Wikipedia:WikiProject on open proxies/Requests/Archives/39

207.241.232.35
close

Reason: An IP form the wayback machine. -322UbnBr2 (Talk &#124; Contributions &#124; Actions) 21:36, 29 December 2020 (UTC)
 * I see no reason to bother checking this - the IP is indeed registered to the Internet Archive, but that isn't a reason to check if it's a proxy. No enwiki edits either. GeneralNotability (talk) 01:39, 4 January 2021 (UTC)
 * You can edit from it, though.

155.254.28.142
close

Reason: Suspicious edits This IP made a few iffy edits including content blanking. Normchou  💬 01:10, 3 January 2021 (UTC)
 * Ths IP is flagged as a proxy by ipcheck; it has a report at scamalytics.com. EdJohnston (talk) 01:16, 3 January 2021 (UTC)
 * Actually the whole 155.254.16.0/20 is a webhost, apparently running VPNs. --MarioGom (talk) 01:26, 3 January 2021 (UTC)
 * Worse, they spelled a la carte wrong on their website. Will work on a colo block here. GeneralNotability (talk) 01:45, 4 January 2021 (UTC)
 * Colo-blocked, didn't see anything recent on the unblocked ranges that belong to the same hosting provider. Closing. GeneralNotability (talk) 01:56, 4 January 2021 (UTC)

IP185.246.88.119
close

Reported at WP:Sockpuppet investigations/Ineedtostopforgetting. The Ipcheck tool says it could be a proxy or a VPN.

EdJohnston (talk) 05:16, 6 January 2021 (UTC)
 * nmap says that it's serving an SSL cert for SurfShark, a known VPN provider. Will block. GeneralNotability (talk) 02:22, 8 January 2021 (UTC)

213.184.101.9
close

Reason: Suspicious edits DoebLoggs (talk) 10:23, 14 January 2021 (UTC)


 * @DoebLoggs, could you clarify what you mean by "suspicious edits"? I only see a single vandal edit coming from that IP. Best, Blablubbs | talk 21:57, 20 January 2021 (UTC)
 * thanks for replying. Actually it's the first time I file a report at this venue and I'm not experienced on how this page works. I just noticed that the IP above is marked as a possible proxy or VPN by checking it through the Proxy Checker website. Feel free to ignore my request if you think it is not appropriate and please accept my apologies in that case. --DoebLoggs (talk) 11:57, 21 January 2021 (UTC)
 * Not seeing anything that indicates this is an open proxy (not even IPQS, which thinks everything is a VPN). Closed. GeneralNotability (talk) 00:10, 25 January 2021 (UTC)

135.181.0.0/16
close

Webhost (Hetzner). Also used by webproxy services; 135.181.35.237 is serving an SSL cert for hideproxy.me on port 443. Blablubbs | talk 20:27, 25 January 2021 (UTC)


 * I also found some other unblocked Hetzner ranges; most are already gblocked, but one is unblocked and has edits coming from it:
 * (this one has edited)
 * Blablubbs | talk 20:37, 25 January 2021 (UTC)
 * Blocked the reported range and the other unblocked range. GeneralNotability (talk) 14:34, 10 February 2021 (UTC)
 * Blablubbs | talk 20:37, 25 January 2021 (UTC)
 * Blocked the reported range and the other unblocked range. GeneralNotability (talk) 14:34, 10 February 2021 (UTC)
 * Blablubbs | talk 20:37, 25 January 2021 (UTC)
 * Blocked the reported range and the other unblocked range. GeneralNotability (talk) 14:34, 10 February 2021 (UTC)

5.175.40.0/21
close

Reason: Suspicious edits. Range from a Spanish VPS hosting company: axarnet.es (Infortelecom on WHOIS). MarioGom (talk) 00:44, 9 February 2021 (UTC)
 * Rangeblocked. GeneralNotability (talk) 03:31, 26 February 2021 (UTC)

