Wikipedia:WikiProject on open proxies/Requests/Archives/43

69.248.29.230
closed

Reason: First IP was previously blocked by Checkuser:, and both IPs appear to act in coordination by supporting each other reverts. My very best wishes (talk) 01:51, 13 June 2021 (UTC)
 * Ugh., these are indeed proxy IPs (as is the other one they showed up with to revert a third time), but they're residential proxies - blocking them will not be particularly effective. I've semi'd Radio Free Europe. GeneralNotability (talk) 02:02, 13 June 2021 (UTC)

194.195.112.0/20
closed

Linode range. Seed4me VPN on 194.195.117.201 (DNS: in.seed4.me). MarioGom (talk) 22:27, 12 June 2021 (UTC)


 * Blocked by . Closing. MarioGom (talk) 18:17, 14 June 2021 (UTC)

103.192.173.0/24
close

Intergrid range. The ASN is mostly blocked already. VPN.AC from 103.192.173.92 to 103.192.173.102. See DNS au2.vpn.ac. MarioGom (talk) 22:29, 12 June 2021 (UTC)
 * ✅. – please hardblock the /24 for two years. Intergrid does colocation, but the presence of VPN nodes is a red flag. The remaining unblocked ranges in the ASN are sublet and requires no action at this time. Thanks. --Blablubbs&#124;talk 21:14, 14 June 2021 (UTC)
 * ✅ --Malcolmxl5 (talk) 12:23, 15 June 2021 (UTC)

107.150.94.0/24
closed

Packet Exchange range. Many ranges already blocked. NordVPN and SurfShark:


 * 107.150.94.3 · whois · spur · shodan · NordVPN · tr50.nordvpn.com
 * 107.150.94.11 · whois · spur · shodan · Surfshark · tr-ist.prod.surfshark.com
 * 107.150.94.21 · whois · spur · shodan · Surfshark · tr-ist.prod.surfshark.com
 * 107.150.94.35 · whois · spur · shodan · NordVPN · tr41.nordvpn.com
 * 107.150.94.67 · whois · spur · shodan · NordVPN · tr42.nordvpn.com
 * 107.150.94.75 · whois · spur · shodan · NordVPN · tr43.nordvpn.com
 * 107.150.94.83 · whois · spur · shodan · NordVPN · tr44.nordvpn.com
 * 107.150.94.91 · whois · spur · shodan · NordVPN · tr45.nordvpn.com
 * 107.150.94.99 · whois · spur · shodan · NordVPN · tr46.nordvpn.com
 * 107.150.94.107 · whois · spur · shodan · NordVPN · tr47.nordvpn.com
 * 107.150.94.115 · whois · spur · shodan · NordVPN · tr48.nordvpn.com
 * 107.150.94.123 · whois · spur · shodan · NordVPN · tr49.nordvpn.com

--MarioGom (talk) 22:37, 12 June 2021 (UTC)
 * Range softblocked, ID'd VPN endpoints hardblocked. GeneralNotability (talk) 22:13, 15 June 2021 (UTC)

Biterika Group
closed



WHOIS says those IPs belong to Biterika Group LLC, a Web hosting provider. Some 188.130.x.x IPs were used to spam activilla.com (WikiProject Spam/LinkReports/activilla.com). Kleinpecan (talk) 01:12, 15 June 2021 (UTC)


 * The IPs in the spam report are private proxies (verifiable with shodan). Possibly part of some paid proxy service or maybe in-house by the spammers. MarioGom (talk) 10:13, 15 June 2021 (UTC)
 * Thank you both. Softblocked the ranges, hardblocked the individual IPs. GeneralNotability (talk) 22:05, 15 June 2021 (UTC)

185.125.227.0/24
closed

Whole range in McAffee (not colo). Most IPs are used for the McAffee VPN service. spur flags, and it can also verified by SSL certs on ports 443 and 8081 (check shodan). MarioGom (talk) 17:59, 13 March 2021 (UTC)


 * More on neighbour ranges: --MarioGom (talk) 15:07, 14 March 2021 (UTC)

, which is covered by
 * Looks more like "corporate gateway" than "open proxy/VPN" to me, I'd like a 2O on how to handle this from a more experienced proxy-blocker. GeneralNotability (talk) 01:27, 15 March 2021 (UTC)
 * For those looking into it, here's their VPN products: McAfee Web Gateway Cloud Service (nominally the reported range) and McAfee Safe Connect VPN. The later seems to be for end users, but I don't know if they share endpoints. --MarioGom (talk) 08:48, 15 March 2021 (UTC)
 * I can confirm now that McAffee Safe Connect VPN (end-user offering) is identified as TunnelBear (see other reports), while the range reported here is exclusively about Web Gateway Cloud Service (corporate VPN). --MarioGom (talk) 22:36, 17 March 2021 (UTC)
 * Not an experienced (proxy-)blocker by any stretch of the imagination, but just a thought since this has been open for a while: Do we know if the gateway service sends XFF headers? In that case, I'd say soft blocks are probably the way to go – otherwise, I think both soft and hard should be fine given that it is functioning as an anonymiser, even if not intentionally. --Blablubbs&#124;talk 09:46, 10 May 2021 (UTC)
 * A cursory check on their support forums gives me the impression that these may send correct XFF, incorrect XFF or no XFF at all depending on each customer's setup. A soft block may be due? MarioGom (talk) 10:20, 15 May 2021 (UTC)
 * Examining this again, I think the way to go is to treat this as a "benevolent" colo and softblock accordingly. – please softblock the following, two years each:
 * (mx logic, a McAfee branch
 * (mx logic, a McAfee branch
 * (mx logic, a McAfee branch


 * Thanks. --Blablubbs&#124;talk 10:36, 7 June 2021 (UTC)

107.150.94.0/24 (again)
closed

This is a follow up to a previous report. Since the action was softblock on the range and hardblock on the individual IPs, I'm updating here with a more exhaustive list of VPN nodes per Spur.


