User talk:Zzuuzz/Archive 36

This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page .

I did remember. 95.179.176.0/20 (talk · contribs · deleted contribs · filter log · WHOIS · RDNS · RBLs · block user · block log) is in need of a block (see Special:Contributions/95.179.183.45 / 95.179.183.45.vultr.com). - Tom | Thomas.W ^talk 19:56, 18 January 2019 (UTC)[reply]

Shingling334 is currently editing from choopa/vultur 199.247.19.165 (talk · contribs · deleted contribs · filter log · WHOIS · RDNS · RBLs · http · block user · block log)... --IamNotU (talk) 00:34, 23 January 2019 (UTC)[reply]

Looks like the filters didn't work, as Bidhan Singh is back causing disruption. I guess I'm going to have to accept it. Wikipedia simply can't stop the guy :( GoodDay (talk) 16:48, 21 January 2019 (UTC)[reply]

Hi Zzuuzz, Does the edit filter not work on talk pages ? this is third such edit on talk page in 3 days. [1] --DBigXrayᗙ 14:55, 24 January 2019 (UTC)[reply]

You are indeed currently correct, and I cordially refer you at this time to my ANI posts on the topic. Feel free to hassle me further, however. -- zzuuzz ^(talk) 16:49, 24 January 2019 (UTC)[reply]

All right, I will continue keeping an eye on these talk pages. What is the hit count on the Bidhan Singh filter so far? --DBigXrayᗙ 17:06, 24 January 2019 (UTC)[reply]

We are at 12, with regular stuff plus this template possibly a newer target. -- zzuuzz ^(talk) 21:28, 24 January 2019 (UTC)[reply]

OK, you won't see that in that form again. And thus we've moved forward to the latest edits. -- zzuuzz ^(talk) 14:59, 25 January 2019 (UTC)[reply]

you won't see that in that form again.. meaning in the form that includes his name ? . Do we already have an LTA page on this ? is he eligible for one ? (I believe he does) --DBigXrayᗙ 15:07, 25 January 2019 (UTC)[reply]

Who knows what they'll do next. I'm not persuaded about an LTA page, however it may be beneficial to make some notes at the SPI, especially, but not exclusively, anything before this month. -- zzuuzz ^(talk) 15:11, 25 January 2019 (UTC)[reply]

As you can see, Bidhan Singh isn't going to stop. Perhaps, Wikimedia needs to step in. GoodDay (talk) 04:23, 1 February 2019 (UTC)[reply]

(User:Oshwah lets discuss further on User_talk:Zzuuzz since this entry was going to be removed by AIV bot.)

• 2405:205:A081:553:9122:1321:E028:67FC (talk · contribs · (/64) · deleted contribs · filter log · WHOIS · RBLs · http · block user · block log) – Enough recent and ongoing disruptive edits by Bidhan Singh vandalizer to merit an IP block. DBigXrayᗙ 06:20, 11 February 2019 (UTC)[reply]

Warned user. The IP user's edits seem to be editing tests or

good faith attempts to edit or see what can be edited. Left a warning accordingly. ~Oshwah~^{(talk) (contribs)} 06:24, 11 February 2019 (UTC)[reply

]

it is a Dynamic IP of a narcissist

WP:LTA vandal, whose self promotional campaign has been checked by edit filters (thanks to Zzuuzz), hence he is resorting to such nonsensical disruptive, edits. For pages that are regularly vandalized, I also seek page protection e.e. diff, diff. Based on what I have seen recently, his IP is dynamic, but he continues on 10-15 disruptive edits, so IMHO it makes sense to block his IP which is why I had reported him at AIV, If admins like Zzuuzz and Oshwah feel that it is not worth blocking then I will save my efforts in future and let him continue his vandalism for the day. --DBigXrayᗙ 07:12, 11 February 2019 (UTC)[reply

]

good faith attempts to edit" . While we discuss, if posting him at AIV makes sense. regards. --DBigXrayᗙ 07:20, 11 February 2019 (UTC)[reply

]

Ahh, this huge IP range-hopping tomfoolery again... Yeah, I've been trying to figure out a good way with dealing with this throughout the day today... unfortunately, there's no perfect option. The ranges are incredibly wide, the articles edited are many, and the issues are ongoing. I've blocked the IP above for evasion. I'm interested to see how quickly the edits hop from one IP and range to another... ~Oshwah~^{(talk) (contribs)} 07:25, 11 February 2019 (UTC)[reply]

yes, good call on blocking the IP, better late than never. you can also see thoughts of other page watchers at User_talk:GoodDay#Requested PP for 2 pages already on how he behaves. --DBigXrayᗙ 07:32, 11 February 2019 (UTC)[reply]

@Oshwah: I'll generally insta-block a /64 for a day or so if it's within the last day or so (with good reason, although not entirely effective). There's at least two common ranges which are something like 2405:204:C000::/39 and 2405:205:A000::/39. And we're filtering with 58 and 478. It's a tricky one to nail down. I'm hoping this is just a final spurt before they get bored. -- zzuuzz ^(talk) 08:47, 11 February 2019 (UTC)[reply]

Zzuuzz - Thanks for the information. Yup, that's what I found when I looked into it and did some digging on the IP ranges involved; they're two very wide ranges that are both from the same ISP and geolocation, and (as you said) a tough situation to crack down on that doesn't have a silver bullet solution. I hope so, too... we'll find out one way or another. ;-) Thanks again for the input. Cheers - ~Oshwah~^{(talk) (contribs)} 08:53, 11 February 2019 (UTC)[reply]

@Oshwah: Can't we not temporarily protect Indian Central Government related pages. He mostly vandalizes those pages. - Fylindfotberserk (talk) 09:40, 11 February 2019 (UTC)[reply]

]

@Oshwah: OK I'll RPP articles as soon as I find any vandalism on them by this Bidhan Singh guy. I'll mention his "name" in the request as well. - Fylindfotberserk (talk) 09:50, 11 February 2019 (UTC)[reply]

Fylindfotberserk - Perfect. ;-) ~Oshwah~^{(talk) (contribs)} 09:54, 11 February 2019 (UTC)[reply]

• Yes
  WP:LTA--DBigXrayᗙ 10:01, 11 February 2019 (UTC)[reply
  ]

DBigXray, Absolutely. - Fylindfotberserk (talk) 10:05, 11 February 2019 (UTC)[reply]

The key to it, is that the community is becoming more aware. GoodDay (talk) 13:30, 11 February 2019 (UTC)[reply]

WP:AIV and request page protection, whenever you see him. --DBigXrayᗙ 13:36, 11 February 2019 (UTC)[reply

]

I just may. GoodDay (talk) 13:49, 11 February 2019 (UTC)[reply]

Requested PP for few articles today. - Fylindfotberserk (talk) 12:14, 12 February 2019 (UTC)[reply]

Started Wikipedia:Long-term abuse/Bidhan Singh, please expand and update the page. --DBigXrayᗙ 04:42, 16 February 2019 (UTC)[reply]

Inviting to expand and add on the LTA page above. @LiberatorG:, @Shellwood:, @General Ization:, @Cptmrmcmillan:, @Fylindfotberserk:, @GoodDay:, Zzuuzz, @Oshwah: --DBigXrayᗙ 03:40, 17 February 2019 (UTC)[reply]

Cool. Ya'll usually got the rascal's IPs caught, while I'm away :) GoodDay (talk) 03:44, 17 February 2019 (UTC)[reply]

@DBigXray: Nice job sir. - Fylindfotberserk (talk) 09:29, 17 February 2019 (UTC)[reply]

Vandal block request

Hi. An user with username Chow Mridu paban is involved in POV pushing and adding unsourced/manipulated content(unrelated reference links) in Magh Bihu even after repeated reverts. User trying to remove his name from this list. Kindly take action soon.157.47.190.33 (talk) 13:35, 23 January 2019 (UTC)[reply]

	The Anti-Vandalism Barnstar
	Thank you for shutting this vandalism down. Criticalthinker (talk) 10:20, 26 January 2019 (UTC)[reply]

Thanks. Any time. -- zzuuzz ^(talk) 13:21, 26 January 2019 (UTC)[reply]

		The Checkuser's Barnstar
		I, the IP, hereby give you the Checkuser Barnstar; for your due diligence and tiring works (including behind the scenes) in Sockpuppet investigations, courage to come up and block frivolous yet dangerous proxies, besides, management of time not withstanding the overall service you have provided to Wikipedia. Thnx very much zzuuzz you are really great!!!182.58.172.35 (talk)

Thanks, you're welcome. -- zzuuzz ^(talk) 22:26, 27 January 2019 (UTC)[reply]

There is currently a discussion at Wikipedia:Administrators' noticeboard/Incidents regarding an issue with which you may have been involved. The thread is Any CU interested in a new rabbit hole?. GAB^gab 21:43, 29 January 2019 (UTC)[reply]

I think the time has come to put random additions of the word "pubg" [2] to be added in edit filter list against vandalism. your thoughts ? (refer

)