110.138.151.51
close

Reason: Suspicious edits Beyond My Ken (talk) 16:19, 21 February 2021 (UTC)
 * Only two edits in the past 10 years, not seeing much to indicate this is an open proxy/VPN. It appears to be a residential IP, although Spur does flag it as a 'botnet proxy' type endpoint. ƒirefly  ( t · c ) 13:07, 25 February 2021 (UTC)
 * , I concur that this one is pretty to be an open proxy. However, given the behavioural similarities with the IP reported below which has a vastly different geolocation (and this page history more generally), I'd call it  that it is a different sort of proxy (beans!) that we won't be able to positively confirm, with the other options being meatpuppetry or strange coincidence. Blablubbs | talk 13:20, 25 February 2021 (UTC)
 * yes I wondered about that (assuming we’re thinking of the same thing) based on the Spur result... ƒirefly  ( t · c ) 13:34, 25 February 2021 (UTC)
 * I think we're all thinking the same thing. Not seeing a lot of value in blocking right now though - very hard to confirm that it's a proxy, only one edit, going to close.

2.57.169.0/24
close

Webhost range. While Equinix offers colocation, this /24 seems to be exclusively used by ExpressVPN per WHOIS and spot checks with the spur API. Blablubbs | talk 20:59, 15 February 2021 (UTC)
 * Blocked by stwalkerster. GeneralNotability (talk) 03:51, 28 February 2021 (UTC)

ProtonVPN
close



















Unblocked ProtonVPN IPs (JSON data), grouped by colo. MarioGom (talk) 19:13, 28 February 2021 (UTC)
 * Thanks for doing the legwork on this. Hardblocked the lot and handed out some colo blocks.

IP173.237.207.37
closed

Reason: Suspicious edits. The WHOIS tool says the range is operated by Netriplex, a web server company. The name 'Lightwavenetworks' is returned for this single IP by Ipcheck, which gives a 'fraud score' of 100. Another part of the same /16 range, is currently blocked by User:ST47 as a colocation webhost. This single IP is one of the IPs recently reported in WP:Sockpuppet investigations/Ineedtostopforgetting. Scamalytics says this this IP is a fraud risk, that it's a VPN and that it's open on port 443. EdJohnston (talk) 20:57, 3 February 2021 (UTC)
 * Whois tells me the /24 belongs to SurfShark, which it does, so I've blocked it as such. There doesn't seem to be anything else currently active on the wider /20, and I haven't pursued that. -- zzuuzz (talk) 21:15, 3 February 2021 (UTC)
 * Lightwave offers webhosting and colocation, so it probably makes sense to hit the wider twenty as well as everything here with blocks. Blablubbs | talk 11:29, 28 February 2021 (UTC)
 * Thanks all. Handed out a bunch of colo blocks, closing. GeneralNotability (talk) 01:56, 10 March 2021 (UTC)

192.145.116.0/24 and others
closed

Reason: NordVPN. The first two ranges with active exit nodes. The other two found while looking up the AS. MarioGom (talk) 16:45, 13 February 2021 (UTC)
 * Good spot. Blocked 'em all. GeneralNotability (talk) 02:34, 10 March 2021 (UTC)

180.244.233.35
close

Previously blocked for 2 weeks in 2020 as an open proxy. Only vandalism from this address since block expired. I just blocked it again for 3 months as an open proxy due to the previous block rationale, but then couldn't find a previous record of that IP address here. ~Anachronist (talk) 20:05, 19 February 2021 (UTC)
 * . Neither the IP listed nor the entry node from the block log appear to be currently functioning as open proxies – if the bot had been able to connect to this one through a different entry IP, it would have reblocked. There are proxies that we can not detect by looking at individual IPs (and spur is flagging), but I don't see any signs of this one functioning as an open proxy at this time. --Blablubbs | talk 14:35, 3 March 2021 (UTC)
 * Closing per Blablubbs. GeneralNotability (talk) 02:35, 10 March 2021 (UTC)

2400:adc1:1b6:e300:d4f0:aca:b6ed:4e43
close

Reason: Suspicious edits Beyond My Ken (talk) 16:20, 21 February 2021 (UTC)
 * Closing because I'm lazy - I really don't want to go proxy-hunting on a IPv6 /64 over two edits.

