
Wikipedia:WikiProject on open proxies/Requests/Archives/46



104.225.160.0/19

{{proxycheckstatus}}

Reason: Registered to iboss, inc. Softblock needed on this one. Lots of vandalism coming from this IP address as well. 2601:1C0:4401:24A0:8093:DB9C:FC19:972F (talk) 21:18, 10 November 2021 (UTC)

105.112.191.250

{{proxycheckstatus}}

Reason: Flagged by proxycheck.io and spur as an open proxy. Malcolmxl5 (talk) 01:36, 15 November 2021 (UTC)

77.66.105.10

{{proxycheckstatus}}

Reason: Webhost. Owned by Netgroup A/S, hosting and cloud service provider in Denmark. Flagged by db-ip, proxycheck.io, getipintel and IPQS. Previous blocks as colocationwebhost in log[1]. Malcolmxl5 (talk) 12:02, 9 November 2021 (UTC)

NMAP shows port 443 as open and used with Cisco ASA SSL VPN. ~Oshwah~(talk) (contribs) 06:06, 17 December 2021 (UTC)
This specific subrange appears to be owned by the Solrød Municipality; while there is indeed some hosting going on that range, I'm not seeing any evidence of ongoing abuse and blocking around subranges would be a pain, so I'll go ahead and close without action. --Blablubbs (talk) 01:06, 18 December 2021 (UTC)

72.140.180.86

{{proxycheckstatus}}

Reason: A Toronto-based Rogers IP, flagged by ipcheck as a proxy. This IP has an interest in the same geographic area as Ineedtostopforgetting (talk · contribs). Shodan says that port 7547 is open for the device using this IP. EdJohnston (talk) 17:42, 20 November 2021 (UTC)

107.115.16.0/20

{{proxycheckstatus}}

Reason: AT&T has a new proxy server called AT&T VPN Web Browser. This is one of their IP ranges. Lamesdoes (talk) 19:45, 1 December 2021 (UTC)

@Lamesdoes: Could you provide links to the service you are referring to, and details as to what makes you believe this range belongs to it? Thanks. --Blablubbs (talk) 19:49, 1 December 2021 (UTC)
@Blablubbs nvm, that IP range is too large. Anyway, since it was only released last month, ISP rangefinder has yet to add this. Lamesdoes (talk) 20:33, 1 December 2021 (UTC)
Interesting, because I can't find any mention of it whatsoever. Closing. --Blablubbs (talk) 20:34, 1 December 2021 (UTC)

12.217.180.250

{{proxycheckstatus}}

Reason: Flagged by ipcheck and spur as (possible) proxy. An AT&T IP address making contentious edits on Singapore-related articles relating to Singapore politics and judiciary. – robertsky (talk) 13:38, 14 December 2021 (UTC)

This IP is using lighttpd, and with port 80 open. This takes you to a Cisco Meraki administration console. ~Oshwah~(talk) (contribs) 09:58, 17 December 2021 (UTC)
Might have been proxying traffic at some point, but I'm not seeing anything right now that would make me inclined to block. Closing without action. --Blablubbs (talk) 01:02, 18 December 2021 (UTC)

104.249.62.105

{{proxycheckstatus}}

Moved from WP:VPT

I should be blocked, but am not

This IP address is a VPN service (Surfshark, specifically, their Bend, Oregon, USA server). It should therefore be blocked per WP:PROXY.

I'm actually User:NateNate60, just signed out for the purposes of making this post. 104.249.62.105 (talk) 07:38, 19 December 2021 (UTC)

You can ask at Wikipedia:WikiProject on open proxies/Requests for it to be blocked. – SD0001 (talk) 07:49, 19 December 2021 (UTC)
 Confirmed per SSL Cert on 443, blocked the /24. Will try to find some time to see if I can uncover anything else later. --Blablubbs (talk) 14:53, 19 December 2021 (UTC)

114.41.200.225

{{proxycheckstatus}}

Reason: IP is currently OS blocked, they also claimed they are an open proxy. — xaosflux Talk 14:38, 21 December 2021 (UTC)

185.136.216.158

{{proxycheckstatus}}

Reason: IPVandal admittedly using an open-proxy from this address. Currently blocked for 1-week per WP:Vandalism Amortias (T)(C) 10:28, 24 December 2021 (UTC)

83.136.182.0/24

{{proxycheckstatus}}

Reason: Dedicated webhosting server with open proxies. 47.5.105.113 (talk) 19:32, 12 January 2022 (UTC)

