Wikipedia:WikiProject on open proxies/Requests/Archives/40

TouchVPN
close
 * Residential range (AT&T)
 * Range: 2.58.194.0/24 Zenex 5ive (hosting often used by VPNs) rangefinder
 * Range: 31.7.56.0/21 Private Layer INC rangefinder
 * Range: 45.90.104.0/24 Zenex 5ive (see above)
 * Range: 45.91.72.0/22 LONCONNECT LTD (no idea what is this, within larger Cogent block)
 * Range: 81.17.16.0/20 Private Layer INC (see above)
 * Range: 83.229.32.0/24 G-Core Labs rangefinder (this particular range does not appear in rangefinder, see whois)
 * Range: 91.245.255.0/24 M247-Hong-Kong

TouchVPN. I've lost the DNS for these, but I can retrieve them again if needed. Spur identifies them and only the first 2 are on a residential range. MarioGom (talk) 08:39, 18 March 2021 (UTC)
 * Hardblocked most of the individual IPs, softblocked the colos, hardblocked Private Layer since they look more than a little sketchy. GeneralNotability (talk) 02:21, 22 March 2021 (UTC)

175.158.49.123
close

Reason: A new IP that has been adding improper categories to articles, e.g.. Normchou  💬 17:22, 22 March 2021 (UTC)


 * This is ❌. Spur and IPQS are flagging and there has been problematic activity originating from this IP in the past, but I think we might be looking at a shared IP that has some problematic hosts behind it. The traffic from both the individual IP and the range is consistent with the geolocation, which is an additional indicator that whoever is using it is not on a proxy. Closing. Blablubbs|talk 19:15, 22 March 2021 (UTC)

IPVanish
close
 * (full range is IPVanish, see Mudhook Marketing Inc on whois, global block expiring this year)
 * Range: 194.88.143.0/24 (kgovps)
 * Range: 194.88.142.0/23 (HostRoyale)
 * The even IPs are IPVanish, the missing odd IPs in the middle are WLVPN, which is the same parent company (NetProtect). I didn't scan the /24 range though.

IPVanish round. MarioGom (talk) 10:26, 23 March 2021 (UTC)
 * Hardblocked both ranges. GeneralNotability (talk) 01:08, 26 March 2021 (UTC)

89.187.179.57
close

Proton VPN. Must be a proxy as I made this report while using it.--- Possibly (talk) 19:44, 26 March 2021 (UTC)


 * , this range has been hardblocked both globally and locally since December – are you sure you have your VPN turned on? Blablubbs|talk 21:23, 26 March 2021 (UTC)
 * There's always the chance that it was malfunctioning, but it said it was active and that I was connected via 89.187.179.57. A checkuser can confirm this by looking at the IP for my first edit here. --- Possibly (talk) 22:00, 26 March 2021 (UTC)
 * I added another from Proton that also allows me to edit (108.62.49.129)... very curious. whatismyipaddress.com also confirms 108.62.49.129 is my IP.--- Possibly (talk) 22:03, 26 March 2021 (UTC)
 * And this edit made with a third Proton VPN IP, also confirmed via whatismyipaddress.com: 209.58.142.158. Obviously I have hit the magic bit or something.--- Possibly (talk) 22:10, 26 March 2021 (UTC)
 * , uh, yeah, all of those are hardblocked. I'm going to whistle up a checkuser to see if you're actually going through those IPs. GeneralNotability (talk) 00:59, 27 March 2021 (UTC)
 * good idea. --- Possibly (talk) 01:08, 27 March 2021 (UTC)
 * I'm looking. EdJohnston (talk) 02:19, 27 March 2021 (UTC)
 * All the rangeblocks appear to be working as designed. Note that a hardblock of an IP doesn't keep you from logging in, it only keeps you from making any edits through that IP. User:Possibly, my guess is that the tools you are using do not report correctly the actual IP you are using to edit Wikipedia. I reviewed one of the IPs in detail and all I could see were user sign-ins (which are not blocked), and edits by people who were IP-block exempt. EdJohnston (talk) 02:33, 27 March 2021 (UTC)
 * Thanks. I still think something funny is happening, because this reply is coming to you from 185.230.126.3, which is a Sencca Ohio IP via Proton VPN. I'm in Montreal. --- Possibly (talk) 02:38, 27 March 2021 (UTC)
 * Not from what I can see. EdJohnston (talk) 02:42, 27 March 2021 (UTC)
 * Thanks. As far as I can tell, Proton is routing Wikipedia traffic directly, even if the VPN is on. Good for them. 184.162.187.170 (talk) 03:00, 27 March 2021 (UTC) yes that was me with VPN on.--- Possibly (talk) 03:01, 27 March 2021 (UTC)
 * - per my understanding of the local checkuser policy, we cannot publicly reveal an account's IP even by the accountholder's request (this is a difference from the global policy). I would have suggested trying to edit logged out to see what IP you're actually connecting to Wikipedia with, but it looks like you've already done that. Ivanvector (Talk/Edits) 12:49, 27 March 2021 (UTC)
 * I'm going to close this - every reported IP is both locally and globally blocked, this looks more like some kind of weird routing/VPN issues on Possibly's end. GeneralNotability (talk) 21:56, 27 March 2021 (UTC)