ZenNet
close

If you select "Thailand" in ZenNet VPN once you created and logged to a dummy trial account there, you'll end up on that range. Aside from WP:No open proxies, there's an unconfirmed rumor going around that the Myanmar junta might start a big editing operation in attempt to sway opinion undeservedly into their favor, which I think would include some of those proxies that would help them hide better. Just to be safe, please block it preferably with the "anon-only" on.John haxor (talk) 11:36, 8 March 2021 (UTC)

Reason: (add your reason here) John haxor (talk) 11:36, 8 March 2021 (UTC)


 * ✅ VPN. Didn't look at the entire range, but a spotcheck shows that this is definitely a webhost running proxies – per WHOIS, the actual range is 119.59.96.0/19. Blablubbs | talk 11:45, 8 March 2021 (UTC)
 * Thanks for looking, good night.John haxor (talk) 11:58, 8 March 2021 (UTC)
 * /19 is blocked both locally and globally. Closing. GeneralNotability (talk) 02:37, 10 March 2021 (UTC)

46.19.136.0/21
closed

Leaky webhost (Private Layer Inc) with a couple of IPsocks bouncing around on it over the years and some hosts owned by VPN providers. There's a bunch of other unblocked ranges belonging to the same VPS provider, some of them with edits coming out of them. Blablubbs | talk 00:30, 9 March 2021 (UTC)


 * 46.19.137.116, the most recently active IP, is an AirVPN node for example, serves a cert for *.airservers.org on port 89; haven't looked at the others – thanks for the tip. Blablubbs | talk 00:45, 9 March 2021 (UTC)
 * The following are also ✅ proxy endpoints as they serve easily-identifiable SSL certs.


 * - matches AirVPN. Not blocked.
 * - matches AirVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.
 * - matches RapidVPN. Not blocked.

Probably worth hardblocking the lot and colo-blocking the range. ƒirefly ( t · c ) 12:28, 9 March 2021 (UTC)


 * , as far as I can tell the ISP doesn't offer colocation, so a hardblock for the range should be fine. Blablubbs | talk 12:30, 9 March 2021 (UTC)
 * That also works! ƒirefly  ( t · c ) 12:34, 9 March 2021 (UTC)
 * Range hardblocked. GeneralNotability (talk) 00:43, 11 March 2021 (UTC)

45.123.119.51 and 94.127.213.38 - Likely Bothiman socking
closed

Hey all, please see this previous report for more context, because it appears to involve an editor who has used multiple proxies to edit articles related to Indian Tamil-language actor Vijay. In December 2020 here, an editor added some information on who so-and-so character was based on. That IP range was webhost blocked. Here at the same article, we have similar content being added by Anon. Also, since the IP geolocates to Turkey, that makes me suspicious as well. So I think this IP is related to that batch. Regards, Cyphoidbomb (talk) 15:48, 4 March 2021 (UTC)


