Wikipedia:WikiProject on open proxies/Requests/Archives/38

165.225.197.20
close

Appears to be an open proxy based on whois results. Vandalism has occurred, but very few edits, so not not sure if any action actually needed however. Alex Noble / 1-2 / TRB 18:58, 17 August 2020 (UTC)
 * This is a Zscaler IP. These are typically shared and dynamic, and used by large major corporations (for example AstraZeneca and Carlsberg Group), with lots of potential collateral. They aren't generally regarded as 'open'. One half (/17) of this range was actually soft-blocked by this year, so they get a ping, but I'm not seeing a pressing need to block the rest of it. -- zzuuzz (talk) 21:27, 17 August 2020 (UTC)
 * Range is currently anonblocked: link -- zzuuzz (talk) 22:47, 2 September 2020 (UTC)

36.77.0.0/16
close

Discussion disruption at Talk:History of English: added a bunch of articles as subjects of the RM despite the OP's (Soumya-8974) intention. Later added a comment that copied a sentence from someone else's almost verbatim, likely in an attempt to create an impression of canvassing or puppetry.

The latter tests poorly on IPQualityScore. The range has been blocked in the past by Berean Hunter. Nardog (talk) 04:38, 6 August 2020 (UTC) — Berean Hunter   (talk)  18:07, 28 August 2020 (UTC)
 * . The range you're looking for (including 1 from your ANI report) is 36.77.92.0/23. I'm going to leave this open for someone else to take a look, to see if a block is indicated anyways. —Mdaniels5757 (talk) 20:45, 7 August 2020 (UTC)
 * User:Berean Hunter had previously twice blocked all of 36.77.0.0/16 for three months, anon-only, account creation blocked, for "CheckUser block: squelch sock account creation and IP socking". It's possible they might see a reason to reapply that block based on technical data. But if we just look at the behavior of Special:Contributions/36.77.92.0/23 I don't think it is quite vandalistic enough to justify a block on its own. Though a /23 is much narrower if we were tempted at all. The worst thing I noticed was the behavior at Talk:History of English that was already noted above. EdJohnston (talk) 16:20, 28 August 2020 (UTC)
 * Thanks EdJohnston. I have blocked that /16 again. That sockmaster is appearing in more than the /23, see 36.77.101.211, 36.77.135.116, 36.77.139.145, 36.77.111.114 as a few examples. He has multiple blocked accounts but was editing while logged out in this range.

143.244.48.0/22
close

Reason: Personal attacks on talk page after block. WHOIS data indicates some sort of colowebhost. The IP has already been temporarily blocked for disruptive editing however I'm wondering if the entire range should be blocked. --   LuK3      (Talk)   15:26, 28 August 2020 (UTC)
 * ✅, . Closing without further action. —&#8205;Mdaniels5757 (talk &bull; contribs) 20:28, 28 August 2020 (UTC)

152.32.109.37
close

Reason: Suspicious edits, IP Reported as Blacklisted Proxy/VPN Detection	Proxy/VPN Proxy/VPN Detected ☆ Bri (talk) 14:31, 1 September 2020 (UTC)
 * 152.32.108.72 similar edits same range ☆ Bri (talk) 14:49, 1 September 2020 (UTC)
 * No proxy found on either; closing. —&#8205;Mdaniels5757 (talk &bull; contribs) 22:04, 1 September 2020 (UTC)
 * Sometimes I get results like this, and it's puzzling. Do you know why IPQualityScore shows checkmarks by the first IP for proxy and recent abuse? ☆ Bri (talk) 04:58, 2 September 2020 (UTC)
 * IPQualityScore isn't particularly accurate; it also can give old results (I don't know how recent they mean by "recent", but many proxies aren't active for long). —&#8205;Mdaniels5757 (talk &bull; contribs) 15:56, 2 September 2020 (UTC)

80.161.48.203
close

Reason: Requested unblock. This proxy used is not public and I can not see why it is blocked? — Preceding unsigned comment added by 217.16.108.164 (talk) 07:59, 2 September 2020 (UTC)
 * IP is not blocked; no signs that it's a proxy anyways. Closing. —&#8205;Mdaniels5757 (talk &bull; contribs) 15:59, 2 September 2020 (UTC)

202.65.154.182
close

Reason: Suspicious edits, appears to be a data center, ipqualityscore reports VPN or proxy & fraud score 99.

