User:Dominic/IP blocking


 * Courtesy of the legendary JRM:

For use when blocking IPs

 * Here's a very brief checklist that usually works well.
 * Check if the IP address is in a proxy range. In this case, that's easy enough: 69.111.161.69 is nowhere near any range on Special:Blockip. No ranges start with 69. To really know whether an IP address is in a range you'll have to read up a bit on their format, but for most of the ranges listed, looking at the bold numbers to see if they match is enough.
 * Then use a WHOIS service to find out where the IP is coming from. Direct link: ARIN WHOIS. This yields:

Pac Bell Internet Services PBI-NET-0803 (NET-69-104-0-0-1) 69.104.0.0 - 69.111.255.255 PPPoX Pool - Rback11 PLTN13 SBC06911116000022040322224055 (NET-69-111-160-0-1) 69.111.160.0 - 69.111.163.255
 * Ignore all the funky numbers&mdash;this is an IP address operated by Pacific Bell for PPP. Checking out their website, it appears to be a dialup address, as that is all they have.
 * Google is your friend in obtaining this sort of information&mdash;a WHOIS record is often cryptic. Googling on PLTN, I find this! Small world, eh? You can also try a traceroute&mdash;this will often give you a clue where, approximately, the address is in cyberspace, and often where it is in meatspace as well. Look for certain keywords in the hostname, like "proxy", "dialup", "pool". They often reveal directly what the address is assigned for. In this case, we don't see much.


 * Summing up, we've found it's a dialup address. What does that mean? Two things:
 * It's unlikely someone else who edits Wikipedia will be assigned the exact same dialup address in 48 hours. Dialup addresses are only handed out when users call in to their ISPs.
 * Unfortunately, it's also unlikely the person who made those edits will be assigned the same dialup address the next time they login. The block you handed out probably didn't stop the person from accessing Wikipedia for 48 hours&mdash;but it did make them go away, which was enough.


 * Now, do you really need to go through all this trouble every time you want to block an IP address? No. Blocking IP addresses is generally safe. Collateral damage, if it occurs at all, is very mild. A few basic guidelines are enough:
 * First, ensure that you really need to block. Revert and warn the user first: test, test2, test2a, test3, test4, test5 (not all of them apply all the time, and you're free to come up with more specific warnings). Many vandals just do one stupid thing and leave. Blocking them is a waste of time. Most others stop after being informed they will be blocked if they do whatever they did again. Of course, some folks just won't listen&mdash;and others are deliberately pissing people off to see how quickly they get blocked. This is where personal judgement comes in.
 * Check if the IP address is in a proxy range. If it is, and you've decided that you really need to block to put an end to it, make the block short. Try 15 minutes, and after those 15 minutes check if the vandal is still at it. If they are, you can reblock, possibly for a slightly longer time. But always aim for the shortest block time possible.
 * If it isn't, then you can block for up to 24 hours. For non-proxy IPs, you can usually safely assume that no innocents will get hurt by such a block.
 * Longer blocks are usually not effective, because the original vandal will be long gone, or they will have returned under another address. If you notice the same guy keeps coming back making the same edits from the same address over and over again, longer blocks make sense. In general, try to estimate how long someone has kept a single address&mdash;the longer this is, the safer long blocks are.
 * You'll often see an IP address with unrelated "bouts" of vandalism over different periods. These are usually dialup addresses or school computers that have seen multiple vandals pass by. This typically does not warrant handing out longer blocks; just block, rinse, repeat.