Wikipedia:WikiProject on open proxies/Requests/Archives/50


65.151.155.241

{{proxycheckstatus}}

Reason: WHOIS reports "Network sharing device or proxy server"; Spur says "belongs to a call-back proxy network". Suspicious edits like https://en.wikipedia.org/w/index.php?title=Talk:HTTP_cookie&diff=prev&oldid=1145743447Bri (talk) 16:28, 3 January 2024 (UTC)

@Bri:   IP is an open proxy, but not in active use: last edits were ~6mo ago, so I think no action is needed. If a passing admin wants to block I won't object though. — Mdaniels5757 (talk • contribs) 01:10, 4 January 2024 (UTC)
@Mdaniels5757. These types of proxies are rarely blocked for more than a few days. As they have been inactive for months, I'm inclined take no action. Malcolmxl5 (talk) 23:53, 9 March 2024 (UTC)

212.82.69.130

{{proxycheckstatus}}

Reason: Made a unconstructive edit. Has a history of reverted edits. SPUR says Residental/Call-Back Proxy. Nobody (talk) 09:12, 5 March 2024 (UTC)

It’s a school website with an open port 443, the default port for HTTPS, but the website is not secure. The contributions look like typical juvenile stuff rather than proxy use but I’ll block anyway. Malcolmxl5 (talk) 20:56, 23 March 2024 (UTC)

41.215.169.49

{{proxycheckstatus}}

41.215.169.49 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan

Reason: ACC request - Looks to a CGNAT belonging to Airtel Ghana (mobile operator). If cannot unblock, please soften down to AO - RichT|C|E-Mail 23:25, 5 March 2024 (UTC)

Unfortunately this seems to fall in the 'secret-sauce' portion of the bot, since it looks like there was spam activity in the past, but not seeing anything current, so would love some feedback from @ST47:. Q T C 23:25, 6 March 2024 (UTC)
@Rich Smith@OverlordQ. The block has expired. Is there anything left to do? Malcolmxl5 (talk) 14:47, 24 March 2024 (UTC)

161.69.57.14

{{proxycheckstatus}}

Reason: VPN according to proxycheck.io. Recent editing might be greenwashing of petroleum industry-related articles. ☆ Bri (talk) 19:37, 4 April 2024 (UTC)

I’ve checked every IP in the range 16.69.0.0/16 since the beginning of the year and all of them resolve to MCAFEE WGCS VPN service with many being part of other proxy networks. I’ve blocked the /16 range for two years. Malcolmxl5 (talk) 21:24, 5 April 2024 (UTC)

193.187.88.0/24

{{proxycheckstatus}}

Reason: Flagged as proxy by GetIPIntel and IPHub. Firestar464 (talk) 23:25, 5 April 2024 (UTC)

Has just been globally blocked as such. Firestar464 (talk) 23:28, 5 April 2024 (UTC)

46.102.156.0/24 and 94.177.9.0/24

{{proxycheckstatus}}

https://www.alwyzon.com/en

Reason: Both ranges belong to Hohl IT e.U. aka (Alwyzon) which is an Austrian provider of dedicated servers. Matthew Tyler-Harrington (aka mth8412) (talk) 03:45, 22 June 2023 (UTC)

  Confirmed as to the ranges with "Customers" in the name (/26), but I didn't check them all. This might also be a job for the ASNbot (AS40994) @AntiCompositeNumber:Mdaniels5757 (talk • contribs) 00:36, 8 December 2023 (UTC)
I’ve blocked the two /26. Malcolmxl5 (talk) 13:15, 23 March 2024 (UTC)
Closing. — Mdaniels5757 (talk • contribs) 23:07, 14 April 2024 (UTC)

5.42.72.0/21

{{proxycheckstatus}}

Reason: IP range belongs to webhosting/VPN service. 2601:1C0:4401:F60:817:B3DA:A0F9:1195 (talk) 18:34, 20 August 2023 (UTC)

  Confirmed along with most things in [1]. Perhaps User:AntiCompositeNumber could add this (ASN 210644) to User:AntiCompositeBot/ASNBlock? — Mdaniels5757 (talk • contribs) 00:28, 8 December 2023 (UTC)
All the /24 in the /21 are currently globally blocked. I’ve added a local block for the /21. Malcolmxl5 (talk) 12:57, 23 March 2024 (UTC)
Closing. — Mdaniels5757 (talk • contribs) 23:08, 14 April 2024 (UTC)

