Wikipedia:WikiProject on open proxies/Requests/Archives/21

200.239.128.64


Reason: Suspicious edits at AN/I, and Geolocate marks it as a "confirmed proxy server" BMK (talk) 22:05, 5 July 2015 (UTC)
 * Confirmed, reblocked. Materialscientist (talk) 22:31, 5 July 2015 (UTC)

190.77.0.0/16


Reason: Requested unblock. A global User asked me for help via private email. While logged in to their home Wikipedia, that user gets the following notice when attempting to go to the English Wikipedia:

Account creation from IP addresses in the range 190.77.0.0/16, which includes your IP address (190.77.172.147), has been blocked by NawlinWiki. The reason given by NawlinWiki is The IP address that you are currently using has been blocked because it is believed to be an open or anonymizing proxy. To prevent abuse, these proxies may be blocked from editing Wikipedia.

That's a big range with lots of collateral damage. WhoIs indicates this range is a dynamic pool of an ISP. Thanks in advance for your help. DocTree (ʞlɐʇ·ʇuoɔ) WER 05:08, 7 July 2015 (UTC)


 * I don't see anything that would indicate that this particular IP is an open proxy, or anything other than a dynamic ISP. I do see an extremely aggressive and vile troll operating from that range over a long period (with many deleted edits), which is the likely reason for the block. The block only impacts anonymous editors, it may be best to point them to WP:ACC, or to contact the blocking administrator for perspectives.  Kuru   (talk)  12:12, 7 July 2015 (UTC)

162.219.24.202


Seems to be related to a sockfarm I've been dealing with. Left me messages on my talk page of the same style as the SM. Crow  Caw 22:59, 10 July 2015 (UTC)

Reason: Suspicious edits
 * Yes, port scans + edits strongly suggest that these are open proxies, hence blocked. Materialscientist (talk) 23:20, 10 July 2015 (UTC)

46.32.238.218


Reason: Geo locate says known proxy server. User self-identifies as who is known to use proxy servers for his edits. Current rash of vandalism from this IP. Geraldo Perez (talk) 00:21, 16 July 2015 (UTC)
 * Same as below; vpnflat/freemybrowser.com exit node. Kuru   (talk)  02:37, 16 July 2015 (UTC)

5.9.97.199


Reason: Geolocate says confirmed proxy server. Used by who only vandal edits through proxies. Geraldo Perez (talk) 02:20, 16 July 2015 (UTC)


 * Exit node for freemybrowser.com on port 443; extended the existing block as a proxy block. Kuru   (talk)  02:34, 16 July 2015 (UTC)

212.117.181.107


Reason: Another open proxy used for vandalism edit by. Geo locate says known proxy server. Geraldo Perez (talk) 21:22, 16 July 2015 (UTC)
 * As above; Mr. Scientist has already extended the block per the exit node on 443. Kuru   (talk)  02:35, 17 July 2015 (UTC)

195.30.108.27


Reason: Gabucho181 IP sock. Geolocate says confirmed proxy server. Geraldo Perez (talk) 01:48, 17 July 2015 (UTC)
 * Block extended; same as above. Kuru   (talk)  02:38, 17 July 2015 (UTC)

186.88.177.160


Reason: Requested unblock. PhilKnight (talk) 21:42, 19 July 2015 (UTC)
 * Same situation and problematic editor as 190.77.0.0/16 above (nothing with this specific IP), except in this case it is a hard block so I cannot suggest ACC. Kuru   (talk)  01:56, 20 July 2015 (UTC)

89.255.92.42


Reason: Suspicious edits. IP is apparently a network sharing device and appears on several black lists. PRECOCIOUS editing soon after a sock was blocked. The previous sock also edited from an open proxy.- MrX 21:16, 21 July 2015 (UTC)
 * Already blocked for six months as a proxy by User:Materialscientist on 25 July. EdJohnston (talk) 02:23, 15 August 2015 (UTC)

212.253.113.239


Reason: Anti-LGBT troll at Reference Desk
 * Same as below; nothing obvious. Kuru   (talk)  23:59, 28 July 2015 (UTC)

106.188.52.5


Reason: Anti-LGBT troll at Reference Desk. This troll is known to use open proxies.
 * I don't see anything open or obvious here. Kuru   (talk)  23:41, 28 July 2015 (UTC)

46.35.231.12


Reason: Anti-LGBT troll at Reference Desk. Troll is known to use open proxies.
 * 465/995 are open, but they look like mailserver ports. Can't connect to anything. The IP is on a few blacklists, but I can't see anything else. Kuru   (talk)  23:37, 28 July 2015 (UTC)