 Confirmed – that's NordVPN. Will try to take a closer look later. --Blablubbs (talk) 20:14, 12 January 2022 (UTC)

182.160.154.134

{{proxycheckstatus}}

Reason: Used for UPE and promotional edits. IPCheck indicates high likelihood of being a proxy hosted by "Hostopia Australia Web". – Joe (talk) 16:12, 3 February 2022 (UTC)

From a preliminary look I can say that the single IP is a  Confirmed VPN exit on a hosting range. I'll have a closer look later – proxychecks on mobile are no fun. --Blablubbs (talk) 16:26, 3 February 2022 (UTC)

168.245.155.0/24

{{proxycheckstatus}}

Reason: Amazon AWS. Disruption. 2601:1C0:4401:24A0:95E8:4DB9:3862:F374 (talk) 20:51, 15 December 2021 (UTC)

101.0.32.228

{{proxycheckstatus}}

Reason: Flagged on proxy checker as a possible proxy, as well as recent minor disruptive edits (mostly unexplained section blanking) OhKayeSierra (talk) 14:20, 26 December 2021 (UTC)

173.10.230.157

{{proxycheckstatus}}

Reason: Suspicious spam edit; Hostname: mail.ludwig-walpole.com, could be compromised host ☆ Bri (talk) 02:48, 28 December 2021 (UTC)

204.13.168.0/21

{{proxycheckstatus}}


Reason: Doesn't appear to belong to an open proxy anymore, the range has belonged to the Roblox Corporation since 2019. wizzito | say hello! 06:52, 16 January 2022 (UTC)

45.80.168.0/22

{{proxycheckstatus}}


Reason: According to [2], 45.80.168.0/22 is now assigned to AS206238 (Freedom Internet BV) rather than AS62240, as noted in the block message. Martin Urbanec (talk) 15:30, 5 February 2022 (UTC)

74.243.15.112

{{proxycheckstatus}}

Flagged by GetIPIntel and IPHub. Firestar464 (talk) 08:31, 2 February 2022 (UTC)

  • This appears to be a BellSouth/AT&T IP sublet from Microsoft (which might lead to those flags), but I see no clear indication that this is a proxy aside from that bit of weirdness. Closing without action. --Blablubbs (talk) 20:28, 25 February 2022 (UTC)

2A01:4F8:C0C:C129:0:0:0:1

{{proxycheckstatus}}

Reason: Proxy IP used by hide.me Germany server, block range if needed. Kline | yes? 22:40, 23 February 2022 (UTC)

192.99.37.222

{{proxycheckstatus}}

Reason: Proxy IP used by VPNBook (www.vpnbook.com), block range if needed. Kline | yes? 23:18, 23 February 2022 (UTC)

2A01:4F9:C010:B393:0:0:0:1

{{proxycheckstatus}}

Reason: Proxy IP used by hide.me Finland server, block range if needed. Kline | yes? 19:38, 25 February 2022 (UTC)

213.152.9.2

{{proxycheckstatus}}

Reason: Flagged by GetIPIntel. Blocked on ruwiki and ruwikiquote as an open proxy. Firestar464 (talk) 02:48, 8 March 2022 (UTC)

  •  Possilikely (a mix between possible and likely) at best from a technical perspective; I can't confirm. Already AO-gblocked though, which should be enough. Closing without local action. --Blablubbs (talk) 09:32, 8 March 2022 (UTC)

107.182.226.18

{{proxycheckstatus}}

Reason: Proxy IP used by VPNBook (www.vpnbook.com). Kline | yes? 22:06, 14 March 2022 (UTC)

185.244.130.59

{{proxycheckstatus}}

Reason: SkyVPN according to Spur. Malcolmxl5 (talk) 23:36, 16 March 2022 (UTC)

148.72.0.0/16

{{proxycheckstatus}}

Reason: Webhost (GoDaddy), recently unblocked but someone forgot to reblock wizzito | say hello! 04:54, 17 March 2022 (UTC)

216.73.160.0/22

{{proxycheckstatus}}

Reason: VPN (Bandito Networks) 2601:901:4300:1CF0:97D8:7DA6:CA14:BFA4 (talk) 11:57, 30 March 2022 (UTC)

5.255.102.127

{{proxycheckstatus}}

Reason: TOR exit according to Spur. Malcolmxl5 (talk) 12:40, 31 March 2022 (UTC)

104.129.57.128/26

{{proxycheckstatus}}

Reason: Windscribe VPN 104.129.57.154 (talk) 20:04, 2 April 2022 (UTC)