ExpressVPN (II)
close
 * This is LeaseWeb, all IPs that edited are ExpressVPN.
 * 45.41.128.0/18 is Web2Objects, which is quite obscure but always related to different VPN providers.
 * The /29 is ExpressVPN per whois and spur.
 * 64.140.160.0/20 is WebNX.

New ExpressVPN batch. MarioGom (talk) 08:21, 27 March 2021 (UTC)
 * Blocks applied. GeneralNotability (talk) 01:26, 31 March 2021 (UTC)

103.2.198.0/24
close


 * Host: aus-melbourne.privacy.network (Private Internet Access)
 * Range: 103.2.198.0/24 Servers Australia Pty. Ltd serversaustralia.com.au

Unblocked Private Internet Access (VPN service) IPs. MarioGom (talk) 13:38, 27 March 2021 (UTC)


 * Other IPs in the range that edited recently are PIA too. MarioGom (talk) 13:40, 27 March 2021 (UTC)
 * Hardblocked the range, there were enough VPN endpoints in there. GeneralNotability (talk) 21:43, 27 March 2021 (UTC)

95.175.104.51
close

95.175.104.51 (talk) 12:19, 30 March 2021 (UTC)

Reason: (This is a VPN address and it should be blocked. Please check the whole IP range of this.) 95.175.104.51 (talk) 12:19, 30 March 2021 (UTC)


 * Example this ip 95.175.104.30. --95.175.104.30 (talk) 12:39, 30 March 2021 (UTC)


 * And this 95.175.104.196. --95.175.104.196 (talk) 12:41, 30 March 2021 (UTC)
 * Thanks for, uh, reporting yourself, I guess? Hardblocked the /24, belongs to Freedome. GeneralNotability (talk) 02:07, 31 March 2021 (UTC)

Phantom Avira VPN
close
 * ch.phantom.avira-vpn.com
 * pl.phantom.avira-vpn.com

Unblocked Phantom Avira VPN servers. MarioGom (talk) 08:40, 2 April 2021 (UTC)
 * Blocked both. GeneralNotability (talk) 23:20, 3 April 2021 (UTC)

Flow VPN
close



Here's all the unblocked Flow VPN addresses. I think it has been used by a UPE sockfarm and it was mostly unblocked. Let me know if you would prefer a report about the parent ranges. MarioGom (talk) 16:42, 5 April 2021 (UTC)


 * Ooops. I've noticed there's some stale data in this report. I'll clean it up with better verification. MarioGom (talk) 16:46, 5 April 2021 (UTC)


 * Done. Removed IPs that were positively fingerprinted in the past but which do not present the fingerprint right now. MarioGom (talk) 16:51, 5 April 2021 (UTC)
 * Bagged the lot. GeneralNotability (talk) 18:43, 10 April 2021 (UTC)

SurfShark (II)
closed
 * SurfShark


 * The /18 range is kirz.com, I'm not sure if it's blockable.