 * NORD_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * SURFSHARK_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN
 * NORD_VPN

--MarioGom (talk) 12:46, 16 June 2021 (UTC)
 * – given the density of VPN nodes and in line with my "if there's VPNs on the range, hardblocks are probably the best way to go" rule, please hardblock the /24 for two years. --Blablubbs&#124;talk 12:48, 16 June 2021 (UTC)
 * Alternatively, the more cautious option would be a reinforcement hardblock on 107.150.94.0/25, which would cover the IPs above. --Blablubbs&#124;talk 12:50, 16 June 2021 (UTC)
 * Lazy mode engaged, range is now hardblocked. GeneralNotability (talk) 03:02, 17 June 2021 (UTC)

94.140.11.0/24
close

Full range in NordVPN, see whois. MarioGom (talk) 22:10, 29 June 2021 (UTC)
 * ✅ plus
 * (NORDVPN-L12)
 * (NORDVPN-L1)
 * (NORDVPN-L20190921)
 * Two other ranges in the ASN are already blocked. – please hardblock all ranges for 2 years each. Thanks. --Blablubbs&#124;talk 22:25, 29 June 2021 (UTC)
 * Yes check.svg Done !ɘM γɿɘυϘ ⅃ϘƧ  22:27, 29 June 2021 (UTC)

BulletVPN
closed
 * mak01.bulletvpn.com
 * auc03.bulletvpn.com
 * auc01.bulletvpn.com
 * seo01.bulletvpn.com
 * lax02.bulletvpn.com
 * lax03.bulletvpn.com
 * qda01.bulletvpn.com
 * tll01.bulletvpn.com
 * cai03.bulletvpn.com
 * pun01.bulletvpn.com
 * pun02.bulletvpn.com
 * tor02.bulletvpn.com
 * tor01.bulletvpn.com
 * ann01.bulletvpn.com
 * cai02.bulletvpn.com
 * ist01.bulletvpn.com
 * cal01.bulletvpn.com
 * por02.bulletvpn.com
 * por01.bulletvpn.com
 * cph02.bulletvpn.com
 * col01.bulletvpn.com

