Wikipedia talk:Sockpuppet investigations/Archive 20

Login to Wikipedia as me
I recently received a message from wiki@wikimedia.org on my email and said that someone attempted to log in my account from a new device, could CU to identify on that user?  S A 1 3 B r o  (talk) 14:52, 24 October 2017 (UTC)
 * Hi, if the notification you received stated that someone attempted to log in then your account itself isn't compromised. I believe there was a phab ticket about adding the attempting IP to the message. This information is logged, but currently checkusers don't have access to it -- There'sNoTime (to explain) 15:03, 24 October 2017 (UTC)
 * This has happened to me and a couple of other admins (Yamla and JamesBWatson), while the attempted login itself doesn't give me the ip, this chap also tried to reset my password, and from that I got the IP which happens to be the notorious sock farm of Virajmishra -- he usually targets those who've blocked/reverted/warned him or declined his unblock requests. &mdash; Spaceman  Spiff  15:39, 24 October 2017 (UTC)
 * Not only the spamming Virajmishra, the other user Benjaminzyg9402 also, and he is very aggressive. He used his sock account for vandalizing Wikipedia, after he get checkuser block by BU Rob13, then he cross-wiki abuse on Meta site for vandalism, while get global locked by Tegel. Later on, he created another sock farm accounts for making this nonsense edits, this, this, vandalizing PlyrStar93 and my userpage on Meta site. My account are strong password, he can't be ability to invade.  S A 1 3 B r o  (talk) 17:08, 24 October 2017 (UTC)

Email
Are there any CU's around at the moment that I could email about off-wiki evidence in a case I'm clerking? Sir Sputnik (talk) 16:18, 24 October 2017 (UTC)
 * Sure. -- zzuuzz (talk) 16:52, 24 October 2017 (UTC)

New parameters
Might it be useful to have new SPI case parameters for "Behavioural evidence needs evaluation" and/or "Clerk assistance requested"? GABgab 19:56, 27 October 2017 (UTC)

Case move mix up
There appears to be a double redirect situation with U|Alex Shih's move of this SPI. I'm not sure how to untangle the archives etc.-- Jezebel's Ponyo bons mots 22:10, 27 October 2017 (UTC)
 * I think I've got that all straitened out. Since I'm still fairly new at this, you might want to double check my work to make sure I haven't missed anything. Sir Sputnik (talk) 22:50, 27 October 2017 (UTC)
 * Thank you!-- Jezebel's Ponyo bons mots 22:53, 27 October 2017 (UTC)

Massive UPE sockfarms
As I'm sure you all know by now, we have a number of intersecting undisclosed paid editing sock/meatfarms operating on Wikipedia; see my comment here which contains a small list of intersecting SPI cases. It's not clear whether these are all one person or organization, or several which are nearly co-located, or perhaps several unique operators who happen to use the same VPNs and open proxies. Their behaviour is remarkably similar: they've developed a tactic to evade anti-spam mechanisms which I won't describe in detail here but it's easy to identify, and part of the tactic is abandoning the accounts used for these edits such that blocks are ineffective. My theory is that whoever originally developed this tactic has shared it with other independent paid spammers, sort of a how-to guide to spamming Wikipedia, which would have the effect of making paid Wikipedia services generally more effective and increasing the likelihood of people seeking editing-for-hire services. Customers posting ads seeking these services on sites like Fiverr could even provide the instructions to new editors themselves. That would explain (IMO) why there are occasionally new cases which match the behaviour exactly but aren't technically connected to older reports.

I suggest that connecting these disparate spammers to each other is pointless, and equally pointless is identifying them individually, thus I suggest we stop doing it. Instead, we create an LTA-style container case (not necessarily under SPI). If any account matches the anti-anti-spam behaviour that these operators have shown, or whatever it morphs into, and a CU connects them to any other active accounts whether they're socks or not, then they're probably following this guide so we block them referencing the container case, and nuke their contribs. Removing the pages these editors get paid to write is the most important part: as long as they continue successfully creating articles, people will keep hiring them to do it.

I'm wondering if other clerks agree, and what our Checkusers think of the idea. Ivanvector (Talk/Edits) 16:38, 18 September 2017 (UTC)
 * As already noted, I strongly agree with the proposal, and suggest we develop a new socktag parameter for UPE cases; something like, "[User] is a [confirmed/proven/suspected] UPE sockpuppet". That way, we don't need to reference a single master if it's unclear whether 2+ cases should be considered one. FWIW, I'm not sure whether one spamming group would voluntarily share "proprietary" anti-anti-spam tactics with others, but you never know. I guess there might be some degree of communicating with/learning from one another. I also want to suggest that, since we really want to stay discreet wrt this tactic, that we consider adopting the LTA database proposal from earlier. GABgab 17:06, 18 September 2017 (UTC)
 * Could just as well be the clients sharing the details - would make it more likely that the pages they pay for don't get deleted. Ivanvector (Talk/Edits) 17:11, 18 September 2017 (UTC)


 * I'm still mulling this over but two things come to mind for consideration:
 * From Ivan's suggestion about LTA-like pages (containers) and GAB's pointing to the LTA proposal, that this might be brought into WP:LTA, under one roof so to speak without the creation of a different venue. This may very well be justified because this is a class of LTA editors. Perhaps a subcategory to further classify them may prove useful if this were adopted. If the off-wiki LTA proposal is revisited and adopted then UPEs would fall under that same umbrella without a different proposal being necessary. I'm putting this out there as food for thought.

— Berean Hunter   (talk)  17:59, 18 September 2017 (UTC)
 * One more thing about the UPE tag is that it might need to have a link back to the SPI case so other editors may follow it. Savvy editors may be able to follow without the links but we should make a clear path giving editors the breadcrumbs to track back to the cases. Checkuser blocks that don't leave a clear trail combined with a UPE tag that is too general won't prove as useful as the traditional tagging system.
 * We have a list of a couple of dozen paid editing companies. A number of them have multiple staff. This list should likely be improved and its existance more widely spread. Make it appear better in search engine results so people can more easily discover that they are hiring someone in breach of our rules. They work via multiple websites such as Fivver and Upworks plus their own websites.
 * Dealing with this issue is going to take a multi pronged approach. I support this proposal. Legal is willing to help aswell but does not want to overstep community policies. We also are looking at AI efforts to help with detection.
 * This RfC on meta I beleive will also help.
 * There are groups that are teaching others to become more effective undisclosed paid promotional editors. There are instruction manuals on how to get around our checks and balances. They, however, are mostly counting on us not being able to develop consensus around dealing with the issue, as many are not at all subtle as they know they do not need to be. Our TOU is currently entirely toothless.
 * Doc James (talk · contribs · email) 19:03, 18 September 2017 (UTC)


 * Comment Yes we need LTA, but what will the name of the LTA? The main sockmaster of this whole sockfarm is but Sockpuppet investigations/Benfold is currently a red link. Should we at least create that SPI and link all other connected SPIs with that one, even if we don't merge them? It would make things easier and then we can request a siteban. Capitals00 (talk) 07:29, 19 September 2017 (UTC)
 * My point is that trying to identify a master and then tie all of the other investigations to it is counterproductive. That's basically what I'm suggesting we stop doing. I also think that formalizing a siteban would be a poor use of resources: editors this committed to violating the TOS are not effectively members of the community anyway. Ivanvector (Talk/Edits) 12:23, 19 September 2017 (UTC)


 * It helps made G5 less controversial and thus speeds cleanup. Doc James  (talk · contribs · email) 16:30, 19 September 2017 (UTC)
 * It's this line of thinking I'm trying to get away from. G5 (presently) requires that we can identify a specific blocked account which was evading a block when they contributed a page. That means we have to do the SPI dance where we try to string together technical and behavioural connections to determine which of the many UPE sockfarms this new account belongs to, which frequently results in the sort of ridiculous cases like this one that flagged dozens of behaviourally-related accounts in groups that all probably belong to different individual masters, that sit open for two months because we don't know what to do with all of them. Ivanvector (Talk/Edits) 16:54, 19 September 2017 (UTC)


 * Maybe I'm overthinking this. I suppose we could already say that all of these accounts are behaviourally linked: they all use sockpuppets to game WP:NPP for obviously promotional purposes, for example. We could have a container case for those accounts (Benfold, if that is indeed the oldest account). They're behaviourally close enough to be meatpuppets, anyway. That at least would help us deal with this particular form of disruption, which is widespread because of how successful it's been up to this point. I think that this would fall within our discretion under current policies, but I'd be willing to draft an RfC for a wider audience if not. Ivanvector (Talk/Edits) 16:54, 19 September 2017 (UTC)
 * That sounds reasonable. Based on behavioral evidence we can and should link them (per sockpuppet / meatpuppet). Doc James  (talk · contribs · email) 17:39, 19 September 2017 (UTC)
 * Doc James got it right. That's the problem we are facing. G5 have been frequently declined because sock was 1) not blocked during the creation 2) not blocked on sockmaster during creation. Then we have to nominate these promotional and non-notable articles of these many sockmasters for deletion and then nominate categories or templates. But it is taking months and most people have no time for that. I had to ask to delete the articles because other admin won't find these few articles passing G5, and this cannot be done every time. Capitals00 (talk) 18:08, 19 September 2017 (UTC)