 * Parent range seems to be residential.


 * M247 with many SurfShark IPs


 * M247, almost every IP is SurfShark


 * Range: 95.57.207.192/28 apparently colocation provider, but can't be sure


 * Range: 95.111.252.0/23
 * Range: 95.111.240.0/20 (Contabo, VPS/DS)


 * Range: 103.39.132.0/22 (emaxglobal, emaxglobal.com)


 * M247, many SurfShark IPs across the range


 * Range: 192.158.224.0/21 (host4yourself.com)
 * Range: 192.158.224.0/20 (vivid-hosting.net)


 * Range: 217.148.143.0/24 (M247)

Another SurfShark round. MarioGom (talk) 16:57, 27 March 2021 (UTC)
 * Blocked. GeneralNotability (talk) 01:46, 18 April 2021 (UTC)

211.72.35.152
closed

According to Spur, this is a SockHub proxy. It is a malware network. If you check details on Shodan, it clearly appears to be a compromised web server (e.g. many ports open, including a MySQL server) on a residential network. It seems it runs an open shadowsocks proxy. MarioGom (talk) 08:24, 13 April 2021 (UTC)
 * Spur's not showing that for me, and there are indeed a lot of ports but I don't see anything clearly proxyish. Closing. GeneralNotability (talk) 01:51, 18 April 2021 (UTC)

83.136.106.119
close
 * (Uvpn, see Spur)
 * (SeFlow hosting)

Active Uvpn node. The /24 should be ok to block. MarioGom (talk) 19:58, 15 April 2021 (UTC)
 * Done. GeneralNotability (talk) 02:06, 18 April 2021 (UTC)

101.99.64.65
close

Astrill VPN node (see Spur). MarioGom (talk) 17:37, 17 April 2021 (UTC)
 * This is shinjiru, a webhosting provider. I went through – the entire ASN is good to whack, it's all this provider. – please block the lot. While they do offer colocation, they also host VPNs and there has been abuse of these ranges by socks see (Sockpuppet investigations/Lesbianadvocate), so I'd go with hardblocks (especially because positions on whether to soft- or hardblock mixed webhost/colo ranges seem to vary widely in the first place). Blablubbs|talk 23:20, 19 April 2021 (UTC)
 * Done. GeneralNotability (talk) 02:14, 20 April 2021 (UTC)

WorldVPN
close

Unblocked WorldVPN IPs. It seems there are also many ranges worth blocking here. MarioGom (talk) 17:17, 22 April 2021 (UTC)
 * Done. SQL Query me!  21:11, 23 April 2021 (UTC)

154.5.245.195
close

Ipqualityscore believes this is a proxy. Spamhaus thinks it is a compromised device. Safari and Chrome, when asked to search for this IP, believe the site has a bad security certificate.

EdJohnston (talk) 00:50, 28 April 2021 (UTC)


 * I'd call this based on a mix of various factors. Compromised device (more specifically, compromised router) seems like a good guess. Blablubbs|talk 07:19, 28 April 2021 (UTC)
 * Also shodan labels it as VPN, although that does not include which service. MarioGom (talk) 18:11, 28 April 2021 (UTC)
 * I would be inclined to hardblock for six months based on this feedback. EdJohnston (talk) 22:03, 28 April 2021 (UTC)
 * That sounds reasonable to me. Blablubbs|talk 22:07, 28 April 2021 (UTC)
 * Blocked six months. EdJohnston (talk) 22:24, 28 April 2021 (UTC)
 * Excellent. Closing. --Blablubbs|talk 22:27, 28 April 2021 (UTC)