Unblocked BulletVPN nodes. MarioGom (talk) 20:43, 24 May 2021 (UTC)
 * , doing range checks. --Blablubbs&#124;talk 11:59, 11 June 2021 (UTC)
 * An hour well spent . All ✅. – see below.
 * 103.131.95.105 is web.com.ph. It does colocation, please hardblock for two years given the VPN node. Alternatively, a single-ip hardblock and a softblock on the /24 would do the trick as well.
 * The 103.16. ones are rimuhosting (DS/VPS only) on a HD net (DS/Colo) range. Please hardblock the following rimu ranges for two years:
 * In addition, please softblock the following hd net ranges for two years:
 * 110.10.178.233 looks like a mixed range. Please hardblock for a year
 * The 162.217. IPs are syn LTD, which looks like DS only. Please hardblock the following for two years:
 * (ultrapacket)
 * (ultrapacket)
 * (hostroyale)
 * (SYN/Hostworld)
 * (baxet/justhost.ru
 * (baxet)
 * 185.113.140.190 is inno4web. Offers colocation, but please hardblock given the VPN node.
 * 185.113.140.190 and 185.155.99.51 are fairyhosting/OU web solutions/WHS EE, we've recently had some other ranges of that provider here. There's a blocked subrange, but I realised we can widen this. Please hardblock for two years.
 * 196.46.191.250 is Citynet Egypt. Please hardblock (CityNet Telecom. Egypt. Dedicated Servers.) and place a softblock on  (there may be colo subranges on it), both for two years.
 * 202.38.172.119 and 202.38.172.157 are Ria InfoSolutions Private Limited aka datagalaxy.in. They also offer colocation. Please either hardblock and place a soft block on  or hardblock the /22.
 * 38.117.105.115 and 38.117.105.139 are Ravand Cybertech. Please hardblock given the presence of VPNs. In addition, please block the following, soft or hard as you prefer:
 * 41.215.240.133 is Citynet again. Please hardblock for two years.
 * 41.106.2.23 has a less than helpful WHOIS output, but seems to be on a residential range. Please hardblock for a year.
 * 5.188.36.119 is gcore. Please hardblock and  hard, two years each.
 * is Hurricane Electric. Never quite sure what to do with that one, so please just hardblock the individual IP for a year unless you know more about HE than I do.
 * 69.163.36.194 and 69.163.33.26 are directspace, sublet to corepacket. Given the presence of VPN nodes, please hardblock for two years. In addition, please block  either soft or hard.
 * 91.210.59.0/24 is SSD-VPS aka adeo datacentre. Very empty website, which usually means "dodgy webhost". Please block the following for two years:
 * 96.47.10.96 is data102. Please hardblock for two years given the VPN node.
 * Thanks. --Blablubbs&#124;talk 12:53, 11 June 2021 (UTC)
 * Whew. Think that's all of them. GeneralNotability (talk) 01:34, 3 July 2021 (UTC)
 * (hostroyale)
 * (SYN/Hostworld)
 * (baxet/justhost.ru
 * (baxet)
 * 185.113.140.190 is inno4web. Offers colocation, but please hardblock given the VPN node.
 * 185.113.140.190 and 185.155.99.51 are fairyhosting/OU web solutions/WHS EE, we've recently had some other ranges of that provider here. There's a blocked subrange, but I realised we can widen this. Please hardblock for two years.
 * 196.46.191.250 is Citynet Egypt. Please hardblock (CityNet Telecom. Egypt. Dedicated Servers.) and place a softblock on  (there may be colo subranges on it), both for two years.
 * 202.38.172.119 and 202.38.172.157 are Ria InfoSolutions Private Limited aka datagalaxy.in. They also offer colocation. Please either hardblock and place a soft block on  or hardblock the /22.
 * 38.117.105.115 and 38.117.105.139 are Ravand Cybertech. Please hardblock given the presence of VPNs. In addition, please block the following, soft or hard as you prefer:
 * 41.215.240.133 is Citynet again. Please hardblock for two years.
 * 41.106.2.23 has a less than helpful WHOIS output, but seems to be on a residential range. Please hardblock for a year.
 * 5.188.36.119 is gcore. Please hardblock and  hard, two years each.
 * is Hurricane Electric. Never quite sure what to do with that one, so please just hardblock the individual IP for a year unless you know more about HE than I do.
 * 69.163.36.194 and 69.163.33.26 are directspace, sublet to corepacket. Given the presence of VPN nodes, please hardblock for two years. In addition, please block  either soft or hard.
 * 91.210.59.0/24 is SSD-VPS aka adeo datacentre. Very empty website, which usually means "dodgy webhost". Please block the following for two years:
 * 96.47.10.96 is data102. Please hardblock for two years given the VPN node.
 * Thanks. --Blablubbs&#124;talk 12:53, 11 June 2021 (UTC)
 * Whew. Think that's all of them. GeneralNotability (talk) 01:34, 3 July 2021 (UTC)
 * 41.215.240.133 is Citynet again. Please hardblock for two years.
 * 41.106.2.23 has a less than helpful WHOIS output, but seems to be on a residential range. Please hardblock for a year.
 * 5.188.36.119 is gcore. Please hardblock and  hard, two years each.
 * is Hurricane Electric. Never quite sure what to do with that one, so please just hardblock the individual IP for a year unless you know more about HE than I do.
 * 69.163.36.194 and 69.163.33.26 are directspace, sublet to corepacket. Given the presence of VPN nodes, please hardblock for two years. In addition, please block  either soft or hard.
 * 91.210.59.0/24 is SSD-VPS aka adeo datacentre. Very empty website, which usually means "dodgy webhost". Please block the following for two years:
 * 96.47.10.96 is data102. Please hardblock for two years given the VPN node.
 * Thanks. --Blablubbs&#124;talk 12:53, 11 June 2021 (UTC)
 * Whew. Think that's all of them. GeneralNotability (talk) 01:34, 3 July 2021 (UTC)
 * 41.215.240.133 is Citynet again. Please hardblock for two years.
 * 41.106.2.23 has a less than helpful WHOIS output, but seems to be on a residential range. Please hardblock for a year.
 * 5.188.36.119 is gcore. Please hardblock and  hard, two years each.
 * is Hurricane Electric. Never quite sure what to do with that one, so please just hardblock the individual IP for a year unless you know more about HE than I do.
 * 69.163.36.194 and 69.163.33.26 are directspace, sublet to corepacket. Given the presence of VPN nodes, please hardblock for two years. In addition, please block  either soft or hard.
 * 91.210.59.0/24 is SSD-VPS aka adeo datacentre. Very empty website, which usually means "dodgy webhost". Please block the following for two years:
 * 96.47.10.96 is data102. Please hardblock for two years given the VPN node.
 * Thanks. --Blablubbs&#124;talk 12:53, 11 June 2021 (UTC)
 * Whew. Think that's all of them. GeneralNotability (talk) 01:34, 3 July 2021 (UTC)
 * 96.47.10.96 is data102. Please hardblock for two years given the VPN node.
 * Thanks. --Blablubbs&#124;talk 12:53, 11 June 2021 (UTC)
 * Whew. Think that's all of them. GeneralNotability (talk) 01:34, 3 July 2021 (UTC)
 * 96.47.10.96 is data102. Please hardblock for two years given the VPN node.
 * Thanks. --Blablubbs&#124;talk 12:53, 11 June 2021 (UTC)
 * Whew. Think that's all of them. GeneralNotability (talk) 01:34, 3 July 2021 (UTC)