There are other suspicious IPs editing in same set of articles, I have reported two of them before. Running list at User:Bri/COIbox97 ☆ Bri (talk) 17:02, 3 September 2020 (UTC)
 * ✅ colocationwebhost via WHOIS and open SSH port, as is the rest of the 202.65.128.0/19 range. Colocationwebhost block of the 202.65.128.0/19 range requested: last global block, which recently expired, was for a year, so I'd go for 1-3 years. —&#8205;Mdaniels5757 (talk &bull; contribs) 16:15, 4 September 2020 (UTC)
 * ✅.  ~Oshwah~  (talk) (contribs)   21:26, 12 September 2020 (UTC)

36.73.190.62
close

Reason: Suspicious edits: another beauty pageant IP that is reported proxy by ipqualityscore.com. ☆ Bri (talk) 02:45, 9 September 2020 (UTC)

Found it to be a low-risk proxy via the proxy checker. Firestar464 (talk) 06:15, 14 October 2020 (UTC)
 * IPQS is the only one flagging it and I can't see any other indication of abuse from any other source. -- Amanda  (aka DQ) 20:29, 21 October 2020 (UTC)

138.43.96.0/20
close

Reason: Seeing some edit filter hits on a few IPs within this range. WHOIS indicates some sort of colo. --    LuK3      (Talk)   18:29, 21 September 2020 (UTC)
 * Reading between the lines on the provider's website, it looks like some kind of fancy cloud VPN with monitoring. I see almost nothing constructive coming out of the range. Colo softblock is probably appropriate here, I'll give it a six month block. GeneralNotability (talk) 14:52, 12 October 2020 (UTC)
 * I updated the block to the standard. Iboss does seem like colocation. -- Amanda  (aka DQ) 20:32, 21 October 2020 (UTC)

152.32.108.102
close

Reason: Suspicious edits, multiple sock farms active at article this IP has edited, likely block evasion. IPqualityscore reports IP Reported as Blacklisted & Proxy/VPN Detected. ☆ Bri (talk) 13:24, 26 September 2020 (UTC)

Ths IP appears to be a high-risk proxy based on the proxy checker. Firestar464 (talk) 06:44, 14 October 2020 (UTC)
 * , you need to do a more in-depth search than just reading what the proxy checker says. Same for the below. GeneralNotability (talk) 22:35, 14 October 2020 (UTC)


 * I'm not certified. I'm just presenting my findings. Firestar464 (talk) 01:57, 15 October 2020 (UTC)
 * IPQS is the only one indicating. Some spam from March, but nothing to be concerning. -- Amanda  (aka DQ) 20:36, 21 October 2020 (UTC)

Beauty pageant SPA proxies
close
 * IPQualityScore lists as proxy & VPN, fraud score 75
 * IPQualityScore lists as proxy & VPN, fraud score 75
 * IPqualityscore lists as a proxy

Reason: Suspicious single-purpose editing; edits in a common set of beauty pageant articles. ☆ Bri (talk) 22:09, 4 October 2020 (UTC)
 * 209.52.89.130 resolves to w2kweb.pacificgroup.net, Nmap gives me two open ports - one is SSH, the other is 8080 but doesn't appear to be an open proxy (though it appears to be some kind of embedded management device).

The first one is not a proxy. The second is a high-risk proxy. The third is a low-risk proxy. Firestar464 (talk) 06:21, 14 October 2020 (UTC)
 * 108.21.69.90 - - IPQS is the only one flagging.
 * 209.52.89.130 - - IP is sublet from telus to Pacific Customs Brokers. IPQS is the only one flagging.
 * 202.80.213.234 - - 8080 requires login, therefore not an open proxy, and not blockable based on that alone.
 * -- Amanda  (aka DQ) 20:46, 21 October 2020 (UTC)

76.85.70.60
close

Likely an open proxy-other IPs used. Check for "loser". Likely from IPShark. --67.85.37.186 (talk) 21:22, 14 October 2020 (UTC)
 * Not likely to be an open proxy it is a low-risk IP from a guanine ISP (Spectrum) but should likely be blocked due to vandalism 🌸 1.Ayana 🌸 (talk) 22:22, 14 October 2020 (UTC)
 * , did you do any checking besides reading the output of the "proxy checker" link? You will need to do a more in-depth check than that. Open proxies can be operating from real ISPs. GeneralNotability (talk) 22:36, 14 October 2020 (UTC)
 * I should have done a more in-depth check before posting so please disregard my post.🌸 1.Ayana 🌸 (talk) 22:49, 14 October 2020 (UTC)
 * It appears to be coming from IPSharkk. Abuse reported. See also extensive ANI thread. --67.85.37.186 (talk) 22:54, 14 October 2020 (UTC)
 * The proxy checker showed that this is a normal IP. Firestar464 (talk) 02:02, 15 October 2020 (UTC)
 * IPQS is the only one flagging. Charter is not one to regularly host proxies either. -- Amanda  (aka DQ) 20:49, 21 October 2020 (UTC)

