Wikipedia:WikiProject on open proxies

    WikiProject on open proxies

    The WikiProject on open proxies seeks to identify, verify and block open proxies and anonymity network exit nodes. To prevent abuse or vandalism, only proxy checks by verified users will be accepted. All users are welcome to discuss on the talk page, report possible proxies, or request that a blocked IP be rechecked.

    • If you've been blocked as an open proxy, please see: Help:blocked.
    • To report a proxy check or an incorrect block, see the #Reporting section.


    Reporting edit

    Please report IP addresses you suspect are open proxies below. A project member will scan or attempt to connect to the proxy, and if confirmed will block the address.

    File a new report here
    I.
    For block requests:

    Verify that the following criterion has been met:

    • The IP has made abusive contributions within the past week
    For unblock requests:

    Verify that the following criteria has been met:

    • No current criteria
    II.

    For block requests Replace "IP" below with the IP address you are reporting.


    For unblock requests Replace "IP" below with the IP address you are reporting.


    III. Fill out the resulting page and fill-in the requested information.
    IV. Save the page.
    Verified Users/Sysops Templates
    • IP is an open proxy {{Proxycheck|confirmed}} for confirmed open proxies and Tor exit nodes.
    •  Likely IP is an open proxy {{Proxycheck|likely}} for likely open proxies and Tor exit nodes.
    •  Possible IP is an open proxy {{Proxycheck|possible}} for possible open proxies and Tor exit nodes.
    •  Unlikely IP is an open proxy {{Proxycheck|unlikely}} for unlikely open proxies and Tor exit nodes.
    • Not currently an open proxy {{Proxycheck|unrelated}} for IP's confirmed not to be an open proxy or Tor exit node.
    • Inconclusive {{Proxycheck|inconclusive}} for IP's that are inconclusive.
    • no Declined to run a check {{Proxycheck|decline}} to decline a check.
    • Open proxy blocked {{Proxycheck|blocked}} for open proxies and Tor nodes that have been blocked. Please add this if you block the IP.

    Requests edit

    188.215.95.0/24 edit

      – A proxy checker has requested administrator assistance for action regarding the case below. The requested action is below.

    Reason: The range seems to be announced by IPXO (per Hurricane Electric), an "IP marketplace" according to their website. All IPs in the range who have made contributions since 1 January 2023 are active on ExpressVPN, as well as a handful of varying residential proxies according to Spur. I've not done a fully exhaustive check on the range yet, but the only IPs I've seen not flagged as ExpressVPN on the Spur data are .251-.255, though they are still listed as data centre IPs.

    It may also be worth the other /24s listed on HE as being announced by IPXO as well for any that haven't yet been blocked (some have) but probably should be. Sideswipe9th (talk) 20:56, 4 February 2023 (UTC)Reply[reply]

    Ok, I've checked through the other /24s listed. Most are either locally or globally blocked (sometimes both), but I did find a list of 20 /24 ranges that are not currently blocked. I'll check through that list now and see if I can categorise them briefly before posting them. Sideswipe9th (talk) 21:32, 4 February 2023 (UTC)Reply[reply]
    Done some spot checks on the other /24s, alas I don't have the tools or time to do a full check on each range. Results below split into three categories; ExpressVPN, data centre and possible unknown proxy, and unknown. The four ExpressVPN ranges are the ones I'm most confident on, there was only a few IPs in each range for which all were at a consistent last octet that weren't showing as ExpressVPN exit nodes, and the unknown ones at the end are the ones I'm least confident on.
    With all of the ranges currently being assigned by IPXO, I suspect the potential for any individual IP in a range to become a proxy or VPN exit node at random is high, even if the range itself is largely not proxy or VPN exit nodes at this time.
    ExpressVPN:
    Data centre and possible unknown proxy:
    Unknown:
    Sideswipe9th (talk) 22:53, 4 February 2023 (UTC)Reply[reply]
    Flagging this for admin attention. At least for the VPN and datacenter ranges. MarioGom (talk) 12:54, 19 February 2023 (UTC)Reply[reply]
    Could someone please action this? There's a proxy hopping editor on the 192.101.67.0/24 · contribs · block · log · stalk · Robtex · whois · Google range who's just made two disruptive edits against a long standing consensus on Irreversible Damage. Sideswipe9th (talk) 21:24, 7 March 2023 (UTC)Reply[reply]
    ExpressVPN ranges done, hoping to circle back to the rest. --Blablubbs (talk) 16:00, 12 March 2023 (UTC)Reply[reply]
    @Blablubbs I don't know if you even remember this but just thought I'd remind you after a year. Klinetalk to me!contribs 22:01, 1 March 2024 (UTC)Reply[reply]

    161.69.116.0/24 edit

      – A proxy checker has requested a second opinion on this case.