37.111.139.70
closed

The IP comes from Telenor Pakistan which does not host any Open proxies or VPN service. Let me remind you, open ports does not mean open proxy. may i have your words to explain from where you got the impression that its a proxy? 37.111.129.108 (talk) 12:49, 2 June 2021 (UTC)
 * whois is from Telenor Pakistan. 37.111.129.108 (talk) 12:58, 2 June 2021 (UTC)


 * , : Both of these IPs seem to be from the same device, possibly a mobile connection (or equivalent such as 4G broadband). This device appears to be running a residential proxy. This is usually because you have a malicious application in your mobile phone which is turning the device into a proxy for others to use. I would suggest you to review your device for potentially dodgy applications. MarioGom (talk) 17:30, 2 June 2021 (UTC)


 * All blocked as proxies, but from what I can see, I'd call this highly, unless there's some open proxy node behind the IP that I can't see (or has more data available than I do). There are proxy signatures here, but not the type I'd expect to see used on Wikipedia (beans, but cf. ). --Blablubbs&#124;talk 11:15, 10 June 2021 (UTC)

105.235.71.132
closed

Reason: Edit warring through yet another proxy on page Radio Free Asia. This is almost certainly the same person as the IP 94.64.198.226 reported just above here. I suspect that could be also one of named accounts who edited this page through proxy. As a note of order, all edits by this IP must be reverted because this is not a legitimate account/editing. My very best wishes (talk) 16:39, 12 June 2021 (UTC)


 * Very likely peer-to-peer proxy. Same as with this previous report. It is already blocked, although the long block will be ineffective in this case. Since the page is now semi-protected, I'd suggest closing this. MarioGom (talk) 22:05, 13 June 2021 (UTC)

114.141.194.0/24
close

"Wholesale Services Provider", see website. Many ranges already blocked. CyberGhost VPN, more info below:


 * 114.141.194.2 · whois · spur · shodan · CyberGhost · blade1.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.3 · whois · spur · shodan · CyberGhost · blade2.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.4 · whois · spur · shodan · CyberGhost · blade3.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.5 · whois · spur · shodan · CyberGhost · blade4.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.6 · whois · spur · shodan · CyberGhost · blade5.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.7 · whois · spur · shodan · CyberGhost · blade6.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.8 · whois · spur · shodan · CyberGhost · blade7.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.9 · whois · spur · shodan · CyberGhost · blade8.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.10 · whois · spur · shodan · CyberGhost · blade9.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.11 · whois · spur · shodan · CyberGhost · blade10.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.12 · whois · spur · shodan · CyberGhost · blade11.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.13 · whois · spur · shodan · CyberGhost · blade12.auckland-rack402.nodes.gen4.ninja
 * 114.141.194.14 · whois · spur · shodan · CyberGhost · blade13.auckland-rack402.nodes.gen4.ninja

--MarioGom (talk) 22:33, 12 June 2021 (UTC)
 * Done. GeneralNotability (talk) 01:18, 3 July 2021 (UTC)

PureVPN (II)
close


 * al-ikev.ptoserver.com
 * al-ipsec.pointtoserver.com


 * cy2-ikev.ptoserver.com
 * cy2-tcp.ptoserver.com


 * per spur/shodan
 * fi2-auto-ikev.ptoserver.com
 * per spur
 * per spur/shodan, ns1057.dnspure.com
 * per spur/shodan
 * per spur/shodan
 * per spur/shodan
 * per spur/shodan
 * per spur/shodan
 * per spur
 * fi2-auto-tcp.ptoserver.com
 * per spur
 * fi2-tcp.ptoserver.com
 * per spur


 * per spur
 * gr2-auto-udp.ptoserver.com
 * per spur
 * per spur
 * per spur


 * gr2-tcp.ptoserver.com
 * gr2-udp.ptoserver.com


 * id2-auto-ikev.ptoserver.com
 * id2-auto-tcp.ptoserver.com
 * id2-auto-udp.ptoserver.com


 * it2-auto-ipsec.ptoserver.com
 * it2-auto-udp.ptoserver.com


 * lv-ipsec.ptoserver.com
 * per spur
 * lv2-auto-tcp.ptoserver.com
 * per spur
 * per spur


 * lv2-udp.ptoserver.com


 * per spur
 * my2-ovpn-tcp.ptoserver.com
 * my2-auto-tcp.ptoserver.com
 * my2-auto-udp.ptoserver.com
 * my-ikev.ptoserver.com
 * my2-auto-ikev.ptoserver.com


 * nl2-auto-ipsec.ptoserver.com


 * no-ikev.ptoserver.com


 * no2-auto-udp.ptoserver.com
 * no2-auto-tcp.ptoserver.com
 * no2-ovpn-tcp.pointtoserver.com
 * no2-ovpn-tcp.ptoserver.com
 * no2-ovpn-udp.pointtoserver.com
 * no2-ovpn-udp.pointtoserver.com
 * no2-ovpn-udp.pointtoserver.com
 * no2-ovpn-udp.pointtoserver.com
 * no2-ovpn-udp.pointtoserver.com
 * no2-ovpn-udp.pointtoserver.com
 * no2-ovpn-udp.pointtoserver.com
 * no2-ovpn-udp.pointtoserver.com


 * ru2-ovpn-tcp.pointtoserver.com


 * ru-ipsec.pointtoserver.com


 * ru2-ovpn-tcp.pointtoserver.com


 * per spur
 * sk-ipsec.ptoserver.com
 * sk2-auto-udp.ptoserver.com
 * sk2-auto-tcp.ptoserver.com