2.181.49.113
close

Reason: Suspicious edits, possible beauty pageant sockfarm block evasion & listed as proxy by IPQualityScore ☆ Bri (talk) 13:11, 22 October 2020 (UTC)
 * Note regarding the first IP: A quick  session gives no responses for HTTP, SOCKS4 or SOCKS5 proxies running on ports 80, 1080, 8080, 8888, 3128 or 8000. Haven't done any other checks yet (and would appreciate for someone to re-check anyway, given my lack of experience). Blablubbs (talk • contribs) 14:43, 22 October 2020 (UTC)
 * Not on the basis of IPQS and potential block evasion alone. -- Amanda  (aka DQ) 07:34, 16 November 2020 (UTC)

86.57.56.189
close

Reason: Suspicious edits : beauty pageant block evasion likely (see ). IPQS reports proxy. ☆ Bri (talk) 05:34, 16 November 2020 (UTC)
 * Not on the basis of IPQS and potential block evasion alone. -- Amanda  (aka DQ) 07:34, 16 November 2020 (UTC)

103.130.78.8
close

EDIT:IPQS high risk at https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/%20103.130.78.8 Reason: Suspicious edits. Why is a New-Zealand based IP so focused on posting defamation at an American politician article, Elena Parent??. 4thfile4thrank (talk) 05:00, 5 December 2020 (UTC)
 * Noting that the /22 is already blocked as a proxy. Blablubbs | talk 13:44, 5 December 2020 (UTC)
 * Closing per Blablubbs - range is proxy-blocked for three years, no value in checking whether it's an open proxy or not. GeneralNotability (talk) 03:36, 6 December 2020 (UTC)

199.66.88.0/21
closed

Webhost, associated with ExpressVPN (a friend has a subscription and showed me the IP, which is how I found it). /23 is currently colo-blocked, but the entire /21 seems to belong to the host. Blablubbs | talk 02:13, 9 January 2021 (UTC)
 * Rangeblocked. GeneralNotability (talk) 04:07, 9 January 2021 (UTC)

102.130.119.0/24
closed

Webhost: xneelo Blablubbs | talk 13:26, 12 January 2021 (UTC)
 * Colo-blocked 102.130.112.0/20 (whole range is part of ASN 37153). GeneralNotability (talk) 01:38, 13 January 2021 (UTC)

124.217.128.0/18
close

Reason: Suspicious edits Matthew hk (talk) 05:26, 21 January 2021 (UTC)

The ip range is from HGC (which for household usually it is static ip) (edit: not HGC but Hutchison Telecommunications Hong Kong Holdings 11:44, 23 January 2021 (UTC)), an ISP. But it seems it is leased by a company DOMAIN FIVE ENTERPRISES LIMITED to run as an open proxy / VPN. Matthew hk (talk) 05:26, 21 January 2021 (UTC)


 * Example, Talk:List of lighthouses in China (124.217.188.172, ‎124.217.189.103 ), Talk:Holy Trinity Cathedral, Hong Kong Matthew hk (talk) 05:44, 21 January 2021 (UTC)


 * You originally kick-started this section with my IP address. but the reasons why you did so remain unknown. Meanwhile as you've been told you got the burden to factcheck before you submit allegations as such. Domain Five Enterprises Ltd is not known anywhere for VPNs/open proxies. It's a wholly owned subsidiary of Hutchison Telecom, a CK-Hutchison company and the second largest mobile network operator in the territory; whereas HGC had been sold to a private equity firm like three or four years ago such they they are no longer associated in any way. And if you bother to google Domain Five Enterprises is an authorised insurance agency. You've yet to demonstrate how Domain Five Enterprises is (iff they are an ISP) relevant to the picture here and how their IPs (if there's any) are related to Hutchison Telecom and/or HGC. 124.217.189.34 (talk) 16:52, 21 January 2021 (UTC)