103.120.228.44
close

Reason: Suspicious editing as only editor with substantial additions at Steve Starks, after it was created by a sockfarm that is known for using residential proxies (see COIN and SPI evidence) Bri.public (talk) 17:49, 28 April 2021 (UTC)
 * . --Blablubbs|talk 17:50, 28 April 2021 (UTC)
 * This was a bit of a rabbit hole. Technical indicators and APIs say "probably not", but my gut says "probably yes", so I'll have to leave you with . To explain what I mean by that: While this IP isn't being flagged anywhere, the behaviour does make it look suspicious, as does the ISP. The ASN belongs to "HONG KONG BRIDGE INFO-TECH LIMITED, HK", and the actual range is owned by "UNION FU WAH DIGITAL TECHNOLOGY LIMITED". The former seems to be a webshop selling networking equipment to business customers (you'll have to skip the cert error or believe me on that). For both, there is very little information – I talked to a Chinese speaker who didn't find much else either. The ISPs we are looking at are solidly in the "dodgy" category – other hosts on the ASN that have edits coming out of them are almost certainly webhosts and might be running proxies, but I can't give you anything more than that on the ISP front. This specific device is a MikroTik router; they are cheap, ubiquitous, and have a good number of security issues. The edits coming out of the IP don't really seem consistent with the geographical location, and the sockfarm link is intriguing, even though this is not the type of proxy that this sockfarm is known to be on. From a purely technical standpoint however, I don't see anything that would make it clear that this is indeed a proxy, and it might well not be; I'm closing this without action – if you're confident in the behavioural link, I'd consider taking this to SPI instead; the IP looks rather static, so it would likely be good for a long block. --Blablubbs|talk 18:47, 28 April 2021 (UTC)
 * Thanks, I think I'll bring it up at WP:COIN where there are two active threads for Lesbianadvocate. - Bri.public (talk) 19:16, 28 April 2021 (UTC)
 * By the way Blablubbs, there's another HK IP that you might want to look at: - Bri.public (talk) 19:25, 28 April 2021 (UTC)
 * , the COIN link was helpful, so I now do have something for you; perusing the articles, I found and ✅ (via Spur) two Astrill VPN IPs: and . This might make more articles G5able (the farm has used Astrill in the past).  – please block both 1 year each. Not sure about the /24 they're on, so leaving that alone. Will look at the other one as soon as I find time. --Blablubbs|talk 19:27, 28 April 2021 (UTC)
 * You might want to check the history of Mark Parkinson, I see at least suspicious but many more including one logged-in editor who Bbb23 CU-blocked - Bri.public (talk) 19:58, 28 April 2021 (UTC)
 * Yet another they go right down the list of the LA sockfarm's list of monitored articles. - Bri.public (talk) 22:10, 28 April 2021 (UTC)
 * , 45.64.242.170, 49.130.129.54, 45.64.240.194 are very (I don't like giving "nope" results because there will always be proxies we miss and residential ones can complicate things). They all belong to the same mobile provider, and the two that have edited in January are on the same /24. At least two have run residential proxies recently, but they're either shared or highly dynamic (or both), so I wouldn't put too much stock in that (beans beans beans but I will say that this is not an unexpected result), and with regard to residential proxies, they are functionally stale. They are certainly not Astrill (an entirely different type of proxy), which would be inconsistent with this farm. I think it's more likely that this is a) the farm loutsocking while not on proxy or b) MEAT, e.g. a separate branch of the same operation. I'll leave this open in case you come across any others. Best, Blablubbs|talk 22:37, 28 April 2021 (UTC)
 * Blocked the two ✅ IPs above, they seem to be most of the recent activity on the range - checked a couple older edits from the /24 and they aren't showing as proxies. GeneralNotability (talk) 23:07, 28 April 2021 (UTC)

66.244.236.246
close

Ipcheck says this IP is identified as: papers1.tricubemedia.com “TriCube Media is a New Media company based out of Medicine Hat, Alberta offering web design and development as well as business building and branding services."
 * See http://www.tricubemedia.com for what this company is.
 * More information is at https://ca.linkedin.com/company/tricube-media

“At TriCube Media we offer a wide range of services such as web design and development, internet advertising, company branding and collateral design, multimedia presentations and more. We have all the tools needed for any size job, whether you are a small local business or a large company.”