 * th2-auto-ipsec.ptoserver.com


 * tw2-auto-udp.ptoserver.com

Notes:
 * 46.243.224.0/24 per whois data is wholly assigned to PureVPN-NET.
 * 178.170.136.0/24 per whois data is wholly assigned to PureVPN-NET.
 * 85.208.3.0/24 whois data may be misleading. This /24 has many PureVPN nodes and every IP has a srv-dN.inioscloud.com hostname. Website (http://inioscloud.com/ https://www.kotisivut.com/) and hostnames suggest that the whole /24 is a web host.
 * 5.172.204.192/26 offers all kinds of server hosting and colocation services (https://www.lancom.gr/). If you check ISP Range Finder, be careful, since results are mixed with CityLanCom LTD. Many other ranges in the ISP are already blocked. So I guess either the /24 or /26 are good for a block.
 * 178.21.169.0/24 is also Lancom LTD as the previous one. This /24 is clearly marked in whois as Cloud-Customers. So a webhost block should be good.
 * 103.16.199.0/24 provides servers and connectivity (https://jalanet.co.id), I'm not really sure about this one. Maybe hard blocks for the individual IPs?
 * 92.38.175.0/27 per whois data is wholly assigned to pointtoserver (PureVPN alias), but the /24 would also be good to block since we're already blocking most G-Core Labs S.A. ranges.
 * 213.21.192.0/20 seems to be a ISP/backbone (Versia), not good to block. It might be better to hard block the individual IPs.
 * 141.101.134.0/24 also on Versia but this whole /24 subrange is assigned to PureVPN-NET per whois.
 * 103.28.90.0/24 and 103.28.91.0/24 is primarily hosting (https://www.gbnetwork.my/), other ranges already blocked for hosting VPNs.
 * 79.142.64.0/22 is already under a soft block. Please do hard block the individual IPs.
 * 141.101.146.0/24 per whois data is wholly assigned to PureVPN-NET.
 * 185.125.170.0/24 whois data is a bit weird. 185.125.170.40/29 and 185.125.170.160/28 are assigned to GZSYSTEMS (PureVPN alias) while 185.125.170.24 to 185.125.170.30 are outside those subranges and are PureVPN too. I guess the /24 is good for a hard block.
 * 94.242.48.0/20 is a FishNet ASN, Veesp datacenter subrange.
 * 46.243.220.0/24 per whois data is wholly assigned to PureVPN-NET.
 * 206.123.128.0/19 per whois email is assigned to pointtoserver (PureVPN alias).
 * 149.7.226.0/24 second opinion needed.
 * 116.206.126.0/24 cloud service per whois. Didn't look in depth.
 * 128.1.63.0/24 per whois data is subrange is Zenlayer Managed Hosting.