24.192.34.183

{{proxycheckstatus}}

Reason: Did some vandalism, SPUR says Possible Proxy. Nobody (talk) 09:16, 16 April 2024 (UTC)

Spur now says "24.192.34.183 - Not Anonymous 24.192.34.183 itself does not appear to be part of anonymization infrastructure". Nothing else suggests proxy use. Closing with no action. --Malcolmxl5 (talk) 21:36, 20 April 2024 (UTC)

103.4.93.51

{{proxycheckstatus}}

Reason: See filter log. Has been blocked as a Proxy in the past. Spur says Possible Proxy. Nobody (talk) 07:07, 24 April 2024 (UTC)

220.241.9.173

{{proxycheckstatus}}

Reason: Vandalism, SPUR says Forticlient VPN. Nobody (talk) 07:20, 26 April 2024 (UTC)

Blocked. --Malcolmxl5 (talk) 14:55, 27 April 2024 (UTC)

104.151.103.93

{{proxycheckstatus}}

104.151.103.93 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan

Reason: Requested unblock. This IP address is the public facing IP address of the Wikimedia Deutschland (WMDE) office. The IP address belongs to an IP range of 1&1 Versatel, our internet provider, who statically assigned this address to our fiber optics uplink. We often have events where we introduce future volunteers into editing Wikipedia or their sister projects. Among our colleagues are also many volunteers who get affected by this block. Masin Al-Dujaili (WMDE) (talk) 10:10, 11 April 2024 (UTC)

There's certainly something fishy going on in other parts of the range. Courtesy ping for NinjaRobotPirate. Maybe split the range in half, i.e. block the lower /18? -- zzuuzz (talk) 12:21, 11 April 2024 (UTC)
Sure, sounds fine. I don't remember the exact details of this block any more, but I usually block 1&1 on sight. From Ionos, it looks like they're branching out of just web hosting now, though. NinjaRobotPirate (talk) 16:27, 11 April 2024 (UTC)

IPfe80::e122:d2f:7437:7f9c192.168.255.245

{{proxycheckstatus}}

[[User:|]] · contribs · block · log · stalk · Robtex · whois · Google

Reason: Requested unblock. Agasarah (talk) 21:17, 4 May 2024 (UTC)

89.197.204.196

{{proxycheckstatus}}

Reason: VPN server. 73.67.145.30 (talk) 16:56, 18 June 2024 (UTC)

192.155.107.54

{{proxycheckstatus}}

Reason: Confirmed VPN via Geolocate. Jalen Folf (Bark[s]) 07:10, 29 June 2024 (UTC)

2A10:BCC2:2029:6030:3C22:44CA:5B85:B2BC

{{proxycheckstatus}}

User admitted to being proxy after vandalizing pages. Interestingly, their Uncyclopedia page reveals that their IP is an open proxy for pawns.app. OhHaiMark (talk) 22:24, 29 May 2024 (UTC)

I can’t corroborate that but I’ve blocked the /64 for vandalism anyway while noting that this IP self-admitted to being an open proxy. Malcolmxl5 (talk) 00:32, 2 July 2024 (UTC)

202.134.9.141

{{proxycheckstatus}}

202.134.9.141 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan

Reason: Same proxy sock that got blocked earlier for both ban evasion and editing with proxy. [2] He is still socking to restore the same article.[3][4] Ratnahastin (talk) 15:22, 8 March 2024 (UTC)

There’s a lot of blocks in the history, the most recent is a 3 month /12 block in September for block evasion. Malcolmxl5 (talk) 11:06, 13 March 2024 (UTC)

163.47.119.0/24

{{proxycheckstatus}}

Note sure how reliable this is, but it's identified as a VPN server on the goeloacate link on the contributions page. Assuming that's accurate, I suspect the VPN is being used by at least some one of the editors on this range to evade IP range blocks. Sir Sputnik (talk) 00:31, 12 May 2024 (UTC)

It’s a VPS hosting service. Now blocked. -- Malcolmxl5 (talk) 12:41, 4 July 2024 (UTC)

95.153.32.34 and others

{{proxycheckstatus}}

Reason: recently used by particularly vile LTA. Drmies (talk) 16:29, 8 July 2024 (UTC)

57.140.32.8

{{proxycheckstatus}}

Seems to be a Menlo Security VPN. Checked using Spur (public version) and IPQualityScore and returned as a VPN. Edit history also indicates that it might be a shared IP. However, other services (shown on IPCheck) indicates that it may not be a proxy. ~~2NumForIce (speak|edits) 15:04, 16 May 2024 (UTC)