It's a new one on me. I think we have a fortnite-type filter somewhere. Is it common though? -- zzuuzz ^(talk) 10:03, 30 January 2019 (UTC)[reply]

Not as common as Fortnite, AFAIK. Kids play Fortnite more than PUBG. ―Abelmoschus Esculentus (talk • contribs) 12:23, 30 January 2019 (UTC)[reply]

• Zzuzz, from the pages I watch, I have reverted 3 such additions, I am sure that they aren't only happening on pages I watch. DBigXrayᗙ 06:26, 10 February 2019 (UTC)[reply]

AE, please see List of best-selling video games#List#6 with 50 million sales. Never heard about Fortnite nor is it in the list.--DBigXrayᗙ 06:26, 10 February 2019 (UTC)[reply]

@DBigXray: Well, Fortnite is released in 2017 and it's free. It was a meme as well. ―Abelmoschus Esculentus (talk • contribs) 06:34, 10 February 2019 (UTC)[reply]

Hi, I'm CaptainDanger25, I'm the user that reported the Sim12 accounts. The user you blocked Benedictfoos2 hacked my account just right now. He changed the password under MediaWiki and now I can't log back in. He was a user I had issues with years ago. I was wondering if you try to get it back under my control. Thanks! --2605:6000:A507:A300:59AA:B37C:7C87:D6EC (talk) 03:38, 10 February 2019 (UTC)[reply]

Never mind I figured it out. Thanks anyway! --CaptainDanger25 (talk) 04:02, 10 February 2019 (UTC)[reply]

@CaptainDanger25: OK, drop me a line if there's any further trouble. I can't recover an account for you, but I can check it and block it, so we repeat the process you've already been through. Please make sure you have a strong unique password, which you can remember. See Wikipedia:User account security. -- zzuuzz ^(talk) 10:10, 10 February 2019 (UTC)[reply]

@Zzuuzz: I'll remember that next time, Thanks a lot. --CaptainDanger25 (talk) 16:10, 10 February 2019 (UTC)[reply]

thought no one was going to turn up on that one - thank you JarrahTree 00:30, 14 February 2019 (UTC)[reply]

You're welcome. -- zzuuzz ^(talk) 00:50, 14 February 2019 (UTC)[reply]

I see you've blocked multiple blogspot spammers this morning; an account was just blocked for repeated addition of this link; not sure if it should be blacklisted also. Home Lander (talk) 18:42, 17 February 2019 (UTC)[reply]

I'll generally reserve blacklisting for sites which are repeatedly spammed. Not sure that's the case here. Also, different MO to the rest of today's spammers. -- zzuuzz ^(talk) 19:54, 17 February 2019 (UTC)[reply]

If NBA Referees1 is a LTA, would User talk:NBA Referees be as well? 331dot (talk) 20:38, 20 February 2019 (UTC)[reply]

Unrelated. It's a typical joe-job from Nsmutte. -- zzuuzz ^(talk) 20:38, 20 February 2019 (UTC)[reply]

Ah. Makes sense. Thanks for the clarification. 331dot (talk) 20:46, 20 February 2019 (UTC)[reply]

Hello. My Evlekis-detector started buzzing when Konigboom (talk · contribs · deleted contribs · nuke contribs · logs · filter log · block user · block log) reverted a recent edit of mine, and I saw their contributions so far. Not 100% sure yet, though. Cheers, - Tom | Thomas.W ^talk 14:40, 24 February 2019 (UTC)[reply]

I don't think so. All things are possible, but I don't think so. -- zzuuzz ^(talk) 16:14, 24 February 2019 (UTC)[reply]

You could compare it to Special:Contributions/Hick Hick. I got the exact same vibes when this account showed up last summer, and kept an eye on it for a while, but then it stopped editing, only to resurface several months later, and get CU-blocked by Ponyo. - Tom | Thomas.W ^talk 19:39, 24 February 2019 (UTC)[reply]

Hope this helps heal your blocking finger which is surely getting a workout today! HickoryOughtShirt?4 (talk) 22:47, 24 February 2019 (UTC)[reply]

Hello! There is an ongoing survey going on at User:ImmortalWizard/User survey 1. As a fellow Wikipedian ImmortalWizard would like you to answer some questions. It wouldn't take too long, and your participation will be appreciated. Thanks, THE NEW ImmortalWizard(chat) 16:59, 26 February 2019 (UTC)[reply]

I see that you blocked

]

Rollback request

Hi zzuuzz, I'd like to request rollback privileges. Initially thought I could manage without it, but have recently dealt with two instances that made me reconsider.

1) The first is described on this talk page thread I started today. An IP user made 3 consecutive edits, and in the first edit (Edit #1), they inserted (what I suspect was intentionally) incorrect info. In order to revert Edit #1, I had to revert Edits #2 and 3, which they quickly reverted before I could revert Edit #1. Rollback would've allowed me to just directly roll back all 3.

2) The second was clearly vandalism, in 2 parts. Edit #1 inserted vandalism in one part of the article; Edit #2 moved the reworded vandalism to a different spot in the article. When I reverted Edit #2, it rolled back to Edit #1, which ALSO contained the vandalism, and made it look like I was the one who added it. I quickly undid Edit #1, but the rollback tool would've prevented this problem.

In any case, if granted the rollback privilege, I will definitely use it carefully and sparingly per the rollback guidelines; I also noticed there were confirmation scripts available, as well as a way to add edit summaries--both would be quite useful.

Thanks! Big universe (talk) 04:49, 16 March 2019 (UTC)[reply]

Hi zzuuzz, forgot to leave a message here yesterday--I ended up enabling TWINKLE, and it's the better option for me, so thanks a lot for the suggestion. I posted a reply to your post anyway, in case you had time to read it. It is a bit long (didn't have enough time to trim it down more), but I hope it contains satisfactory answers to your questions/concerns. Thanks again for your time and help! Big universe (talk) 03:20, 20 March 2019 (UTC)[reply]

Hello sir, I'm a active user of Wikipedia. And I have requested for permission for helping Wikipedia for a safer place and help fellow Wikipedian's. If you feel I need more practice though, I'll be happy to gain more experience. So, I would like to grab your attention. Im extremely sorry if I words are rude towards you sir. Thank you for taking the time to review my case, and have a nice day! AR.Dmg (talk) 12:22, 23 March 2019 (UTC)[reply]

remove TPA? --Thegooduser Life Begins With a Smile :) 🍁 22:03, 23 March 2019 (UTC)[reply]

General philosophy:

RBI. -- zzuuzz ^(talk) 22:05, 23 March 2019 (UTC)[reply

]

Ok, Got it. Just like

WP:DENY. --Thegooduser Life Begins With a Smile :) 🍁 22:07, 23 March 2019 (UTC)[reply

]

Hi Zzuuzz. Since they are continually adding a protection template to a page that is not protected removal of TPA would keep the page from showing up in the Category:Wikipedia pages with incorrect protection templates. They might get bored and stop eventually though :-) MarnetteD|Talk 22:24, 23 March 2019 (UTC)[reply]

]

Thank you--that account was evading a block. Would you mind increasing the protection for that article? JNW (talk) 20:56, 24 March 2019 (UTC)[reply]

• Thanks, JNW (talk) 21:14, 24 March 2019 (UTC)[reply]

Oops! ——SerialNumber54129 09:29, 27 March 2019 (UTC)[reply]

Definitely not the first! -- zzuuzz ^(talk) 09:33, 27 March 2019 (UTC)[reply]

Thanks very much! ——SerialNumber54129 09:37, 27 March 2019 (UTC)[reply]

I see you deleted content I uploaded, can it not be used freely for commentary?

• Do you not understand what "copyright" means? Drmies (talk) 19:17, 30 March 2019 (UTC)[reply]
• @
  WP:NFCC in particular. -- zzuuzz ^(talk) 19:19, 30 March 2019 (UTC)[reply
  ]

@Zzuuzz the free alternative is now out of date with Brexit having not happened on March 29th, my revision corrects to April 12th the timeline. — Preceding unsigned comment added by InfodudeUK (talk • contribs) 19:23, 30 March 2019 (UTC)[reply]

@InfodudeUK: You are welcome to write some text, or create a new image, or update the existing image, though obviously nothing too similar to the BBC image. Sorry but we take copyright very seriously around here. There simply not enough justification here to just nick someone else's work (and claim it as your own). You should really read that page. -- zzuuzz ^(talk) 19:27, 30 March 2019 (UTC)[reply]

@Zzuuzz Very well then, I'll set about creating my own image. — Preceding unsigned comment added by InfodudeUK (talk • contribs) 19:29, 30 March 2019 (UTC)[reply]

Here's another sock of 2603:3023:169:C000:902C:27DA:A5F0:6F56 (talk · contribs · (/64) · deleted contribs · filter log · WHOIS · RBLs · http · block user · block log): 206.188.62.113 (talk · contribs · deleted contribs · filter log · WHOIS · RDNS · RBLs · http · block user · block log), based on Special:Diff/891433425, a repeat of Special:Diff/890107316. —[AlanM1(talk)]— 02:08, 8 April 2019 (UTC)[reply]

Thanks. For the record, that's Wikipedia:Sockpuppet investigations/DeepNikita. -- zzuuzz ^(talk) 06:22, 8 April 2019 (UTC)[reply]

Hi,

Thanks for blocking that IP I reported. As you included yourself in

has been sitting just below the backlog threshold for a couple of days (for reasons entirely unrelated to the fact that I'm on that request list). If you have a moment to consider those requests, it would be much appreciated.