 * In any way, it seems you abuse your company ip at work then..... Matthew hk (talk) 19:46, 21 January 2021 (UTC)
 * These aren't the only IPs as well. There's also:
 * And god knows how many more there are. While it might not be a proxy, its more like WP:LOUTSOCK at work, and they are getting emboldened as it's hard to get these blocked. Every one of them geolocates to Hong Kong, that's for sure. I'd say to just semiprotect the articles that they frequent and ignore such edit requests from these ranges. ShelteredCook (talk) 20:10, 21 January 2021 (UTC)
 * And god knows how many more there are. While it might not be a proxy, its more like WP:LOUTSOCK at work, and they are getting emboldened as it's hard to get these blocked. Every one of them geolocates to Hong Kong, that's for sure. I'd say to just semiprotect the articles that they frequent and ignore such edit requests from these ranges. ShelteredCook (talk) 20:10, 21 January 2021 (UTC)
 * And god knows how many more there are. While it might not be a proxy, its more like WP:LOUTSOCK at work, and they are getting emboldened as it's hard to get these blocked. Every one of them geolocates to Hong Kong, that's for sure. I'd say to just semiprotect the articles that they frequent and ignore such edit requests from these ranges. ShelteredCook (talk) 20:10, 21 January 2021 (UTC)
 * And god knows how many more there are. While it might not be a proxy, its more like WP:LOUTSOCK at work, and they are getting emboldened as it's hard to get these blocked. Every one of them geolocates to Hong Kong, that's for sure. I'd say to just semiprotect the articles that they frequent and ignore such edit requests from these ranges. ShelteredCook (talk) 20:10, 21 January 2021 (UTC)
 * And god knows how many more there are. While it might not be a proxy, its more like WP:LOUTSOCK at work, and they are getting emboldened as it's hard to get these blocked. Every one of them geolocates to Hong Kong, that's for sure. I'd say to just semiprotect the articles that they frequent and ignore such edit requests from these ranges. ShelteredCook (talk) 20:10, 21 January 2021 (UTC)
 * And god knows how many more there are. While it might not be a proxy, its more like WP:LOUTSOCK at work, and they are getting emboldened as it's hard to get these blocked. Every one of them geolocates to Hong Kong, that's for sure. I'd say to just semiprotect the articles that they frequent and ignore such edit requests from these ranges. ShelteredCook (talk) 20:10, 21 January 2021 (UTC)
 * And god knows how many more there are. While it might not be a proxy, its more like WP:LOUTSOCK at work, and they are getting emboldened as it's hard to get these blocked. Every one of them geolocates to Hong Kong, that's for sure. I'd say to just semiprotect the articles that they frequent and ignore such edit requests from these ranges. ShelteredCook (talk) 20:10, 21 January 2021 (UTC)
 * And god knows how many more there are. While it might not be a proxy, its more like WP:LOUTSOCK at work, and they are getting emboldened as it's hard to get these blocked. Every one of them geolocates to Hong Kong, that's for sure. I'd say to just semiprotect the articles that they frequent and ignore such edit requests from these ranges. ShelteredCook (talk) 20:10, 21 January 2021 (UTC)
 * And god knows how many more there are. While it might not be a proxy, its more like WP:LOUTSOCK at work, and they are getting emboldened as it's hard to get these blocked. Every one of them geolocates to Hong Kong, that's for sure. I'd say to just semiprotect the articles that they frequent and ignore such edit requests from these ranges. ShelteredCook (talk) 20:10, 21 January 2021 (UTC)


 * C'mon they don't even belong to the same ISP do they? Loutsock? Loutsock at work!? 124.217.189.34 (talk) 20:58, 21 January 2021 (UTC)


 * (Re User:Matthew hk 19:46, 21 January 2021 (UTC)) What? How could you come up with such a wild conclusion that I work there? Meanwhile did you actually read this? 124.217.189.34 (talk) 20:56, 21 January 2021 (UTC)


 * Domain Five Enterprises is a subsidiary of an ISP in the business of non-ISP....so you don't work for Domain Five Enterprises but have access to that ip range, did you prove yourself the range has became an open proxy? I never heard of insurance company provide their end-user customer internet access. Matthew hk (talk) 12:30, 22 January 2021 (UTC)