 * ✅ proxy. Same deal as last time – 45.123.119.0/24 belongs to Serverfield, a dedicated server provider. The same goes for most of the ranges here, most of which should be good to block (some of them seem to be assigned to different colo hosts and some have no meaningful WHOIS output at all, so they will require manual review). Blablubbs | talk 15:53, 4 March 2021 (UTC)
 * Thanks for looking. If you were to speculate, what is this editor doing? Are they paying for a service, like with a VPN, or ___? I honestly have no idea how this works, but I'm interested in what their process might be. Thanks, Cyphoidbomb (talk) 16:04, 4 March 2021 (UTC)
 * , it's a good question – and I'm not sure I know the definitive answer to the question what exactly is going on here. What I can tell you is that we're looking at webhosts, some of which are affiliated with dodgy-ish VPN providers. Spur, which is usually pretty good at provider identification, flags three of the ones in your first report as touchvpn and urbanvpn and GN previously found an SSL certificate for geosurf on one of them (this isn't necessarily mutually exclusive, many VPN providers operate under multiple names simultaneously). What's interesting is the fact that they are acting as more than just proxies; some of them are hosting an identical spamsite, with seemingly random nonsense in the header and embedded Youtube videos (you can visit http://45.123.119.51:8080 to look at it – maybe disable Javascript first, depending on your level of paranoia), so they are likely operated by the same people. I assume they're using one or multiple "free" VPN services of doubtful trustworthiness. Blablubbs | talk 16:27, 4 March 2021 (UTC)
 * And yet another addendum: It looks like I was correct about the shadyness of the VPN – UrbanVPN is run by biscience, which "passively collect[s] and measure[s] online behavioral activities". They also run Geosurf, and likely some others. and I are looking into that. Blablubbs | talk 14:58, 6 March 2021 (UTC)


 * Just added 94.127.213.38 for checking. Jordanian IP is suspicious for a Vijay article. Inflating financial figures using poor reference. Also wanted to note that both of these IPs were spotted by . Cyphoidbomb (talk) 16:14, 4 March 2021 (UTC)
 * 94.127.213.38 doesn't appear to be a proxy to me. It belongs to Orbit Telecom / Batelco Jordan, which appears to be a Bahrainian/Jordanian ISP (rather than a hosting service). It's not showing any of the usual signs of suspicious activity (in network terms), so I'm going to go out on a limb and suggest this one is  ƒirefly  ( t · c ) 16:54, 4 March 2021 (UTC)
 * Struck following Blablubbs sage detective work below. ƒirefly  ( t · c ) 17:37, 4 March 2021 (UTC)
 * Interesting. This one breaks with the pattern; the range is sublet from this large Jordanian ISP, but I can find essentially nothing about the given owner, "Orbit Telecom Technology Co. Ltd". Might or might not be a webhost. The device using that IP is certainly not a normal host, but I can't give you anything concrete. But that, combined with behaviour (e.g. use of "crore" here and continued edit-warring on the same article which strongly implies this is the same person), makes this pretty for me. Looking at the article history, I also found:, which is an unblocked Japanese webhost (the specific IP is flagged as UrbanVPN again), plus:, which is a Croatian webhost, plus:, which also appears to be a proxy (Korea likes hosting those), plus: (datacentre, Phillippines), plus: this Israeli proxy, plus two Thai IPs that are likely based on geolocation.And there's probably more. The non-proxy IPs are dynamic, Asianet, and geolocate to Kerala. This person has access to a large number of different proxies; I'd consider semiprotecting the article. For the ones above, someone may want to hit the (range)block button. Blablubbs | talk 17:24, 4 March 2021 (UTC)
 * As an addendum, the Croatian one is croweb.host and belongs to SurfsharkVPN – I've seen Surfshark use that webhost before, so someone may want to have a look at the wider range. --Blablubbs | talk 17:30, 4 March 2021 (UTC)
 * Addendum 2: The Israeli one follows the same proxy pattern outlined above and the /24 appears to belong to a webhost (CLOUDWEBMANAGE/O.M.C./Kamatera). See also the other ranges on the ASN. --Blablubbs | talk 12:20, 6 March 2021 (UTC)
 * 176.222.34/24 now. I think it'll be good fishing given that my optimistic check of 176.222.34.121 found another Surfshark endpoint. ƒirefly  ( t · c ) 18:01, 4 March 2021 (UTC)
 * The following are all ✅ SurfShark endpoints by virtue of the SSL cert they helpfully serve on port 443. ƒirefly  ( t · c ) 18:15, 4 March 2021 (UTC)
 * - blocked already.
 * - blocked already.
 * - blocked already.
 * - blocked already.