 * I've been asking for somethign like this to be done many socks ago. The most recent example I have is Sockpuppet investigations/Scholarscentral where we now have two known groups spread across two continents (because of an acquisition), now just judging from the edits, it'd be difficult to figure out which of the two groups one belongs to. In this particular case G5 isn't a problem because the motions of a community site ban have been completed, however, in many such cases where we can't place a new spamming account with an old group, it wastes a lot of time. GAB recently tagged Bettersmiley which was linked to multiple accounts, and that's a classic example of this situation. cheers. &mdash; Spaceman  Spiff  23:07, 19 September 2017 (UTC)
 * Nah, the Bettersmiley incident was a misfire with the SPI script. But yes, technical issues blur the lines so much that behavior is generally the best "tell" (even if CU is critical for hitting large sockfarms). GABgab 02:41, 27 September 2017 (UTC)
 * Speaking here as one of the NPP regulars who also frequents SPI: I agree with 's proposal. This would make it a lot easier for our regular reviewers to spot things they might be uncertain of. I sometimes get private questions from reviewers who are not familiar with the SPI process as to how to deal with a suspected large farm, etc. and many of even our more experienced reviewers are nervous to file an SPI. Making this a documented LTA or something similar would be useful from our end of the workload. I'll also post a notice of this conversation at WT:NPR so more of the people who frequent that page are aware of this. TonyBallioni (talk) 02:47, 2 October 2017 (UTC)
 * Sure--Why not? The ideas of a container case will obviously come as a huge improvement in saving time and other valuable resources of the editorial community over discovering exact SPI/match etc. before launching an investigation! Winged Blades of Godric On leave 08:04, 2 October 2017 (UTC)
 * Yes clearly desirable. It should help everybody here who's involved with the problem. The important thing is identifying that it was puppetry, not exactly which was the first or master account. A s a by-product, collecting this information should help make the extent of the problem clearer to those who may still not think UPE a  threat to the integrity of WP.  DGG ( talk ) 18:55, 3 October 2017 (UTC)
 * Yes we need to formalize our response to these organized efforts to undermine our integrity. Just a few minutes ago I saw a declined PROD for one of their creations. It is not sustainable to work through AfD on toxic waste dumped on us on this scale. ☆ Bri (talk) 19:29, 3 October 2017 (UTC)
 * Like Ivanvector said, these users arent part of the community. Well, they are not even "wikipedia editors". They are getting paid. For these reasons, they dont care what we do at all. They will create new a/c, and will edit again. Salting can work upto a certain limit only. Only for new creations. It doesnt solve issues related to removal, and/or addition of content for promotional use.
 * We need to decrease the bureaucracy a little. There have been examples of paid editing where an a/c gets in good standing, makes actually good contributions, and other (temporary/short term/lets run it as long as it goes) accounts do the paid editing.
 * But exluding "history", or not connecting the users would make it difficult to spot these editors in long term. Although, if they are following some sort of guidance, the behaviour will be easily spottable due to similarities. But the trouble is, they are getting paid. So finding loopholes in enwiki, or gaming the system become their profession. They will try their best (a few have must have achieved) to bypass our attempts.
 * I partially support Ivanvector here. We shouldnt waste time on connecting individuals, but we should keep their traits documented; so that in case of recurrence they can spotted easily. — usernamekiran (talk)  00:22, 4 October 2017 (UTC)
 * well he is a sockmaster with over 1,000 socks and has been a very disruptive editor. I mean, mass socking since 2013, you know how it sounds like. We really need an LTA and it should be named after the oldest account which is Benfold. Otherwise G5 it will remain very hard to get his promotional and useless content deleted. Capitals00 (talk) 06:34, 4 October 2017 (UTC)
 * Yes, I am not opposing to LTA casepages. But what I think is, we a limited manforce. If there are more hands at work, with specialisations, then it would be different. The way we currently document the cases is time-consuming. And that, or any process doesnt matter to the socks, they are only busy with creating more accounts (paid or vandals). What I am trying to say here is, if you (Capitals00) come across two editors who can be related, and CU finds these accounts connected; then I think they should be blocked, the oldest of these two should be tagged as master, their habits/traits should be documented. And thats it. We shouldnt waste our time/resources to find if these two accounts are connected to any previously blocked accounts. If somebody already knows the traits/or comes across similar behaviour, then linking them is a different thing. But we should spend time specifically for finding it. I am not sure if I am putting my thoughts in words clearly lol. — usernamekiran (talk)  12:47, 4 October 2017 (UTC)


 * I want to support this, but to be clear, the reason for blocking these accounts is that they'll share technical evidence that demonstrates that there are engaging in anti-anti-spam activities, rather than basing it on on-wiki behavioural evidence? I'm happy with the former, but I'd be opposed to the latter. - Bilby (talk) 06:40, 4 October 2017 (UTC)
 * Why? WP:DUCK is often used and there is no doubt about the "massive UPE sockfarm". Maintaining purity of process sounds good but the cost is that those who resist the massive exploitation will be ground down and possibly overwhelmed by red tape. What evidence is there to suggest the proposal would lead to the loss of good content? Johnuniq (talk) 07:00, 4 October 2017 (UTC)
 * I'm ok with WP:DUCK, and use it. My concern might well be moot, so if this is based on technical rather than on-wiki behavioural evidence then I'm ok with it. That's my only real query at the moment. - Bilby (talk) 12:00, 4 October 2017 (UTC)
 * The behavioural evidence is that multiple accounts are involved in targeted promotional activities. We don't need to be any more specific than that. Ivanvector (Talk/Edits) 12:54, 4 October 2017 (UTC)
 * I'll try and work out exactly what this plan is, then, without a response. It doesn't seem to be very well articulated, so I wish this was explained a little clearer. - Bilby (talk) 14:19, 4 October 2017 (UTC)
 * Ok, so if I get this right, if an editor behaves as if they are a paid editor, but we can't work out which paid editor they are, we conduct a CU. My assumption here is that you don't need further evidence that they are socking to justify the CU, whereas normally you would need to show that the editor is likely to be a sock of someone in particular in order to justify the CU. Is this correct? Then the plan is "and a CU connects them to any other active accounts whether they're socks or not." That's the bit I'm lost on. What does this line mean? If a CU connects the account to another editor, how would that indicate something other than the editor being a sock? - Bilby (talk) 14:29, 4 October 2017 (UTC)
 * It's a particular set of actions designed to evade our new content filters which requires operating at least two accounts. However, I posted a link above to a list of the 7 cases I could think of at that moment which have this behaviour in common, but which as far as we know from technical evidence are each operated by separate individuals, despite what and some others have been saying in this thread, and it's apparent that there are new entrants not related to previous cases. It's that confusion that holds up process: normally CU is used to connect a suspected sock account to an older, previously confirmed account, so we need to know beforehand which previous account to check against, and then afterwards we need to know which of the many closely-related cases to file under. I'm suggesting here that we disregard the sockmaster, and for any future case where this pattern of behaviour is apparent, we simply block any account that's part of a CU-confirmed group even if that group isn't technically related to any other case, and file the report in some common place (the "container case" I mentioned before). This would also cover accounts which clearly match the behaviour even if they appear technically unrelated.
 * However, since you made me think about it again, I'm not seeing now how this is really different from how we handle SPI and CU generally, except for the filing bit. I'd also like to have an endorsement to apply G5 to any matching account's new pages, because G5 as worded might not quite cover it. Ivanvector (Talk/Edits) 15:21, 4 October 2017 (UTC)


 * Support Potentially high impact with very low risk of adverse effects. Rentier (talk) 11:42, 4 October 2017 (UTC)
 * Yes. That UPE farms have outmanoeuvred our process demonstrates that it is time for our process to evolve. It seems unnecessary to require linkage of accounts whose behaviour alone outs them as promo-only throwaways. Ivanvector's proposal should streamline things for SPI. The related RfC at meta does not seem to be heading toward strong consensus for support; we should do what we can on our end. Snuge purveyor (talk) 20:47, 4 October 2017 (UTC)
 * In case I wasn't clear enough, unqualified support. The SPI team needs new options to deal with complex UPE cases. GABgab 19:05, 5 October 2017 (UTC)
 * Unqualified support. Spam is spam, regardless of where it comes from. The only things that matter are that the UPE "articles" get deleted and the spammers get blocked. MER-C 10:03, 7 October 2017 (UTC)
 * Comment-This is absolutely the wrong venue for this discussion. A clear proposal, and I mean CLEAR, should be posted to a more central venue like the Village Pump. I agree with Billy above, that I support the proposal if it means technical evidence without spending additional resources to confirm or investigate links to past accounts, but do not support some vague "behavioral evidence only, which I will not detail" .... It is not even clear from reading the OP what the actual proposal being supported is, as everyone has written rather long comments rather then support for a specific proposal. Seraphim System  ( talk ) 15:23, 7 October 2017 (UTC)


 * Also, the community is more hurt by and more deeply effected by the broken RfA process. This is a lot of attention given to an issue only WMF cares about, and WMF should go to court and request a desist order and possibly damages. How hard is it that? Anyone can overcomplicate something. Seraphim System  ( talk ) 16:02, 7 October 2017 (UTC)
 * It's not a wrong venue.And, no, as much as WMF cares about paid-editing et al, the community deeply cares too! Otherwise, we have been surely co-habiting two different Wikipedia-verses. What the heck else is the matter against which, and  have been standing up against for so long? And, well your last proposal...... Winged Blades of Godric On leave 07:37, 8 October 2017 (UTC)