 * Also, yes i made a mistake to mixed up HGC with its former parent company Hutchison Telecommunications Hong Kong Holdings. On top of the ip was blocked so that they cannot self defence anymore, it would be nice to explain how they are able use the ip range. Are they the customer of 3 (telecommunications), or they really somehow turned that range to private use. Matthew hk (talk) 11:43, 23 January 2021 (UTC)


 * For admin . Please read also Sockpuppet investigations/14.0.180.170/Archive. I don't know why the ip has a misconception of not opening an account is good for them, but their off site canvassing (and meatsock and sock) from lihkg and telegram group is out of control and there should be some way to deal with it. Matthew hk (talk) 12:06, 22 January 2021 (UTC)


 * Link on discussion in lihkg (https://lihkg.com/thread/2373493/page/1}) which contains a screenshot of such telegram group....Not sure the group is for zh-wiki or also for en-wiki..... Matthew hk (talk) 12:43, 22 January 2021 (UTC)

Not all VPNs are open proxies. Many of them are subscription-only, i.e. closed proxies. And with the Hong Kong national security law in force, more and more editors from HK will have legitimate reasons to edit through proxies. Hence while a sockpuppetry case may be relevant (Sockpuppet investigations/14.0.180.170 etc) I don't think an open proxy investigation is a helpful path to pursue. Deryck C. 13:14, 23 January 2021 (UTC)
 * If the ip at first stated they are using 3 mobile broadband and have no idea why in whois record marked as Domain Five Enterprises, then it is not likely an open proxy (or close proxy, since it is an ISP). Now it still can't tell why the ip range is marked as "Domain Five Enterprises", a non-ISP subsidiary of a telecom company. Matthew hk (talk) 23:20, 23 January 2021 (UTC)

I haven't looked too deeply, but glancing at the ISPs, I don't really see any indication that these are webhosts (though granted, I can find very little other English-language information on "Domain Five Enterprises Ltd."). Frankly, given the active SPI, this strikes me as a little forum-shoppy. There's certainly evidence of disruption coming from those ranges, but I don't really see that as grounds for a check – given that they all geolocate to the same area, I think it's more likely we're dealing with either meatpuppetry or simply someone with access to a bunch of different ranges. (Soft-)Blocking these ranges or semiprotecting affected articles on those grounds is of course still a reasonable idea, but that's out of scope for WPOP. Blablubbs | talk 13:14, 24 January 2021 (UTC)
 * I don't see a case for performing a proxy check here. Closing. Disruptive IP ranges may be dealt with at venues like WP:ANI if needed. GeneralNotability (talk) 02:16, 26 January 2021 (UTC)

172.58.4.10
close

Reason: See WP:AIV and history of Kevin McCarthy (California politician); WP:IPSOCK. Firestar464 (talk) 11:02, 4 February 2021 (UTC)
 * , see below. Blablubbs | talk 15:01, 6 February 2021 (UTC)
 * Also, this range is T-Mobile's mobile phone range, which is generally mostly dynamic. Any proxy has probably gone away already. -- zzuuzz (talk) 15:37, 8 February 2021 (UTC)

96.18.179.66
close

Reason: Blanked Open proxies and claims to be one in their contributions  Pahunkat (talk) 21:47, 9 November 2020 (UTC)
 * 1) Just checked again with more time and it seems unlikely this is an open proxy Pahunkat (talk) 22:21, 9 November 2020 (UTC)
 * notaproxy Does not appear to be an open proxy, none of the likely ports are open, the various proxy checkers don't say it's one. If someone's claiming it's an open proxy, possibly IPsharkk or similar. GeneralNotability (talk) 13:30, 10 November 2020 (UTC)
 * There is definitely at minimum P2P activites coming from the IP, they may have shown on proxy lists in the past, there are two RDNS entries and the edits themselves claiming being an OP. -- Amanda  (aka DQ) 07:34, 16 November 2020 (UTC)

104.219.234.142
close

Reason: This IP belongs to a web-host provider (DataWagon, LLC) and it's linked to CollabVM where it can easily be abused by just using a collaborative virtual machine. AsphereOfficial (talk) 05:41, 14 November 2020 (UTC)
 * I've colo-blocked the /24 (anon-only, account creation blocked) and have asked a couple other admins for a second opinion on whether to block the other ranges owned by this company. GeneralNotability (talk) 15:28, 15 November 2020 (UTC)
 * The larger /21 is still DataWagon as noted on whois. Either way, the service does not seem to offer colocation, just rack services, so I would switch to full webhostblock. -- Amanda  (aka DQ) 07:34, 16 November 2020 (UTC)
 * , thanks, changed the block to the /21 as a webhostblock. GeneralNotability (talk) 14:43, 21 November 2020 (UTC)