Evidently this IP is not operated as an ISP serving end users, it is most likely a web host. The underlying ISP is Shaw Communications Inc. My guess is that this is a misconfigured business computer that is being used in unauthorized fashion as an open proxy. What spur.us says is:
 * "66.244.236.246 proxies traffic for residential or call-back proxy networks. The owner of 66.244.236.246 is likely unaware of this activity. There are not many devices that use 66.244.236.246. Our API or data feeds identify VPN, proxy and malware associations with 66.244.236.246."

Reason: Suspected open proxy. EdJohnston (talk) 01:37, 29 April 2021 (UTC)
 * I'm going to call it very that the people using this IP on WP are on proxy. It is true that the device(s) behind the IP tunnel(s) traffic for some callback networks, but those specific networks are not the type that are frequently going to be used for proxying on Wikipedia. The actual IP is indeed owned by Tricube though (sublet from Shaw's business branch), and I'll go out on a limb and say that if there are accounts on them that are editing in a COI-ish manner and don't have big disclosure notices on their userpages, they should probably be indeffed. IP, if you're reading, you should probably uninstall some apps. Closing. --Blablubbs|talk 11:09, 29 April 2021 (UTC)

Some Astrill VPN nodes
close

Yet another Astrill VPN server used by Lesbianadvocate sockfarm. MarioGom (talk) 19:08, 29 April 2021 (UTC)
 * Added one more. MarioGom (talk) 19:09, 29 April 2021 (UTC)
 * And one more. MarioGom (talk) 19:10, 29 April 2021 (UTC)
 * And one more. Sorry for the premature report. I'll file a separate report once I get another full batch. MarioGom (talk) 19:17, 29 April 2021 (UTC)
 * And two more. I think that will be it at the moment. MarioGom (talk) 19:39, 29 April 2021 (UTC)
 * . IPs are all Astrill, going to go look for blockable webhosts. --Blablubbs|talk 20:18, 29 April 2021 (UTC)
 * 134.73.239.70 is already blocked, I think, labeled as a colo...? - Bri.public (talk) 20:25, 29 April 2021 (UTC)
 * A quick ASN dive found the following three blockable webhost ranges, some riddled with proxies:
 * (UltraNet d.o.o.)
 * (szervernet – that ASN is worth a look but I don't have the time to go through right now)
 * (Frantech aka buyvm)
 * Please hardblock all individual IPs and the ranges for two years each. Yep, already caught up in a rangeblock, but probably still good to note it here. --Blablubbs|talk 20:35, 29 April 2021 (UTC)
 * Hardblocked the IPs, rangeblocked the hosts, too lazy to hit the full Szevernet ASN. GeneralNotability (talk) 21:58, 29 April 2021 (UTC)

158.140.187.211
close

Reason: I just blocked this individual IP. Geolocate said it was likely a proxy. EvergreenFir (talk) 03:03, 30 April 2021 (UTC)
 * . --Blablubbs|talk 09:40, 30 April 2021 (UTC)
 * , my read is CGNAT with a couple of residential or zombie proxies behind it (in other words: a standard residential IP from Indonesia), does that agree with what you see? GeneralNotability (talk) 13:12, 30 April 2021 (UTC)
 * Gosh, I'm sorry, I had a reply typed out and closed the tab at some point. Yep, I agree. Based on the services involved, I'll call this highly . High-price UPE firms might use them, but probably not this type of vandal. --Blablubbs|talk 13:14, 30 April 2021 (UTC)
 * Forgot to ping; see above. Blablubbs|talk 13:16, 30 April 2021 (UTC)
 * No response, but closing since we seem to agree here. --Blablubbs|talk 15:59, 2 May 2021 (UTC)

182.54.236.190
close

An apparent webhost ("Virtual Private Server (VPS) Hosting Services") owned by GPLHost LLC. Giving several positive results for VPN or proxy at IPcheck. 182.54.236.0/24 previously blocked as a webhost. --Malcolmxl5 (talk) 18:34, 3 May 2021 (UTC)
 * This is a ✅ UrbanVPN node. : Please hardblock for 3 years. --Blablubbs|talk 10:46, 5 May 2021 (UTC)
 * ✅ --Malcolmxl5 (talk) 10:55, 5 May 2021 (UTC)
 * Thanks, closing. --Blablubbs|talk 11:02, 5 May 2021 (UTC)