104.129.56.160/27

{{proxycheckstatus}}

Reason: Windscribe VPN 104.129.56.174 (talk) 20:08, 2 April 2022 (UTC)

169.150.197.0/24

{{proxycheckstatus}}

Reason: Windscribe VPN 169.150.197.215 (talk) 20:44, 2 April 2022 (UTC)

66.90.72.174

{{proxycheckstatus}}

Reason: Proton VPN. Malcolmxl5 (talk) 15:06, 4 April 2022 (UTC)

91.228.152.0/22

{{proxycheckstatus}}

Reason: Webhost wizzito | say hello! 15:11, 2 April 2022 (UTC)

Fornex Hosting S.L. --Malcolmxl5 (talk) 23:41, 10 April 2022 (UTC)

103.172.145.0/24

{{proxycheckstatus}}

Reason: Appears to be a proxy (Giga Fibernet) wizzito | say hello! 15:12, 2 April 2022 (UTC)

Giga Fibernet appears to offer residential Internet access. I can't see any sign of proxy here, although anything is possible with MikroTik routers. MarioGom (talk) 20:01, 6 April 2022 (UTC)
  • Concur with Mario, I don't have enough to rangeblock here – though given the region, I wouldn't be surprised if there are some compromised routers floating around. Closing without action. --Blablubbs (talk) 10:13, 20 April 2022 (UTC)

82.165.0.0/16

{{proxycheckstatus}}

Reason: Webhost (Ionos/Fasthosts) wizzito | say hello! 23:09, 4 April 2022 (UTC)

N.B. 82.165.64.0/18 is globally blocked until May 2024. Malcolmxl5 (talk) 23:27, 4 April 2022 (UTC)
  • Mixed range, so this is a little tricky. I did find a VPN exit that recently edited, so I blocked that, but I'll hold off on whacking the entire /16 since current global block seems to be mostly working. Closing. --Blablubbs (talk) 10:22, 20 April 2022 (UTC)

72.21.16.0/22

{{proxycheckstatus}}

Reason: Webhost/server (Whatbox) 2601:901:4300:1CF0:8AA3:3020:6ABD:E109 (talk) 02:45, 9 April 2022 (UTC)

213.174.128.0/19

{{proxycheckstatus}}

Reason: Webhosts 2601:901:4300:1CF0:A958:3BCD:2592:9CBB (talk) 00:55, 10 April 2022 (UTC)

Advanced Hosters B.V. Malcolmxl5 (talk) 08:59, 10 April 2022 (UTC)

185.57.222.177

{{proxycheckstatus}}


Reason: Suspicious edits & from geo it appears to be a static IP assigned to a datacenter & IPHunter says it is bad ☆ Bri (talk) 22:24, 11 April 2022 (UTC)

  •  Possible at best, though that might be because too much time has elapsed since the report. In any case, I don't have enough to action this at this time. Closing. --Blablubbs (talk) 10:47, 20 April 2022 (UTC)

136.23.0.0/19

{{proxycheckstatus}}

Reason: Google One VPN 2601:901:4300:1CF0:928B:61C3:40AC:EE08 (talk) 13:52, 18 April 2022 (UTC)

217.138.0.0/16

{{proxycheckstatus}}

Reason: Datacenter/VPN wizzito | say hello! 02:23, 10 April 2022 (UTC)

64.124.10.50

{{proxycheckstatus}}


Requesting review of this /17 block based on an off-wiki request (the specific IP is the one the requester is using). Requester reports that they are using a new wireless fiber network called WeLink that has been in service for ~2 months, and that no proxies or VPNs are in use. ‑‑ElHef (Meep?) 20:07, 16 April 2022 (UTC)

213.251.238.26

{{proxycheckstatus}}

Reason: Open proxy. Previously blocked by the proxy-bot in March 2022 for 2 weeks. 213.251.238.26 (talk) 17:51, 28 April 2022 (UTC)

5 Juli-stiftelsen

{{proxycheckstatus}}

Reason: It appears that the edits were from a Swedish VPN. It has been blocked in other Wikipedia editions and projects. SpinnerLaserzthe2nd (talk) 18:09, 6 May 2022 (UTC)

94.244.0.45

{{proxycheckstatus}}

Reason: When I checked in https://whatismyipaddress.com/ip/94.245.0.45, I suspected a proxy server belonging to Ukrdatakom Ltd. Vitaium (talk) 13:11, 23 February 2022 (UTC)