31.168.172.141
close

Reason: Suspicious edits. That is, these IPs were obtained via CU in a subject area full of socks--though none were found on these two. Drmies (talk) 23:47, 20 November 2020 (UTC)
 * Investigating now. IPQS says suspected proxy/VPN, which doesn't mean much, but proxycheck.io says possible proxy as well. GeneralNotability (talk) 01:36, 21 November 2020 (UTC)
 * They both are VPN endpoints for privateinternetaccess.com, so not open proxies but ✅ VPN (though WHOIS says they're assigned to a normal ISP). Working on a wider scan to see if anything else on that range is from the same group. GeneralNotability (talk) 02:05, 21 November 2020 (UTC)
 * Looks like it's just those two (nothing else on their /20 is serving an SSL cert for privateinternetaccess.com). Both blocked one year as anonymizing VPNs. GeneralNotability (talk) 14:39, 21 November 2020 (UTC)

72.140.224.197 and others
close

Reason: Quick BG: Vijay is an Indian actor in Tamil-language films. At several Vijay-related articles lately, there has been an uptick in edits trying to inflate the actor or his films' gross values. This might be related to LTA sock operator Bothiman, who was a known Vijay lickspittle. Most recently 72.140.224.197 was blocked. This apparently geolocates to Canada. (See also ). Then recently at Puli (2015 film), edits from 176.119.25.52, a French IP that is also interested in Vijay articles. And prior to that, 61.222.202.195, a Chinese IP that is also interested in Vijay articles. Seems fishy. If anyone could take a look, I'd appreciate it. Thanks, Cyphoidbomb (talk) 21:05, 14 December 2020 (UTC)
 * , the 72. and 176. currently host websites, with the first two obviously being run by the same people; the same seems to be the case for the 61. IP, but I can't access it. Pretty sure they're all proxies. Can take a closer look in a bit. Blablubbs | talk 21:27, 14 December 2020 (UTC)
 * Okay, had a second look at the 72.x one, which hosts some sort of spamsite. It belongs to a rogers-hosted datacentre (host: unallocated-static.datacentres.rogers.com nameservers dnsX.datacentres.rogers.com) and has an open port 8080 which, when proxied through, sends us to a different spamsite. Other IPs from that datacentre range have edited as well. I'm mostly here to lurk and learn, but I'll take a poorly educated guess and say that it's a proxy and should probably be (range-)blocked. Blablubbs | talk 22:01, 14 December 2020 (UTC)
 * Also noting that the other two are both flagged by multiple proxy APIs. Blablubbs | talk 22:09, 14 December 2020 (UTC)
 * Thanks for the info! This high-level technical stuff is beyond my brain's abilities, so I'll have to wait for someone to do the dirty work. Cyphoidbomb (talk) 23:31, 14 December 2020 (UTC)
 * I noticed blocked 176.119.24.0/21. I wonder if that was related to this query or an independent discovery. Cyphoidbomb (talk) 14:20, 15 December 2020 (UTC)
 * It was due to this report. ST47 (talk) 19:17, 15 December 2020 (UTC)
 * Then thanks! Cyphoidbomb (talk) 21:04, 15 December 2020 (UTC)


 * I've added another to the list, 121.127.11.235. This one geolocates to Algeria, and just dumped a bunch of promotional awards at at an award article for Vijay. Cyphoidbomb (talk) 23:18, 15 December 2020 (UTC)
 * , it's this Filipino data centre (range). The IP also hosts a website landing page; open port 8080 – I can tunnel through it, but get empty replies from the target servers. I'll again go out on a semi-educated limb and say that this is a proxy. Blablubbs | talk 13:09, 16 December 2020 (UTC)
 * Colo-blocked 121.127.0.0/19 with a soft block, scanning all of the IPs listed here to see if they need individual open proxy blocks. GeneralNotability (talk) 00:28, 17 December 2020 (UTC)
 * : Poking at its open Squid port revealed that it's GeoSurf, which is a VPN provider. Hardblocked.
 * : I have no idea what's going on with that host or why it's claiming to be serving an out-of-date Microsoft Update cert. Hardblocked as a webhost.
 * : Even weirder than the last one. Some kind of webhost? Hardblocked too.
 * Still waiting on nmap for the 61. IP before I can close this. GeneralNotability (talk) 02:39, 17 December 2020 (UTC)
 * Not sure if you're still looking at these, but I just added another one, 61.221.12.80. It geolocates to Spain, but is somehow interested in puffing up Vijay articles. Same MO as the others. Cyphoidbomb (talk) 22:06, 21 December 2020 (UTC)
 * , sorry, forgot to close this out. Your latest proxy is yet another GeoSurf proxy, so not open but a proxy just the same. I've hardblocked it. Closing. — Preceding unsigned comment added by GeneralNotability (talk • contribs) 00:15, 22 December 2020 (UTC)