93.177.116.0/23
close

Fine VPN. See Spur and Whois. Please, hardblock the range. MarioGom (talk) 20:40, 1 May 2021 (UTC)
 * ✅, and I concur. : Please hardblock the range for three years. The rest of the ASN is already dealt with. --Blablubbs|talk 10:36, 5 May 2021 (UTC)
 * ✅ --Malcolmxl5 (talk) 21:59, 5 May 2021 (UTC)
 * Thanks. Closing. --Blablubbs|talk 23:28, 5 May 2021 (UTC)

162.253.133.103+
close

5 IPs with similar behavior on the same article, whois points to a "rent-a-mac" colocation host (https://macminivault.com) and/or CyberLynk, some IPs blocked on other wikis as open proxies. ~ANM🐁 T·C 02:21, 4 May 2021 (UTC)
 * . --Blablubbs|talk 10:15, 5 May 2021 (UTC)
 * These are indeed all macminivault ranges, and all sublet from Cyberlink. MMV is essentially a dedicated server provider and should be hardblocked as such, though I do not think that this is necessarily a deliberate attempt at anonymisation. Cyberlink does both Colocation and Webhosting. : The following are macminivault ranges and should be hardblocked:
 * The following are other cyberlink ranges that have edits coming out of them, including abusive ones. If someone has the time to do the entire ASN (see here) that's good as well. Whether you hand out soft- or hardblocks is a matter of preference (if they are hard, the above ranges can be left alone, otherwise those subranges will have to be reinforced as separate hardblocks):
 * --Blablubbs|talk 10:35, 5 May 2021 (UTC)
 * Bagged macminivault and Cyberlynk. GeneralNotability (talk) 23:33, 5 May 2021 (UTC)

ZenMate
closed

Reason: ZenMate proxy. Anon-block may be more preferable at the moment. 146.70.13.8 (talk) 09:37, 5 May 2021 (UTC)


 * ✅ VPN (Zenmate/Cyberghost) per SSL fingerprint. There are multiple such hosts on the range, which appears to be as opposed to a /16. The range is infested and M247 is VPN-heavy, so I don't see the need to stick with an anon-block;  please hardblock the /24 for 3 years. Cc  You may want to gblock this one as well. --Blablubbs|talk 10:13, 5 May 2021 (UTC)
 * Hardblocked the range. gblocked, too. Closing. GeneralNotability (talk) 23:28, 5 May 2021 (UTC)

TunnelBear (II)
close
 * si.lazerpenguin.com

212.44.112.0/20 should be good for a block (DHH hosting). MarioGom (talk) 18:10, 6 May 2021 (UTC)
 * Yep, that 20 is full of Tunnelbear. : Please hardblock for two years. --Blablubbs|talk 12:02, 7 May 2021 (UTC)
 * ✅ SQL Query me!  02:26, 10 May 2021 (UTC)

ExpressVPN (III)
closed
 * usa-losangeles-1-ca-version-2.expressnetw.com
 * ukraine-ca-version-2.expressnetw.com
 * usa-losangeles-2-ca-version-2.expressnetw.com
 * kyrgyzstan-ca-version-2.expressnetw.com

Unblocked ExpressVPN nodes. MarioGom (talk) 18:13, 6 May 2021 (UTC)
 * ✅ SQL Query me!  02:24, 10 May 2021 (UTC)

