Talk:WikiProject on open proxies/Archives/2007

There's been a recent spate of trolling on open proxies on Commons associated with a en.wp troll. Given this, I would like to look into activating this on Commons (I note there is a commented out link here to that nonexistent page). I've posted a message regarding this to the Admin Noticeboard there. Advice and information on how to get this established on Commons would be appreciated, as well as comments. Thanks.--Nilfanion 23:53, 25 January 2007 (UTC)

Hello Nilfanion. Establishing a chapter on Commons requires only minor changes to the templates and page. There should be at least one or two Commons administrators willing to regularly keep that project synchronized. There is a very large number of IP addresses that will need to be blocked initially to catch up with the MetaProject; a user wrote a script to automate this a while back, so I'll see if I can find him. —{admin} Pathoschild 05:29, 26 January 2007 (UTC)

Thanks for the reply, I'll read up on the active chapters over the weekend to figure out what structural pages need to be made on Commons. Obviously the initial catch-up has to be the top priority, no point going any further until thats done. Keeping it up to date is something I am prepared to deal with (I am an admin there), though the more the merrier of course. When you get hold of the script can you poke me?--Nilfanion 19:34, 26 January 2007 (UTC)

I have an account on commons and will be more than happy to help. Geo.plrd 18:20, 16 February 2007 (UTC)

I would also be willing to help. I'm on the trusted user's listed on en:WP:OP (although I haven't really done much work there yet) and am very active on commons (and depending on how my RFA closes, may be an admin). Yonatanh 14:21, 4 March 2007 (UTC)

I've blocked all the IPs listed at WM:OP/B and in Category:Open proxies blocked on all participating projects at the time of this message. This amounts to 660 IPs/ranges (some of which were already blocked). I think this constitutes the majority of the backlog. Are there any other IPs that need to be blocked. If not, lets get the Commons mirror pages established.--Nilfanion 18:28, 20 March 2007 (UTC)

...you are looking for someone to host an online version of NMAP. Is this true? 68.39.174.238 20:44, 16 February 2007 (UTC)

Yep. Such help would be greatly appreciated. —{admin} Pathoschild 05:01, 17 February 2007 (UTC)

Any explanation of what this requires (EG. server service type, ports, etc)? A quick Google search didn't turn anything up. If there's a page explaining the process, I could easily determine if I would be able to do so. 68.39.174.238 22:45, 17 February 2007 (UTC)

An online nmap interface requires nmap itself (see installation guide) and an interface script such as phpNMAP (download, live example), which requires PHP. The input form must use the GET method. —{admin} Pathoschild 00:02:30, 18 February 2007 (UTC)

What exactly is the point of hosting an online installation of nmap? Now that they've got the windows bugs knocked out of it, I can't really see any reason why anyone couldn't simply run it on their own (hell, I'm running it on WinXP as we speak). I'm also not sure nmap's really the best tool to be using for open proxy checking; it turns up few false positives, but even fewer "true" positives. It seems to only detect the blatantly open proxies (those open on common ports, etc.), and even those it only gets right only about 10% of the time. Then again, most proxy checkers are quite inaccurate. Typically, I find simply consulting CWI, the sorbs list, etc., to be a more effective way of determining if a proxy is open than using nmap. Also, as a caution, I'd have to think that running nmap publicly on your server would likely make it quite easily exploitable. If you do decide to install it, I highly recommend you password-protect it, so that only OPV's of the various projects can access it. AmiDaniel 02:02, 28 February 2007 (UTC)

Hello AmiDaniel. The official site still lists a number of limitations with Windows XP SP2. However, the main benefit to an online (password-protected) script is the ability to scan a proxy simply by clicking the 'scan' link on the table. Such a script can be configured ahead of time, simplifying usage to filling in the IP and clicking 'scan'. The nmap limitations you mention depend on configuration; you can make it scan uncommon ports, for example. —{admin} Pathoschild 02:02:51, 28 February 2007 (UTC)

Hmm, okay. Well, the limitations seem quite minor to me, but I do see how this could be convient for doing simple scans. I'm not sure, but I'd also have to figure it may be faster to run this from a dedicated server, as they typically use faster connections, as well. Most proxyscan tools that have been made available in the past by Wikimedians have either been blacklist lookup tools or tools that only scanned a handful of ports, so I would much prefer an online nmap to another of those (although User:Tawker's wasn't bad, I must say). Anyway, I don't think I'd feel comfortable running nmap from my server, but if you need serverspace for anything else, let me know -- I've got plenty to go around. On another thought, have you considered requesting to run this from the toolserver? AmiDaniel 03:13, 28 February 2007 (UTC)