Best, Mdaniels5757 (talk) 17:34, 13 April 2019 (UTC)[reply]

Moving this here since it’s really a different discussion, but thanks for pointing them out. I looked at the OTRS ticket and there was nothing particularly sensitive going on there, and over a decade the ownership of the IPs may have changed/whatever students were in the supposed school are now at the very least no longer there/not in school at all given the passage of time. TonyBallioni (talk) 15:34, 19 April 2019 (UTC)[reply]

Then thanks for reviewing and unblocking them, though I would say that it's the staff and not the students that matter, and whether the same staff is still there and what they might have been promised (wiki policy aside). The staff obviously realised that it's no use stopping particular students and that kids will always be kids and that the spew will always continue. Hopefully their firewall investment has improved in the last decade. -- zzuuzz ^(talk) 15:46, 19 April 2019 (UTC)[reply]

You're fast![3] Bishonen | talk 20:44, 21 April 2019 (UTC).[reply]

An editor has asked for a discussion to address the redirect ＃Metoo. Since you had some involvement with the ＃Metoo redirect, you might want to participate in the redirect discussion if you wish to do so. UnitedStatesian (talk) 02:44, 26 April 2019 (UTC)[reply]

You may wish to revoke talk page access.--Cahk (talk) 09:13, 26 April 2019 (UTC)[reply]

Only one person was vandalizing this article a few years ago https://en.wikipedia.org/wiki/Tony_Attwood

]

OK. I'll put on some pending changes for a while. -- zzuuzz ^(talk) 19:43, 26 April 2019 (UTC)[reply]

Hello, could the above user be Wikipedia:Long-term abuse/JarlaxleArtemis? JACKINTHEBOX • ^TALK 07:49, 28 April 2019 (UTC)[reply]

Or perhaps User:TryToBeFunny. I thought as you are a Checkuser, you might be able to find out. Anyway the user is now blocked. JACKINTHEBOX • ^TALK 08:09, 28 April 2019 (UTC)[reply]

Indeed that's User:TryToBeFunny.[4] -- zzuuzz ^(talk) 08:49, 28 April 2019 (UTC)[reply]

Ah thanks. JACKINTHEBOX • ^TALK 09:03, 28 April 2019 (UTC)[reply]

Would it be at all possible if I could ask you to block 140.0.160.175 (

]

(talk page watcher) Blocked (Extinct Species Vandal) — JJMC89 (T·C) 04:51, 29 April 2019 (UTC)[reply]

If one of these is blocked, what duration do you suggest? Thanks, EdJohnston (talk) 18:12, 2 May 2019 (UTC)[reply]

I'd say a lot of the time you can probably rely on your own usual non-proxy block length algorithm. Most are gone within a few days, so a month won't usually hurt anyone. Three probably won't hurt much either. If they've been blocked before it's probably a different matter - blocked in the last year, maybe block for a year? -- zzuuzz ^(talk) 18:56, 2 May 2019 (UTC)[reply]

This message was sent to all administrators following a recent motion. Thank you for your attention. For the Arbitration Committee, Cameron11598 03:02, 4 May 2019 (UTC)[reply]

ArbCom would like to apologise and correct our previous mass message in light of the response from the community.

Since November 2018, six administrator accounts have been compromised and temporarily desysopped. In an effort to help improve account security, our intention was to remind administrators of existing policies on account security — that they are

remains an optional means of adding extra security to your account. The choice not to enable 2FA will not be considered when deciding to restore sysop privileges to administrator accounts that were compromised.

We are sorry for the wording of our previous message, which did not accurately convey this, and deeply regret the tone in which it was delivered.

For the Arbitration Committee, -Cameron11598 21:04, 4 May 2019 (UTC)[reply]

Moved from Special:Diff/895636479

Zzuuzz, could you kindly ask Mr. Docker not to edit my talk entries? He's made the odd allegation that it is an "unwarranted reference to his wife," when. in fact, it refers to a someone who was editing under that name. I'm done editing here, but it's the principle of the matter, as there is nothing violative that I can think of. Thanks. Mystic Technocrat (talk) 16:07, 5 May 2019 (UTC)[reply]

@Mystic Technocrat and D. R. Docker: Since User:Janthana was editing and being referred to, there is no problem referring to this user. Thanks. -- zzuuzz ^(talk) 16:32, 5 May 2019 (UTC)[reply]

Hi Z, Rajeshbieee is requesting an unblock. There is a history of sockpuppetry, but with a cursory understanding of his case, I think he might have screwed up early on and may now have a legitimate interest in contributing constructively. He's invoking the

]

"That impersonation LTA again"

...is at it again, as you can see in my logs. Between heavy hitters such as you and DoRD, what can you do? Drmies (talk) 17:18, 9 May 2019 (UTC)[reply]

@Drmies:. Or see my log. I see there's quite some global log. Maybe the way forward. If not global we could go local. -- zzuuzz ^(talk) 20:21, 9 May 2019 (UTC)[reply]

Zzuuzz, I LOVE looking at your log, but I was more being chatty along the lines of "hey smart people put a stop to this", haha, because I saw y'all's names in the CU logs. You know, I still know way too little about the global thing and don't have much of an inclination to learn. Should I? What these stewards do seems so difficult, and even further removed from article writing... Drmies (talk) 00:13, 10 May 2019 (UTC)[reply]

I am a new user. I have been undoing vandalism edits and reporting users, but i want to learn more about Wikipedia.

Do you know if there is an article about Wikipedia policy?

Thanks. 186.11.3.51 (talk) 22:30, 9 May 2019 (UTC)[reply]

Hello. How about

WP:SOCK? -- zzuuzz ^(talk) 22:40, 9 May 2019 (UTC)[reply

]

OK that was hilarious. Drmies (talk) 00:18, 10 May 2019 (UTC)[reply]

After some peace and quiet, the Indian university cellphone spammer dropped another one: 9540098653 [5]. Maybe you can add to filter as opportunity arises. Cheers --Elmidae (talk · contribs) 16:47, 11 May 2019 (UTC)[reply]

 Done. Yup the filter's been blocking some more of this stuff recently. -- zzuuzz ^(talk) 14:30, 12 May 2019 (UTC)[reply]

'nother one please: 9470493850 [6]. Cheers --Elmidae (talk · contribs) 18:36, 24 May 2019 (UTC)[reply]

Three different numbers from that IP. Done. -- zzuuzz ^(talk) 19:27, 24 May 2019 (UTC)[reply]

One more, obfuscated: 987l3648l5 (using l's) [7]. Cheers --Elmidae (talk · contribs) 13:30, 27 May 2019 (UTC)[reply]

Another one (must be enrolment season...): O987l36 4815@ [8] --Elmidae (talk · contribs) 21:57, 27 May 2019 (UTC)[reply]

Another one: 8447424471 [9] --Elmidae (talk · contribs) 14:27, 28 May 2019 (UTC)[reply]

And another one (may have already been added by Widr): 987l364&l5 [10] --Elmidae (talk · contribs) 14:30, 28 May 2019 (UTC)[reply]

Another one: 844742447one [11] --Elmidae (talk · contribs) 16:03, 4 June 2019 (UTC)[reply]

I think we're mostly up to date, as there are some variations of that number in the filter. The spammer is hitting what I'll dub the 'useless nonsense limit', where they have to mangle stuff so much to avoid the filter that it becomes useless nonsense. Have some PC instead, this time. -- zzuuzz ^(talk) 18:16, 4 June 2019 (UTC)[reply]

• Onurkd (talk · contribs · deleted contribs · logs · filter log · block user · block log)

Hi. Onurkd is a new account that is showing good abilities to make edits that require experience such as uploading pics and very good skills with reference templates. Seraphim System and her confirmed socks had a habit of typing their edit summaries before the auto-generated text ([12][13][14][15][16][17]). The same thing is being done by Onurkd. Onurkd till now has edited only articles of the main topic edited by Seraphim System and her socks (Ottoman and Turkish history). Can you check the accounts to see whether they are linked or not?

]

I'm not exactly saying it's unlikely, but the evidence doesn't match up. -- zzuuzz ^(talk) 20:22, 16 May 2019 (UTC)[reply]

Thanks for the CU. I am glad Onurkd is innocent and will continue to contribute. Thanks again. Cheers,

Ktrimi991 (talk) 20:40, 16 May 2019 (UTC)[reply

]

Thank you so much for good advice and kindness.

Ktrimi991

Same person?