 * There's a few things off here from a CheckUser perspective, but most importantly, we should not be combining cases where the technical details are unrelated if we can avoid that. It makes it very difficult to perform a check. It's rather vital that we know which accounts to compare against when checking; we cannot be expected to read an archive of all paid editing socking accusations to find relevant behavior or to check every past paid editing sock to find the needle in the haystack where the technical data matches. ~ Rob 13 Talk 13:08, 15 October 2017 (UTC)
 * thanks for commenting, I think you're the first CheckUser to do so. I missed your ping, you left it during the time that pings were down for a few days. I appreciate the insights from the CheckUser perspective, and I think what you're saying is essentially that my original proposal is unworkable from a technical perspective. My aim is to make things simpler for administrators dealing with undisclosed paid editing, but not at the expense of clarity of technical data. More below. Ivanvector (Talk/Edits) 12:37, 19 October 2017 (UTC)


 * Support I would also like to propose that UPE sockfarms that are using proxies are treated the same way e.g. Japanelemu, Action1212, Special guy from Antarctica & Liborbital from this month. It's obvious that none of these are new users and that they will already have been blocked and CUd before and so we should treat them as such. SmartSE (talk) 20:27, 17 October 2017 (UTC)
 * I think the proxy suggestion is good in principle, but might be more difficult to put into practice. GABgab 21:28, 17 October 2017 (UTC)
 * GAB Do you mean that because it is hard to be sure whether or not they are being used? SmartSE (talk) 08:19, 18 October 2017 (UTC)
 * More in the sense that proxies may not always be an indicator of previous socking (please correct me if I'm wrong). GABgab 14:30, 18 October 2017 (UTC)
 * GAB I find it impossible to believe that a new user would be using socks and proxies to create perfectly formed articles. It's this combination which should be nuked. SmartSE (talk) 22:45, 24 October 2017 (UTC)


 * Support, would potentially speed up the process, particularly in terms of WP:DUCKing meatpuppets that aren't formally socks. Brandmeistertalk  09:29, 19 October 2017 (UTC)
 * This proposal is unworkable - see BU Rob13's comment a few lines above and my reply. My intention in starting this thread is to discuss how we might better organize cases of undisclosed paid editing, but as Rob (I think) points out, combining cases in this manner is going to make it more difficult to connect users on the technical side, which is the opposite of what we want to do. As far as that goes, I think it's back to the drawing board on this one. If the clerks are to take anything out of this, I think it's that we ought to be less reluctant to merge cases when there is overlapping technical information and evidence of undisclosed paid editing. But creating a single "container" case isn't going to work. Ivanvector (Talk/Edits) 12:37, 19 October 2017 (UTC)
 * I'd be completely fine with merges with substantial technical overlap. It's just a full container case that would be an issue. ~ Rob 13 Talk 13:04, 19 October 2017 (UTC)
 * Yeah, it is as some of the other clerks and patrolling admins put it, while it seems like a good idea, a lot of it will be messy and a technical nightmare to deal with. We didn't exactly need consensus for this but more of a discussion on feasibility and there isn't much. -- QEDK ( 愛  •  海 ) 15:00, 19 October 2017 (UTC)

UPE taskforce

 * What I'm increasingly convinced we need is a task force working on paid editing issues, including the handling of private/personal information related to paid editing. This idea was endorsed by the community at this discussion. I may become more active in trying to get that proposal "on the map" in the near future. ~ Rob 13 Talk 21:43, 19 October 2017 (UTC)
 * User:BU Rob13 This is an idea I strongly support. How should we go about creating such a group? Should the community define a broad outline (such as elections versus appointments, number of positions, terms, etc). And than allow the group to determine some of the finer workings? I would be happy to push for some support from the WMF (such as legal insurance, etc).  Doc James  (talk · contribs · email) 22:26, 19 October 2017 (UTC)
 * Insurance, yes, and strong passwords or 2FA for anybody on this taskforce. ☆ Bri (talk) 22:37, 19 October 2017 (UTC)
 * Are functionaries required to have 2FA? As board members we are. Doc James  (talk · contribs · email) 22:42, 19 October 2017 (UTC)
 * Currently, the group for private information is ArbCom, which gets its role from the WMF. I think that's where the paid editing group must originate (either ArbCom or the WMF, but with the blessing of both). We're going to need to require members to be identified to the Foundation and sign the agreement on access to non-public information, for instance, and that requires some WMF input. I have many thoughts on this. Hold tight for a bit, and I'll email you shortly. I do think I have a road map to a solution. (As for 2FA, I was never told I had to have it when I became a functionary, but it was heavily implied I would be beat upside the head if I did not. I enabled it promptly.) ~ Rob 13 Talk 01:50, 20 October 2017 (UTC)
 * Agree with you that flipping the switch for this new group will either come from arbcom or the WMF. Either will likely want to see community consensus and a plan. We have a sort of community consensus now... Next is the plan. Doc James  (talk · contribs · email) 05:14, 20 October 2017 (UTC)
 * I endorse this course of action FWIW. I don't think I'd be of much use participating in said task force apart maybe from on-wiki housekeeping, but a focused approach to dealing with UPE issues will take a lot of the present burden off of SPI. Ivanvector (Talk/Edits) 12:31, 20 October 2017 (UTC)

I'm also definitely in favour of a taskforce of some kind. In particular, I'm getting a bit fed up of noting the behavioural indicators of UPE in public since this will obviously lead to them learning not to get caught so easily in the future. Dealing with UPE is quite different to standard COI too and it would free up COIN to deal more with good-faith contributors seeking assistance, as well as the less clear cut COI issues. SmartSE (talk) 20:16, 24 October 2017 (UTC)
 * Agreed with Smartse on all counts, though I think this is likely best to come from ArbCom as a subcommittee similar to 's suggestion in the RfC. I think the committee would have justification given the RfC outcome to act on this. We already have a history of subcommittees comprised of community representatives and arbs from the old audit subcommittee, and I think this could work similarly. Its clearly within arbcom's mandate because it deals with matters unsuitable for public discussion for privacy, legal, or similar reasons. TonyBallioni (talk) 22:28, 24 October 2017 (UTC)
 * I can guarantee the arbitrators will not lead a subcommittee on this issue themselves. They don't have the time and it isn't the job they signed up for. ~ Rob 13 Talk 19:16, 25 October 2017 (UTC)
 * Agreed, nor was I really thinking that they should. I was just noting that having it under their aegis would probably be the easiest way to deal with it, even if it is something that they delegate to a different group. They're currently the body tasked and mandated with dealing with private information, and any committee/commission would likely need to include functionaries, who are already appointed by arbcom. It would also be able to audit the work of those serving, which I think is important for privacy reasons. My main reason for thinking it'd be best to fall under arbcom is that its also likely to be the method that people are going to be most willing to accept: its a lot easier to get buy-in when operating within existing structures than by creating entirely new ones. TonyBallioni (talk) 20:04, 25 October 2017 (UTC)


 * has mentioned WP:DUCK, I would mention that it has been greatly avoided in this whole case. For example, a sock was blocked for making same disruptive edits as socks of this sockfarm, but then unblocked after he whined on his talk page, and he returned to his disrupting editing. He was re-blocked only after he admitted off wiki that he is a sock belonging to this sockfarm. Then there is another case where the very new account only shared same distinctive edits, traits, subjects/articles/templates (mostly riots in India), a "possible" technical connection per CU, and even an AFD, however the inactive account still remains unblocked. I can't be too sure though because it is possible that may have overlooked this diff. We should really establish this fact that these accounts have great interest in Indian riots. Capitals00 (talk) 04:26, 5 November 2017 (UTC)


 * Support - as the one editors who has led the field for years for  improvement  of NPP until I  semi-retired from  it  recently for  a change  of focus on  Wikipedia, I  will go  with  anything that  improves sock and UPE investigation. Kudpung กุดผึ้ง (talk) 03:06, 8 November 2017 (UTC)


 * I've split this out into a separate subsection as it is a different tack to the original thread. It seems that we're all in agreement about the need to take this forward, so I think we should begin to flesh out the details on how it would actually work. While there are similarities to the proposal Rob linked to I think it needs to be much broader than dealing only with private information. My main reason to support this is that while we are becoming increasingly capable of detecting UPE, if we detail how we go about it in public and the evidence that we find convincing then we are just providing UPEs with a list of how to avoid detection. It's a cat and mouse game that we're increasingly losing because of the relative ease at which socks can avoid detection through CU. These are the main questions that I think we need to scope out first before taking the proposal to the wider community: SmartSE (talk) 13:49, 8 November 2017 (UTC)

Why?
Undisclosed paid editors are becoming increasingly sophisticated and can use various techniques to avoid detection. We have a number of tools available to spot articles created by UPEs but sharing the evidence publicly only provides them with information on what they should avoid. I obviously won't go into details, but have noticed some UPEs have definitely learnt to avoid one hallmark that I've often used to distinguish UPEs. The use of throwaway accounts and techniques to avoid being linked together by checkusers is also on the increase. A private venue would allow members to evaluate these contributions and potentially spot behaviouarl editing patterns that conclusively link such accounts. To a large extent, this is already occurring in private emails, but establishing a taskforce would centralise discussions and also provide greater oversight between members. SmartSE (talk) 13:49, 8 November 2017 (UTC)