I've considered it, but the toolserver is unreliable and often slow. :) —{admin} Pathoschild 04:02:45, 28 February 2007 (UTC)

Time for another fundraising drive? :D AmiDaniel 06:18, 28 February 2007 (UTC)

Well since they're getting new hardware soon maybe you'll reconsider. :) Yonatanh 14:24, 4 March 2007 (UTC)

Because I haven't found any bot that would block all IP's listed here for me, I created a semi-automatic tool which makes manual blocking a bit faster. After saving page with blocks on my disk I run a Perl script which extracts block URL's from HTML file and creates another HTML file. Opening the resulting file (while having pop-ups blocker disabled in my browser) causes windows with block page for every IP to be opened. All I need to do next is to click "block" button and close the tab. Anyone's interested with the script? --Derbeth 21:01, 17 February 2007 (UTC)

Beware evil admin bot scripts--the anti-efficiency Gestapo will hunt you down :). AmiDaniel 02:03, 28 February 2007 (UTC)

That sounds useful. Would it be possible to make it click the 'block' button as well? —{admin} Pathoschild 02:02:20, 28 February 2007 (UTC)

I bet it would be quite simple to amend the script to use a url with an extra escape "&clicktheblockbutton", and then you'd just need a simple js to do the rest:

addOnloadHook( function() {
   if (window.location.href.indexOf("&clicktheblockbutton") != -1) {
       Document.body.getElementById("wpBlock").click();
   }
});

-- AmiDaniel 09:31, 5 March 2007 (UTC)

Here's the code: User:Derbeth/block-extract.pl. --Derbeth 23:34, 1 March 2007 (UTC)

Hello! My IP is blocked on the English Wikipedia as "open-proxy", but it is not an open-proxy (talk page is protected, so I cannot appeal there). I have also added this IP to "Unblock" section on the page. Thanks. 83.238.180.4 00:06, 4 March 2007 (UTC)

Looks secure to me:

amidaniel@VOYAGER:~> nmap -vP0 83.238.180.4

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2007-03-09 01:31 MST
DNS resolution of 1 IPs took 0.34s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan against ip-83-238-180-4.netia.com.pl (83.238.180.4) [1672 ports] at 01:31
Connect() Scan Timing: About 8.97% done; ETC: 01:37 (0:05:05 remaining)
Stats: 0:05:10 elapsed; 1 hosts completed (1 up), 1 undergoing Connect() Scan
Connect() Scan Timing: About 89.44% done; ETC: 01:37 (0:00:36 remaining)
The Connect() Scan took 366.23s to scan 1672 total ports.
Host ip-83-238-180-4.netia.com.pl (83.238.180.4) appears to be up ... good.
All 1672 scanned ports on ip-83-238-180-4.netia.com.pl (83.238.180.4) are: filtered

Nmap finished: 1 IP address (1 host up) scanned in 366.603 seconds

It is on the SORBS list, but it's been listed for some time. It's possible the ISP finally cleaned up their act and secured their ports. Unless anyone objects, I see no problem with unblocking this ip. AmiDaniel 08:40, 9 March 2007 (UTC)

Blocked again :-(... 83.238.180.4 03:24, 14 March 2007 (UTC)

This is most definitely an open proxy. Checkuser evidence shows that the IP is being used abusively by an individual who calls himself Gen. von Klinkerhoffen. The WHOIS for the IP shows that it belongs to a Polish ISP which is very unusual for an individual who speaks absolutely perfect English and was reading about Brian Peppers on WikiTruth.—Ryūlóng (竜龍) 07:11, 14 March 2007 (UTC)

This is NOT an open-proxy. I've checked it, first with nmap from external host:

# nmap -v -P0 83.238.180.4

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host  (83.238.180.4) appears to be down, skipping it.
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds

then with "live" open proxy check on http://www.richard.zonnet.nl/cgi-bin/nph-proxycheck :

Open proxy check
 Checking your computer (83.238.180.4) for common open proxies... Please wait until the page is loaded 
To check: hosts=1, proto:ports=63, host:proto:ports=63
NumOpen=0(0) NRead=0 Time=10

 If 'NumOpen' is larger than 0 you have an open proxy. Please close it down as soon as possible.
 If 'NumOpen' is 0 no proxy could be detected, we only test a few of the many possible ports.
 Now scanning your computer for common open ports... Please wait until the page is loaded 
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-03-14 22:23 CET
All 1663 scanned ports on ip-83-238-180-4.netia.com.pl (83.238.180.4) are: filtered

Nmap finished: 1 IP address (1 host up) scanned in 54.163 seconds

So, it looks pretty secure. I think some people use "open-proxy" template as an excuse to block uncomfortable (not necessary abusive) users...