 * Blocked most of them., not seeing strong evidence of 123.215.16.234 being a proxy - what's your thinking there? GeneralNotability (talk) 00:48, 14 March 2021 (UTC)
 * , at the time I had looked, Shodan had results with open proxy ports if I recall correctly, but I found nothing when taking another look just now – if you go on a Google dive, you'll find the IP being bounced around on dodgy Russian forums and the like (including in this list on Github), and then there's the behaviour. Looks like this one may have rotated in the meantime (and it hasn't edited in a bit), so I think leaving it unblocked is probably okay too. The Jordanian one (94.127.213.38) could probably use a block though. Blablubbs | talk 00:59, 14 March 2021 (UTC)
 * Okay. Blocked the Jordanian one (short block - this is more a "behavioral evidence" VPN block than "technical evidence" VPN block). Closing. GeneralNotability (talk) 02:39, 14 March 2021 (UTC)

StrongVPN
close

Unblocked Strong VPN ranges per spur and whois. --MarioGom (talk) 12:11, 6 March 2021 (UTC)
 * Blocked the lot. `GeneralNotability (talk)

103.237.168.0/23
close
 * colo: vastspace
 * UrbanVPN

Colo range + UrbanVPN individual IP. MarioGom (talk) 13:44, 6 March 2021 (UTC)
 * Rangeblocked + individually blocked the one proxy. GeneralNotability (talk) 18:29, 13 March 2021 (UTC)

SurfShark
closed
 * (webhost)
 * (webhost)
 * (webhost)

SurfShark (see spur report). I didn't look at the rest of the range yet. MarioGom (talk) 15:57, 11 March 2021 (UTC)


 * 103.108.117.0/24 is a webhost (CHL Technology), possibly resellers (of WebHostingBingo). 103.108.117.116 to 103.108.117.119 and 103.108.117.147 to 103.108.117.152 are SurfShark (per SSL certs on port 443 and spur.us).
 * 107.161.144.0/22 is Lightwave Networks. 107.161.145.3 to 107.161.145.7; and 107.161.145.9 to 107.161.145.11 are SurfShark. --MarioGom (talk) 18:17, 11 March 2021 (UTC)
 * 103.108.117.0/24 hardblocked as a webhost. 107.161.144.0/22 softblocked as a colo, individual VPN endpoints hardblocked. Thanks for the report. GeneralNotability (talk) 00:54, 14 March 2021 (UTC)

38.146.55.0/24
closed
 * (Hide My Ass)
 * (RapidVPN)
 * (RapidVPN)
 * (Hide My Ass)
 * (HotSpot VPN)
 * (HotSpot VPN)
 * (HotSpot VPN)

Colo for VPN and residential proxies. This belongs to EndOffice / Charles River Opetation. The range is within a /8 Cogent block, so it looks as a residential range for many providers. Most servers seem to be VPN, callback proxies or bad actors. The individual IPs I listed are only a sample. I would recommend hard-blocking the /24 range, but if that's not possible, I'll list all individual VPN IPs. MarioGom (talk) 16:01, 12 March 2021 (UTC)
 * Hardblocked the /24. GeneralNotability (talk) 00:58, 14 March 2021 (UTC)

178.239.198.0/24
close

Express VPN. See spur and whois (VPN-CONSUMER-NETWORK / vpnconsumer.com). MarioGom (talk) 17:52, 12 March 2021 (UTC)
 * Blocked. GeneralNotability (talk) 02:41, 14 March 2021 (UTC)

195.123.208.0/21
close
 * (Anonymousvpn)
 * (Seed4me)
 * (Seed4me)
 * (Seed4me)

The /21 range is a colo provider (ITLDC). Various VPN providers (non-exhaustive list). MarioGom (talk) 17:59, 12 March 2021 (UTC)
 * Hardblocked the range since the previous blocks on it were also hardblocks (and both were by checkusers, so they might well know more about that range than we do). GeneralNotability (talk) 02:50, 14 March 2021 (UTC)