216.169.108.214


Reason: Self-identified Gabucho181 socks. MO is to use open proxies for vandalism edits. Geraldo Perez (talk) 05:52, 30 July 2015 (UTC)
 * No obvious open proxies, but 216 is a web host (ezzi.net). 173 is also a web host (webair.net). Kuru   (talk)  11:31, 30 July 2015 (UTC)

205.204.85.22


Reason: Suspicious edits; showed up in a checkuser on a malicious user suspected to be a long-time nuisance. --jpgordon:==( o ) 00:06, 1 August 2015 (UTC)
 * Not a proxy checker, but the WHOIS/Robtex data look like it belongs to a webhost - a webhost block case, maybe? Also listed on several spam blacklists. Jo-Jo Eumerus (talk, contributions) 15:58, 1 August 2015 (UTC)
 * Blocked as webhost. Materialscientist (talk) 22:27, 1 August 2015 (UTC)

104.156.228.146


Reason: Sockpuppetry on Subway (restaurant) Keri (talk) 10:40, 2 August 2015 (UTC)


 * Also using and
 * Reason: Sockpuppetry on Subway (restaurant) and sockpuppetry/block evasion on Sockpuppet investigations/XenoRasta. Keri (talk) 10:42, 2 August 2015 (UTC)
 * All of these are privateinternetaccess.com exit nodes. I've put a small range block up for the 104.156 addresses as a quick spot check shows that many of the IPs there are hosted servers for the same service. I blocked the 104.200.154.59 address directly - will need more data there to form a viable range block.  Kuru   (talk)  14:02, 2 August 2015 (UTC)

208.31.49.57


Reason: Per this and this Geraldo Perez (talk) 19:12, 2 August 2015 (UTC)
 * Confirmed cyberghost vpn exit node on 443. Kuru   (talk)  19:42, 2 August 2015 (UTC)

208.31.49.59


Reason: Gabucho181 sock uses open proxies and this. Currently has a short sock block. Also per above looks to be in a range of IPs that could be range blocked. Geraldo Perez (talk) 23:03, 2 August 2015 (UTC)
 * I poked around on the 208.31.49.0/24 range, and every single IP editing wikipedia with more than 2 edits tested positive as a CyberGhost node (443 - they make no effort to mask it). I've blocked that range; let me know if he edits again. It might be faster to just pay CyberGhost and get a list of nodes from them. :) Kuru   (talk)  00:31, 3 August 2015 (UTC)

95.125.131.171


Hi there. I suspect this might be a proxy because it was recently used by a sock operator who historically has edited from Aberdeen, Scotland. This IP geolocates to Spain (ISP: Telefonica de Espana). Thanks! Cyphoidbomb (talk) 17:59, 6 August 2015 (UTC)

Reason: Suspicious edits
 * I don't see anything. Maybe on vacation in sunny Spain?  Kuru   (talk)  23:22, 6 August 2015 (UTC)
 * Thanks for looking. Cyphoidbomb (talk) 02:48, 7 August 2015 (UTC)

104.156.228.193


Previously blocked sock, using ISP Choopa LLC. See WikiProject on open proxies/Requests Keri (talk) 14:50, 10 August 2015 (UTC)
 * Blocked both, thanks. Materialscientist (talk) 00:44, 13 August 2015 (UTC)

Also Keri (talk) 13:06, 13 August 2015 (UTC)
 * Expanded the previous rangeblock a little to pick that one up. Kuru   (talk)  02:33, 15 August 2015 (UTC)

45.55.3.174


Reason: Suspicious edits IP editor only has interest in Pakistan-related articles, but IP geolocates to San Francisco, California, US. Not impossible, of course, but weird. They've flagged another user who edits primarily in Pakistan-related subjects as a sockpuppet. The user has also communicated with another editor in a foreign language. Again, not impossible for someone from San Francisco, but worth looking into. Thanks. Cyphoidbomb (talk) 19:41, 10 August 2015 (UTC)
 * Geosigns are irrelevant, but whois says that 45.55.0.0/16 belongs to "DigitalOcean - Simple Cloud Hosting" (digitalocean.com). CU scans show some activity, but also abuse. I went ahead and hardblocked /16 as a webhost. Materialscientist (talk) 00:52, 13 August 2015 (UTC)

199.19.250.123


Reason: Suspicious edits, involved with logged-in editor suspected of COI [//en.wikipedia.org/w/index.php?title=User_talk:Jackmcbarn&diff=672487279&oldid=672487092]; host lookup says "Blue Coat Systems, Inc cloud services".
 * Nothing obvious, sorry for the delay. Kuru   (talk)  00:44, 25 October 2015 (UTC)