Inconclusive, quite low risk. It's a Google Cache server, located in a range owned by Rusanovka. The company is both a hosting provider and also a residential ISP. Given that the IP has never edited Wikipedia, and that the range 94.244.0.0/19 seems fine, I'm closing without action. MarioGom (talk) 17:23, 13 May 2022 (UTC)

161.69.123.0/24

{{proxycheckstatus}}

Reason: Mcafee Wgcs VPN per Spur. Malcolmxl5 (talk) 23:44, 30 March 2022 (UTC)

For the admin handling this: there's a previous discussion about McAfee WGCS at Wikipedia:WikiProject on open proxies/Requests/Archives/43#185.125.227.0/24, which is a corporate VPN. MarioGom (talk) 15:53, 1 April 2022 (UTC)
N.B. IP 161.69.123.10 is softblocked for three years. Malcolmxl5 (talk) 19:55, 25 April 2022 (UTC)
Malcolmxl5: Thanks! I'm closing the case. It seems McAfee WGCS does not allow completely arbitrary IP changes, so risk of jumping to other IPs seems low. However, if the abuse does appear again in a different IP, I'd recommend soft-blocking the /16: 161.69.0.0/16. For future reference, if anyone considers fully blocking McAfee WGCS, here's their full list of ranges: [5]. MarioGom (talk) 17:17, 13 May 2022 (UTC)

37.1.200.0/21

{{proxycheckstatus}}

Reason: Webhost/VPS wizzito | say hello! 22:31, 4 April 2022 (UTC)

86.127.19.37

{{proxycheckstatus}}

Reason: Suspicious spammy edits [6] & IPQualityScore indicates proxy+VPN ☆ Bri (talk) 23:01, 8 May 2022 (UTC)

@MarioGom: you reverted this IP [7], interested in the possible proxy? ☆ Bri (talk) 19:59, 13 May 2022 (UTC)
Yeah, I was checking this IP but had to leave. I'll post later. MarioGom (talk) 20:22, 13 May 2022 (UTC)
Bri: It's  Unlikely that this is a proxy right now (per port scan and other services). IPQS data might be older. MarioGom (talk) 23:11, 13 May 2022 (UTC)

38.130.248.0/22

{{proxycheckstatus}}

Reason: Proxy/webhost (MR Networking, SRL) wizzito | say hello! 23:05, 4 April 2022 (UTC)

103.214.112.0/23

{{proxycheckstatus}}

Reason: webhost wizzito | say hello! 23:25, 8 April 2022 (UTC)

 Confirmed, the following IPs are unblocked nodes of FlyGateVPN:
Everything else is already covered by other webhost blocks. I would recommend hardblocking the following with {{colocationwebhost}}:
Best, MarioGom (talk) 23:44, 13 May 2022 (UTC)
 Done and closing. --Malcolmxl5 (talk) 07:49, 14 May 2022 (UTC)

175.143.95.18

{{proxycheckstatus}}

Reason: I'm using a shadowsocks proxy. This is my IP address. — Preceding unsigned comment added by 175.143.95.18 (talk • contribs) 16:32, 6 May 2022 (UTC)

Do you have connection details or a reference to the proxy listing this came from? I cannot verify this externally. MarioGom (talk) 23:12, 13 May 2022 (UTC)
 Highly likely an open proxy. I have found a probable external signature for this open shadowsocks proxy network. This particular IP seems to be residential, so the proxy probably won't stay in the same IP indefinitely. Requesting a second opinion for the appropriate administrative action. MarioGom (talk) 21:00, 23 May 2022 (UTC)
  •  Proxy blocked for a month – that's usually my starting point for open proxies because I think it's a reasonable compromise between covering a good chunk of the expected lifespan and not incurring excessive collateral, though I guess it's mostly a matter of preference. Closing. --Blablubbs (talk) 06:39, 25 May 2022 (UTC)

2001:2d8::/32, 2001:e60::/32, 2001:4430::/32 (IPv6)

{{proxycheckstatus}}

Reason: South Korean mobile network operator's LTE open proxy bands. These bands have a lot of block logs on kowiki (Typical reasons are page pranks, page vandalism, and avoiding of block through multiple accounts and IPs within the bands: 2001:2d8::/32, 2001:e60::/32, 2001:4430::/32), and these bands are violating policies and guidelines and vandalising through multi-accounts and IP address abuse. Also, these bands are habitual multi-account mass creation band and in the blocking log, the reason for 2 bands is "Long-term abuse". 2001:2d8::/32 and 2001:e60::/32 band is currently blocked on kowiki for 3 days. (2d8 and e60) If unblocked, there is a risk of causing problems in various wiki projects including Wikipedia. Please permanently block editing user talk page too and globally lock these LTE bands with IP address only. Goondae (talk) 11:43, 9 May 2022 (UTC)