Unblocked PureVPN nodes that I missed in the initial report. MarioGom (talk) 11:40, 15 May 2021 (UTC)
 * . I'll tackle this – might take a while. --Blablubbs&#124;talk 09:30, 7 June 2021 (UTC)
 * All ✅. : See below. I'll go through them one by one.
 * is good for a two-year hardblock. The ISP also offers residential connections, so not an ASNblock candidate.
 * is also good for a hardblock.
 * For, the WHOIS does imply that there may be residential usage here. Fortunately, the listed IPs all fit neatly into , so I'd recommend a one-year hardblock for that (shorter than usual given the residential weirdness), and leaving the /24 alone. I also found (FI-INIOS-CLOUD1 per WHOIS), please hardblock that for a year as well.
 * is indeed a webhost range, as is the underlying 24 (5.172.204.0/24). The provider also offers colocation. Going with my usual "if there's proxies on a colo range, hardblock it" rule, please hardblock the /26 for two years, and the /24 for the same duration, soft or hard as you prefer.
 * Same deal for – "Cloud" in the WHOIS, proxies on the range. Please hardblock it for two years.
 * 103.16.199.0/24 is Jalanet (website, google translate), which doesn't appear to do colocation (and deserves to be punished for running its website without HTTPS)  . Please hardblock the following, two years each:
 * 92.38.175.0/27 is definitely PureVPN, but it doesn't look like G-Core does colocation, so is good for a two-year hardblock. It's already globally blocked, but please reinforce locally.  Everything on the ASN is blocked, might be one for ASNBlock.
 * For 213.21.192.0/20, I concur about Versia. There's technically a tiny subrange (213.21.198.16/29) here, but let's just do single IP blocks. Please hardblock the following, two years each:
 * , the other Versia range, is all PureVPN. Please hardblock it for two years.
 * The 103.28. ones are gbnetwork. Per my "proxies on range" rule of thumb, please hardblock (which encompasses the ranges listed) for two years. I also found, which is Secure Internet LLC per WHOIS, abuse contact is admin@pointtoserver.com (i.e. PureVPN). Please hardblock that as well. In addition, please block the following, soft or hard as you prefer:
 * (gbnetwork)
 * (gbnetwork)
 * (ebb.my
 * (gbnetwork)
 * is confirmed. Please hardblock that for two years or harden the block on the /22.
 * Concur for and ; a two year hardblock seems warranted. The ISP is terrahost Norway, which also does colocation. Please also block the following, either soft or hard as you prefer
 * is good for a two-year hardblock, doesn't look like veesp does colocation. is also good to block.
 * PureVPN only, good to hardblock
 * dito (Secure Internet LLC again)
 * Enahost also does virtual desktop stuff, but all blocks in the ASN are hard and there seem to be problematic, so let's continue that tradition. Please hardblock for two years. There's more on the ASN, but I'll leave that alone right now.
 * Can't say much about Bangmod, but it looks like they mostly do webhosting. ASN might be worth a look.
 * is Zenlayer. Please hardblock that, and place a block on the underlying /16, soft or hard as you prefer.
 * Thanks. --Blablubbs&#124;talk 10:24, 7 June 2021 (UTC)
 * Working on this at the moment, just a heads up to any other admins - TNT 😺 01:02, 3 July 2021 (UTC)
 * ✅ All above suggested blocks on CIDRs actioned - TNT 😺 01:30, 3 July 2021 (UTC)
 * Many thanks, closing. --Blablubbs (talk) 12:42, 4 July 2021 (UTC)
 * is good for a two-year hardblock, doesn't look like veesp does colocation. is also good to block.
 * PureVPN only, good to hardblock
 * dito (Secure Internet LLC again)
 * Enahost also does virtual desktop stuff, but all blocks in the ASN are hard and there seem to be problematic, so let's continue that tradition. Please hardblock for two years. There's more on the ASN, but I'll leave that alone right now.
 * Can't say much about Bangmod, but it looks like they mostly do webhosting. ASN might be worth a look.
 * is Zenlayer. Please hardblock that, and place a block on the underlying /16, soft or hard as you prefer.
 * Thanks. --Blablubbs&#124;talk 10:24, 7 June 2021 (UTC)
 * Working on this at the moment, just a heads up to any other admins - TNT 😺 01:02, 3 July 2021 (UTC)
 * ✅ All above suggested blocks on CIDRs actioned - TNT 😺 01:30, 3 July 2021 (UTC)
 * Many thanks, closing. --Blablubbs (talk) 12:42, 4 July 2021 (UTC)
 * Working on this at the moment, just a heads up to any other admins - TNT 😺 01:02, 3 July 2021 (UTC)
 * ✅ All above suggested blocks on CIDRs actioned - TNT 😺 01:30, 3 July 2021 (UTC)
 * Many thanks, closing. --Blablubbs (talk) 12:42, 4 July 2021 (UTC)

IPVanish (II)
closed

IPVanish (AKA Mudhook Marketing, see whois). They can be consolidated as:

--MarioGom (talk) 22:26, 29 June 2021 (UTC)
 * Done. GeneralNotability (talk) 01:14, 3 July 2021 (UTC)

109.111.209.163
close

Reason: Off a one month block and vandalising again (see also edit filter). Popped up on WIMIA as a "Confirmed proxy server". Proxychecker ticks proxy/VPN (IPQualityScore only). Spur says it "has been used as a VPN or Proxy to anonymize traffic" but low traffic. Web address in hostname (metronet-uk.com) resolves to M247, a company that offers dedicated servers, cloud hosting, data centres and colocation among other things. --Malcolmxl5 (talk) 14:51, 7 July 2021 (UTC)


 * No luck with Spur's API. While almost everything in M247 proper (AS9009) are proxies, this IP belongs to a different AS, which I think is residential. Looking at Shodan, port 80 runs Squid (possibly a proxy), port 443 serves a certificate for ivybridge.devon.sch.uk. This could be a school, school gateway, school proxy or something like that, which is consistent with the edits to Ivybridge. A school block on the individual IP might be more appropriate than a proxy block. MarioGom (talk) 22:29, 8 July 2021 (UTC)


 * Nice work, MarioGom, thanks. Certainly looks like a school so I’ll put a SharedIPedu template on the talk page and keep an eye on it. I’ll close this request now. --Malcolmxl5 (talk) 22:47, 8 July 2021 (UTC)

93.190.93.133
close

Spur flags this as Hide My Ip VPN. --Malcolmxl5 (talk) 10:31, 14 July 2021 (UTC)


 * @Malcolmxl5: ✅. The ISP is a mixed colo/webhosting provider, looks like there are quite a few blockable ranges here but I unfortunately don't have time for a deeper check right now. The IP is good to hardblock, I'd go for a year. Blablubbs (talk) 10:38, 14 July 2021 (UTC)
 * ✅ --Malcolmxl5 (talk) 10:54, 14 July 2021 (UTC)

Ivacy VPN
closed
 * hk-ovpn-udp2.dns2use.com
 * my2-ovpn-udp.dns2use.com
 * ru2-ovpn-tcp.dns2use.com
 * vlbr-usvc1.dns2use.com