So, unblock it ASAP, please, as it is NOT an open-proxy (and never was, AFAIK). 83.238.180.4 21:36, 14 March 2007 (UTC)

One more thing: user talk of this IP is protected at the moment, so I cannot appeal on WP nor change misleading message at the bottom of the page (written by me before this IP has been blocked again). Please, could someone add template {{protected}} or something and add info that this IP is (again) accused of being an open-proxy (which is not true)? Thanks in advance. 83.238.180.4 22:21, 14 March 2007 (UTC)

Some of you probably already know this, but if you type "proxy" on google [1] the first page that comes up is proxy.org (the next hit is the wikipedia entry :) ). On proxy.org, they have a list of 4222 proxies. A few tests showed that around 50% of these are blocked for editing on en-wp. Still, by hitting "random proxy" it is extremely easy to find an open one. You can check the IPs on wikipedia, and I found that many have been used for vandalism. Blocking these proxies would be a great project, and one that is sure to prevent a lot of needless vandalism. Also check out http://www.proxy-list.net/ , which is nice because it lists IPs. Hope this helps, and keep up the good work! 128.113.145.13 15:50, 14 March 2007 (UTC)

Well, unfortunately, claims about being an "open-proxy" are used as an excuse to block some uncomfortable users by abusive administrators, as case of this IP on en-wp clearly shows. 83.238.180.4 21:50, 14 March 2007 (UTC)

Please check your block log. As you're certainly aware, your ip is not blocked because it is open proxy. AmiDaniel 03:33, 26 April 2007 (UTC)

As you are aware, this IP was blocked as open-proxy at the time, when that sentence was written. It means that there are usually no real checks of open ports etc., but IPs are sometimes labeled as o-p just because some people consider some edits as inappropriate (and definitions of "inappropriate" are quite different on different WP language versions; the same with blocking/banning policies and practices etc.). 83.238.180.4 22:14, 28 April 2007 (UTC)

FYI: This IP has been blocked for 1 week on meta, just because of above comment, apparently... 83.238.180.4 20:59, 13 May 2007 (UTC)

Is anyone aware of the following? nl:User:RonaldB has developed some magic to automagically do all sorts of stuff with open proxies and blocking. See Open_proxy_fighting for current results on open proxy counter actions. Aside from a one or two incidents (possible false positive) involving a user with a Thai IP address, open proxy trolling and vandalism has decreased dramatically and without or with very few human interaction. Siebrand 18:52, 20 March 2007 (UTC)

Hrmm, I think there is a method to integrate this into the meta project. This would be a bot job, and the following is a vague specification for it. User:RonaldB regularly blocks OPs using the block summary "Open Proxy" - see his blocking log. If a bot could parse that info (db-dump?) and then add it to Meta:WikiProject on open proxies/blocked on nlwiki using {{proxyip}} and a suitable note could be added. Once listed on that page, admins from the participating chapters here could handle that.--Nilfanion 20:42, 22 March 2007 (UTC)

I generated and posted the list, but it is browser-crashingly long, and seems to cut out at one point. Would a simple list suffice? And to note, don't click the link through to the list unless you have a fast computer, it locks both IE and Firefox for 20+ minutes on my computer. --Michael Billington 07:52, 30 March 2007 (UTC)

Youch, that might need poking around for an admin to delete if its that massive. I should have figured that he was insanely active. Thinking about it, just the plain text file is not likely to be much better; if you upload the list of blocks as plain text that would be a start. Its possible there's nice convenient range blocks that can be applied to save work for the administrators on the projects represented here.--Nilfanion 23:39, 1 April 2007 (UTC)

Assuming we get a manageable list of IPs to block, the next question is what to do with it? Should we treat the IPs as confirmed open proxies and block them all for a couple years - or should they be reviewed as with an unconfirmed OP? There would be serious scalability issues with the latter, but if we don't trust the nl system we have to do that.--Nilfanion 23:39, 1 April 2007 (UTC)

I asked an administrator to delete the old list, and have now re-posted it in a fairly plain format. 1,000 items per page, 15 pages. There's 14,263 open proxies listed in all, (I think en.wiki has just under 20,000). I'm not sure if that counts as manageable, but if this page is anything to go by, then they have already been scanned and confirmed. As long as they aren't too out of date, re-scanning should (hopefully) not be necessary. --Michael Billington 08:30, 9 April 2007 (UTC)