  Possible IP is an open proxy Appears to be a VDI/DaaS solution rather than an 'open to the public' proxy, but still anonymizing, so 57.140.32.0/24 · contribs · block · log · stalk · Robtex · whois · Google blocked as such. Q T C 22:09, 23 July 2024 (UTC)

15.248.0.0/16

{{proxycheckstatus}}

Reason: Amazon AWS webhosting services. Recently used for vandalism/disruption. 73.67.145.30 (talk) 15:59, 31 May 2024 (UTC)

  Completed as {{Colocationwebhost}} Q T C 22:02, 23 July 2024 (UTC)

136.226.3.95

{{proxycheckstatus}}

136.226.3.95 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan

The range 136.226.0.0/16 was blocked recently. Unfortunately my user account uses a static IP in this range. I use different devices for my editing, but only edit under my account. I also accept if the block will remain in place as it does use ZScaler (an open proxy), but am wondering if an exception could be granted. My account has never been blocked nor have I been under scrutiny for being blocked. Reason: Requested unblock. Conyo14 (talk) 16:42, 20 June 2024 (UTC)

@Conyo14. Consider requesting WP:IPBE. -- Malcolmxl5 (talk) 11:19, 22 June 2024 (UTC)
  Declined to run a check As mentioned, since this is a ZScaler range an exemption should be requested, as this is blocked not only locally, but on the global level as well. Q T C 21:58, 23 July 2024 (UTC)

208.184.210.151

{{proxycheckstatus}}

Reason: ipcheck.toolforge.org reports this as a proxy and geolocation data shows it might be a datacenter ☆ Bri (talk) 22:49, 27 June 2024 (UTC)

  Inconclusive This range appears to be part of Zayo's Direct Internet Access offering which is business/enterprise connectivity, so while there may be a possibility of an open proxy, this seems to be more along the lines of somebody editing at work. Q T C 21:52, 23 July 2024 (UTC)

157.167.128.0/24

{{proxycheckstatus}}

Reason: Cloud server/VPN. This is an odd one, because the IP range geolocates to Turkey, and is listed as a VPN network; but most of the edits are to Turkish-related articles. Is this some sort of corporate cloud network? 2601:1C0:4401:F60:8C11:4CC3:7E71:B4CE (talk) 20:54, 13 August 2023 (UTC)

  Inconclusive. It’s showing up as a Forcepoint gateway proxy. Forcepoint is a company that provides cybersecurity services for businesses and governments so, yes, coupled with it geolocating to Turkey and editing Turkish topics, which is not typical proxy behaviour, this probably is a corporate gateway. It's not very busy and looks low risk; I’ll mark it as inconclusive. Closing. --Malcolmxl5 (talk) 12:05, 2 August 2024 (UTC)

192.189.187.125

{{proxycheckstatus}}

Reason:Listed ISP is FedEx which is not a legitimate provider, in addition these various FedEx proxy ranges are used by a LTA and extensive sock puppeteer HaughtonBrit to block evade and push tendentious edits in various South Asian topics. Southasianhistorian8 (talk) 21:13, 3 April 2024 (UTC)

  Unlikely IP is an open proxy. It's not uncommon for an IP address or range of IP addresses to be owned by non-ISP organisations and I can't corroborate that this is a proxy or VPN. That’s not to say that disruptive editing can’t be blocked where it occurs but this is one edit almost four months ago handled by a revert so there is nothing more to be done now. Closing. --Malcolmxl5 (talk) 12:19, 31 July 2024 (UTC)

110.93.85.16 and others

{{proxycheckstatus}}

Reason: Questionable beauty pageant editing for some time from IPs in 110.93.85.0/24, and recent use by those noted above; spur reports both belong to a call-back proxy network. ☆ Bri (talk) 19:44, 2 July 2024 (UTC)

  • While the behaviour is obviously the one person, their contributions are not abusive. Spur now shows them as 'not anonymous'. An IP has pointed out that the IPs are reported as public proxies in IP2Location (see talk page). However, I can’t see a way to connect to them. Closing.
  Inconclusive Malcolmxl5 (talk) 11:45, 23 August 2024 (UTC)

37.140.254.206

{{proxycheckstatus}}

Reason: vpn ltbdl (talk) 10:10, 2 August 2024 (UTC)