199.33.68.0/22
closed

NetProtect per whois. This serves IPVanish (flagged by spur), StrongVPN, SaferVPN as well as whitelabel VPN for other companies. To the best of my knowledge, they do not provide colo, so the whole range should be trated as VPN. MarioGom (talk) 17:49, 13 March 2021 (UTC)
 * Hardblocked. GeneralNotability (talk) 02:48, 14 March 2021 (UTC)

173.239.210.0/24
closed
 * (VPN)
 * (colo)

Full range seems to be HotSpot VPN. Attributed individual IPs with spur.us. Shodan also flags as VPN and shows their UDP 500 port. The parent range 173.239.192.0/18 is colo. -- MarioGom (talk) 18:08, 13 March 2021 (UTC)
 * Hardblocked the /18 based on past blocks. GeneralNotability (talk) 01:22, 15 March 2021 (UTC)

104.244.208.0/22
close
 * incx.net



Colo range crowded with SurfShark IPs (example on shodan). MarioGom (talk) 23:11, 15 March 2021 (UTC)
 * Softblocked the range, hardblocked the individual IPs you reported. GeneralNotability (talk) 01:45, 17 March 2021 (UTC)

101.51.139.179
close

http://www.freeproxylists.net/101.51.139.179.html Reason: Open proxy which can be found as a free proxy list Kaseng55 (talk) 05:58, 16 March 2021 (UTC)


 * The IP is already blocked as an open proxy. --MarioGom (talk) 08:32, 16 March 2021 (UTC)

212.19.134.0/24
close

The /24 is a colo range hosted in Kazakhstan, the individual IP is being used by an LTA and is flagged as Seed4me VPN by Spur and has an open SSH port per Shodan. Blablubbs | talk 16:42, 17 March 2021 (UTC)
 * Now gblocked, closing. Blablubbs | talk 19:03, 17 March 2021 (UTC)

202.143.108.0/22
close

Everything on the range that has recently edited is Surfshark. 202.143.111.214 is also accessible as a Shadowsocks node and currently CU-blocked, see here. Blablubbs | talk 17:41, 17 March 2021 (UTC)
 * Hardblocked the range...which, I'd like to note, belongs to "Digital world data online company". Seems legit. GeneralNotability (talk) 00:14, 18 March 2021 (UTC)

WiTopia
close
 * (see whois)
 * (see whois)
 * (see whois)
 * (vpn.denver.witopia.net)
 * (see whois)
 * (see whois)
 * (vpn.zurich.witopia.net)
 * (vpn.cairo.witopia.net)

WiTopia VPN ranges and IPs. MarioGom (talk) 22:34, 17 March 2021 (UTC)


 * ✅ - All blocked. SQL Query me!  00:37, 18 March 2021 (UTC)

Intergrid
close

Webhost ranges: The first appears to be entirely Hotspot VPN, the second is this VPS provider and the third is a CDN. The rest of the ASN is either hardblocked or sublet to corporations. Blablubbs | talk 13:51, 15 March 2021 (UTC)

TouchVPN servers in other Intergrid ranges:

--MarioGom (talk) 23:51, 17 March 2021 (UTC)
 * Bagged the lot. GeneralNotability (talk) 02:16, 18 March 2021 (UTC)