Who?
This is likely to be the most difficult issue to iron out. I expect the majority of members would be admins or functionaries, but we would not want to limit ourselves to this, so would need a process by which other trusted users could become members. One sensible limit would be to only allow access to users already active in COI/UPE now in order to stop anyone trying to game access to the taskforce. We need to be sure that we are acting in line with the wider community's views on UPE. SmartSE (talk) 13:49, 8 November 2017 (UTC)
 * It's likely that WMF would require participants to have passed RfA. As I understand it that is their minimum for trusted access to non-public information. Ivanvector (Talk/Edits) 16:53, 8 November 2017 (UTC)
 * Ok well we may want to think about how to separate out the private information side of things from general UPE. Correct me if I'm wrong, but the private material is relatively rare compared to the rest. I can think of quite a few highly trusted users who work on UPE who aren't admins and it I don't see why to exclude them. SmartSE (talk) 17:01, 8 November 2017 (UTC)
 * You have OTRS, which includes private information as well, and that doesn't require an RfA, and technically CU doesn't either, just public vetting equivalent to RfA (so our functionary selection process allows non-admins, we just don't appoint them in practice). I think one of the issues here would be that it has been proposed for there to be a  that would be like  . If that were to be made a thing, I think you'd face similar opposition to non-admin members of this group that you saw during the last round of functionary appointments. I would personally be open to it because I can think of multiple editors who I trust implicitly on this who are not admins, but getting both community and ArbCom buy-in for it might be difficult. TonyBallioni (talk) 21:09, 8 November 2017 (UTC)

What?
I envisage something similar to the CU wiki being used to discuss suspicious accounts or articles where there is insufficient evidence to start SPIs or discussions at COIN, or where we believe they are already sophisticated long-term abusers and we do not want to disclose how they are detected in public. Once a consensus is reached that within the taskforce that it is UPE, then cleanup would occur into public at conventional venues. I'm also hopeful, given numerous discussions, that we can begin to automate detection of UPE using machine learning or using tools similar to NPPbrowser. If such tools were to exist, I can't see how they could be publicly accessible and still function and so limiting access to members of the taskforce would be one option. SmartSE (talk) 13:49, 8 November 2017 (UTC)
 * I have been thinking about something like that recently and this really sounds like a good idea to deal with the problem that is yet to be resolved. Capitals00 (talk) 16:23, 8 November 2017 (UTC)

Article histories
When reviewing an article that has been worked on by UPE sock farms, one of things that is inefficient, is identifying which edits were made by socks. This makes it harder to evaluate if edits by a new account are similar to the socks.

I am wondering, if after an account has been identified as a member of a sock farm (including these massive UPE nests), if there is some way to show contribs by socks in article histories.

This could be done by
 * a) renaming the account from "X" to "X, sock of Y", or
 * b) have some flag show up in the history. The history current shows the following fields: time/date, username, size of edit, byte delta, and edit note.   Am suggesting "sock" be added, maybe after the username.

Option a) could be done as part of the blocking process. I realize b) would require deeper changes in the underlying software and would have to be implemented elsewhere.

Or maybe there are other ways, or maybe nobody else thinks this would be very useful.

Thoughts? Jytdog (talk) 20:27, 21 October 2017 (UTC)
 * Is there a way to apply the current edit-tagging system to achieve option b? ☆ Bri (talk) 20:56, 21 October 2017 (UTC)
 * A bot could tag the edits (e.g. added a tag for this edit (although I cannot remove that one like I wanted to ). —&thinsp;JJMC89&thinsp; (T·C) 01:31, 22 October 2017 (UTC)
 * Yes, just use these tags and search for filters such as removal of AFD/CSD tags, suspected recreation or cut-and-paste move, etc. GABgab 01:35, 22 October 2017 (UTC)
 * None of those "sock". Jytdog (talk) 01:37, 22 October 2017 (UTC)
 * True, but it's a very good way to catch socks. GABgab 01:38, 22 October 2017 (UTC)
 * Yes but I am talking about trying to look for similarities/differences between new account X and past socks on a specific article. The gadget that does strike-outs is the best answer i have seen. nonspecific for socks but narrows things down considerably. Jytdog (talk) 01:47, 22 October 2017 (UTC)
 * Yes, but an admin could create a sock tag. A bot could then add that tag to sock edits. —&thinsp;JJMC89&thinsp; (T·C) 05:19, 22 October 2017 (UTC)
 * In the Gadgets section of your preferences, look for the "strike out usernames that have been blocked" option. After it's enabled, all blocked editors' usernames will be struck out in page histories. Sro23 (talk) 20:57, 21 October 2017 (UTC)
 * Hm that is a helpful thing. Not dead on but very helpful. Thanks! Jytdog (talk) 21:34, 21 October 2017 (UTC)
 * The gadget wording should be changed from "have been blocked" to "are currently blocked." Binksternet (talk) 04:43, 22 October 2017 (UTC)
 * Also note that if you have that gadget enabled, blocked users' usernames are struck, and indef-blocked usernames are struck and in italics.. Subtle difference that might be useful.
 * In addition to that, you could add User:The Voidwalker/histFilter.js to your common.js, which adds a button to your page history view so that you can filter to see only edits by blocked accounts. I'll warn you in advance that it's not very pretty, though. If you don't know how to add things to your common.js, just ask. Ivanvector (Talk/Edits) 15:51, 24 October 2017 (UTC)

Cross-wiki activity
I have off-wiki evidence and internal evidence that English Wikipedia has picked up on another Wiki with a similarly-named account. Unfortunately I don't speak the other wiki's language and don't know how to approach them. Is there an avenue for this?

By the way their off-wiki advertising asserts that they are placing backlinks to give the clients' websites (which are English it appears, at least one in the US state of Indiana) "high DA and UR authority" so this is an SEO operation aimed at Google search, more than it is aimed at actually contributing constructively to the other wiki. ☆ Bri (talk) 18:41, 8 November 2017 (UTC)


 * There might be somewhere better, but Steward_requests/Checkuser is certainly one option. SmartSE (talk) 20:47, 8 November 2017 (UTC)
 * Just email the functionaries team and they'll deal with it. It's a thumbrule for most sensitive issues. -- QEDK ( 愛  •  海 ) 14:09, 9 November 2017 (UTC)
 * Thanks for the tips. I've gone with the functionaries option. Also have for the spam blacklist. ☆ Bri (talk) 18:53, 9 November 2017 (UTC)

Sock category deletion request
Please see Wikipedia:Miscellany for deletion/Category:Wikipedia sockpuppets of 118 alex. — Berean Hunter   (talk)  12:14, 15 November 2017 (UTC)

User compare report
The template that populates new SPI reports includes a link that looks like this:
 * User compare report Auto-generated every hour.

The thing is, these are not auto-generated every hour. The links are currently 404'D!! but I don't recall there being an update time included in the auto-generated reports, so how "fresh" they are is anyone's guess. Since we have the editor interaction tool directly below it, do we still need a link to this report? Do any clerks still use it? I don't, per aforementioned unreliability. Ivanvector (Talk/Edits) 20:39, 15 November 2017 (UTC)
 * Yeah, I've never been able to get it to work. GABgab 23:20, 15 November 2017 (UTC)
 * I generally use it when works. Unfortunately, that's rare enough that I probably wouldn't miss it if weren't there anymore. Sir Sputnik (talk) 00:21, 16 November 2017 (UTC)
 * Here's the directory of those that seem to be updated (addendum: I've been told that an API change caused the error but has now been fixed). Although not on the SPI team, I find it somewhat difficult to parse the information. Additionally, the interaction timeline is in alpha at Community health initiative/Interaction Timeline which will probably make the need for the compare report even less. Nihlus  00:42, 16 November 2017 (UTC)
 * The only memory I have of this is that it used to work. I have checked out the new alpha feature and it seems cool and usable, the old User compare was minimalistic as hell and worked pretty fast. Let's see how it crops out. -- QEDK ( 愛  •  海 ) 12:34, 16 November 2017 (UTC)
 * Alright, wait and see, I can handle that. The alpha interaction timeline tool does look promising. Ivanvector (Talk/Edits) 13:43, 16 November 2017 (UTC)

Checking an editor without a known sock puppet?
I came across an editor - specifically with a low volume of errorless edits (5) and had what I think is surprisingly good use of "reference name" and "cite news". Is this something that should be looked at? My initial thought looking at the edits is that this editor probably made a lot more edits to be to so facile - i.e. uses another account. MartinezMD (talk) 01:53, 16 November 2017 (UTC)
 * Well, the first tip is to assume good faith. Unless the editor shows particularly disruptive tendencies, it's best to not suspect them of anything (yet). -- QEDK ( 愛  •  海 ) 12:34, 16 November 2017 (UTC)
 * What QEDK said. There are lots of reasons someone might abandon an account and start a new one, or even use more than one at the same time. As long as they don't tick one of the boxes under WP:ILLEGIT, there's (edit: usually) no problem. Ivanvector (Talk/Edits) 13:44, 16 November 2017 (UTC) edited by Ivanvector (Talk/Edits) 16:26, 16 November 2017 (UTC)
 * Thanks for clarifying. MartinezMD (talk) 16:01, 16 November 2017 (UTC)

Auto-categorizing?
New categories for suspected and confirmed puppeteers regularly appear on Database reports/Uncategorized categories, where someone needs to manually add them to Category:Wikipedia sockpuppets or Category:Suspected Wikipedia sockpuppets. Could someone please modify the script that creates these categories, to do the categorization automatically, with the username as sort key? Thanks! — swpb T go beyond 19:22, 16 November 2017 (UTC)
 * They should be created with, which handles that. —&thinsp;JJMC89&thinsp; (T·C) 05:52, 17 November 2017 (UTC)
 * Also the categories are created manually, not by script. Unless there's a script I could have been using all this time .... Ivanvector (Talk/Edits) 16:59, 20 November 2017 (UTC)
 * I'll sometimes create these manually. In the past, I've found that they tend to be created by AWB users quickly thereafter, though. TonyBallioni (talk) 17:00, 20 November 2017 (UTC)