198.136.25.82


Reason: Suspicious edits at article prone to autobio [//en.wikipedia.org/w/index.php?title=List_of_long-distance_motorcycle_riders&curid=28813103&diff=676032152&oldid=673774715], host lookup said Gorilla Servers
 * Gorillaservers webhost; blocked. Kuru   (talk)  02:30, 15 August 2015 (UTC)

69.87.100.1


Reason: Suspicious edits associated with COI editor; host lookup at whatismyip.com says IP is a known proxy.
 * This is the exit node for a corporate proxy, not an open proxy or webhost. I can see all sorts of interesting COI edits related to some of the entities in that "family" which sort of confirms this. Just block like a regular shared IP if there's too many bad edits. Kuru   (talk)  02:15, 16 August 2015 (UTC)

145.226.158.81 / 145.226.158.82


Reason: Used to evade active block in zhwiki, and the IP also edits here. The IP is from France but other IPs used by that zhwiki user are from Germany.--GZWDer (talk) 02:02, 20 August 2015 (UTC)
 * Sorry, I don't see anything obvious on either IP. Kuru   (talk)  02:22, 20 August 2015 (UTC)

2C0F:F930:0:3:0:0:0:221


I just reverted some vandalism which does not need any follow up, but when I looked at the IP's talk (User talk:2C0F:F930:0:3:0:0:0:221) I saw a claim "This is a Tor exit node.2C0F:F930:0:3:0:0:0:221 (talk) 13:01, 16 August 2015". I'm hoping someone will take any action necessary, but it's not a problem at the moment. Johnuniq (talk) 02:33, 26 August 2015 (UTC)
 * Can't do much checking now. Their global contributions indeed suggest international sharing. This tool doesn't identify the IP as Tor; the tool used to work well with ipv4, but I'm not sure about ipv6. Materialscientist (talk) 03:06, 26 August 2015 (UTC)
 * I'm not seeing it; no open ports there. It seems most tor exit nodes are easy to spot, like 5.9.123.81:9001. Kuru   (talk)  12:10, 26 August 2015 (UTC)

104.238.83.28


Reason: Suspicious edits. A persistent sockpuppet of user: Asdisis hiding behind a proxy. - MrX 17:50, 27 August 2015 (UTC)
 * ip-104-238-83-28.ip.secureserver.net - port 443 (confirmed) and probably some other ports. -- zzuuzz (talk) 18:00, 27 August 2015 (UTC)

2001:41D0:8:B330:0:0:0:1


Reason: Suspicious edits. Sock of. - MrX 22:39, 27 August 2015 (UTC)
 * Already blocked by Bbb23 Kuru   (talk)  13:28, 30 August 2015 (UTC)

95.172.74.63


Reason: Suspicious edits. WHOIS reports this is an open proxy from Zscaler. Brianhe (talk) 04:38, 30 August 2015 (UTC)
 * , 95.172.74.63:8080, already blocked by MaterialScientist. Kuru   (talk)  13:01, 30 August 2015 (UTC)

109.192.2.224


Appears to be connected to a company called Wittenstein that sells a product called Fitbone - they are trying to edit war PROMO content about that product into several articles. Reported at COIN here and was referred to this board. Jytdog (talk) 10:03, 31 August 2015 (UTC)

Reason: Suspicious edits
 * I don't see an open proxy there, but anonblocked per spam. Materialscientist (talk) 10:16, 31 August 2015 (UTC)
 * It was reported as an open proxy here: http://whatismyipaddress.com/ip/109.192.2.224 — Brianhe (talk) 18:58, 31 August 2015 (UTC)
 * It's actually reported as a 'confirmed proxy server', of which open proxies are possibly a subset. Likewise, I don't see that it's open (in fact I don't agree it's even a proxy), more like a relatively static broadband IP in Germany. -- zzuuzz (talk) 19:11, 31 August 2015 (UTC)
 * Thanks, I'll be more careful with labels in future. — Brianhe (talk) 21:48, 31 August 2015 (UTC)