ExpressVPN
closed
 * Host: usa-washingtondc-ca-version-2.expressnetw.com
 * Range: 45.41.180.0/24 LeaseWeb rangefinder
 * Host: usa-losangeles-1-ca-version-2.expressnetw.com
 * Range: 104.237.53.168/29 ExpressVPN (see whois)
 * Range: 104.237.48.0/20 WebNX rangefinder
 * Host: usa-losangeles-1-ca-version-2.expressnetw.com
 * Range: 64.185.230.168/29 ExpressVPN (see whois)
 * Range: 64.185.224.0/20 WebNX
 * Host: australia-sydney-2-ca-version-2.expressnetw.com
 * Range: 45.133.4.0/24 GSL Networks Pty LTD rangefinder
 * Host: israel-ca-version-2.expressnetw.com
 * Range: apparently residential
 * Host: usa-dallas-ca-version-2.expressnetw.com
 * Range: 154.6.16.0/20 Express VPN (see whois)
 * Range: MaxiHost (dedicated servers, within wider Cogent range), rangefinder
 * Host: australia-sydney-2-ca-version-2.expressnetw.com
 * Range: 45.133.4.0/24 GSL Networks Pty LTD rangefinder
 * Host: israel-ca-version-2.expressnetw.com
 * Range: apparently residential
 * Host: usa-dallas-ca-version-2.expressnetw.com
 * Range: 154.6.16.0/20 Express VPN (see whois)
 * Range: MaxiHost (dedicated servers, within wider Cogent range), rangefinder
 * Host: usa-dallas-ca-version-2.expressnetw.com
 * Range: 154.6.16.0/20 Express VPN (see whois)
 * Range: MaxiHost (dedicated servers, within wider Cogent range), rangefinder

Express VPN. Use the DNS for verification, these are hard to fingerprint otherwise. MarioGom (talk) 21:02, 17 March 2021 (UTC)
 * Think I bagged them all - hardblocks for the VPNs and VPN ranges, softblocks for the colos. Closing.

207.148.91.158
close

This IP is a VPN and it can be found at VPN Gate as a free VPN address. https://www.vpngate.net/en/ Reason: A free VPN address. It belongs to VPN Gate. Kaseng55 (talk) 18:04, 18 March 2021 (UTC)
 * IP is already rangeblocked both globally and locally – nothing else is needed, so I'm closing., could I ask you to only report IPs that aren't already blocked? Thanks and best, Blablubbs | talk 18:06, 18 March 2021 (UTC)

109.93.20.87
close

Reason: (add your reason here) Beyond My Ken (talk) 11:23, 18 March 2021 (UTC)


 * . Blablubbs | talk 11:24, 18 March 2021 (UTC)
 * . Didn't run any deep checks here. Dynamic mobile IP, nobody is flagging, plus it looks like the same person has used other IPs on the /19 before, which is a good indication that we're dealing with a legitimate connection here. Blablubbs | talk 11:30, 18 March 2021 (UTC)
 * Thanks. Beyond My Ken (talk) 14:18, 18 March 2021 (UTC)

Zenex webhost ranges
close

All ranges belong to the same webhost; this one does not appear to offer colocation. One other range and a /29 within 2.58.192.0/24 are already blocked. Everything that has edited appears to be allocated to VPN providers (HotspotVPN and TouchVPN, for the latter note the interesting SSL Cert here). : Please hardblock all. Blablubbs | talk 14:36, 20 March 2021 (UTC)
 * ✅ SQL Query me!  15:14, 20 March 2021 (UTC)

PureVPN
close
 * (th1.pointtoserver.com)
 * (tw1.pointtoserver.com)
 * (th1.pointtoserver.com)
 * (tw1.pointtoserver.com)
 * (th1.pointtoserver.com)
 * (tw1.pointtoserver.com)
 * (th1.pointtoserver.com)
 * (tw1.pointtoserver.com)
 * (th1.pointtoserver.com)
 * (tw1.pointtoserver.com)
 * (th1.pointtoserver.com)
 * (tw1.pointtoserver.com)
 * (th1.pointtoserver.com)
 * (tw1.pointtoserver.com)

PureVPN. Check whois for PureVPN-NET, pointtoserver.com or ptoserver.com (their DNS for exit nodes) or GZ Systems Limited (parent company). MarioGom (talk) 00:30, 14 March 2021 (UTC)