-- MarioGom (talk) 20:52, 24 May 2021 (UTC)
 * , looking for blockable ranges. --Blablubbs&#124;talk 11:16, 11 June 2021 (UTC)
 * ✅ all single IPs., see below
 * 103.109.103.59 is koddos, which also does colocation. Please block the following for two years, soft or hard as you prefer (I'd suggest hard because this one likes hosting VPNs, if you go with softblocks, please hardblock the individual IPs)
 * (suggest hard given the VPN node on it)
 * 103.28.90.32 is gbnetwork Malaysia. They technically do colocation, but there are a bunch of VPN ranges here, so hardblocks are warranted. Please hardblock the following for two years:
 * (pointtoserver.com/PureVPN)
 * (pointtoserver.com/PureVPN)
 * 91.218.115.221 is RU-SERVER-V-ARENDY/HOSTKEY-RU. The provider does not appear to offer colocation. Please hardblock for two years. ISPrangefinder has nothing, but somebody may want to have a look at this listing at some point.
 * 141.101.170.2 is on a /24 that's registered directly to PureVPN. The hosting provider is psychz. Most of it is blocked, there are some remaining ranges. Please hardblock the following for two years:
 * (PureVPN)
 * (HostUS
 * (HostUS)
 * In addition, please block (securityframe), soft or hard as you prefer, I'd suggest soft.
 * Thanks. --Blablubbs&#124;talk 11:43, 11 June 2021 (UTC)
 * Done. GeneralNotability (talk) 15:23, 16 July 2021 (UTC)
 * (pointtoserver.com/PureVPN)
 * 91.218.115.221 is RU-SERVER-V-ARENDY/HOSTKEY-RU. The provider does not appear to offer colocation. Please hardblock for two years. ISPrangefinder has nothing, but somebody may want to have a look at this listing at some point.
 * 141.101.170.2 is on a /24 that's registered directly to PureVPN. The hosting provider is psychz. Most of it is blocked, there are some remaining ranges. Please hardblock the following for two years:
 * (PureVPN)
 * (HostUS
 * (HostUS)
 * In addition, please block (securityframe), soft or hard as you prefer, I'd suggest soft.
 * Thanks. --Blablubbs&#124;talk 11:43, 11 June 2021 (UTC)
 * Done. GeneralNotability (talk) 15:23, 16 July 2021 (UTC)
 * (HostUS)
 * In addition, please block (securityframe), soft or hard as you prefer, I'd suggest soft.
 * Thanks. --Blablubbs&#124;talk 11:43, 11 June 2021 (UTC)
 * Done. GeneralNotability (talk) 15:23, 16 July 2021 (UTC)

31.41.45.190
closed

Reason: Webproxy, flagged by GetIPIntel and leads to https://proxylistpro.com/ Firestar464 (talk) 11:57, 17 June 2021 (UTC) "Technically I am using it to bypass a longish mobile IP range-block, which I am fairly certain is permitted since the block is not directed against me as a person" Isn't that block evasion? Create an account. That's how we do it here. Firestar464 (talk) 04:43, 19 June 2021 (UTC)
 * ✅, thank you for reporting. – please hardblock  (cishost) for two years. The ASN could potentially use a look as well. --Blablubbs&#124;talk 12:04, 17 June 2021 (UTC)
 * , a quick looks suggests that cishost is a colo/hosting provider, why am I hardblocking it? GeneralNotability (talk) 17:05, 17 June 2021 (UTC)
 * @GeneralNotability, I only saw webhost offerings; virtual dedicated servers, physical dedicated servers, hosting resale, domains and SSL certs. Did I miss something? --Blablubbs&#124;talk 17:29, 17 June 2021 (UTC)
 * So I think I can provide a bit of background, actually I already did here. So I don't think this is an open proxy per se, but it is anonymizing, probably a vpn or secure proxy. I'm not up to date on the latest policy but if merely being anonymizing is against it than this will fall afoul. Technically I am using it to bypass a longish mobile IP range-block, which I am fairly certain is permitted since the block is not directed against me as a person, and no I'm not creating an account period even if it would make editing easier because, you know, principles . It's not really a big deal both because I told myself I was going to limit my activity to a month or two at most, and because there's dozens of similar apps of which at a spot check about 3/4s are unblocked at any one time, that is assuming that any block would be aimed at the IP at not at myself of course. Anyway I should be around for the next hour or so to answer any questions, assuming that even if a block is required there's no urgency in implementing. Pinging and . Regards, 31.41.45.190 (talk) 19:29, 17 June 2021 (UTC)
 * Look, I need to get some shut-eye. Hopefully the information I've provided is adequate, because I think I've finally convinced myself to follow my own rules and try to forget about all this behind the scenes stuff for a bit no really . I'll be back around to help out eventually and yes I know it's all going to dissolve into grey goo sooner or later no matter what I do, but maybe I can assist in slowing things down a bit, and I'll make a note of this IP in case there are conversations to be had later. Regards, 31.41.45.190 (talk) 20:30, 17 June 2021 (UTC)
 * I'm seeing lots of good edits from this IP - no abusive contributions, which is a criterion for block requests. That might change of course if someone else gets to use the IP address but for now, I would be inclined to hold off blocking. --Malcolmxl5 (talk) 00:37, 18 June 2021 (UTC)
 * @Malcolmxl5, as far as I'm aware, all open proxies may be blocked on sight, regardless of whether there are abusive anonymous contributions or not (we have tonnes and tonnes of unblocked webhosts with no visible anon edits). I'm also sympathetic here, but the issue is that we have no way of telling whether others may be using this IP abusively while logged in (unless someone wants to CU it, but being a proxy is not grounds for a check on its own); we also don't know how many other hosts on the range are proxies – I can openssl my way through, but I usually prefer not doing that unless there's a highly compelling reason. We have also now publicised this node, meaning that the chances of future abuse (logged-in or logged-out) have increased substantially. My inclination would be to block regardless, and with sincere apologies to the IP editor currently on this proxy. --Blablubbs&#124;talk 12:42, 18 June 2021 (UTC
 * No apology necessary, I understand fully, however note the word may, not must, so admin discretion is permitted.I'm not particularly technically knowledgeable so take this FWIW, but I'm unsure how much this being publicised actually increases risk, trying to find one app among many other essentially identical apps is like looking for one particular needle in a needlestack. And given current geopolitics it may not even be directly accessible in the regions where the majority of contributors are located (not that eastern Europe has any shortage of LTAs, believe me I’ve had my run-ins with a few, just that the density is lower).Anyway, I endorse the block, but I’m also big on AvoidIllusion. We are lucky that most vandals are too dull to realise that downloading apps to evade a block is even an option. But those that do will just continue to switch between apps (or between options within apps) until they get bored, and given how many apps come and go on a weekly basis we are never going to block them all, or even a significant percentage of them; that is why page protection exists. Regards, 81.177.3.8 (talk) 19:51, 14 July 2021 (UTC)