Please try and drag RonaldB here into the discussion. He most probably has all the answers to the questions raised... Siebrand 21:16, 9 April 2007 (UTC)

www.uesp.net has been getting hit with a string of open proxy vandals. Besides those already listed on Wikipedia's list, we've identified several others that people more knowledgeable than us might want to check out. See our Admin board for the discussion on the topic. Lurlock 14:58, 18 April 2007 (UTC)

Our list:

• 125.101.84.47
• 200.238.102.162
• 200.238.102.170
• 210.183.6.153
• 218.63.252.219
• 219.240.36.175
• 221.190.22.14

Well, since no one else has offered, I went ahead and set one up. I've just finished configuring it for OP scanning (though I'm open to suggestions as to how to further fine-tune it), and I'm trying to keep it as utterly secure as possible. It will be running with root access; however, I've disabled loopback/localhost scans and every other dangerous exploit I could think of, and I'm going to be restricting access only to OP verified users of the MetaWikiProject and its sister projects. To request a password, please e-mail me. Details can be found here. I'll post this to enwiki too. AmiDaniel 00:51, 24 April 2007 (UTC)

I have about 5,000 IP addresses that are blocked on wp-fr but are not in the meta list. Is there anything I can do to pre-check them so I don't flood this list with stale proxies? --Gribeco 04:53, 6 May 2007 (UTC)

Please create a subpage with the proxies, and I'll run a quick script to weed out those whose blocks on frwiki occurred more than 6 months ago (seems reasonable to assume a proxy that was open less than 6 mos ago will still be open now). Those blocked longer ago than that will need to be checked again. Once I'm done, I'll forward the lists on to the subprojects. AmiDaniel 03:12, 8 May 2007 (UTC)

Here goes: WikiProject on open proxies/Blocked on frwiki. I already removed the ones that are blocked on enwiki. --Gribeco 23:55, 13 May 2007 (UTC)

Shucks. That one didn't even crash my browser -- was expecting much worse :). Alright, I'll try to parse through it tonight. AmiDaniel 02:49, 14 May 2007 (UTC)

I've duplicated the list on user subpages at:

• en:User:A. B./Sandbox10#12,640 open proxies from fr.wikipedia (permanent link)
  • Unlike the Meta list, the one I constructed uses includes {{IPvandal}} links for each IP; example:
    • 127.0.0.1 (talk • contribs • Info • WHOIS • RDNS • RBLs • block user • block log)

I'm slowly working through the first 1000 annotating which IPs have been used on en.wikipedia for spamming or vandalism. I'm not an admin, so I can block problem IPs I find, but someone can work through my annotations.

My intention is to identify domains spammed through open proxies and take them to be blacklisted at Talk:Spam blacklist. The list of IPs is a sort of byproduct of that effort.
--A. B. ^(talk) 18:27, 23 May 2007 (UTC)

I read somewhere about this site, iwantsurf.com/unblock-wikipedia, and it seems to be an open proxy. Probably it should be blocked (if it isn't already). Waldir 09:38, 29 June 2007 (UTC)

My company happens to use XO Communications for connectivity. Someone has decided that the whole XO ISP address range should be blocked. That seems a bit extreme, but I'm not interested in starting a war around the concept. However, I'm wondering why I am still blocked from editing when I log in. I can see the desire to not allow anonymous edits. But if a person has created an account and is using it, I don't see why they should be blocked.

Along with this I would like to request that 67.152.51.157 be unblocked as there is no possible chance that it is an open proxy.

It is annoying to have the tunnel http through ssh to my cable modem at home just to correct a typo on whatever random page i happen to be on.

How proxies are blocked is determined by the blocking administrator; in general, however, our "policy" is that open proxy blocks should only restrict anonymous editing, not logging in or editing as a logged-in user. You did not specify what wiki this -- is it the meta-wiki, the English Wikipedia, or some other project? If you could provide the relevant range and the wiki on which it is blocked, I'll gladly reblock it accordingly. 67.152.51.157 appears to not be an open proxy, and I see no reason why it should not be fully unblocked. If anyone has a claim to the contrary, please let me know. AmiDaniel 20:41, 23 October 2007 (UTC)

Ah, sorry for leaving out that important information! This is on the english wikipedia. The blocked range appears to be 67.152.0.0/16. It was blocked by Dmcdevit for 'open proxy - XO Communications web hosting service'. I can't speak for the whole class B, but I believe the 67.152.51.0/24 class C should be proxy free. Thank you for your help! Audin 21:04, 23 October 2007 (UTC)

The range has been reblocked to allow for account creation. I'm hesitant in splitting up the range to selectively only block those ips that are presently open because 1) it's a lot of work and 2) they may only be closed/filtered temporarily. Let me know if you have any difficulty. AmiDaniel 22:47, 23 October 2007 (UTC)