IP 220.255.3.185


Reason: Suspicious edits
 * This IP was asking some questions about socking at WP:AN, as well as talking back to User:Drmies about an SPI case. A web search for 220.255.*.* shows some generally-advertised proxy services based in Singapore. May not be this exact range, though. This IP gets some hits from a spam finder at Cleantalk. There are seven hits in the SPI directory for cases that contain the string '220.255'. EdJohnston (talk) 02:39, 3 September 2015 (UTC)
 * I recognise this proxy user. Apart from that, getting close, 220.255.3.170:80 exits at 220.255.3.186. A few more rolls of the dice might nail it. If not, it's a duck. -- zzuuzz (talk) 03:07, 3 September 2015 (UTC)
 * I can't proxy-check it now (and would leave this to zzuuzz anyway), but CU scan shows that this IP is shared, is not particularly active, and was abused by an unrelated spambot yesterday. Materialscientist (talk) 03:13, 3 September 2015 (UTC)
 * ❌ 220.255.3.170 (over ssl) -- zzuuzz (talk) 03:28, 3 September 2015 (UTC)

112.79.38.210


Reason: Suspicious edits
 * See this AN/I thread. BMK (talk) 02:58, 5 September 2015 (UTC)
 * Block evasion, yes, but I don't see an open proxy there. Materialscientist (talk) 03:07, 5 September 2015 (UTC)

104.238.169.86



 * Per http://whatismyipaddress.com/ip/104.238.169.86, "Confirmed proxy server, Recently reported forum spam source."
 * Trolling User talk:Jimbo Wales: ,

Reason: Suspicious edits
 * Blocked. Materialscientist (talk) 12:18, 8 September 2015 (UTC)

119.81.135.18


Reason: Suspicious edits BMK (talk) 13:09, 10 September 2015 (UTC)
 * Blocked. Materialscientist (talk) 23:25, 10 September 2015 (UTC)

122.3.238.242


Reason: Disruptive edit of WP:OR by a sockpuppet using OpenVPN as Open proxy.
 * Blocked, thanks. Materialscientist (talk) 22:57, 18 September 2015 (UTC)

190.37.0.0/16


Block reason given is Blocked_proxy for the entire range. A lot of collateral damage when such a wide range is blocked as an open proxy. If all of the ISP's servers are actually misconfigured and usable as open proxies, can a user or admin fluent in Spanish contact them to recommend better configuration and XFF? WhoIs shows CANTV Servicios, Venezuela located at Venezuela, Bolivarian Republic Of Caracas Cantv Servicios Venezuela. Thanks, DocTree (ʞlɐʇ·ʇuoɔ) WER 17:51, 9 September 2015 (UTC)

Reason: Requested unblock.
 * Comment: The two IPs with the most edits on this range don't seem to have any proxies on them. There's really only a handful of edits on the entire range and yet this block affects up to 65,536 IPs. This seems like some pretty major overkill to me. do you have any comments as the blocking admin?  M w w 1 1 3     (talk) 05:49, 29 October 2015 (UTC)
 * Block has expired— UY Scuti Talk  06:50, 13 April 2016 (UTC)

217.165.22.88


Reason: Suspicious edits and traceroute goes through cogentco.com who describe themselves: "Cogent Data Centers also host Cogent's Utility Computing servers". — Brianhe (talk) 23:12, 14 September 2015 (UTC)
 * , belongs to UAE telecommunications corp. — UY Scuti Talk  07:03, 13 April 2016 (UTC)

146.23.3.250


This IP is owned by Chevron Corporation, located in their San Ramon, California, office. It is reported as a confirmed open proxy. People operating the proxy have made personal attacks and have violated the 1RR limitation set at the Abortion and mental health article. (All abortion topics have a 1RR limitation.) Since May 2015, other edits have been made by this proxy to disputed and controversial topics such as Conversion therapy (to convert gays) and Beginning of human personhood (a debate point in the abortion topic.) Binksternet (talk) 06:29, 17 September 2015 (UTC)
 * Comment: Looks to me.  M w w 1 1 3     (talk) 05:57, 29 October 2015 (UTC)

174.142.138.234


Reason: Suspicious edits. WHOIS→iWeb Technologies Inc.. Google→"iWeb: Cloud Hosting, Server Hosting & Hosted Solutions". Brianhe (talk) 15:06, 21 September 2015 (UTC)
 * (unchecked) 174.142.0.0/16 is rangeblocked. -- zzuuzz (talk) 19:44, 3 April 2016 (UTC)

168.1.23.79


Reason: Suspicious edits. - MrX 12:01, 25 September 2015 (UTC)
 * I can't check it for proxy at the moment, but blocked it as an (abused) webhost. Materialscientist (talk) 12:06, 25 September 2015 (UTC)
 * (unchecked) blocked directly plus 168.1.0.0/16 is rangeblocked. -- zzuuzz (talk) 19:46, 3 April 2016 (UTC)