 * Per spur, at least the one IP on :that has edited is also pureVPN. Blablubbs | talk 14:05, 15 March 2021 (UTC)
 * Thanks, blocked all reported. GeneralNotability (talk) 23:32, 20 March 2021 (UTC)

Leaky Serverfield and Enzo ranges
close Ranges discovered while looking at the ASN for the Serverfield range I found in the Bothiman report. All on the same ASN, different providers – some colo, some DS only. I'm listing only the ones with edits, but all the ranges on the [https://isprangefinder.toolforge.org/index.php?db=enwiki&blockmsg=&template=Colocationwebhost&altblockmsg=%5B%5BNOP%7CNo+Open+Proxy%5D%5D%3A+Leaky+Webhost%3A+Contact+%5B%5Bm%3ASpecial%3AContact%2Fstewards%7Cstewards%5D%5D+if+you+are+affected&isp=Serverfield+Co.%2C+Ltd. ASN] are probably technically good for a webhost or colo block.Enzu Cloud and Colocation:

Serverfield (appears to be dedicated servers only):

Blablubbs | talk 01:15, 14 March 2021 (UTC)
 * See also the Windscribe report below for more VPN endpoints on Serverfield. MarioGom (talk) 21:09, 14 March 2021 (UTC)
 * Ranges are softblocked as colos, will hit individual endpoints in the follow-on reports. GeneralNotability (talk) 23:37, 20 March 2021 (UTC)

TunnelBear
closed

These are unblocked servers from TunnelBear. They can be retrieved with a DNS lookup on us.lazerpenguin.com. The ASN should be good for colo blocks (website:, ). MarioGom (talk) 15:05, 14 March 2021 (UTC)


 * Added Atlantic Metro to ASNBlock. SQL Query me!  00:43, 18 March 2021 (UTC)
 * Blocked the lot, working my way through softblocks on Atlantic Metro. GeneralNotability (talk) 01:55, 21 March 2021 (UTC)

Windscribe
closed
 * Host: ca.windscribe.com
 * Range: 199.204.208.0/24 dynamichosting.biz
 * Host: 31.7.57.242
 * Range: 31.7.56.0/21 Private Layer INC, ASN
 * Host: gr.windscribe.com
 * Range: 185.226.64.0/22 aweb.gr, ASN
 * Host: hk.windscribe.com
 * Range: 103.10.197.0/24 pacswitch.com, ASN
 * Host: is.windscribe.com
 * Range: 185.165.168.0/22 flokinet.is ASN
 * Host: kr.windscribe.com
 * Host: ph.windscribe.com
 * Range: 103.103.0.0/24 web.com.ph ASN
 * Host: pt.windscribe.com
 * Range: 185.15.20.0/22 PTisp ASN
 * Host: th.windscribe.com
 * Host: tn.windscribe.com
 * Range: topnet.tn (it seems a residential ISP)
 * Host: tr.windscribe.com
 * Range: 45.123.118.0/24 Serverfield ASN
 * Host: za.windscribe.com
 * Range: 129.232.167.208/29 xneelo.com ASN
 * Host: pt.windscribe.com
 * Range: 185.15.20.0/22 PTisp ASN
 * Host: th.windscribe.com
 * Host: tn.windscribe.com
 * Range: topnet.tn (it seems a residential ISP)
 * Host: tr.windscribe.com
 * Range: 45.123.118.0/24 Serverfield ASN
 * Host: za.windscribe.com
 * Range: 129.232.167.208/29 xneelo.com ASN
 * Host: tr.windscribe.com
 * Range: 45.123.118.0/24 Serverfield ASN
 * Host: za.windscribe.com
 * Range: 129.232.167.208/29 xneelo.com ASN
 * Range: 129.232.167.208/29 xneelo.com ASN

--MarioGom (talk) 21:06, 14 March 2021 (UTC)
 * Blocked the individual IPs, softblocked most of the colos. Closing. GeneralNotability (talk) 00:36, 23 March 2021 (UTC)