These LTE bands are proxied by mobile network operators. These bands, which are IPv6, are more anonymous because the IP address changes just by turning LTE off and on. This easily circumvents penalties and abuses policies and guidelines (e.g. changing an IPv6 address by turning LTE off and on on a blocked IPv6 address). Therefore, these bands can be considered as open proxy. Goondae (talk) 12:15, 15 May 2022 (UTC)
By that logic, shouldn't we block most mobile networks IP addresses? I can do exactly the same thing and jump around on a /13 IPv4 covering an entire city of 1.5 million. Mako001 (C)  (T)  🇺🇦 12:30, 15 May 2022 (UTC)

175.158.155.92

{{proxycheckstatus}}

Reason: Editing corp article frequented by COI editors including logged-out UPE sockfarm [10] & spur indicates this is a call-back proxy. ☆ Bri (talk) 20:39, 31 May 2022 (UTC)

 Highly likely a residential proxy. Given the exact proxy service here (as seen in spur advanced API), the article target, and some other characteristics of this edit, I'm fairly sure this is the Yoodaba sockfarm. They have used this proxy network since June 2021. Usage by other sockfarms is very unusual. Note that they almost never use the same IP twice, and that residential proxies are highly dynamic, so a block is unlikely to be even noticed by them. MarioGom (talk) 18:39, 3 June 2022 (UTC)
Marking for a second opinion on the administrative action (or lack thereof). MarioGom (talk) 18:40, 3 June 2022 (UTC)
  • This would have likely been an ineffective block if we had gotten to it at the time (the pool here is large and dynamic), and by now, the IP is functionally  Stale. Closing. --Blablubbs (talk) 10:01, 15 June 2022 (UTC)

92.53.0.0/18

{{proxycheckstatus}}

I have noticed a continued string of poor quality edits from this IP range, usually on automotive pages or pages about windows software. The pattern is typically nonconstructive copyedits, unsourced info, and the like, which are often reverted. IP user only ever leaves the edit summary "New changes". Usually the edits will persist over several days until the IP is warned about using an edit summary on their talk page, and then a similar pattern will emerge with a different IP. IPBilly (talk) 23:01, 14 June 2022 (UTC)

It appears that nine IPs in that range are currently blocked by ST47ProxyBot as P2P VPN. That does suggest an issue. Malcolmxl5 (talk) 23:27, 14 June 2022 (UTC)
Looking at the /16, I see a host of /22, /23, /24 rangeblocks by ST47 as a colocation webhost. And three global /20, /22 blocks by Jon Kolbert. This might be more trouble than it’s worth. Malcolmxl5 (talk) 23:36, 14 June 2022 (UTC)
As far as this particular individual is concerned (the "New changes" guy), they are using 92.53.16.0/23. Malcolmxl5 (talk) 00:11, 15 June 2022 (UTC)
Might be this guy: User:Иван Стефановски. Malcolmxl5 (talk) 00:28, 15 June 2022 (UTC)
  • @IPBilly and Malcolmxl5: I vaguely remember that ISP because I recall having been annoyed by it in the past. They do offer some hosting, but they are primarily a broadband provider. Both the Shodan return for the /18 and spot checks of individual IPs that have edited don't show any clear signs of proxy presence, and the /23 mentioned above is part of a block assigned to "CableTEL DOOEL Macedonia Veles Triple Play Clients". The apparently fairly stable presence of this one user on a single range also speaks against the possibility of proxy use. Other bits of the /16 do seem to be hosting ranges, but those are owned by other providers. Closing without action from a proxy perspective only; I haven't looked at the socking angle. Thanks for the report. --Blablubbs (talk) 10:16, 15 June 2022 (UTC)
    Should I open a report at SPI? IPBilly (talk) 15:50, 15 June 2022 (UTC)
    @IPBilly: Your call – if you think you can prove socking, sure. --Blablubbs (talk) 09:20, 16 June 2022 (UTC)
  • Just a postscript that the /23 was blocked by JBW for three months as a normal admin action. --Malcolmxl5 (talk) 22:35, 28 June 2022 (UTC)