Could

]

I'd say that's likely (usual disclaimers about meatpuppetry apply). The middle one is almost certainly Deepak Gauravnath (talk · contribs) and Sridhar reddy mca (talk · contribs). Hey you lot, stick to one account please. -- zzuuzz ^(talk) 13:00, 21 May 2019 (UTC)[reply]

Userpage of Malayalammojo contains suspicious descriptions. New account, but sounds like not a beginner user, especially the last sentence seems like the user was involved in arguments before and got blocked. Is the user calling the administrators an *******? 2405:204:D38A:CA0B:7D0F:C514:A118:5A35 (talk) 14:12, 22 May 2019 (UTC)[reply]

Wikipedia:Sockpuppet investigations/Lechuzaj and Wikipedia:Sockpuppet investigations/Mhdsuhail111. -- zzuuzz ^(talk) 15:45, 22 May 2019 (UTC)[reply]

On several Wikia sites, I've noticed several disgusting attack pages directed towards you (such as [18] & [19]). Should we take these as potentially serious threats or just abominable trolling? Are these necessary to report, in your opinion? I am curious to know who's behind this trolling. 12.217.229.162 (talk) 16:31, 25 May 2019 (UTC)[reply]

Hello, yes there's a few of those, and TBH it's nothing particularly new. This time (as usual) it's a troll in America who is banned here for doing vandalism and making threats. I take it about as seriously as a flying turd. I've never figured out the correct place to report abuse there. Maybe you or someone else would know? -- zzuuzz ^(talk) 16:41, 25 May 2019 (UTC)[reply]

This one was blocked (for persistent unsourced editing) before I could file an SPI that come under this group. This is likely a follow up sock after Vaishakh bahu bali. Vandalising the financials in selected pages and the same "Tags: Mobile edit, Mobile web edit, Visual edit". Could you please perform a check to confirm it is the same guy. So this account can also be used as a reference in identifying the behaviour in future cases. Continental Rift (talk) 19:14, 29 May 2019 (UTC)[reply]

It's inconclusive. Also, regarding your own edits, see

WP:LOGOUT. -- zzuuzz ^(talk) 20:38, 29 May 2019 (UTC)[reply

]

You've got mail

Can you escape

Hi zzuuzz, I haven’t looked since the initial check, but Bsadowski1 pinged me in -checkuser IRC about them because of other issues. I’m assuming you found more accounts on different ranges than I checked, but we were both curious as to who the original master was. Courtesy ping to Ruslik0 since he seems to be running point on meta. Probably relevant since they apparently want to run for +sysop again immediately... TonyBallioni (talk) 22:36, 2 June 2019 (UTC)[reply]

@TonyBallioni: Yup, I would say note the checks I did - several accounts (most locked and some noted elsewhere), and a good rummage around various xwiki logs and deleted edits. And I CU-blocked VoltageP. But I don't know any such sockmaster. There were a few blocks on simplewiki, IIRC, but the answer probably lies somewhere between rowiki and wikidata. -- zzuuzz ^(talk) 23:44, 2 June 2019 (UTC)[reply]

They may be related to User:Praxdicae, User:QwertyUyr, User:LVHSer, User:Breaker0987 and some other accounts. At least they registered from the same range. Ruslik_Zero 19:09, 3 June 2019 (UTC)[reply]

@TonyBallioni: After looking over the accounts (and what you said above about the LTA wanting to "run for +sysop again immediately"), my conclusion is that this is Wonderfool, who is probably better known as Robdurbar here on en.wiki. This guy managed to trick the en.wiktionary admins into granting him adminship 5 times on that site. From what I can tell, he's been doing this for years, and when he's not trolling & making a mess on the admin-related pages here, it seems that he's trying to build up trust via a "good hand" sock to make another run at adminship again (one of his socks on en.wiktionary even claimed that someday, he would "find a way back in"). This person appears to be very familiar with CheckUsers and sysops in general, and he even claims to be an ex-SPI Clerk. (Though from his activities, he may have been a CU, though I can't really tell.) He's still making a mess cross-wiki, mostly here and on en.wiktionary. He never seems to stop for long. LightandDark2000 🌀 (talk) 06:19, 4 June 2019 (UTC)[reply]

Hello. The reason this article was set for

]

Hello. I'll consider that going forward, however, whether the edit should remain (which it currently does) is a different question to whether the pending edit should have been approved. If you don't like it (and I can see why you might not) then simply undo it. In terms of PC approval it did not violate any policies and you could even say that the consensus, and history, about this particular change is weak at best. PC is not a good tool for content disputes of this sort. Attempting to hold a lede in stasis with PC is almost certainly going to fail. -- zzuuzz ^(talk) 15:14, 6 June 2019 (UTC)[reply]

On

, you Revision Deleted one of my edits as "purely disruptive material". I do not believe my edits were disruptive in any way whatsoever. Would you mind explaining the deletion?

The

states the following:

Again, I don't believe my edits matched any of the criterion listed in the policy. EggRoll97 ^(talk) 16:56, 19 June 2019 (UTC)[reply]

Hello

oversighted. I won't speculate about the reasons - oversight don't normally do something like that without good reason, but I can probably point in the direction of some places to query it if you have reason to doubt. The main point I'd like you to take away about this stuff when it happens: if a revision has been deleted then it was deleted because the page contained something deletable. It doesn't mean that you added it. -- zzuuzz ^(talk) 18:45, 19 June 2019 (UTC)[reply

]

Sorry for the pre-emptive tagging

Thanks for correcting my incorrect tagging of Joe-Job socks. Sasquatch t|c 21:41, 19 June 2019 (UTC)[reply]

No problem. There's a lot of joe-jobbing going on. -- zzuuzz ^(talk) 21:45, 19 June 2019 (UTC)[reply]

What you are saying is that I was wrong to fight vandalism that was happening realtime while I was addressing it. You are ignoring my view of the incidents and defending someone who was deliberately breaching BLP. Perhaps you would prefer me to ignore vandals in future? After all, I would much rather write articles than be a policeman. Why do I bother? No Great Shaker (talk) 00:09, 3 July 2019 (UTC)[reply]

Not in the slightest. I'm just saying, only say "they edited after warning", after they've edited after a warning. From my point of view, and probably theirs, you asked them to stop and they stopped, which is what we're after. -- zzuuzz ^(talk) 00:14, 3 July 2019 (UTC)[reply]

Hii, This user is hard blocked by ArbCom (by you) 2 months ago, Can you remove their special user rights? Thanks! -- CptViraj (📧) 14:21, 3 July 2019 (UTC)[reply]

OK, done. For the record, although I am not on Arbcom, I do happen to be familiar with the particular circumstances behind this block. Also for the record, per

WP:INDEFRIGHTS in general such rights are not permanent but there is often no hurry to remove them. Saying that, this one won't be needing those again. -- zzuuzz ^(talk) 15:40, 3 July 2019 (UTC)[reply

]

Got it! Regards -- CptViraj (📧) 16:12, 3 July 2019 (UTC)[reply]

re [20]: honestly, I can't quite figure out now what happened there. Obviously, the current Jampal abhrishek (talk · contribs) is Wikinger, as was the Jampal abhrishrek (talk · contribs) I got locked in January. At that time, I must have been seeing a different legitimate user under the "Jampal abhrishek" name somewhere, but I'm damned if I know how Wikinger now got hold of that account name too. Either I misspelled it at the time and the legitimate user is somewhere under yet a third similar spelling, or the legitimate user got renamed and Wikinger subsequently hijacked the name? Fut.Perf. ☼ 08:48, 4 July 2019 (UTC)[reply]

Ah, got it, the legitimate guy was Jampal abhishek (talk · contribs). One "r" less. Fut.Perf. ☼ 08:51, 4 July 2019 (UTC)[reply]

One less mystery in the multiverse. Thanks. -- zzuuzz ^(talk) 09:07, 4 July 2019 (UTC)[reply]

Hi Zzuuzz. Recently an editor filed a report at WP:AN3 from a London-based IP. (This was their only Wikipedia edit, and they were not a party to the dispute they were reporting). Ipqualityscore.com says it is a VPN, but only gives a score of '65 - suspicious'.

https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/178.239.161.219

Would this justify any action? One rule that occurs to me is that socks should not participate in Wikipedia space. ("Undisclosed alternative accounts are not to be used in discussions internal to the project.") I am not aware of any general rule about editing from a VPN. Thanks, EdJohnston (talk) 15:40, 5 July 2019 (UTC)[reply]

Hi Ed. I'm not sure about a 65. VPNs are generally quite difficult to verify, but I'd also consider that IP suspicious. I've been away for a little while and I'm still catching up, but what I do know is that there's some sockpuppetry and trouble-making going on generally in that topic area, for example Newshunter14 (talk · contribs · block log) is technically likely/indistinguishable from the user you mentioned - whatever they were doing is probably related. So be suspicious and take things with a pinch of salt is what I'd say. -- zzuuzz ^(talk) 16:02, 5 July 2019 (UTC)[reply]