  Confirmed as Express VPN. Closing. --Malcolmxl5 (talk) 10:29, 2 August 2024 (UTC)

72.14.126.22

{{proxycheckstatus}}

Reason: It appears https://spur.us/context/72.14.126.22 is a known proxy and it seems suspiciously used. Pastillawheel (talk) 16:14, 26 August 2024 (UTC)

  • Spur notes a 'possible proxy' and that the IP address belongs to a particular proxy network. Activity from this IP address is likely a mix of anonymous and normal activity. This means not all traffic from this IP address belongs to this proxy network. So I look at the contributions. It’s a long-standing stable connection located in the US with an interest in US subjects. I see no signs of abuse of editing privileges. I think there is unlikely to be proxy use at this time. --Malcolmxl5 (talk) 11:08, 29 August 2024 (UTC)

102.141.49.156 and 94.200.5.30

{{proxycheckstatus}}

Reason: suspicious back-to-back edits with another IP on the same article but the IPs geolocate to different continents, and Spur indicates at least one is in a call-back network. ☆ Bri (talk) 00:55, 29 August 2024 (UTC)

103.242.22.207

{{proxycheckstatus}}

Reason: Added an EFFPR report without triggering an filter, which is something an LTA has been doing with IPs from the IPA region. SPUR also says Possible Proxy. Nobody (talk) 17:42, 30 August 2024 (UTC)

  • Spur notes a 'possible proxy' and that the IP address belongs to a particular proxy network. Activity from this IP address is likely a mix of anonymous and normal activity. This means not all traffic from this IP address belongs to this proxy network. A single edit, while odd, is not enough to make a determination. Closing. --Malcolmxl5 (talk) 15:05, 1 September 2024 (UTC)

104.128.72.34 Comment

{{proxycheckstatus}}

Reason: Wikipedia:Sockpuppet investigations/TotalTruthTeller24 block evasion; https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/104.128.72.34 and https://ipcheck.toolforge.org/index.php?ip=104.128.72.34 confirm it is a proxy. C F A 💬 02:40, 1 September 2024 (UTC)

203.82.39.231

{{proxycheckstatus}}

This is one of a large group of IPs who go on vandalism sprees with no subtlety at all. The edits are copy/paste junk, and the edit summaries are copy/paste junk. No attempt to hide. As soon as one is blocked, another takes over. On every talk page, they've linked an article, like Atelier Ayesha: The Alchemist of Dusk, although there are several others. If you look at the list of user talk pages that link to that article, there are a LOT, and just about every one of them has participated in a similar spree at some point. I noticed just now that the IP I'm reporting quietly came back after I blocked them and removed the article link. Not sure if they're using the article wikilinks to communicate, or to bookmark the IPs they're using? I'm suspicious of the entire IP group, but this one was one of the most recent I've encountered. Joyous! Noise! 23:12, 8 September 2024 (UTC)

  Open proxy blocked. Certainly is, Joyous!. I was able to log onto it and make a a few marks on the user talk page a couple of minutes ago. I’ve reblocked, a hard block, for two years. -- Malcolmxl5 (talk) 01:10, 9 September 2024 (UTC)

205.239.40.3

{{proxycheckstatus}}

Says on whatismyipaddress.com that it is a VPN server. Edits align with that consensus, as it appears clearly to have been used by multiple different users. CutlassCiera 15:49, 1 October 2024 (UTC)

  •   Unlikely IP is an open proxy. Looks like a shared IP address with people editing from a workplace rather than a VPN. It is currently blocked for a week with tpa removed. --Malcolmxl5 (talk) 13:41, 5 October 2024 (UTC)

41.216.42.170

{{proxycheckstatus}}

Appears to be a proxy according to proxycheck.io, GetIPIntel, and IPQualityScore (via ipcheck.toolforge.org). Behaviour is not yet abusive, but reminds me of an LTA who hounds me for a couple of years now: first he is interested in Ukraine, next in one of the unrelated random articles that I've edited recently. At least it's definitely not a new user. — Mike Novikoff 12:59, 13 October 2024 (UTC)

  Open proxy blocked. And blocked. --Malcolmxl5 (talk) 21:50, 13 October 2024 (UTC)

186.180.79.22

{{proxycheckstatus}}

Looks much the same as 41.216.42.170 just blocked yesterday: a proxy according to proxycheck.io, GetIPIntel, and IPQualityScore; the edits are similar too. This one has a block log already. — Mike Novikoff 12:40, 14 October 2024 (UTC)