 * If they are not the block target, that is not evasion, no. --Blablubbs&#124;talk 09:39, 19 June 2021 (UTC)
 * See LoginsAreEvil. Regards, 81.177.3.8 (talk) 19:49, 14 July 2021 (UTC)


 * Not been used for four weeks so I’m happy to block this. Are we still going with a two year hard block for 31.41.40.0/21? --Malcolmxl5 (talk) 10:47, 14 July 2021 (UTC)
 * This is moscow3.proxylistpro.com and it is strictly an open proxy. The fact that it is web-based rather than HTTP or SOCKS or SoftEther is irrelevant. It's one more like the thousands of proxies that are routinely blocked upfront by our proxy bots. MarioGom (talk) 22:55, 16 July 2021 (UTC)
 * Blocked. GeneralNotability (talk) 01:14, 17 July 2021 (UTC)

M247 (91.245.x.x)
close

M247 with various VPN services. M247 ranges are usually catched by ASNBlock and hard blocked. But these are missing. MarioGom (talk) 17:59, 3 July 2021 (UTC)
 * All ✅. – please hardblock all the listed ranges for two years. Thanks. --Blablubbs (talk) 13:45, 15 July 2021 (UTC)
 * ✅ 91.245.254.0/24 and 91.245.255.0/24 are already blocked. --Malcolmxl5 (talk) 09:09, 16 July 2021 (UTC)

206.217.192.0/19
closed


 * Blocks: 31.24.224.0/21, 31.24.228.0/22, 37.123.112.0/21, 45.135.184.0/23, 45.135.185.0/24, 46.28.48.0/21, 67.213.208.0/20, 67.213.220.0/23, 83.170.64.0/18, 85.203.0.0/18, 85.203.22.0/24, 85.203.34.0/24, 88.202.176.0/20, 88.202.180.0/22, 88.202.184.0/21, 88.202.224.0/21, 91.109.240.0/21, 91.109.245.0/24, 91.109.246.0/24, 109.123.64.0/18, 174.127.64.0/18, 174.127.112.0/21, 176.67.160.0/20, 176.67.168.0/24, 185.2.136.0/22, 185.80.220.0/22


 * 206.217.216.3 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.4 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.6 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.7 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.8 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.9 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.10 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.11 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.12 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.13 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.14 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.15 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.16 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.17 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.18 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.19 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.20 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.21 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.22 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.23 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.24 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.25 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.26 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.27 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com
 * 206.217.216.28 · whois · spur · shodan · TorGuard · nl.torguardvpnaccess.com

UK2NET. Judging from previous blocks in the ASN (all of them with proxies), this is a common VPN host. The reported range hosts TorGuard from 206.217.216.3 to 206.217.216.28. According to Spur, 206.217.207.36 is Actmobile VPN. Possibly others too. MarioGom (talk) 21:17, 4 July 2021 (UTC)
 * Done. GeneralNotability (talk) 15:50, 16 July 2021 (UTC)

104.166.128.0/18
close


 * Blocks: 23.248.168.0/22, 36.255.96.0/23, 43.226.231.0/24, 45.43.38.0/23, 128.1.0.0/16, 128.1.144.0/20, 128.1.160.0/19, 128.1.192.0/18, 129.227.0.0/18, 129.227.104.0/21, 129.227.112.0/20


 * 104.166.144.19 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.20 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.21 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.22 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.23 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.24 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.35 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.36 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.37 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.38 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.39 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.40 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.51 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.52 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.53 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.54 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.55 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.56 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.67 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com
 * 104.166.144.68 · whois · spur · shodan · TunnelBear · ng.lazerpenguin.com

ZenLayer (frequent VPN colo), see previous blocks. This range hosts TunnelBear (see above) and TurboVPN (see enwiki contribs). The TurboVPN nodes are used by LTA. MarioGom (talk) 14:54, 16 July 2021 (UTC)
 * Yes check.svg Done !ɘM γɿɘυϘ ⅃ϘƧ  18:20, 16 July 2021 (UTC)