Also a slight chance of a joe-job. A while back, we had someone who was imitating the account names of people who were at WP:AN3 and then pretending to continue a war in which they were involved. (e.g. if XX12 is named in a report, they start to edit the article with the newly-created XX14, hoping to put a charge of socking on XX12). The IP and Newshunter14 might both be the identities of a joe-jobber trying to get Newshunter12 blocked. EdJohnston (talk) 19:07, 5 July 2019 (UTC)[reply]

Yup, that was my initial thought (also have a look at Newshunter12's recent user talk edits). There's a few of those joe-jobbers, but I'm not currently sure about the pattern. It might be a local problem, but I don't yet have the full background story. That topic area though - for some reason there's always problems of one sort or another lurking around. -- zzuuzz ^(talk) 19:55, 5 July 2019 (UTC)[reply]

I got a note on my talkpage about this. For whatever reason Newshunter12 (and to a lesser extent me and @Randykitty:) got a few ridiculous death threats 6 months ago, and it resurfaced a few weeks ago; see here for a quick refresher. There has historically been a problem with IPs promoting the GRG and trying to model our articles after their pages. Whoever this is clearly wants to get Newshunter12 in some sort of hot water, most likely because he's been at the forefront of a multi-year effort trying to remove gigantic reams of longevity trivia. The Blade of the Northern Lights (話して下さい) 00:10, 6 July 2019 (UTC)[reply]

Hi, these two users, Jooch A Schmidt and WillColemans, registered and made their first edits at around the same time, and they seem to edit at very similar times of day (plus very similar editing interests). Also, WillColemans created Jooch's talk page with a barnstar. Could they be sock- or meatpuppets? JACKINTHEBOX • ^TALK 19:28, 9 July 2019 (UTC)[reply]

Also see this edit, in which Jooch refers to 'Will Coleman'. JACKINTHEBOX • ^TALK 19:29, 9 July 2019 (UTC)[reply]

I'd say they're probably meatpuppets. I wouldn't be surprised if if one gets blocked they both get blocked. -- zzuuzz ^(talk) 20:25, 9 July 2019 (UTC)[reply]

JUST HOLD UP ONE MF'IN SCHMIDT.

MEATPUPPETS OR SOCK- YOU ASK? WELL LET ME TELL YOU, INTERNET POLICEMEN, WE ARE NEITHER. WE ARE PEOPLE BEHIND THIS KEYBOARD, BARN STARS OF TRUTH. JUSTICE.

YOU MAY KILL BLOCK ONE COLEMAN BUT THREE WILL RISE TO REPLACE ME.

-WILLCOLEMANS — Preceding unsigned comment added by WillColemans (talk • contribs) 20:51, 9 July 2019 (UTC)[reply]

Truth justice, eh? I'm sure that will go a long way. Have you considered contributing something constructive towards the encyclopaedia? -- zzuuzz ^(talk) 21:05, 9 July 2019 (UTC)[reply]

• Adding Special:Contributions/67.182.111.25 —PaleoNeonate – 22:23, 9 July 2019 (UTC)[reply]

Many thanks for blocking; it's of course your decision which I'll respect, but I thought I'd just beg to extend it a bit longer. —PaleoNeonate – 20:52, 9 July 2019 (UTC)[reply]

Yup, just getting a feel for things. I sense longer blocks coming. The paired range, btw, is 172.58.222.0/24. Also btw Newshunter12, all the above (Newshunter14 etc) is/was the same person. -- zzuuzz ^(talk) 21:00, 9 July 2019 (UTC)[reply]

Yes, the route would even be for CIDR 172.32.0.0/11 but that's quite large... Thanks, —PaleoNeonate – 21:05, 9 July 2019 (UTC)[reply]

Actually the 172.56 and 172.58 ranges are both very well known to most admins. Fortunately, they are segmented, to some extent, into even smaller blockable ranges like those I've blocked. -- zzuuzz ^(talk) 21:09, 9 July 2019 (UTC)[reply]

Thank you very much for this information and for all your efforts to combat this issue. I am also grateful you removed the latest vandalism from my talk page. Hopefully this person will find something better to do with their time then harrying me on Wikipedia. Newshunter12 (talk) 02:34, 10 July 2019 (UTC)[reply]

I just wanted to let you know that the same individual vandalized my talk page again, but the comment was removed and the editor blocked for one month by Ponyo. Newshunter12 (talk) 01:05, 11 July 2019 (UTC)[reply]

Heya! How do you feel about Special:AbuseFilter/test/997? It seems to match his recent behaviour (I'm tired of seeing new reports almost every day on AIV) -- Luk ^talk 15:11, 12 July 2019 (UTC)[reply]

Hi Luk. I feel your pain. I think I can speed it up - see what you think. Also, I think last time I looked we were dealing with some specific (quite large) IP ranges. Do you happen to have them? Going by the results so far it's going to be a busy filter otherwise. -- zzuuzz ^(talk) 15:41, 12 July 2019 (UTC)[reply]

I see the two ranges I was thinking of - one in particular - are listed at the LTA. What are your thoughts on that? -- zzuuzz ^(talk) 16:13, 12 July 2019 (UTC)[reply]

I remember of 2409:4064::/36 (talk · contribs · WHOIS) and 2409:4052:2000::/36 (talk · contribs · WHOIS), the last 2 ranges I acted on (I blocked a subnet) -- Luk ^talk 22:56, 12 July 2019 (UTC)[reply]

@Luk: So looking at the hits I think we're going to have to restrict it to those IP ranges being used. Sound OK? -- zzuuzz ^(talk) 09:24, 13 July 2019 (UTC)[reply]

It sounds more reasonable to me than my broad strokes that caught a few false positives! :) -- Luk ^talk 12:49, 13 July 2019 (UTC)[reply]

Hi Zzuuzz. Please check your email. -- Marchjuly (talk) 07:31, 18 July 2019 (UTC)[reply]

Hey! I see you have blocked 71.56.23.5 for 6 months. According to What'sMyIPAdress, that IP is likely a dynamic IP. As such, this IP may be shared by a lot of users. Because this is a long term block, I suggest it can be useful to contact the organisation to whom the IP is registered (

]

While the IP is technically dynamic, it has very clearly been assigned to the same disruptive user for months. This IP address is almost certainly not shared with anybody outside the vandal's home network. Reaper Eternal (talk) 00:30, 20 July 2019 (UTC)[reply]

@Reaper Eternal: True, and it is probably a sticky dynamic IP. Would it be worth it tagging the IP's talk page with {{Dynamic IP}} in case the vandal's network modem is turned off long enough (for whatever reason) for their lease to end? --MrClog (talk) 00:39, 20 July 2019 (UTC)[reply]

What the Reaper said. Actually the vandal has also been using other IP addresses in the meantime, so make of that what you will. I personally see no need to add any tags. If you've ever seen any abuse complaint actually have any effect (or even get a reply), then you're probably in a minority. -- zzuuzz ^(talk) 00:58, 20 July 2019 (UTC)[reply]

Hi zzuuzz, could you maybe take a look at

]

Verified users

Hey, could you add me to the verified user list of WikiProject on open proxies? About that hotel IP thingy: I looked through my results again and couldn't find it for whatever reason. not even when searching for both the IP and "hotel". --MrClog (talk) 12:07, 21 July 2019 (UTC)[reply]

Hi. I'd be happy to help you along the path, but I'm a bit of a stickler for seeing some evidence and throwing some challenges, so for a start I'd like to see you edit with the latest proxy I blocked, and make an edit identical to this one I did a few minutes ago, using the same address. -- zzuuzz ^(talk) 12:35, 21 July 2019 (UTC)[reply]

Can you check that it is still open? It seems to be a HTTP proxy, but the only port nmap found, 113, is closed. Or did I miss something? Thanks, MrClog (talk) 13:18, 21 July 2019 (UTC)[reply]

It's definitely open. Hint: Don't use nmap, you won't need it. You will almost never need nmap. And if necessary, have another read of the previously linked guide. I'll add, to save you any hassle, that you won't need to download or install any software to use it. -- zzuuzz ^(talk) 13:43, 21 July 2019 (UTC)[reply]

I have tried all the usual things: Google results, rDNS, WHOIS, etc. Doesn't seem to be a web proxy, and I tried the various port numbers on the internet, but none worked. Am I missing something obvious here? --MrClog (talk) 13:58, 21 July 2019 (UTC)[reply]

Of course you are. No to be fair it's a fairly decent test of a fairly typical proxy one might encounter and the thinking required, and it's not too obvious for that reason. But it's not too hard. So let's start with the starting point, is port 80 open? Your nmap results seem to suggest not, but how about this? From there you should be coasting. -- zzuuzz ^(talk) 14:10, 21 July 2019 (UTC)[reply]

I tried that, but my browser (Microsoft Edge) says it "Can't reach this page". --MrClog (talk) 14:22, 21 July 2019 (UTC)[reply]

Oh, Microsoft Edge's 'friendly' error messages. You can Google that. I don't use it myself and I doubt any other browser would hide the real message. I guess that another browser might be a requirement (though telnet should get you the right error). Does anything happen to the URL? -- zzuuzz ^(talk) 14:30, 21 July 2019 (UTC)[reply]