Socks?
Hi, Apologies if this shouldn't really be here but I don't wanna file an SPI on the off chance I'm wrong, Would anyone say Acodomy and UnathiJ10 are socks of either one another or a larger farm?, Their contribs are near-identical however I could be barking up the wrong tree here, Thanks, – Davey 2010 Talk 01:04, 19 November 2017 (UTC)
 * This isn't our "friend", is it? ~ Rob 13 Talk 03:04, 19 November 2017 (UTC)
 * Good question. Taking a quick look, I'm not seeing anything myself at the moment that stands out., , what do you guys think? Sro, you seem to have a really good eye for our "friend." Amaury ( talk &#124; contribs ) 03:07, 19 November 2017 (UTC)
 * Looking at the articles edited, it doesn't seem to be Orchomen. But there are a lot of disruptive types that frequent the lesser TV channel (esp. Disney and Nick ones) articles, so it could certainly be another socker... --IJBall (contribs • talk) 03:10, 19 November 2017 (UTC)

Suspicious username
is a new account. I don't have any behavioral evidence to point towards a specific sock case, but the username sounds sufficiently like something a block-evading user would use (although of course it could also be entirely innocent) that I'm posting here. Also, their first edits seem rather knowledgeable for a new user, and they showed up at Neuroscience almost immediately after another new account edited there. --Tryptofish (talk) 00:22, 3 December 2017 (UTC)
 * I've blocked both accounts. My suspicion is that there's another account here, but I can't find it in the CU evidence so I've only blocked the other account ( for a week. Callanecc (talk • contribs • logs) 01:58, 3 December 2017 (UTC)
 * Thanks. --Tryptofish (talk) 19:21, 3 December 2017 (UTC)

Did I not open this SPI correctly?
Sockpuppet investigations/Carlo Galanti is the master, the suspected sockpuppet is Tony Strak. Tony S. is at the SPI under Carlo Galanti but the suspected puppet isn't showing up on the main SPI Project page... Shearonink (talk) 03:16, 13 December 2017 (UTC)
 * It looks like might have been off.  I don't know if that would have caused problems, but the SPI pages sometimes need to have their cache purged.  If you're not using the form at WP:SPI to open investigations, I'd suggest using that. NinjaRobotPirate (talk) 04:09, 13 December 2017 (UTC)
 * Well, it's all tagged and blocked now... I used the drop-down SPI menu, not sure what I did wrong - I can see that that line of code is missing but still...not sure what I missed. Thanks for following up though. Shearonink (talk) 04:20, 13 December 2017 (UTC)

Possible block evasion
An SPI opened and closed today included the blocking of an account name and, while looking at Category:Wikipedia articles with disclosed paid content, I noticed an account created today by the name  had added to two articles the same tags the blocked account had  (where the blocked account had been in a dispute with me). Perhaps worth looking into; pinging and, who were involved in the SPI. WWB Too (Talk &middot; COI) 18:37, 15 December 2017 (UTC)

Question about a new sock
The account User: CarloGalanti2 has been blocked as a sock of the master User:Carlo Galanti/Sockpuppet investigations/Carlo Galanti but this account isn't "officially" listed at the account's main SPI page, it is posted as a comment on the latest SPI. Is there a way to add the account to the List of Suspected Socks? (other than opening up another SPI, which would be redundant since the 2 account is already blocked). The SPI report on the latest bunch of Carlo's socks says "This SPI case is closed and will be archived shortly by an SPI clerk or CheckUser." so I am thinking I can't just go in and manually add the account-name to this particular report... Wouldn't it be useful to have the account-name somehow listed along with all of the other aliases at Sockpuppet investigations/Carlo Galanti/Archive? Thanks, Shearonink (talk) 17:33, 1 January 2018 (UTC)

Creating a case?
A small sock farm was identified at User_talk:Annakoppad. Would it be OK with clerks/admins here if I opened a case listing these, so that they are findable here later? Jytdog (talk) 02:38, 7 January 2018 (UTC) — Berean Hunter   (talk)  13:59, 8 January 2018 (UTC)
 * Jytdog, yes, of course.
 * Thanks, will do! Jytdog (talk) 00:11, 9 January 2018 (UTC)
 * In the words of the great clerk and legend, "When in doubt, file away." -- QEDK ( 桜  ❄  伴 ) 08:39, 9 January 2018 (UTC)

Has this process gone off-the-rails, or just this situation?
I am not sure if this is a "bad faith" situation by this user or just confusion with overreaction, or something else. It is disappointing the Clerk did not do due diligence before apparently flippant recommending a verdict. Also disappointingly, the most reassuring behavior is an "Inconclusive" comment to such a sketchy description. X1\ (talk) 21:30, 20 January 2018 (UTC)
 * X1\, please don't confuse suspicion based on evidence with bad faith. I posted evidence that an editor who deals with these situations felt was compelling.  I feel that the coincidences were sufficient to support a check user.  Given the check user came out inconclusive I think my suspicion was wrong.  It still seems odd to me that as a new editor you took more to clean up and working inside of the often byzantine mechanisms of Wikipedia. So while in the end I believe I was wrong I don't think I was wrong to be suspicious.  Regardless, I apologize for your trouble. Springee (talk) 22:30, 20 January 2018 (UTC)

CU needed flag is borked
...is disrupting SPI queue. Take a look at the chart. I didn't see an upstream template. If someone finds it, semi-protect it indefinitely. Someone has borked it up... — Berean Hunter   (talk)  15:07, 19 January 2018 (UTC) — Berean Hunter   (talk)  15:19, 19 January 2018 (UTC)
 * and, somehow, I think it is related to this. After purging my cache, I still see all of those CU needed requests in the SPI queue.
 * For some reason Template:Admin dashboard is a member of Category:Requests for checkuser. So far I haven't been able to locate a change that causes that. Ivanvector (Talk/Edits) 15:20, 19 January 2018 (UTC)
 * I'm pretty sure that it's because of this use of the checkuser needed template, that I removed in attempt to clear it from the SPI list. I then figured that because it is in the SPI list, it is showing up in every transclusion of the admin dashboard, but this edit didn't fix that, unfortunately. It did manage to temporarily break the bot, though. It's a catch-22: the template is showing up in the admin dashboard, but because it's there, it's showing up in the SPI list, and because it's in the SPI list, it's in the admin dashboard... I think. ​—DoRD (talk)​ 15:25, 19 January 2018 (UTC) Oh, and my edit to the template above was an attempt to remove it from Category:Requests for checkuser. ​—DoRD (talk)​ 15:26, 19 January 2018 (UTC)
 * Hmm, that makes sense, I had just narrowed down to Template:Admin dashboard/uaarfpp as being suspect, but couldn't find a transclusion of the template. Purging WP:RFPP might fix it? Ivanvector (Talk/Edits) 15:27, 19 January 2018 (UTC)
 * I have purged that, every admin dashboard template/subtemplate, and every page incorrectly included in the SPI list at least twice. ​—DoRD (talk)​ 15:28, 19 January 2018 (UTC)
 * Yeah, Template:Admin dashboard/uaarfpp is still reporting to be transcluding Template:Checkuser needed, but I can't find it anywhere on the page or on any of the pages it is transcluding. I've tried purging them all. Maybe we'll just have to wait. Ivanvector (Talk/Edits) 15:37, 19 January 2018 (UTC)
 * I've done some null edits, which always trump purging, and it's removed some transclusions. The bot will be around in about five minutes, so we'll see then. -- zzuuzz (talk) 15:47, 19 January 2018 (UTC)
 * That got rid of admin dashboard/uaarfpp, so maybe we're on the right track. ​—DoRD (talk)​ 15:52, 19 January 2018 (UTC)
 * Okay, with some combination of purges and null edits, the cat is now empty. ​—DoRD (talk)​ 15:59, 19 January 2018 (UTC)
 * Yup, it's fixed. I also null'd the remaining dashboards. Purging is not very helpful. -- zzuuzz (talk) 16:02, 19 January 2018 (UTC)
 * Now, is there some way to modify Checkuser needed to prevent this from happening again? Is there a way to have it not recursively add transcluded pages to the cat like it was doing here? ​—DoRD (talk)​ 16:17, 19 January 2018 (UTC)
 * For some reason I took a look at "uaarfpp" and it's making me laugh... How would one pronounce that..."yooarfp"? It's been a long week, it just struck me funny. Have a great weekend everybody & cheers! Shearonink (talk) 22:56, 25 January 2018 (UTC)

Old Tired Sockpuppet Investigations
There are now, by my count, 6 sockpuppet investigations that have had nothing done in 2018, and the last date for them is in 2017. This may be an accident because of the new year or something. Robert McClenon (talk) 15:29, 17 January 2018 (UTC)
 * There are still five old tired sockpuppet investigations. Robert McClenon (talk) 22:23, 25 January 2018 (UTC)
 * I could offer to add reports of dev/null to each of them to require that they be reviewed and closed, but if I made that offer, someone might not realize that it was just a bad joke, so I won't offer. Robert McClenon (talk) 22:23, 25 January 2018 (UTC)
 * I think the best thing someone could do is post concise evidence in the form of a few more diffs. If an open case lingers for more than a month, it's probably because a few admins looked at it, couldn't decide what to do, and moved on to easier ones.  Maybe someone disputes some element of Hungary's political history, and then some other editor comes around and says the same thing about Austria.  To someone knowledgeable about the history of Austria-Hungary, this might be incredibly obvious POV pushing and a clear sign of sock puppetry.  To me, it's just contextless diffs and a vague accusation, so I move on to something that I understand better, like genre warring on 1980s heavy metal bands. NinjaRobotPirate (talk) 04:17, 26 January 2018 (UTC)