  Open proxy blocked. Yep. Malcolmxl5 (talk) 15:45, 14 October 2024 (UTC)

5.58.98.183

{{proxycheckstatus}}

Our old friend SwissArmyGuy (now I'm sure it's him) won't stop. Just look at this and that! And, of course, the IP has SOCKS5 on port 8081. — Mike Novikoff 23:50, 14 October 2024 (UTC)

Better please stop, I was moving for a concise versions of Help:IPA, rather than "Standard German" or "Modern Standard Arabic". --5.58.98.183 (talk) 00:09, 15 October 2024 (UTC)
Bingo! You have learned the word "concise" at last, it took only two months. You keep watching all my edits, you don't even deny your identity, yet you don't see what page we are on and what the topic is. — Mike Novikoff 00:28, 15 October 2024 (UTC)
As per Wikipedia:Requested moves, you have to comment like support or oppose as part of the policy. 5.58.98.183 (talk) 00:33, 15 October 2024 (UTC)
Also no evidence related to later IP edits after Pavel Durov. 5.58.98.183 (talk) 00:35, 15 October 2024 (UTC)

103.17.213.98

{{proxycheckstatus}}

The LTA has gone bananas, the open port is now 8080. It's not the first time that he accuses me of "block evasion" and "disruption". I wonder if I can do anything with this madness besides reporting the proxies. — Mike Novikoff 03:25, 15 October 2024 (UTC)

  Open proxy blocked. --Malcolmxl5 (talk) 10:10, 15 October 2024 (UTC)

2.147.21.242

{{proxycheckstatus}}

Reason: Suspicious editing in a topic area with a ton of blocked socks; appears possible to be an Iranian proxy. ☆ Bri (talk) 16:20, 15 October 2024 (UTC)

  •   Unlikely IP is an open proxy. Odd that an Iran IP should show an interest in a Zimbabwean beauty pageant contestant but I see nothing to corroborate that this is a proxy. --Malcolmxl5 (talk) 17:26, 23 October 2024 (UTC)

64.124.54.99

{{proxycheckstatus}}

Reason: Per check at ipcheck. Thanks, Myrealnamm's Alternate Account (talk) 15:42, 23 October 2024 (UTC)

The global block has been removed. Reopening. --Malcolmxl5 (talk) 15:35, 24 October 2024 (UTC)
  •   Inconclusive. This appears to be a Zayo Bandwidth datacenter. Space will be leased to other organisations but I can’t identify the organisation that this IP (and range) is leased to. The behaviour suggests a school to me. Marking as inconclusive. This does not preclude sanctions if there is disruption from the IP. --Malcolmxl5 (talk) 02:24, 31 October 2024 (UTC)

45.230.196.67

{{proxycheckstatus}}

Reason: Abuse by an LTA, targeting editors in edit summaries Joyous! Noise! 16:41, 28 October 2024 (UTC)

  Likely IP is an open proxy. If it’s the LTA I’m thinking of, it’s definitely proxy use. Already blocked. --Malcolmxl5 (talk) 12:06, 31 October 2024 (UTC)

5.202.174.253

{{proxycheckstatus}}

Port 8080 according to proxycheck.io. Looks like yet another block evasion, see revision history of Help talk:IPA/Standard German. — Mike Novikoff 15:45, 29 October 2024 (UTC)

85.117.239.26

{{proxycheckstatus}}

And yet another instance of the same, port 3128. Roaches bloody roaches. — Mike Novikoff 14:01, 31 October 2024 (UTC)

37.157.242.57

{{proxycheckstatus}}

Reason: The specific IP mentioned showed up on my radar with vandalism. A little investigation showed it is in a range owned by range redstation.com Internet as a Service, i.e. server farm. Probably 37.157.242.0/23 if WHOIS is giving me good data. ☆ Bri (talk) 19:59, 6 November 2024 (UTC)

  Open proxy blocked. Yes, redstation is a webhosting company. The ISP is iomart (37.157.240.0/21) who offer cloud and managed hosting services including colocation. I have blocked the /21 accordingly. -- Malcolmxl5 (talk) 22:57, 6 November 2024 (UTC)

93.127.170.206

{{proxycheckstatus}}

Reason: VPN; cf. Spur. Eryk Kij (talk) 15:03, 16 November 2024 (UTC)