I have downloaded Firefox, but no response it that browser either, nor any change in the URL. --MrClog (talk) 15:21, 21 July 2019 (UTC)[reply]

I used Browserling to simulate Google Crome in Windows 7 and I did get a response there, which showed the following domain: www1.sitemix.jp. Can't access that website. --MrClog (talk) 15:40, 21 July 2019 (UTC)[reply]

OK, that's one way to do it. You're on the right path. Hint: What can you find out about this "sitemix.jp" in relation to this quest? -- zzuuzz ^(talk) 15:47, 21 July 2019 (UTC)[reply]

Ipqualityscore on on 157.250.156.30 says it is a 'high risk proxy connection'. I am nervous about using nmap so it's good to hear that it's not required. EdJohnston (talk) 16:05, 21 July 2019 (UTC)[reply]

A list of free proxies on the web offers http://aircon.sitemix.jp as a proxy for you to use. EdJohnston (talk) 16:13, 21 July 2019 (UTC)[reply]

@Zzuuzz: I was able to find various links of webproxies within the sitemix.jp domain, but none seemed active. This is an example of one, accessed via the Wayback Machine. Not sure how to actually access the proxy from this point. --MrClog (talk) 16:25, 21 July 2019 (UTC)[reply]

Never mind, I think I got it now. One sec. --MrClog (talk) 16:35, 21 July 2019 (UTC)[reply]

@Zzuuzz: I placed a messsage with the proxy. For whatever reason, both Edge and Firefox refused to load the website from which I could access the proxy. Used Browserling again. --MrClog (talk) 16:40, 21 July 2019 (UTC)[reply]

Good stuff, so we sort of got there eventually as a team. I think maybe you should have a think about this exercise. For example, why the nmap results? And how to overcome the port 80 issue you experienced. And why couldn't you use the proxy? And I will leave you an optional exercise: Telnet the IP at port 80, and issue a simple GET / HTTP request. When you've had some time to consider the results, and you're ready for round 2, or if I can help further, just say. -- zzuuzz ^(talk) 16:42, 21 July 2019 (UTC)[reply]

I used the open <IP> 80 command in telnet, it wasn't able to connect. The GET/HTTP request did respond (status code 200), which indicates the website was active (it responded to a GET request). I'm not sure, but the fact that the telenet thingy didn't work might indicate that my laptop can't access open proxies for whatever reasons, while the domain did respond to a GET/HTTP request.

Regarding why I had to use Browserling: I don't think it has to do with my firewall, because my firewall is set to notify me if it blocks a certain domain. I'm not sure what is the reason, but I don't think it's an issue, because now that I know it, I can use Browserling in the future.

Regarding the nmap result, I believe it didn't show port 80 because the web server was ran by the server behind the www1.sitemix.jp domain, not the local machine. If any answers are wrong, please tell. If not, then I should be ready for round 2. --MrClog (talk) 20:38, 21 July 2019 (UTC)[reply]

If you can connect to the IP it's probably not a firewall issue, unless you have some sort of content filtering which wouldn't be helpful, and nmap would have no reason not to say it's not open on 80. So, to be clear the telnet session should go something like this: telnet <IP> 80 (you can also open telnet and issue the open command as you did); the server responds with some stuff including Connected to <IP>. Then you issue the command GET / HTTP/1.0 with two line breaks. The server responds with the content and you're on your way. This will probably need figuring out. And Firefox works for me, as they say. I doubt it would be a geolocation issue causing this difference. OK, let's try something less interesting. 205.204.67.189. Go. Make as many informations as you think is appropriate. -- zzuuzz ^(talk) 22:19, 21 July 2019 (UTC)[reply]

I go to WHOIS and find out that the IP is registered to eStruxture Data Centers Inc., a company that has 5 datacenters in Canada (found this on their website). Through Google Maps I found out that center MTL-1 matches the address to which the IP is registered. Because colocation services anonymise their users, it should be blocked. --MrClog (talk) 22:31, 21 July 2019 (UTC)[reply]

Not so fast. I'd refer your colo comments to the comments on Ninja's talk page. But that bit is easy - you can tell all that from the block log. I want proof, I want the access point. -- zzuuzz ^(talk) 22:36, 21 July 2019 (UTC)[reply]

I was able to use the proxy through http://proxy.luclapierre.com. Couldn't place a talk page message. --MrClog (talk) 22:43, 21 July 2019 (UTC)[reply]

I see 178.120.6.7 is listed at WP:OP. What are your thoughts on that? -- zzuuzz ^(talk) 23:07, 21 July 2019 (UTC)[reply]

I first tried HTTP (via Browserling), no response. I then Googled the IP, but wasn't able to find a host or a port number. Nmap didn't find anything either.  Unlikely that it is an open proxy. Based on the information I did find, it seems to be a regular dynamic IP from Beltelecom (Belarus). --MrClog (talk) 23:27, 21 July 2019 (UTC)[reply]

153.232.251.74? -- zzuuzz ^(talk) 23:51, 21 July 2019 (UTC)[reply]

I am heading to bed now, will look at that one tomorrow if you don't mind. Should I close the 178.120.6.7 request (assuming I was correct) before I go? --MrClog (talk) 23:55, 21 July 2019 (UTC)[reply]

OK, in your own time. After that one, I'd be interested to hear my thought process behind the block of 122.155.174.66. -- zzuuzz ^(talk) 07:37, 22 July 2019 (UTC)[reply]

Regarding 153.232.251.74: HTTP didn't work. Through Google, I found that this IP was mentioned on a web page which has "proxy" in the URL. When opening the URL, I get a 503 error. I wasn't able to find any ports. Based on this, it seems to be a possible former open proxy, though  Unlikely to be an open proxy now. --MrClog (talk) 07:52, 22 July 2019 (UTC)[reply]

I tend to think it's almost certainly OpenVPN. Ipqualityscore, although not always reliable, lists it as a high risk VPN. Do you have access to the "IPcheck" tool used in the WP:OP proxy templates? I can probably go a bit further. To a seasoned eye, those edits just look suspicious. The first edit, to undo another IP editor, suggests one should look at this IP, which is certainly not in Japan. That IP also uses the same reference elsewhere. Looking through the wider /64 you can see similar edits, some of which have been undone or questioned. Going back to the original IP and article history, you'd even have to wonder if this is a sock of User:Gala19000. And there's another clue here. I'd call this one likely. -- zzuuzz ^(talk) 08:20, 22 July 2019 (UTC)[reply]

I suppose that this is enough to block as a suspected VPN? --MrClog (talk) 08:30, 22 July 2019 (UTC)[reply]

Regarding 122.155.174.66: HTTP comes up with an error page with a NordVPN logo at the bottom. In addition, when it comes to behaviour, you have never warned the user yet they insult you (they're not new). It seems to be block evasion by someone that really hates you. --MrClog (talk) 11:31, 22 July 2019 (UTC)[reply]

I tend to think they probably like me deep down, whoever they are. But why the /28 block? -- zzuuzz ^(talk) 11:51, 22 July 2019 (UTC)[reply]

If you HTTP IP 122.155.174.64 (but not with IPs under this value), you get the same page. If you then continue to HTTP IPs while increasing their value, you find out that the range of NordVPN continues until 122.155.174.72. Throw this into ip-range-calc and you get the range 122.155.174.64/28. MrClog (talk) 12:07, 22 July 2019 (UTC)[reply]

While we're at it, could you take a look at this? --MrClog (talk) 09:21, 23 July 2019 (UTC)[reply]

I see that's done. On the previous example, correct. In case you're wondering, you're doing OK so far after a dodgy start, but I'd still like to probe your competence further before I can say people can depend on what this person says. So, my talk page has seen some action recently, tell me about some of the IPs, and I'd especially like to hear about 46.45.138.102 which is mentioned below. -- zzuuzz ^(talk) 16:08, 23 July 2019 (UTC)[reply]

Thank you for all the time you spent in this, by the way. Now, regarding 46.45.138.102: HTTP didn't show anything, nor was I able to find any open ports. WHOIS, however, did reveal that this is a datacenter used for colocation hosting by "IstanbulDC" (https://www.istanbuldc.com/), and should as such, be blocked. What was strange is that rDNS showed that the IP was hosted on a domain that ended in a full stop. When you talk about the other IPs, do you mean the ones mentioned below or the ones that have vandalised your talk page? --MrClog (talk) 19:07, 23 July 2019 (UTC)[reply]

I think that's pretty much the same thing ;) -- zzuuzz ^(talk) 19:27, 23 July 2019 (UTC)[reply]

Regarding 176.53.112.100 (talk · contribs · WHOIS): I was again not able to connect, but this one is also a colocation webhost. The address registered to the IP is not an actual address, but a Turkish sentence that translates to "these IP addresses are rented to other site providers." These IPs are owned by "INTER NET BILGISAYAR LTD STI", whom's site shows they are a colocation webhost. Interestingly, this IP's domain is merely a full stop, and its ISP, just like the other IP, is "SAYFA-NET". — Preceding unsigned comment added by MrClog (talk • contribs)