What is the most neglected status?
Drum roll. The answer is ... "CU completed". I think we are fortunate at the moment to have a group of hard-working clerks (blatant flattery but true). And I know that many of the cases in this status are tough to close. And I also know that the CUs are the reason the category keeps growing. But (you knew there was a but) it would be great if clerks could tackle some of them. An example: Pleaschamp was opened on August 31. I posted a ping on December 2. And it's still there. I know we're all volunteers, including clerks, and I have no right to push, but ... maybe just a nudge?--Bbb23 (talk) 18:01, 4 February 2018 (UTC)

Colocation providers / webhosts
I've recently made lists of non-locally blocked IP ranges for AWS, Microsoft Azure, Google Cloud, OVH, and Digital Ocean. The method of finding ranges varies a little by provider, where possible I use lists published by the provider (google, amazon, azure) - elsewhere I list every IP range owned by the provider (docean, OVH). Are there any other common webhost-only / colocation-only providers that slip thru that could use blocking? SQL Query me! 14:36, 8 February 2018 (UTC)
 * You know that OVH can be a bit tricky, right? I'd be interested to hear what you can do with Powerhouse Management, AKA Giganews, AKA lots of other stuff, for example . Other problems at this time, though I don't guarantee they're colo-only, include M247, Psychz Networks (e.g. AS40676), Netzbetrieb (e.g. AS201011), and CDN77 (e.g. AS60068), IMO. -- zzuuzz (talk) 15:15, 8 February 2018 (UTC)
 * Hmm, No - wasn't aware of issues with OVH. I've been a customer of theirs for years, and can't see any services available outside of hosting (colo/web/vps/etc). What kind of issues are there? Also, if there are specific AS'es - usually it's pretty easy to see what ranges are associated with those. SQL Query me!  15:26, 8 February 2018 (UTC)
 * I don't remember specifics about OVH, but I think all that's labelled OVH is not all hosting, particularly when it comes to France. -- zzuuzz (talk) 15:56, 8 February 2018 (UTC)
 * I definitely remember issues with OVH ranges in France that included residential allocation not associated with their webhosting services.-- Jezebel's Ponyo bons mots 18:15, 8 February 2018 (UTC)
 * I have reached out to OVH to ask what ranges are French residential customers. Hopefully, they'll be happy to respond to me so I can unblock those ranges. SQL Query me!  04:46, 10 February 2018 (UTC)
 * Linode is a big one. Might be worth looking through Category:Cloud computing providers and Database reports/Range blocks.  I sometimes go through the database report and reblock any colo facility whose block is expiring. NinjaRobotPirate (talk) 15:31, 8 February 2018 (UTC)
 * User:SQL/Non-blocked Linode Ranges I've added Linode to the list generator. I'll look at some of the others in that category as well - thanks! SQL <sup style="font-size: 5pt;color:#999">Query me!  15:52, 8 February 2018 (UTC)
 * HostGator, DreamHost, Rackspace, SoftLayer, and 1&1 Internet are pretty popular. NinjaRobotPirate (talk) 18:33, 8 February 2018 (UTC)
 * I'd also point to SoftLayer and LeaseWeb as two other providers where one should exercise some caution. -- zzuuzz (talk) 18:50, 8 February 2018 (UTC)
 * Thanks, I've added hostgator, dreamhost, rackspace, and 1&1 (Combined everything into one place at User:SQL/Non-blocked webhost ranges for simplicity's sake). As zzuuzz mentions above, I think I'll avoid softlayer or leaseweb. SQL <sup style="font-size: 5pt;color:#999">Query me!  20:04, 8 February 2018 (UTC)

Script issues
I've been having trouble with the SPI helper script over the past few days. About half the time, the script's function either won't load in the "More" drop down or are unresponsive when clicked. Opening the case page in a new window seems to fix the problem. Has anyone else encountered this before? Sir Sputnik (talk) 16:32, 12 February 2018 (UTC)
 * I haven't, at least not recently and not that I can remember.--Bbb23 (talk) 18:07, 12 February 2018 (UTC)
 * No problem for me. Maybe you have a conflict of scripts. If you installed some new script recently, try disabling it.  Vanjagenije  (talk)  22:04, 12 February 2018 (UTC)

Bot malfunctioning
Is someone doing something with the ? Several cases are classified incorrectly. For example, this case is classified as "closed" in the main table, although it has been open for more than a month.  Vanjagenije  (talk)  22:03, 12 February 2018 (UTC)
 * A new error, it got confused when multiple case statuses on one case page were present; Fixed now, thanks! Amalthea  22:51, 12 February 2018 (UTC)

CU request
I'm making a report here as Ponyo suggested. I'd like a clerk to open a case on meta, since I'm an anonymous user and can't open CU requests. My report is about a very very likely cross-wiki vandal using open proxies and abusing sockpuppets besides, recently, normal IPs. The proxies were used from december to january, in some wikis they were blocked. The suspected accounts have been created about one month ago after the proxy blocks and each one was used in different wikis, some of them have already been blocked for sockpuppetry. It's possible that other accounts and IPs belong to the same user, but I could find just the following: If for any of these 4 accounts was used the same IP as for another one, that would mean they were used by the same user, isn't it? These socks, as the proxies, were used to deceive and mislead other users, so that the person behind them couldn't be recognised nor detected, unless with a check like the one I'm asking for. I suspect this because these accounts and IPs were used in the same pages of several projects to do similar or even identical edits, some of them just useless, some inappropriate and some others disruptive. I'm providing here a few evidences about the nature and identicalness of edits by both the previous accounts and IPs belonging to the previous ranges: Some of the edits concern final accents in Italian names, while the others are just inappropriate and disruptive as shown here: Be that as it may, such a use of open proxies and abuse of sockpuppets is forbidden. The socks, once they've been proven to be socks, should be blocked like the proxies, but I think that also the other IP ranges should be locally blocked where they've been used in place of socks and proxies or the vandal wouldn't stop. This is the material I'd like to be brought to meta. I hope that after reading this detailed report and this list of evidences you'll be glad somebody signaled this issue. In case you need more information feel free to demand. Actually there's one more thing, even if at the moment I'm not asking to include it in the CU request. It's a little suspect, but it's not impossible that the user behind all that, that is the sockmaster, is an old registered Italian user I'm not naming right now. I suspect him because the dynamic IPs used are from Northern Italy, because that user from Northern Italy had already made similar edits, because a certain static IP which is linked to him had already made similar edits, and because of this single edit where the sign by that static IP was replaced by the sign by one of the other dynamic IPs: see here. As I've just said, I'm not including any other identities in the check for now, perhaps I'll do it if the check I'm asking for is positive. 151.48.208.208 (talk) 10:21, 7 February 2018 (UTC)
 * Socks: Baka Líte, Fulgencio Kokomeci, Myeuurn, Onpuryvgr.
 * Proxies: 66.160.128.0/18, 72.52.64.0/18, 74.82.0.0/18, 204.246.56.71.
 * IPs: 151.18.0.0/16, 151.34.0.0/13, 151.65.0.0/14, 151.82.0.0/16.
 * Proxy & IP: 66.160.178.43 & 151.34.19.233, 72.52.112.43 & 151.82.52.48, 74.82.17.89 & 151.36.36.227.
 * Proxy & account: 72.52.87.71 & Baka Líte, 74.82.17.89 & Myeuurn.
 * IP & account: 74.82.17.89 & Myeuurn, 151.36.44.150 & Onpuryvgr.
 * Myeuurn, 74.82.35.89, 66.160.178.60, 151.68.133.138, 151.36.44.150, 151.18.15.37.
 * I'm not sure that was suggesting that an enwiki clerk would file a report on meta for you, but in any case:
 * Anon users can open cases on enwiki by filing them per the instructions given on WP:SPI, but as Ponyo noted, a local case won't do much to combat disruption elsewhere.
 * As far as I can tell, there is no prohibition against anon users starting reports at SRCU, so you really should make your case there rather than here.
 * ​—DoRD (talk)​ 13:16, 7 February 2018 (UTC)
 * Exactly. As I noted on my talk page a case could be opened locally, but it would not help with the cross-wiki aspect of the case, which would be better handled at Meta.-- Jezebel's Ponyo bons mots 16:34, 7 February 2018 (UTC)
 * I misunderstood what you told me Ponyo. Okay, if it's as you both said, I'll try asking directly on meta. In case instead they shouldn't accept request from anonymous users nor from user who registered just for that, as I fear, would any of you take my report there? 151.48.208.5 (talk) 09:44, 8 February 2018 (UTC)
 * I can't see any Steward dismissing a report that is supported by strong evidence solely because it was made by an IP or new account.-- Jezebel's Ponyo bons mots 18:10, 8 February 2018 (UTC)
 * Actually it's exactly what's already happened to me when I tried last month: see here. I really would like one of you to bring my report there so that it'll be taken in consideration. I've told you all the information you need about the cross-wiki vandal, the problem I've reported is real, and if you need further details you have just to ask me. Or is there any problem for this request of mine? Tell me sincerely, please. 151.48.213.231 (talk) 11:51, 13 February 2018 (UTC)