174.95.181.23
close

Reason: Suspicious edits Beyond My Ken (talk) 17:53, 22 December 2020 (UTC)
 * This does not seem to be an open proxy. ProcrastinatingReader (talk) 01:52, 27 December 2020 (UTC)
 * Concur with Proc, this appears to be a router of some sort, doesn't seem to be an open proxy - only open port I saw was for a config GUI. GeneralNotability (talk) 02:43, 4 January 2021 (UTC)
 * Thanks. Beyond My Ken (talk) 01:53, 21 January 2021 (UTC)

142.114.15.168
close

Reason: Suspicious edits Beyond My Ken (talk) 17:57, 22 December 2020 (UTC)
 * This does not seem to be an open proxy. ProcrastinatingReader (talk) 01:52, 27 December 2020 (UTC)
 * Same deal as 174.95.181.23, doesn't appear to be an open proxy. GeneralNotability (talk) 02:44, 4 January 2021 (UTC)
 * Thank you. Beyond My Ken (talk) 01:54, 21 January 2021 (UTC)

IP 91.250.240.141
close

Reason: Suspicious edits. Per a complaint at WP:AN3 about reverts at 2022 Winter Olympics. I blocked two months on suspicion after seeing the results of the toolforge proxy checker. Probably a better quality of confirmation should be attempted. This IP is in a /24 range operated by the provider, HostRoyale. An online service called scamalytics.com says "We consider HostRoyale Technologies Pvt Ltd to be a potentially very high​ fraud risk ISP.." EdJohnston (talk) 17:13, 23 December 2020 (UTC)
 * Definitely open on 443 and 8443. /24 blocked by ST47. ProcrastinatingReader (talk) 01:52, 27 December 2020 (UTC)
 * Closing per above - blocked as a colo. GeneralNotability (talk) 01:36, 4 January 2021 (UTC)

74.127.203.23
close

Reason: This user confessed to being a VPN on this diff, and IPQS shows that the IP is likely a VPN, but I'd like someone more experienced in this field to help me determine if this IP is truly a VPN. JJP...MASTER![talk to] JJP... master? 00:24, 29 December 2020 (UTC)
 * Everything I checked on TCP was firewalled, so I don't think this is likely to be an open proxy. Could be a P2P proxy, but it's hard to pick those out. GeneralNotability (talk) 01:59, 5 January 2021 (UTC)

193.85.188.238
close

Reason: Suspicious edits in beauty pageant space w/ prolific socking. Host name mail.bohemiacargo.cz looks like it's potentially a mail server being used as a proxy. Bri.public (talk) 22:35, 30 December 2020 (UTC)
 * (there are some odd HTTP ports open, but none of them appear to be open proxy ports), and given that its area of interest is in Czech pageantry I don't see good reason to block. Could be some weird internal routing, or maybe someone at bohemiacargo.cz is editing from a mail server. GeneralNotability (talk) 02:36, 4 January 2021 (UTC)

173.11.1.217
close

Reason: Found via IPProxyCheck Firestar464 (talk) 07:40, 6 February 2021 (UTC)
 * , see below. Blablubbs | talk 15:01, 6 February 2021 (UTC)

96.35.172.222
close

Reason: Found via IPProxyCheck Firestar464 (talk) 07:41, 6 February 2021 (UTC)
 * . I'm bulk-declining the recent requests by ; none of these ISPs strike me as likely candidates for hosting open proxies – IPQS is the only provider that's flagging, but it flags basically everything that has ever been connected to the internet and that flag isn't grounds for a check on its own. The only suspicious one based on another API I use is 172.58.4.10, but that's already proxyblocked for one year; the other two IPs haven't edited since 2010. Blablubbs | talk 15:01, 6 February 2021 (UTC)