Regarding 198.8.81.228 (talk · contribs · WHOIS):  Unlikely to be an open proxy. It is a colocation webhost: Total Server Solutions, https://www.totalserversolutions.com --MrClog (talk) 20:38, 23 July 2019 (UTC)[reply]

I found similar results for 198.8.81.74 (talk · contribs · WHOIS). It appears the entire range 198.8.80.0/20 (talk · contribs · WHOIS) is owned by the colocation host Total Server Solutions, so I propose rangblocking 'em. --MrClog (talk) 20:45, 23 July 2019 (UTC)[reply]

We'll have a chat about data centers and colos at some point. I know you want to know about 46.45.138.102, and the answer is, 46.45.138.101! That's no coincidence. The whois gives a small range - /29, and just so you know, /28s and /29s are very common for VPNs. -- zzuuzz ^(talk) 20:48, 23 July 2019 (UTC)[reply]

Why did the NordVPN not show up when HTTPing the .102 IP? --MrClog (talk) 20:52, 23 July 2019 (UTC)[reply]

VPNs are under no obligation to announce themselves. Many try very hard to hide it. Some such as PIA are absolute pros at disguising themselves. -- zzuuzz ^(talk) 20:57, 23 July 2019 (UTC)[reply]

Same goes for 176.53.112.102 (talk · contribs · WHOIS). If you HTTP .101 or .99, you'll get NordVPN. --MrClog (talk) 21:05, 23 July 2019 (UTC)[reply]

And 176.53.118.93 (talk · contribs · WHOIS) - .90 and .92 bring up NordVPN too. Hm, I wonder which VPN service the sockmaster uses? --MrClog (talk) 21:09, 23 July 2019 (UTC)[reply]

Did I miss any IPs or did I get all of them? MrClog (talk) 17:39, 24 July 2019 (UTC)[reply]

I think that's enough of them for now. Let's go global.. what are your thoughts on this (these) block(s)? As many thoughts as you can muster please. Imagine someone is requesting unblock and you've decided to respond to a request for advice. -- zzuuzz ^(talk) 22:04, 24 July 2019 (UTC)[reply]

A look at their contribs shows that only one IP has edited from the range: 176.12.107.132 (talk · contribs · WHOIS), so I'm investigating this IP. HTTP doesn't show anything. WHOIS shows that the IP (and the entire /24 range) is registered to a "Custodian DataCentre" (company's site). These data centres function as colocation webhost. I dig a bit deeper and continue looking through Google. I find an interesting link: cq2.retydhdooik.cf/qse, which then redirects me to freenom.link ("Freenom World"), a website from a public DNS resolver. I google the IP combined with "freenom", but can't find anything. Because this is possibly an open proxy from Freenom World, I decide that an nmap is necessary. I cannot find any open ports. The IP is from a colocation webhost and should as such remain locked. It is currently locked as open proxy, which may have to do with Freenom World, but I wasn't able to connect. --MrClog (talk) 22:49, 24 July 2019 (UTC)[reply]

I'd absolutely disagree with that. Have more thoughts... :) -- zzuuzz ^(talk) 22:54, 24 July 2019 (UTC)[reply]

I have looked some more. Again it shows that the DNS is used by Custodian. Nothing new, really. Haven't been able to connect. --MrClog (talk) 23:17, 24 July 2019 (UTC)[reply]

You're about to be overruled :( Take your time. Again, no nmap required, and no software required, and I can say that it's probably very unlikely that you will be able to use the network (with any reasonable or expected effort). -- zzuuzz ^(talk) 23:25, 24 July 2019 (UTC)[reply]

Last attempt: according to abuseat.org, the IP has been infected with Trojan:Win32/Ramnit, a member of the Win32/Ramnit malware family. As such, the access to the IP is no longer limited to customers of CustodianDC, but intruders as well. --MrClog (talk) 23:43, 24 July 2019 (UTC)[reply]

An interesting observation, actually not too surprising, but probably not so relevant in this case. OK, I'll put you out of your misery. There's actually three blocks here. If anyone wants to unblock they will have to address both the local block and the global block. The meta block is part of the global block (for an obscure technical reason), but it doesn't need lifting for our purposes. The global block can be locally disabled, or the stewards can be contacted if necessary. Let's take that one IP you mentioned: 176.12.107.132. Actually, we can look the range: Special:Contributions/176.12.107.0/24. There only a few IPs being used. Curiously, a few edits are to their talk pages. I wonder what they're saying? Oh, now let's look their talk pages. Oh, I also see that some trusted admin has placed a notice on them. Actually there's a big clue in the whois. It's the words "Client" and "Icomera". A little Googling will tell you what Icomera get up to. We can also look a bit closer at the Custodian website, where they mention a few organisations such as the NHS, universities, and local councils. You can see that they provide both colocation (a very loose word if there ever was one) and "Connectivity". Connectivity and "Transit" are not the droids we are looking for. So, a combination of whois, Google, and the contributions tells us that these are Wifi networks on trains. I've actually experienced one of these blocks, and it's fairly annoying. Now what are your thoughts? -- zzuuzz ^(talk) 00:00, 25 July 2019 (UTC)[reply]

What do you mean with my "thoughts" here: as in, should the IP be blocked or as in, try to find the open proxy (which meta says there is)? --MrClog (talk) 00:18, 25 July 2019 (UTC)[reply]

Both. It's an unblock request which says, "this is not an open proxy". -- zzuuzz ^(talk) 00:24, 25 July 2019 (UTC)[reply]

Thanks guys this stuff is very informative. 196.240.255.12 (talk) 02:48, 25 July 2019 (UTC)[reply]

I have done some research. The unblock requests mention Great Northern Railway. According to their Wi-Fi FAQ, they block certain sites, like adult/illegal content and data-intensive sites. Based on this information, I think it is safe to assume that this is enforced with the use of a transparent proxy, so shouldn't be unblocked. Even if they wouldn't be a proxy, it seems to be a public Wi-Fi often abused, so it is still appropriate to block it. --MrClog (talk) 09:21, 25 July 2019 (UTC)[reply]

"use of a transparent proxy, so shouldn't be unblocked". I'm not sure I understand what you're saying here. Most proxies are welcome to edit. Large organisations might run thousands of users through transparent proxies. It's only really the "

open or anonymising" ones that are an issue. All the block reasons in this situation are basically wrong, but you're right, there might just be too much disruption to not apply an anonblock. In OP terms, this is not an open proxy - it's not really any different to a mobile phone network. For the next installment, please opine on 104.129.192.0/20. -- zzuuzz ^(talk) 12:34, 25 July 2019 (UTC)[reply

]

I see that I wrote a confusing message (it was in the morning and had to head to work), I tried to say indeed that it shouldn't be blocked, because the proxy allows us to identiffy its actual owner (Icomera, instead of just Custodian) and thus does not anonymise its user. A WHOIS shows that the IP is registered to Zscaler, a company that provides colocation hosting with some modern cloud software - very interesting. HTTP the latest IP used (104.129.198.61) brings me to a login page. I can't find any indication it is an open proxy. It is, however, an anonymizing proxy, because we cannot see which company is using the IP (which would be possible if it was a transparent proxy, instead we see Zscaler, the colocation service provider), so it should be blocked. --MrClog (talk) 19:34, 25 July 2019 (UTC)[reply]

Also, shouldn't someone contact the stewards and tell them that the IP range 176.12.107.0/24 (talk · contribs · WHOIS) does not appear to be an open proxy? --MrClog (talk) 19:37, 25 July 2019 (UTC)[reply]

If they can be bothered. There are many things mislabelled on Wikipedia. As long as the block is right, that's the most important thing. On the other hand this is the type of thing that wastes volunteers' time at UTRS and OTRS, so I'll just drop a courtesy ping to @Ajraddatz: (TLDR: there is a global block on 176.12.107.0/24 but it's not your average colo or open proxy, it's Wifi on certain trains in the UK; more detail just above). Going back on topic, no I wouldn't block Zscaler unless I had to; see Zscaler. It is used by some of the largest and most secure companies in the world; hard blocks can cause enormous collateral. -- zzuuzz ^(talk) 19:56, 25 July 2019 (UTC)[reply]

Block updated, thanks! -- Ajraddatz (talk) 00:40, 26 July 2019 (UTC)[reply]

So colocation host can be left unblocked if they are used by major corporations? --MrClog (talk) 21:01, 25 July 2019 (UTC)[reply]

Yes. As I mentioned above, colocation is a very loose term, and data centre is similarly vague - as you can see with the trains example. Another example, some schools send all their traffic through filtering software, similar to Zscaler, which might be located at Azure, or AWS, or some other server operator. In those cases users may have no option about how their traffic is routed, and you couldn't say they were deliberately using anonymisation to avoid scrutiny. If they are blocked then they don't get to edit. There's also people using their own servers or VPS because they don't like their ISP and government snooping on everything they're doing. You can usually tell what's going on from the quality of contributions. Really everything comes down to preventing abuse and avoiding collateral. After all, we like people to edit the encyclopaedia. -- zzuuzz ^(talk) 21:31, 25 July 2019 (UTC)[reply]