Identical sandboxes in multiple accounts...
In cleaning up Database reports/Polluted categories, occasionally I'll run into multiple (in some cases as many as five) accounts with the same "article" in their sandbox (so User:ABC12Fake/sandbox is the same as User:Somethingdifferent/sandbox and User:Theotherone/sandbox which is *not* a copy of an existing article in article space. Does this represent enough for a SP Investigation? If not, is there somewhere else that it should be reported?Naraht (talk) 15:52, 20 February 2018 (UTC)
 * I assume those three are just examples and not actually pages you found? I would say yes, it's worth looking at. Especially if the duplicated article is about a person or business, it's probably undisclosed paid editing and may be related to an article that has already been deleted; the challenge is identifying the master to file a case. Post here or at AN/I, I guess? Although it could just as well be a school project, but we don't know if we don't investigate. Ivanvector (Talk/Edits) 16:06, 20 February 2018 (UTC)
 * Yes, they are just examples, it has been a week or more since I found one and I do a *lot* of edits "coloning" out categories, so I'm not sure that I could locate them again. :( They didn't seem like a school project, so I'll post here if I find that again. Note, I do also find a good number of cases where the same user has multiple sandboxes which are more or less identical, but that isn't for SPI, at worst, it is FAKEPAGE.Naraht (talk) 16:13, 20 February 2018 (UTC)

"Clerk assistance requested" status
While we have a template for this, it would be a good SPI status of its own. I'm sure it's technically feasible, but I wanted to hear others' thoughts. GABgab 23:05, 29 January 2018 (UTC)
 * What would be that status used for? Doesn't every open SPI case need clerk assistance?  Vanjagenije  (talk)  23:23, 29 January 2018 (UTC)
 * Since most open case can also be processed by a patrolling administrator, I think it might be useful to have a status for cases that require attention from a clerk specifically, where, for example, page moves or merges are required. We don't seem to have a consistent way of categorizing cases like this. At time of writing, there are four pending cases that require merges: three are marked for admin assistance, one is on hold. Sir Sputnik (talk) 00:14, 30 January 2018 (UTC)
 * Sir Sputnik - as usual - summed it up better than I could have. GABgab 01:04, 30 January 2018 (UTC)
 * Well, merging indeed needs admin assistance, as ordinary (non-admin) clerks can't do history-merge. This "clerk needed" status wouldn't be useful for cases needing merge.  Vanjagenije  (talk)  03:09, 30 January 2018 (UTC)
 * We are lucky to have many awesome admins who regularly patrol SPI, but in general we want want admin clerks specifically to do the merging. I see so many cases sit untouched for days because they require merging from an admin clerk and it's not like we have an abundance of those. I think a new status could be a good idea. Sro23 (talk) 19:56, 30 January 2018 (UTC)
 * Although most of the time when I use the template, it's addressed reasonably quickly, I agree that a new status would be useful.--Bbb23 (talk) 17:51, 4 February 2018 (UTC)
 * I guess the next step here is figuring out how to implement it. might have some thoughts as the person running the bot that updates the case table. Sir Sputnik (talk) 22:31, 7 February 2018 (UTC)
 * Three technical changes, as far as I can tell: SPIstatusentry and SPIstatusentry/color need to be extended, and the bot must be told of the new status and how it should sort. I'll look into it, should be quick to do, but may still need a day or two ... Amalthea  10:18, 8 February 2018 (UTC)
 * : adding a new status should now be easy to do, you need to add it in four places: SPI case status/core, SPIstatusentry, SPIstatusentry/color, SPIstatusentry/order. Amalthea  11:33, 12 February 2018 (UTC)
 * That all looks pretty straight forward., could one of you do the honours? Two of these templates are full protected. Sir Sputnik (talk) 16:45, 12 February 2018 (UTC)
 * I don't do windows templates.--Bbb23 (talk) 17:43, 12 February 2018 (UTC)
 * I'm not entirely sure how I'd go about adding this status. Apologies for my technical ineptitude. GABgab 17:09, 19 February 2018 (UTC)
 * I've gone ahead and added the new status myself, called 'CLERK', see documentation in Template:SPI case status. The wording I've added is really basic, the icon is the same as others use, the color might be a bit jarring ... please feel free to change as needed (or request the change on the talk page), that should really be straight forward now. Amalthea  18:45, 20 February 2018 (UTC)
 * Thank you! I just used the status for the first time. Great fun, and I like the color.--Bbb23 (talk) 23:16, 20 February 2018 (UTC)
 * This is very useful. Thank you, . ~ Rob 13 <sup style="margin-left:-1.0ex;">Talk 18:43, 22 February 2018 (UTC)

Tools?
Are there any tools that automate creation of a new SPI? -- RoySmith (talk) 15:36, 24 February 2018 (UTC)
 * Twinkle can help automate the creation of a SPI - TNT❤ 15:38, 24 February 2018 (UTC)
 * Ah, cool, thanks. Buried under ARV.  Why didn't I think to look there? :-)  I've had Twinkle installed for quite a while, but haven't explored every corner of its functionality.  I should probably look into it more.  -- RoySmith (talk) 15:54, 24 February 2018 (UTC)

Inquiring about a single account
Is it possible to request an investigation where I only see one user but with a very bizarre editing pattern, potentially suggestive of PR sockpuppeting? This is an account that immediately turned his/her user and talkpages blue and made a number of trivial edits in rapid succession (adding/deleting spaces) to get autoconfirmed many years ago, and now is back from hibernation and only being used to make favorable edits to a not-particularly-important actor's bio. This came to my attention because an acquaintance noted that the (unsourced) birthdate on his bio was totally implausible given that they went to high school together. Calliopejen1 (talk) 20:33, 27 February 2018 (UTC)
 * I usually find it easiest to contact a CU privately when it is an obvious sock and there are grounds for a CU, but you don't know the original master or who the socks are. The SPI formatting doesn't tend to work as well IMO, when there is only one account and it is also the named master. TonyBallioni (talk) 20:36, 27 February 2018 (UTC)
 * You're also likely to be hit with the "CU is not for fishing" response. If it's an obvious sock, or the behavior is egregious enough, block 'em for that; if any socks come out of the woodwork, it should be easier to spot. ~  Amory <small style="color:#555"> (u • t • c) 22:41, 27 February 2018 (UTC)
 * Agree with all the above. Something a checkuser is always asking is, what could I be achieving with this check? In the situation described above, you are either going to find a sock-infested PR operation doctoring numerous biographies, or more likely, just some random IP doing some minor updating to just one article. In the latter case a CU is not going to be achieving much, but which is the actually case is difficult to say from here.. -- zzuuzz (talk) 22:55, 27 February 2018 (UTC)
 * A better place to ask is WP:ANI; socks are still primarily identified by behavior. Checkuser evidence is supplementary and useful for finding sleepers once someone has demonstrated that they are creating sockpuppet accounts, but we still primarily identify people the old fashioned way.  If you believe some shenanigans are going on, but aren't sure who is committing them, asking at ANI is likely to generate better results, as you're likely to attract someone who will recognize the behavior.  -- Jayron <b style="color:#090">32</b> 15:29, 28 February 2018 (UTC)

Thanks all. I emailed a checkuser... Will see what comes of this. Calliopejen1 (talk) 15:11, 28 February 2018 (UTC)
 * Thanks, User:Jayron32. Posted here. Calliopejen1 (talk) 23:13, 28 February 2018 (UTC)

Policy title change discussion
I have initiated a discussion on changing the title of the Sock puppetry policy. Interested editors may wish to comment in the discussion. Ivanvector (Talk/Edits) 15:03, 28 February 2018 (UTC)

Note on update to banning policy
Just as a note, the RfC on the update to the banning policy for repeat sockmasters has been closed as successful. I've updated the banning policy accordingly in this section. I know there was some discussion in terms of the practical parts, and whether it'd be easier to add a parameter to the existing sockmaster template or just to use the banned user template in addition to the tags, so I thought it worth posting here now that the change has happened. TonyBallioni (talk) 13:44, 9 March 2018 (UTC)
 * Should it be emphasized in that section that CheckUser blocks still may not be lifted by any administrator without first consulting with a CheckUser? This reads as though a threestrikes-banned user may have their ban overturned by the community (I agree), but editors confuse "block" and "ban" all the time, and a community discussion still cannot overturn a CU block. Ivanvector (Talk/Edits) 13:53, 9 March 2018 (UTC)
 * Tweaked the footnote and moved it to the end of the paragraph: . That should address your concerns, I think. I didn't know where it would best fit in the text proper, but thought it made sense int he footnote. Yes, the community does not have the authority to lift a CU block. The update just means there would need to be a community discussion after consulting a CU. TonyBallioni (talk) 14:07, 9 March 2018 (UTC)
 * Is this ban retroactive or does it apply hereon? --<span style="font-family:'Trebuchet MS',Geneva,sans-serif"> QEDK ( 後  &#127800;  桜 ) 15:31, 9 March 2018 (UTC)
 * Hereon. We never apply new rules to old cases, since that's not terribly fair to those the rules are being applied against. ~ Rob 13 <sup style="margin-left:-1.0ex;">Talk 17:03, 9 March 2018 (UTC)
 * It'd be a fair assumption to think something like this being put into retroactive effect has no negative implications. --<span style="font-family:'Trebuchet MS',Geneva,sans-serif"> QEDK ( 後  &#127800;  桜 ) 18:33, 9 March 2018 (UTC)

