 5 April 2022 (UTC)
169.150.197.0/24
Reason: Windscribe VPN 169.150.197.215 (talk) 20:44, 2 April 2022 (UTC)
- Confirmed, blocked, closing. Thank you for reporting. --Blablubbs (talk) 09:04, 5 April 2022 (UTC)
66.90.72.174
Reason: Proton VPN. Malcolmxl5 (talk) 15:06, 4 April 2022 (UTC)
- Confirmed, /18 blocked, closing. Thank you for reporting. --Blablubbs (talk) 09:05, 5 April 2022 (UTC)
91.228.152.0/22
Reason: Webhost wizzito | say hello! 15:11, 2 April 2022 (UTC)
- Fornex Hosting S.L. --Malcolmxl5 (talk) 23:41, 10 April 2022 (UTC)
- Confirmed and blocked along with some others. Closing, thank you for reporting. --Blablubbs (talk) 10:11, 20 April 2022 (UTC)
103.172.145.0/24
Reason: Appears to be a proxy (Giga Fibernet) wizzito | say hello! 15:12, 2 April 2022 (UTC)
- Giga Fibernet appears to offer residential Internet access. I can't see any sign of proxy here, although anything is possible with MikroTik routers. MarioGom (talk) 20:01, 6 April 2022 (UTC)
- Concur with Mario, I don't have enough to rangeblock here – though given the region, I wouldn't be surprised if there are some compromised routers floating around. Closing without action. --Blablubbs (talk) 10:13, 20 April 2022 (UTC)
82.165.0.0/16
Reason: Webhost (Ionos/Fasthosts) wizzito | say hello! 23:09, 4 April 2022 (UTC)
- N.B. 82.165.64.0/18 is globally blocked until May 2024. Malcolmxl5 (talk) 23:27, 4 April 2022 (UTC)
- Mixed range, so this is a little tricky. I did find a VPN exit that recently edited, so I blocked that, but I'll hold off on whacking the entire /16 since current global block seems to be mostly working. Closing. --Blablubbs (talk) 10:22, 20 April 2022 (UTC)
72.21.16.0/22
Reason: Webhost/server (Whatbox) 2601:901:4300:1CF0:8AA3:3020:6ABD:E109 (talk) 02:45, 9 April 2022 (UTC)
- Confirmed and blocked, plus everything here. Closing, thank you for reporting. --Blablubbs (talk) 10:07, 20 April 2022 (UTC)
213.174.128.0/19
Reason: Webhosts 2601:901:4300:1CF0:A958:3BCD:2592:9CBB (talk) 00:55, 10 April 2022 (UTC)
- Advanced Hosters B.V. Malcolmxl5 (talk) 08:59, 10 April 2022 (UTC)
- In progress --Blablubbs (talk) 10:23, 20 April 2022 (UTC)
- Confirmed and blocked, plus . Closing, thank you for reporting. --Blablubbs (talk) 10:27, 20 April 2022 (UTC)
185.57.222.177
Reason: Suspicious edits & from geo it appears to be a static IP assigned to a datacenter & IPHunter says it is bad ☆ Bri (talk) 22:24, 11 April 2022 (UTC)
- Possible at best, though that might be because too much time has elapsed since the report. In any case, I don't have enough to action this at this time. Closing. --Blablubbs (talk) 10:47, 20 April 2022 (UTC)
136.23.0.0/19
Reason: Google One VPN 2601:901:4300:1CF0:928B:61C3:40AC:EE08 (talk) 13:52, 18 April 2022 (UTC)
- Confirmed, blocked. Thank you for the report. --Blablubbs (talk) 10:49, 20 April 2022 (UTC)
217.138.0.0/16
Reason: Datacenter/VPN wizzito | say hello! 02:23, 10 April 2022 (UTC)
- Very Unlikely – appears to be a B2B fibre internet provider per WHOIS. Closing without action. --Blablubbs (talk) 16:15, 25 April 2022 (UTC)
64.124.10.50
Requesting review of this /17 block based on an off-wiki request (the specific IP is the one the requester is using). Requester reports that they are using a new wireless fiber network called WeLink that has been in service for ~2 months, and that no proxies or VPNs are in use. ‑‑ElHef (Meep?) 20:07, 16 April 2022 (UTC)
- Seems like this checks out [3][4]. This looks like a fairly annoying mixed range with individual /24s being leased to non-hosting customers (I also found this children's hospital for example), since the upstream ISP seems to offer lots of fiber connection things. Pinging the blocking admin @SQL: Could I bother you to take a look? I'm not sure what the best approach here is – maybe drop down the entire range to AO? --Blablubbs (talk) 10:42, 20 April 2022 (UTC)
- @Blablubbs and SQL: Just a bump so this doesn't get forgotten. If it needs some time to sort out that's fine, but I've been working with this requester for awhile and at the moment we're blocked on the outcome of this request. Could we maybe workaround with IPBE if we created an account for this requester? I can provide more details of the request privately if needed, feel free to email or IRC me. ‑‑ElHef (Meep?) 21:44, 23 April 2022 (UTC)
- Dropping by to note that I've seen this. SQLQuery Me! 23:06, 23 April 2022 (UTC)
- @Blablubbs & @ElHef: It's probably OK to whitelist this range, the more I've looked into it. The range resolution is pretty sketchy, but it's probably alright. It looks like this was a webhosting range in the past, per a couple searches, but while some domains do still point to these ranges, none appear to actually have any working web services.
- You'll need to block around it (and 64.124.31.0/24 as well, per the BGP report also belongs to this carrier). The following blocks should block all but 64.124.31.0/24 and 64.124.10.0/24:
- 64.124.0.0/21
- 64.124.8.0/23
- 64.124.11.0/24
- 64.124.12.0/22
- 64.124.16.0/21
- 64.124.24.0/22
- 64.124.28.0/23
- 64.124.30.0/24
- 64.124.32.0/19
- 64.124.64.0/18 SQLQuery Me! 23:46, 23 April 2022 (UTC)
- @SQL and ElHef: Should be all Done – I also excluded the hospital I linked above. Closing, thanks both. --Blablubbs (talk) 15:57, 24 April 2022 (UTC)
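The "block around it" step in SQL's reply above can be computed rather than worked out by hand. The following is an added example, not code posted by any participant in this discussion: it uses Python's standard `ipaddress` module to list the CIDR blocks that cover a parent range while leaving exempted subranges unblocked. The parent `64.124.0.0/17` is an assumption taken from the "/17 block" named in the request, and the function names are hypothetical.

```python
import ipaddress

# Assumption: the existing rangeblock under review is this /17.
PARENT = "64.124.0.0/17"
# The two /24s the reply above says must stay unblocked.
EXEMPT = ["64.124.10.0/24", "64.124.31.0/24"]


def block_around(parent, exempt):
    """Return the CIDR blocks covering `parent` except every network in `exempt`.

    The result is sorted by address and minimal: no two returned blocks
    can be merged into a larger one without touching an exempt range.
    """
    parent_net = ipaddress.ip_network(parent)
    remaining = [parent_net]
    for item in exempt:
        hole = ipaddress.ip_network(item)
        # Reject exemptions that would silently have no effect.
        if hole.version != parent_net.version or not hole.subnet_of(parent_net):
            raise ValueError(f"{hole} is not inside {parent_net}")
        kept = []
        for net in remaining:
            if hole == net or net.subnet_of(hole):
                # This block lies entirely inside the exemption: drop it.
                continue
            if hole.subnet_of(net):
                # Split the block into the pieces that surround the hole.
                kept.extend(net.address_exclude(hole))
            else:
                kept.append(net)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def is_blocked(address, blocks):
    """True if `address` falls inside any of the computed blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in blocks)


if __name__ == "__main__":
    blocks = block_around(PARENT, EXEMPT)
    for net in blocks:
        print(net)
    # The requester's address must end up outside every block.
    print("64.124.10.50 blocked:", is_blocked("64.124.10.50", blocks))
```

Further exemptions, such as the additional range mentioned in the closing comment, are handled by appending them to the exempt list and recomputing.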
213.251.238.26
Reason: Open proxy. Previously blocked by the proxy-bot in March 2022 for 2 weeks. 213.251.238.26 (talk) 17:51, 28 April 2022 (UTC)
- Already blocked by Malcolmxl5 – Confirmed, for the record. Closing, thanks for reporting. --Blablubbs (talk) 15:13, 7 May 2022 (UTC)
5 Juli-stiftelsen
- 85.24.253.12
- 85.24.253.14
- 85.24.253.18
Reason: It appears that the edits were from a Swedish VPN. It has been blocked in other Wikipedia editions and projects. SpinnerLaserzthe2nd (talk) 18:09, 6 May 2022 (UTC)
- This group is Confirmed (Integrity VPN, a whitelabel service selling to ISPs). Further checks In progress – I've poked someone smarter than me to see if we can enumerate the remaining nodes. --Blablubbs (talk) 15:33, 7 May 2022 (UTC)
- @Blablubbs: Oh my Jesus, these proxies need to be blocked ASAP. I knew something fishy was going on with these IPs. SpinnerLaserzthe2nd (talk) 19:10, 10 May 2022 (UTC)
- Thanks for the reminder – Confirmed by the aforementioned smarter person:
- 85.24.253.0/26
- 79.136.77.96/27
- 85.24.253.0/26
- 94.254.51.192/27
- 155.4.14.0/26
- 155.4.89.128/25
- 176.10.248.192/27
- Will block. Closing, thank you for reporting. --Blablubbs (talk) 20:16, 10 May 2022 (UTC)
94.244.0.45
Reason: When I checked in https://whatismyipaddress.com/ip/94.245.0.45, I suspected a proxy server belongs to Ukrdatakom Ltd. Vitaium (talk) 13:11, 23 February 2022 (UTC)
- Inconclusive, quite low risk. It's a Google Cache server, located in a range owned by Rusanovka. The company is both a hosting provider and also a residential ISP. Given that the IP has never edited Wikipedia, and that the range 94.244.0.0/19 seems fine, I'm closing without action. MarioGom (talk) 17:23, 13 May 2022 (UTC)
161.69.123.0/24
Reason: Mcafee Wgcs VPN per Spur. Malcolmxl5 (talk) 23:44, 30 March 2022 (UTC)
- For the admin handling this: there's a previous discussion about McAfee WGCS at Wikipedia:WikiProject on open proxies/Requests/Archives/43#185.125.227.0/24, which is a corporate VPN. MarioGom (talk) 15:53, 1 April 2022 (UTC)
- N.B. IP 161.69.123.10 is softblocked for three years. Malcolmxl5 (talk) 19:55, 25 April 2022 (UTC)
- Malcolmxl5: Thanks! I'm closing the case. It seems McAfee WGCS does not allow completely arbitrary IP changes, so risk of jumping to other IPs seems low. However, if the abuse does appear again in a different IP, I'd recommend soft-blocking the /16: 161.69.0.0/16. For future reference, if anyone considers fully blocking McAfee WGCS, here's their full list of ranges: [5]. MarioGom (talk) 17:17, 13 May 2022 (UTC)
37.1.200.0/21
Reason: Webhost/VPS wizzito | say hello! 22:31, 4 April 2022 (UTC)
- 37.1.207.52 is a Confirmed VPN exit. I'll perform some further checks on the range. MarioGom (talk) 17:30, 13 May 2022 (UTC)
- 37.1.200.0/21 belongs to cloud provider scalaxy, and hosts a large number of VPN nodes (see shodan, ports 500 and 50000) of an unidentified service. Please, hard-block this range for, at least, one year. Blablubbs: you may want to look into AS 58061 or prepare one of these beautiful block tables? This AS has many ranges identified as Rsocks LTD, so it looks worth to look into it. MarioGom (talk) 19:14, 13 May 2022 (UTC)
- Doing... --Blablubbs (talk) 22:22, 13 May 2022 (UTC)
- @MarioGom: Grabbed the AS and blocked some of the more obvious ranges (including the one above). Special:Permalink/1087682055 has the remainder of the AS, in case you want to take a closer look at the remainder. Closing. --Blablubbs (talk) 22:34, 13 May 2022 (UTC)
- Thanks! MarioGom (talk) 23:45, 13 May 2022 (UTC)
86.127.19.37
Reason: Suspicious spammy edits [6] & IPQualityScore indicates proxy+VPN ☆ Bri (talk) 23:01, 8 May 2022 (UTC)
- @MarioGom: you reverted this IP [7], interested in the possible proxy? ☆ Bri (talk) 19:59, 13 May 2022 (UTC)
- Yeah, I was checking this IP but had to leave. I'll post later. MarioGom (talk) 20:22, 13 May 2022 (UTC)
- Bri: It's Unlikely that this is a proxy right now (per port scan and other services). IPQS data might be older. MarioGom (talk) 23:11, 13 May 2022 (UTC)
38.130.248.0/22
Reason: Proxy/webhost (MR Networking, SRL) wizzito | say hello! 23:05, 4 April 2022 (UTC)
- It's a little hard to tell what the ISP offers precisely, but this doesn't look like a dedicated hosting range. Closing without action. --Blablubbs (talk) 10:58, 14 May 2022 (UTC)
103.214.112.0/23
Reason: webhost wizzito | say hello! 23:25, 8 April 2022 (UTC)
- Confirmed, the following IPs are unblocked nodes of FlyGateVPN:
- 31.192.107.217
- 94.103.12.201
- 102.223.74.94
- 103.214.112.26
- 103.214.112.29
- 103.214.112.42
- 103.214.112.153
- 103.214.112.229
- 194.156.67.200
- Everything else is already covered by other webhost blocks. I would recommend hardblocking the following with {{colocationwebhost}}:
- 31.192.107.0/24 (HOSTKEY-RU-AS, NL)
- 94.103.12.0/24 (TRUSTEDNETWORK-AS, RU)
- 102.223.72.0/22 (SUN NETWORK AFRICA CLOUD [8])
- 103.214.112.0/23 (PT Cloud Hosting Indonesia / PT Denbe Anugerah Solusindo [9])
- 194.156.67.0/24 (FOXCLOUD_COMMUNICATIONS_SRL)
- Best, MarioGom (talk) 23:44, 13 May 2022 (UTC)
- Done and closing. --Malcolmxl5 (talk) 07:49, 14 May 2022 (UTC)
175.143.95.18
Reason: I'm using a shadowsocks proxy. This is my IP address. — Preceding unsigned comment added by 175.143.95.18 (talk • contribs) 16:32, 6 May 2022 (UTC)
- Do you have connection details or a reference to the proxy listing this came from? I cannot verify this externally. MarioGom (talk) 23:12, 13 May 2022 (UTC)
- Highly likely an open proxy. I have found a probable external signature for this open shadowsocks proxy network. This particular IP seems to be residential, so the proxy probably won't stay in the same IP indefinitely. Requesting a second opinion for the appropriate administrative action. MarioGom (talk) 21:00, 23 May 2022 (UTC)
- Proxy blocked for a month – that's usually my starting point for open proxies because I think it's a reasonable compromise between covering a good chunk of the expected lifespan and not incurring excessive collateral, though I guess it's mostly a matter of preference. Closing. --Blablubbs (talk) 06:39, 25 May 2022 (UTC)
2001:2d8::/32, 2001:e60::/32, 2001:4430::/32 (IPv6)
- 2001:2d8::/32 – SK Telecom, Currently blocked on this wiki for 1 year for unknown reasons (probably an open proxy or Long-term abuse)
- 2001:e60::/32 – Korea Telecom
- 2001:4430::/32 – LG U+
Reason: South Korean mobile network operator's LTE open proxy bands. These bands have a lot of block logs on kowiki (Typical reasons are page pranks, page vandalism, and avoiding of block through multiple accounts and IPs within the bands: 2001:2d8::/32, 2001:e60::/32, 2001:4430::/32), and these bands are violating policies and guidelines and vandalising through multi-accounts and IP addresses abuse. Also, these bands are habitual multi-account mass creation band and in the blocking log, the reason for 2 bands is "Long-term abuse". 2001:2d8::/32 and 2001:e60::/32 band is currently blocked on kowiki for 3 days. (2d8 and e60) If unblocked, there is a risk of causing problems in various wiki projects including Wikipedia. Please permanently block editing user talk page too and globally lock these LTE bands with IP address only. Goondae (talk) 11:43, 9 May 2022 (UTC)
- Additional information needed. @Goondae: I'm confused – is there any evidence these ranges have proxies on them? If yes, could you please provide it? If no, I'm afraid this is not the right venue; WP:ANI or m:SRG would probably be your best bet. On a sidenote, @Girth Summit: I've added {{anonblock}} to the block mentioned by the filer; I hope that's alright. --Blablubbs (talk) 20:30, 10 May 2022 (UTC)
- Thanks Blablubbs, I should have done that in the first place. Cheers Girth Summit (blether) 05:34, 11 May 2022 (UTC)
- These LTE bands are proxied by mobile network operators. These bands, which are IPv6, are more anonymous because the IP address changes just by turning LTE off and on. This easily circumvents penalties and abuses policies and guidelines (e.g. changing an IPv6 address by turning LTE off and on on a blocked IPv6 address). Therefore, these bands can be considered as open proxy. Goondae (talk) 12:15, 15 May 2022 (UTC)
- By that logic, shouldn't we block most mobile networks IP addresses? I can do exactly the same thing and jump around on a /13 IPv4 covering an entire city of 1.5 million. Mako001 (C) (T) 🇺🇦 12:30, 15 May 2022 (UTC)
- While dynamic IPs may be harder block targets sometimes, that does not make them proxies. Closing without action. --Blablubbs (talk) 12:58, 15 May 2022 (UTC)
175.158.155.92
{{proxycheckstatus}}
- 175.158.155.92 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Editing corp article frequented by COI editors including logged-out UPE sockfarm [10] & spur indicates this is a call-back proxy. ☆ Bri (talk) 20:39, 31 May 2022 (UTC)
- Highly likely a residential proxy. Given the exact proxy service here (as seen in spur advanced API), the article target, and some other characteristics of this edit, I'm fairly sure this is the Yoodaba sockfarm. They have used this proxy network since June 2021. Usage by other sockfarms is very unusual. Note that they almost never use the same IP twice, and that residential proxies are highly dynamic, so a block is unlikely to be even noticed by them. MarioGom (talk) 18:39, 3 June 2022 (UTC)
- Marking for a second opinion on the administrative action (or lack thereof). MarioGom (talk) 18:40, 3 June 2022 (UTC)
- This would have likely been an ineffective block if we had gotten to it at the time (the pool here is large and dynamic), and by now, the IP is functionally Stale. Closing. --Blablubbs (talk) 10:01, 15 June 2022 (UTC)
92.53.0.0/18
{{proxycheckstatus}}
I have noticed a continued string of poor quality edits from this IP range, usually on automotive pages or pages about windows software. The pattern is typically nonconstructive copyedits, unsourced info, and the like, which are often reverted. IP user only ever leaves the edit summary "New changes". Usually the edits will persist over several days until the IP is warned about using an edit summary on their talk page, and then a similar pattern will emerge with a different IP. IPBilly (talk) 23:01, 14 June 2022 (UTC)
- It appears that nine IPs in that range are currently blocked by ST47ProxyBot as P2P VPN. That does suggest an issue. Malcolmxl5 (talk) 23:27, 14 June 2022 (UTC)
- Looking at the /16, I see a host of /22, /23, /24 rangeblocks by ST47 as a colocation webhost. And three global /20, /22 blocks by Jon Kolbert. This might be more trouble than it’s worth. Malcolmxl5 (talk) 23:36, 14 June 2022 (UTC)
- As far as this particular individual is concerned (the "New changes" guy), they are using 92.53.16.0/23. Malcolmxl5 (talk) 00:11, 15 June 2022 (UTC)
- Might be this guy: User:Иван Стефановски. Malcolmxl5 (talk) 00:28, 15 June 2022 (UTC)
- @IPBilly and Malcolmxl5: I vaguely remember that ISP because I recall having been annoyed by it in the past. They do offer some hosting, but they are primarily a broadband provider. Both the Shodan return for the /18 and spot checks of individual IPs that have edited don't show any clear signs of proxy presence, and the /23 mentioned above is part of a block assigned to "CableTEL DOOEL Macedonia Veles Triple Play Clients". The apparently fairly stable presence of this one user on a single range also speaks against the possibility of proxy use. Other bits of the /16 do seem to be hosting ranges, but those are owned by other providers. Closing without action from a proxy perspective only; I haven't looked at the socking angle. Thanks for the report. --Blablubbs (talk) 10:16, 15 June 2022 (UTC)
- Should I open a report at SPI? IPBilly (talk) 15:50, 15 June 2022 (UTC)
- @IPBilly: Your call – if you think you can prove socking, sure. --Blablubbs (talk) 09:20, 16 June 2022 (UTC)
- Just a postscript that the /23 was blocked by JBW for three months as a normal admin action. --Malcolmxl5 (talk) 22:35, 28 June 2022 (UTC)