Alright, which IP is next? --MrClog (talk) 22:08, 25 July 2019 (UTC)[reply]

Oh, that will be 103.111.83.26. -- zzuuzz ^(talk) 14:48, 26 July 2019 (UTC)[reply]

I HTTP the IP and find out it belongs to "MikroTik", who provide open proxies, seemingly for free. --MrClog (talk) 15:55, 26 July 2019 (UTC)[reply]

Also, I tried HTTP lower and higher values, but I wasn't able to find any other IPs from MikroTik. MrClog (talk) 10:10, 27 July 2019 (UTC)[reply]

You've been walking up the wrong path. MikroTik. -- zzuuzz ^(talk) 10:17, 27 July 2019 (UTC)[reply]

The port is 40336. Wasn't able to post a message on the talk page. --MrClog (talk) 13:02, 27 July 2019 (UTC)[reply]

Yup, the ports seem to change every week, probably a cracked box, or as some would say, a zombie. Continuing, 117.242.147.85. -- zzuuzz ^(talk) 20:26, 27 July 2019 (UTC)[reply]

See User talk:117.242.147.85. Found the port via Google. --MrClog (talk) 21:23, 27 July 2019 (UTC)[reply]

How long do you think I will block it for? Will I block it? -- zzuuzz ^(talk) 21:33, 27 July 2019 (UTC)[reply]

It should be blocked because it is an open proxy. In addition, if you look at the IP's first edit, it has beeen used by a banned user. Now, the block length. First off, according to abuseat.org, the IP is infected with Trojan:Win32/Matsnu, a Trojan horse. I am not sure what the life of such a zombie proxy is, but I suppose it can take a while before the owner finds the malware. 3 months? Also, FYI: I will be on holiday from tomorrow until Aug. 14, so I will be very inactive here. --MrClog (talk) 12:22, 28 July 2019 (UTC)[reply]

Nice guess. It was previously blocked last November and probably hasn't closed since, so I'm going to make it a year. Drop me a note when you're back if you're still interested and we'll head towards wrapping this up. -- zzuuzz ^(talk) 12:32, 28 July 2019 (UTC)[reply]

I have a question: is there any way in which admins ensure that once the block expires, an admin can check if the proxy is still a proxy? --MrClog (talk) 13:28, 28 July 2019 (UTC)[reply]

That's slightly ambiguous, so I'll answer both. The

WP:IPB page recommends that admins make a note of why an IP is an open proxy. It can help unblock requests as well as future blocks. But check all open proxies after their block has expired? No, there's too many and too much work. In theory a proportion of it could be automated (eg by ProcseeBot or Ronaldbot), but it's not. -- zzuuzz ^(talk) 16:27, 28 July 2019 (UTC)[reply

]

My IP editor problem

Hello, the IP editor problem we have been dealing with seems to have escalated. In a discussion with me, editor BrownHairedGirl stated here that someone tried to hack into her account in the same manner as in December. Both attempted hackings happened after I brought up the topic of hacking (the first time I had made a hacking joke to BHG, the second time after I started re-litigating the issue again with her in a new AfD by chance for the same article.) I've come to the belief that the London based IP who created Newshunter14 and who has been vandalizing my talk page is behind the hacking attempts on her account.

My reasons are as follows: During the first hacking hoopla, a very similar IP to the one that has been vandalizing my talk page, 172.56.37.136 followed me to EENG's talk page to accuse me of hacking BHG's account. After the new hacking incident, an IP editor basically admitting to being the person who has been vandalizing my talk page followed me to the new AfD and went to her talk page, where they used very similar language (ex. talk of me and my cronies, and how they are the good guy) to the IP user who posted to EENG's page. Further evidence is that it was during a heated exchange with editor TFBCT1 when Newshunter14 appeared and tried to frame me for threatening him, just as both hacking attempts on BHG happened around the time of heated exchanges and the topic of hacking between the two of us, with me looking the obvious culprit just as before. Since this IP abuse issue appears to have reached the real world (the attempted hacking I strongly assume would be criminal conduct), is it possible that this could be investigated on a much deeper level on Wikipedia? Far worse then the talk page annoyance is the fact that someone is by all appearances trying to make me appear guilty of real world criminal conduct. I greatly appreciate any assistance or guidance you are able to provide. Newshunter12 (talk) 05:33, 23 July 2019 (UTC)[reply]

Again just a funny coincidence that you seemed to know about the attempted hacking after it took place and before anyone had said anything about it. Hopefully there is a way to check the IP of the attempted hacker I have a feeling it will belong to Newshunter12. 198.8.81.74 (talk) 06:40, 23 July 2019 (UTC)[reply]

I've blocked the latest IP(s). If it's not all the same person then I'll eat my hat. The best mitigation at this time: awareness of potential trolling problems, and strong passwords. -- zzuuzz ^(talk) 07:16, 23 July 2019 (UTC)[reply]

I cannot thank you enough, Zzuuzz, for your support, hard work and guidance dealing with this issue. I've been wondering for seven months about that event, which spooked me at the time and wondering what really happened, and we were able to get to the bottom of it together. Just knowing what happened is such a relief. I will follow your advice for sure, and I greatly appreciate the long blocks you handed out in response to this abuse. Sincerely, Newshunter12 (talk) 08:17, 23 July 2019 (UTC)[reply]

Could you at least listen to what I'm saying ? 176.53.118.93 (talk) 07:20, 23 July 2019 (UTC)[reply]

I'm hearing this. -- zzuuzz ^(talk) 07:23, 23 July 2019 (UTC)[reply]

The evidence points towards Newshunter12 being the person who tried to hack into BHG's account if you don't want to even look into it that's your problem not mine. I'm done here. 176.53.118.93 (talk) 07:40, 23 July 2019 (UTC)[reply]

Au contraire. The evidence points to you being an abusive troll. Goodbye. -- zzuuzz ^(talk) 07:42, 23 July 2019 (UTC)[reply]

Well I guess this is never going to be resolved then. You should stop blocking these IP I have thousands and your kind of just screwing over the next person using it by doing this type of blanket ban. Cheers. 176.53.112.102 (talk) 08:00, 23 July 2019 (UTC)[reply]

You might be slightly overlooking your own role. And I thought you were done here. I am. Goodbye. -- zzuuzz ^(talk) 08:05, 23 July 2019 (UTC)[reply]

They keep at it with Special:Contributions/46.45.138.102. Please block. — JFG ^talk 13:22, 23 July 2019 (UTC)[reply]

They are now disrupting articles, such as here. Please block Special:Contributions/196.240.255.12. Newshunter12 (talk) 05:49, 25 July 2019 (UTC)[reply]

Thanks for your change. I was trying to think of how to include the AT&T example last night without getting overly technical. I tweaked your change a bit to be slightly less technical, because the essay is really aimed at admins who don't understand how networking works and trying to give them rules of thumb for effective ways to make blocks that will usually be safe. I'm fine with any other tweaks you want to make without asking me, but I also might edit it again to make it more "/64 blocks for dummies" style TonyBallioni (talk) 15:23, 23 July 2019 (UTC)[reply]

That's fine. I think the two important points, already alluded to somewhat but also somewhat trashed by the preceding paragraph, are that there's always exceptions, and always check the contribs anyway. I see they're still there.. -- zzuuzz ^(talk) 15:36, 23 July 2019 (UTC)[reply]

Yeah, speaking as someone who was afraid to make even the simplest range block even 2 years ago, I get that, but I think the problem we're dealing more with now is that admins are afraid to make range blocks they should be making rather than making too many, so I wrote it with that in mind. Most admins are naturally conservative, so if they do make a mistake it's pretty easy to point out and avoid in the future. TonyBallioni (talk) 15:48, 23 July 2019 (UTC)[reply]

Could you checkout the internet fraud page, [21] Internet Fraud. Same acronym weirdo guy revived some old sock accounts from 2006 and is making BLP Violations. He used to be the Soda Vandal Guy. IP should resolve to Washington state for Joe Schmit Jam Doesn't Care 5 0 2 7 Spacenacho (talk) 04:04, 25 July 2019 (UTC)[reply]

I sent a reply to your email, but it's about something different than the original exchange. MrClog (talk) 01:03, 26 July 2019 (UTC)[reply]

Could you check if you received it; my email software acted a bit strangely, not sure if the email was actually sent. --MrClog (talk) 19:30, 26 July 2019 (UTC)[reply]

You are recipient no.

]

Many thanks Gerda Arendt, much appreciated. -- zzuuzz ^(talk) 21:30, 27 July 2019 (UTC)[reply]

user:202.137.25.8 is abusing her talkpage. CLCStudent (talk) 14:23, 30 July 2019 (UTC)[reply]

Got it, doing things accordingly. Crow^Caw 18:22, 30 July 2019 (UTC)[reply]