    Reason: VPN server. 73.67.145.30 (talk) 18:38, 17 April 2023 (UTC)Reply[reply]

    McAfee WGCS is a corporate gateway, technically a VPN, but last time it was discussed here, it was not blocked. Requesting a second opinion. MarioGom (talk) 21:43, 26 April 2023 (UTC)Reply[reply]
    Not an admin, so feel free to ignore. Looking at the two prior discussions on this (March 2021, May 2022) it seems that softblocking might be appropriate in this case? There are some McAfee WGCS ranges that we do currently softblock (eg 185.221.70.0/24, 208.81.64.0/21) so this would at least be consistent with them, though there are other ranges that we don't currently softblock (eg 185.125.227.0/24).
    Whatever the decision is from this discussion, we may want to look at making things consistent across all of the known ranges. Sideswipe9th (talk) 21:56, 26 April 2023 (UTC)Reply[reply]
    I have opened Wikipedia talk:WikiProject on open proxies#Corporate VPNs as an attempt to harmonize criteria for corporate proxies. MarioGom (talk) 22:52, 25 September 2023 (UTC)Reply[reply]

    165.85.64.0/22 edit

      – A proxy checker has requested a second opinion on this case.

    Reason: Amazon AWB. 165.85.64.0 - 165.85.66.255 are all registered to Amazon AWB, hence the /22 range in this report. BLP disruption caught by filter log. 73.67.145.30 (talk) 16:45, 28 April 2023 (UTC)Reply[reply]

    2a00:f48:1003:22dd::1 edit

      – A proxy checker has requested administrator assistance for action regarding the case below. The requested action is below.

    Reason: VPN network/Webhosting service. 73.67.145.30 (talk) 08:05, 1 May 2023 (UTC)Reply[reply]

    •   Unlikely IP is an open proxy While ipcheck states it's likely a proxy due to some API data, I'm not seeing any activity on Spur and Shodan, and technical research into the IP didn't turn up anything of note. However, the /48 range this IP belongs to is currently announced by a web and VPS hosting provider from Germany, and the /32 range is assigned to a colocation provider also in Germany. A webhostblock on the /48 or a colocationwebhost block on the /32 might be appropriate in the circumstances. Flagging for a second opinion though because either choice is a big range. Sideswipe9th (talk) 20:26, 17 July 2023 (UTC)Reply[reply]
    I agree a webhost block on the /47 could be appropriate. Flagging for admin attention for the final call. MarioGom (talk) 09:10, 27 August 2023 (UTC)Reply[reply]

    209.35.227.0/24 edit

      – A proxy checker has requested a second opinion on this case.

    Reason: VPN. Perimeter 81. 73.67.145.30 (talk) 18:43, 15 May 2023 (UTC)Reply[reply]

    •   Confirmed While the range is announced by Perimeter 81, and a large portion of it seems to be empty per Spur and Shodan, there are IP ranges within that are active on Perimeter 81's VPN product. However that product is aimed at businesses, with pricing to match. This seems similar to the Zscaler, McAfee WGCS cases that are also open at present. A softblock on the range might be appropriate however, the one contributor who was active on 15 May 2023 was using an IP that's part of their VPN range. While I've tried to pin down the exact range for just the IPs that are part of their VPN offering, it seems somewhat spread out throughout it with gaps, so it might be more expedient to just block it in its entirety. Flagging this for a 2O though, while we figure out how to handle this particular type of VPN provider. Sideswipe9th (talk) 00:22, 19 July 2023 (UTC)Reply[reply]

    46.102.156.0/24 and 94.177.9.0/24 edit

      – A proxy checker has requested administrator assistance for action regarding the case below. The requested action is below.

    https://www.alwyzon.com/en
    

    Reason: Both ranges belong to Hohl IT e.U. aka (Alwyzon) which is an Austrian provider of dedicated servers. Matthew Tyler-Harrington (aka mth8412) (talk) 03:45, 22 June 2023 (UTC)Reply[reply]

      Confirmed as to the ranges with "Customers" in the name (/26), but I didn't check them all. This might also be a job for the ASNbot (AS40994) @AntiCompositeNumber:Mdaniels5757 (talk • contribs) 00:36, 8 December 2023 (UTC)Reply[reply]

    176.126.232.134 edit

      – This proxy check request is closed and will soon be archived by a bot.