85.10.51.92
close

Reason: Suspicious edits. The IP had no editing history before, but initiated a RfC on RSN today. Normchou  💬 03:24, 7 February 2021 (UTC)
 * ✅ VPN; serving SSL cert for Surfshark on port 443. Had a quick look at the /25: The same is the case for
 * Given that recently blocked another Surfshark IP that's on the same /20, but not /25, I'll have a look at the wider range too. It would probably also be a good idea for someone with the relevant buttons to block the ones above. Blablubbs | talk 12:15, 7 February 2021 (UTC)
 * Given that recently blocked another Surfshark IP that's on the same /20, but not /25, I'll have a look at the wider range too. It would probably also be a good idea for someone with the relevant buttons to block the ones above. Blablubbs | talk 12:15, 7 February 2021 (UTC)

Additional results:
 * (Softether VPN)
 * (Surfshark)
 * (Surfshark)
 * (Surfshark)
 * (Surfshark)
 * (IPVanish)
 * (vpnunlimitedapp.com)
 * (IPVanish)
 * (WLVPN.com)
 * (Surfshark)
 * (Surfshark)
 * (Surfshark)
 * (Surfshark)
 * (vpnunlimitedapp)
 * (vpnunlimitedapp)
 * (vpnunlimitedapp)
 * (windscribe)
 * (windscribe)
 * (surfshark)
 * (surfshark)
 * (surfshark)
 * (surfshark)
 * (surfshark)
 * (surfshark)
 * ExpressVPN
 * (Softether)
 * ExpressVPN
 * (Softether)
 * (Softether)

Blablubbs | talk 12:45, 7 February 2021 (UTC)
 * Nice work . I've hardblocked the IPs you called out. Based on the sheer number of proxies on the same range, I think this is a colo or the like, so I've also colo-blocked 85.10.48.0/20. GeneralNotability (talk) 15:47, 10 February 2021 (UTC)

128.174.151.220
close

Caught by IpProxyCheck

Reason: Suspicious edits Firestar464 (talk) 06:21, 11 February 2021 (UTC)


 * . University IP, no edits since 2014, noone except IPQS is flagging. Blablubbs | talk 10:14, 11 February 2021 (UTC)

172.93.147.64/29
closed

Reason: NordVPN. Possibly used by banned sockfarm. MarioGom (talk) 15:28, 13 February 2021 (UTC)
 * The entire /20 is nexeon, which seems to also offer colocation, so the reviewing admin may want to consider hitting that with a soft block while hardblocking the /29. Blablubbs | talk 15:35, 13 February 2021 (UTC)
 * ST47 blocked the /20 as a colo, I hardened the block on the /29. Closing. GeneralNotability (talk) 00:56, 25 February 2021 (UTC)

167.88.0.0/20
close

Reason: The /20 block is a hosting provider (Nexeon). The individual IPs are active NordVPN nodes. MarioGom (talk) 16:12, 13 February 2021 (UTC)
 * Hardblocked the ranges that WHOIS showed as belonging to NordVPN, the larger range is already softblocked. Closing.

209.216.92.203
close

Reason: Suspicious edits. This IP had little contributions in the past, but recently wrote on another user's talk page citing a number of community policies to make unfounded, WP:ASPERSIONS-ish accusations. . Normchou  💬 21:38, 17 February 2021 (UTC)
 * 209.216.92.0/24 is Ace Host. This specific IP is Surfshark VPN according to spur.us API. --MarioGom (talk) 18:28, 18 February 2021 (UTC)
 * ✅ VPN – serving Surfshark SSL cert on port 443. This one does offer colocation, but it might also be an option to just hardblock it anyway – otherwise a wider scan is probably needed. Blablubbs | talk 18:32, 18 February 2021 (UTC)

More SurfShark in this range:

--MarioGom (talk) 14:53, 19 February 2021 (UTC)


 * I've blocked the ranges in AS398779. SQL Query me!  17:48, 21 February 2021 (UTC)
 * Closing - rangeblocked by SQL. GeneralNotability (talk)

185.188.61.0/24
close

Reason: Suspicious edits. The /24 range is Comforhost. The individual IPs are SurfShark VPN (SSL certificates served on port 443). MarioGom (talk) 14:31, 19 February 2021 (UTC)


 * I've blocked ranges in AS43578, where appropriate. SQL Query me!  17:48, 21 February 2021 (UTC)
 * Rangeblocked by SQL, closing. GeneralNotability (talk) 00:49, 25 February 2021 (UTC)