Need history repair of sock-hijacked pages
Per yesterday's report [] can a friendly admin please: Thanks, <b style="color: black;">Crow</b><i style="color: black">Caw</i> 21:30, 19 March 2018 (UTC)
 * Restore or history-merge the deleted article Suman Gupta (actress) to its original location at Sumana. The deleted article should be left red. Protecting either at your discretion as this is a favorite target of his.
 * Move or histmerge Aapke Aa Jaane Se to its original location at Aap Kaa Surroor again leaving no redirect.
 * If you agree that the current AfD warrants a G5 speedy, move/histmerge Chandrashekhar (TV series) to its original location at Talk:Chandra (disambiguation), again with no redirect.
 * re your first request: Suman Gupta (actress) has almost no (deleted) history. Just a redirect, nothing to merge. Is it maybe Draft:Suman Gupta (actress) that should be merged?  Vanjagenije  (talk)  21:45, 19 March 2018 (UTC)
 * Looks like it got double moved to Draft:Suman Gupta (actress) yes. The page should have the history of Sumana (redirect but with a fair amount of history, much from this sock). <b style="color: black;">Crow</b><i style="color: black">Caw</i> 21:55, 19 March 2018 (UTC)
 * Is it OK now (regarding the first request)?  Vanjagenije  (talk)  22:06, 19 March 2018 (UTC)
 * It needs to be back at Sumana which is a valid redirect. <b style="color: black;">Crow</b><i style="color: black">Caw</i> 22:09, 19 March 2018 (UTC)
 * I don't understand. The history is now at Sumana, but is deleted. Should I undelete the whole history, but turn it into a redirect?  Vanjagenije  (talk)  22:22, 19 March 2018 (UTC)
 * Sorry yes. Sumana was originally a valid redirect to Saman (deity) before it was hijacked by the sock, so it should be restored as such with the history, which it seems like you've done. Just need to undelete it now to bring it back to status-quo-ante-sock. The target articles that he moved it to should stay deleted, as they are now. Thanks and sorry for the confusion. <b style="color: black;">Crow</b><i style="color: black">Caw</i> 13:53, 20 March 2018 (UTC)
 * ✅. Seams like your second request was also done by .  Vanjagenije  (talk)  15:35, 20 March 2018 (UTC)
 * Perfect thanks to you both! <b style="color: black;">Crow</b><i style="color: black">Caw</i> 19:57, 20 March 2018 (UTC)

Could actually be a sock rather than the sockmaster
See Sockpuppet investigations/Banasura/Archive for details and in particular edits at WP:RSN. At first I thought this was just a new fairly incompetent editor with a pronounced pov, but their ability to rapidly find new IP ranges to sock through and the language of their attacks makes me wondering if they were a returning editor. Doug Weller talk 18:42, 18 March 2018 (UTC)
 * I see editing this page Bhimbetka rock shelters many years ago. Other than that nothing jumps out. I'm not familiar with these IP ranges either. But I get the same feeling you get, this doesn't seem like a genuine new user at all. Ivanvector (Talk/Edits) 21:04, 19 March 2018 (UTC)
 * It was the communist charge that made me wonder most. Doug Weller  talk 21:11, 19 March 2018 (UTC)
 * These IP searches within SPI might be informative: 117.207.* 117.221.* 59.96.*. I'll check some of these for similarities later if nobody beats me to it. Looks like the user is still active in these ranges btw. Ivanvector (Talk/Edits) 21:18, 19 March 2018 (UTC)
 * , Sockpuppet investigations/117.213.18.8/Archive links to User:Jim1138/IP Hopper from Kerala and seems quite possible. Doug Weller  talk 17:51, 21 March 2018 (UTC)
 * Also, are there any addresses active now I should CU? Doug Weller  talk 19:48, 21 March 2018 (UTC)
 * was active on 117.207.234.132 on some admins' talk pages (by admission) but they seem to have stopped. They're already tagged as a Banasura sock, anyway. 59.96.199.143 appears to be static. I don't see a strong connection between Banasura and 's IP hopper, but I wonder if the IP hopper is related to Sockpuppet investigations/(Chemistry)? There are no IPs in that archive. I wonder if Jim1138 or see anything I don't.
 * I think it's probably safe to consider Banasura a distinct user with sockpuppets, unless anyone finds anything more convincing. Personal observation is supporting more and more my theory that sock puppetry is a cultural phenomenon in the tech communities of some regions, seemingly especially India and eastern Europe, and if we see a blocked user from these areas evading with sockpuppets we should not be too quick to assume they're a returning abuser and not just some random person who's spent most of their tech life finding ways around technical restrictions, and frankly ours are very easy to get around. Ivanvector (Talk/Edits) 12:12, 22 March 2018 (UTC)

Some clerking necessary?
I was looking through some old things, and came back to Sockpuppet investigations/OccultZone/Archive. It seems there's one issue unresolved there. If OZ and AmritasyaPutra are separate people, as we seem to be assuming at the moment, then shouldn't the last couple of reports be moved? If they are not (: I know the unblock was essentially based on giving someone the benefit of the doubt; but what do you think now?) shouldn't this be made clear, especially given that OZ themselves was unblocked a few months after the last report filed here? Vanamonde (talk) 04:20, 22 March 2018 (UTC)
 * I'm asking others. I'm no longer sure that they are separate. 15:02, 24 March 2018 (UTC) — Preceding unsigned comment added by Doug Weller (talk • contribs)
 * I think we should stop assuming that editors tagged as socks of each other are necessarily the same persons. Meatpuppets also get tagged as "socks" and, sometimes, "stolen" or "borrowed" accounts too. Is it possible to disentangle which is which? -- Kautilya3 (talk) 12:39, 25 March 2018 (UTC)
 * I'm less interested in correct record keeping for its own sake, and more interested in having clear documentation that will minimize confusion when dealing with any future sockpuppetry. The OZ sockfarm has supposedly been dealt with; but there's plenty of collusion and tag-teaming going on, much of it by newish users, and plenty of it by users who've learned to dodge the CU. You know of whom I speak. In examining their contributions, I'd like to know, for instance, whether I should compare them to AP and OZ separately, or whether we're considering the whole bunch a single sock/meatfarm with intentionally created behavioral variation. Thanks; I appreciate it. Vanamonde (talk) 13:11, 25 March 2018 (UTC)

Sock puppetry
The below users are doing sock puppetry

1. User:Kleuske

2. User:Paul August

3. User:JohnBlackburne

All three accounts are being operated by same person. — Preceding unsigned comment added by Lptx (talk • contribs) 23:35, 28 March 2018 (UTC)


 * Please follow the instructions on the main page (WP:SPI) on how to open a case. Look for the heading "How to open an investigation", right above the list of open investigations. 青い(Aoi) (talk) 23:39, 28 March 2018 (UTC)
 * Thank you,, for the best laugh I’ve had all day. Pinging and  so they too can appreciate this thorough, careful report.-- JohnBlackburne words<sub style="margin-left:-2.0ex;">deeds 23:41, 28 March 2018 (UTC)
 * Thanks. I needed that. Kleuske (talk) 23:44, 28 March 2018 (UTC)
 * It would be an honor to be able to take credit for all your edits ;-) Paul August &#9742; 23:49, 28 March 2018 (UTC)


 * Dear, I will provide more details. Lptx (talk) 23:52, 28 March 2018 (UTC)
 * Dear or  or  - please have all the laugh - laughter therapy is good for health Lptx (talk) 23:52, 28 March 2018 (UTC)
 * Thanks for removing your personal attack. Paul August &#9742; 00:03, 29 March 2018 (UTC)
 * // - it is quite very difficult predict from which account you will make appearance. Anyways - YES that was a mistake. I have taken it back. Rest admins will take care. Thanks and RegardsLptx (talk) 00:08, 29 March 2018 (UTC)
 * The fact that three editors, each with a ton of edits, disagree wth you, does not make them sockpuppets. They may just be three individual who all happen to disagree with you. Kleuske (talk) 00:10, 29 March 2018 (UTC)

This SPI may need expediting because I AfD-nommed 5 of the evidence articles prior to filing
I normally have the patience of Job with SPI, but I AfD-nommed several articles before I realized there were numerous socks involved. Since the socks concentrated on only a handful of articles, those 5 articles are the bulk of the evidence, and if they get deleted it will be hard for non-admin clerks to review and may also make it harder for admins to review. The SPI in question is WP:Sockpuppet investigations/Keevaymusic. (I also requested CU but I'm beginning to think CU may not be possible, in which case the evidentiary articles become even more important.) Softlavender (talk) 09:21, 28 March 2018 (UTC)
 * This seems straight forward so I will take this. I have applied standard block on the recent two accounts, and I will check around again when I return home. Alex Shih (talk) 09:48, 28 March 2018 (UTC)
 * I've already closed it, but you can do what you wish with it, Alex.--Bbb23 (talk) 14:22, 28 March 2018 (UTC)
 * Brilliant, I think this is good enough for now! Thanks . Alex Shih (talk) 15:20, 28 March 2018 (UTC)


 * Thanks. I'd personally feel calmer if the other socks were blocked too, since if the user remembers those passwords he can simply go back to one of them. Also, there's also the WP:COI element to be dealt with -- all of the still-existing articles the farm created seem to be about the user's own relatives (as noted in the SPI). There's also block evasion to consider -- all of the socks were evading the permablock of the master -- should their articles be CSDed on that score? Softlavender (talk) 02:31, 30 March 2018 (UTC)