    176.126.232.134 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan

    Reason: Requested unblock. I'm unable to edit wikipedia pages from this IP (our office) even when logged in. The IP is statically allocated to us (since Feb 2022), we're not running any proxy and I'm not seeing any unusual open ports or suspicious network activity. xmath (talk) 19:30, 30 June 2023 (UTC)Reply[reply]

    Update: never mind, the block isn't for our IP specifically, apparently the entire IP range has been mistakenly classified as webhosting instead of FTTH/FTTB. xmath (talk) 20:59, 30 June 2023 (UTC)Reply[reply]

      Not currently an open proxy, please unblock the range. — Mdaniels5757 (talk • contribs) 00:42, 15 August 2023 (UTC)Reply[reply]
      Done Q T C 05:55, 2 March 2024 (UTC)Reply[reply]

    157.167.128.0/24 edit

      A user has requested a proxy check. A proxy checker will shortly look into the case.

    Reason: Cloud server/VPN. This is an odd one, because the IP range geolocates to Turkey, and is listed as a VPN network; but most of the edits are to Turkish-related articles. Is this some sort of corporate cloud network? 2601:1C0:4401:F60:8C11:4CC3:7E71:B4CE (talk) 20:54, 13 August 2023 (UTC)Reply[reply]

    My reading is that this is a user or users in Turkey editing via a connection belonging to an enterprise, perhaps a business or a public body, that subscribes to cybersecurity services offered by Forcepoint. It looks to me like a corporate proxy. The contributions suggest a stable connection with largely unproblematic edits and I would not be inclined to take any action at this time. Malcolmxl5 (talk) 02:05, 20 January 2024 (UTC)Reply[reply]

    5.42.72.0/21 edit

      – A proxy checker has requested administrator assistance for action regarding the case below. The requested action is below.

    Reason: IP range belongs to webhosting/VPN service. 2601:1C0:4401:F60:817:B3DA:A0F9:1195 (talk) 18:34, 20 August 2023 (UTC)Reply[reply]

      Confirmed along with most things in [1]. Perhaps User:AntiCompositeNumber could add this (ASN 210644) to User:AntiCompositeBot/ASNBlock? — Mdaniels5757 (talk • contribs) 00:28, 8 December 2023 (UTC)Reply[reply]

    65.151.155.241 edit

      A user has requested a proxy check. A proxy checker will shortly look into the case.

    Reason: WHOIS reports "Network sharing device or proxy server"; Spur says "belongs to a call-back proxy network". Suspicious edits like https://en.wikipedia.org/w/index.php?title=Talk:HTTP_cookie&diff=prev&oldid=1145743447Bri (talk) 16:28, 3 January 2024 (UTC)Reply[reply]

    @Bri:   IP is an open proxy, but not in active use: last edits were ~6mo ago, so I think no action is needed. If a passing admin wants to block I won't object though. — Mdaniels5757 (talk • contribs) 01:10, 4 January 2024 (UTC)Reply[reply]

    117.55.242.132 edit

      – This proxy check request is closed and will soon be archived by a bot.

    Reason: Made an unsourced BLP edit. SPUR shows possible call-back proxy. Nobody (talk) 12:38, 1 March 2024 (UTC)Reply[reply]

    Blocked for one week given the nature of the proxy. --Malcolmxl5 (talk) 04:01, 4 March 2024 (UTC)Reply[reply]

    5.78.0.0/16 edit

      A user has requested a proxy check. A proxy checker will shortly look into the case.

    Reason: Colocation webhost. Looking at the WHOIS info, it appears to belong to Hetzner, a provider of cloud servers, dedicated servers, colocation and web hosting, according to their website. Looking at the block log of this IP, it was blocked in February 2022 for two years as a colocation webhost before. Reason why I'm reporting is because soon after the expiration of that 2 year block, some user at least seems to be using it to vandalise various music-related articles; see Wikipedia:Administrators' noticeboard/Incidents#Need a rangeblock for Oregon IPs for more insight on this. This is an example of their vandalism, where they're introducing incorrect information into the article, with no explanation, sources, etc. There are so many recent edits like these from this range. — AP 499D25 (talk) 13:32, 4 March 2024 (UTC)Reply[reply]

    Hetzner has quite a few ranges. See here for some examples. Nobody (talk) 13:55, 4 March 2024 (UTC)Reply[reply]

    Automated lists and tools edit

    • User:AntiCompositeBot/ASNBlock maintained by User:AntiCompositeBot is a list of hosting provider ranges that need assessment for blocks that is updated daily. Admins are encouraged to review the list and assess for blocks as needed. All administrators are individually responsible for any blocks they make based on that list.
    • ISP Rangefinder is a tool that allows administrators to easily identify and hard block all ranges for an entire ISP. It should be used with extreme caution, but is useful for blocking known open proxy providers. All administrators are individually responsible for any blocks they make based on the results from this tool.
    • IPCheck is a tool that can help provide clues about potential open proxies.
    • Bullseye provides information about IPS, including clues about potential open proxies.
    • whois-referral is a generic WHOIS tool.
    • Range block finder finds present and past range blocks.

    See also edit

    Subpages
    Related pages
    Sister projects (defunct)