27.55.80.36,27.55.90.44
close

Reason: Saw on my Huggle session today that there were these two IPs that displayed similar behavior. I was wondering if it would be possible to check if they're related. CyanoTex (talk) 22:28, 9 May 2021 (UTC)
 * IPs are ❌; they are however related in the sense that they're on the same range . Closing. --Blablubbs|talk 08:42, 10 May 2021 (UTC)
 * Thank you, Blablubbs.
 * I do suggest checking both of their edit histories, I couldn't help but notice a similar behavior between them. CyanoTex (talk) 11:57, 10 May 2021 (UTC)
 * , yes, they were most certainly used by the same person, but that does not make them proxies; some ISPs assign their IPs very dynamically, meaning that an individual user may go through a number of IP addresses in short periods of time. This is especially common for mobile internet connections, which is what we're looking at here. --Blablubbs|talk 12:04, 10 May 2021 (UTC)

Witopia (II)
close
 * vpn.kiev.witopia.net
 * vpn.cairo.witopia.net

Unblocked Witopia exit nodes. MarioGom (talk) 18:09, 6 May 2021 (UTC)
 * . Checking for blockable ranges. --Blablubbs|talk 11:26, 7 May 2021 (UTC)
 * The above are both ✅ Witopia VPN nodes. The range for the first one belongs to a webhost from the "dodgy" category that has some other VPN nodes on its ranges, including Astrill. Hardblocks seem warranted; : Please hardblock
 * two years each. The other ASN is more annoying, and I'd have to look into that some more, however,
 * is CityNet Telecom. Egypt. Dedicated Servers. per WHOIS. Please hardblock that range for two years as well. --Blablubbs|talk 11:44, 7 May 2021 (UTC)
 * Hardblocked the lot. — Preceding unsigned comment added by GeneralNotability (talk • contribs) 00:23, 15 May 2021 (UTC)

37.236.140.19
close

Reason: Open Proxy per Proxy Api Checker -- LemonSlushie 🍋 (talk) (edits) 16:54, 10 May 2021 (UTC)
 * Spur says residential proxy, blocked for a month. GeneralNotability (talk) 00:25, 15 May 2021 (UTC)

HideMyAss
close


 * in.us.hma.rocks


 * ma.us.hma.rocks


 * wi.us.hma.rocks


 * se.hma.rocks


 * nz.hma.rocks

My initial assessments of ISPs and ranges:


 * is a hosting provider. It also provides rural internet access, but I doubt it's on this range. I would suggest blocking 198.134.104.0/21, which contains other VPNs, like Hotsport VPN on 198.134.107.198.
 * All ranges in should be good to block. See previous report for VPNs in this provider. Note that the reported range 154.3.222.0/24 seems to be missing from ISP range finder.
 * could be good to block, or at least 204.15.110.0/23. Otherwise, block all individual IPs.
 * (dedicated servers, ), please, block 31.3.152.0/24 and all other ranges in the ASN.
 * (dedicated servers, colocation, ), please block 103.76.164.0/23 and any other range in the ASN.

--MarioGom (talk) 17:37, 11 May 2021 (UTC)
 * --Blablubbs|talk 09:59, 13 May 2021 (UTC)
 * There's quite a lot here. – see below
 * Everything in that I had a look at is a ✅ VPN. Please hardblock the range for two years.
 * appears to have legitimate (i.e. colo) connections on it. Please hardblock the individual IPs listed above for two years, the range soft for the same duration. The rest of the ASN should be good for softblocks, though a quick look indicates that there isn't much (logged-out) activity coming out of it.
 * Hoyos seems to offer regular business customer connections if I am reading the "Internet Services" section on their website correctly, though it might just be colo. 2O appreciated, otherwise please stick to the individual IPs.
 * Altus does both DS and colo, but it's full of proxies and problematic edits. The range mentioned above should be hardblocked as should some ranges that are complete VPNfests:
 * – in addition, please block the following, either soft or hard as you prefer.
 * The remaining intergrid ranges all appear to be sublet to businesses, I'm not comfortable endorsing blocks for all of those. However, please do hardblock for two years as well. Thanks. --Blablubbs|talk 10:23, 13 May 2021 (UTC)
 * , think I hit everything - mind checking my work? GeneralNotability (talk) 00:44, 15 May 2021 (UTC)
 * Looks all good to me – thank you. :) Closing. --Blablubbs|talk 09:00, 15 May 2021 (UTC)