
Missing IP addresses for Maroc Telecom
Closed, Declined | Public

Description

A video upload by Agadirhaha demonstrates defeating the ISP-level blackholing of Phabricator (gerrit 368775). Avatars are also displayed (disabled by gerrit:363264, T168142) indicating our WP0 Varnish configuration with Maroc Telecom is out of date.

I've filed a Checkuser request to find the missing ranges.

Event Timeline

Thanks for reporting this.

Phab conf: Regarding the manual IP list for Phab itself in https://gerrit.wikimedia.org/r/#/c/368775/ , based on a few file uploads in Phab that still went through after deployment of that very patch, I've seen the ranges 160.77.0.0 - 160.77.127.255, 160.90.128.0 - 160.90.255.255, 160.105.128.0 - 160.105.255.255.

@Dispenser: WP0 conf: As the video is not available anymore (I'd love to have a copy though): Was there anything included actually showing the IP of the video author? Avatars obviously would be displayed if the IP was not a WP0 one, so I wonder what made it clear that the video author definitely was on WP0.

@Aklapper The user loads 403 Phabricator, pulls down the notification bar with Wi-Fi disabled, Maroc Telecom, and disables/re-enables Mobile Data a few times and reloads for the full Phabricator website.

I found those ranges in a GeoIP database for Morocco back in June (Z567#10320). We didn't include them for fear of blocking Orange Morocco (the only non-WP0 mobile carrier).

https://gerrit.wikimedia.org/r/#/c/368775/ is merged but @Dispenser you are saying there should be another patch adding more IPs? Do we still have ongoing issues? We should just avoid playing a game of whack-a-mole.

@Dzahn The issue demonstrated is that we cannot reliably filter for Wikipedia Zero connectivity. This can be remedied by:

  • Ops continuously communicating with the ISP to get the current ranges, or
  • Documenting that WP0 identification is porous and the only guarantee is country-wide blocking

The account was registered on August 15 and blocked on August 23. According to CheckUser policy this IP information will start to disappear on November 13 (90 days). I'm afraid of inaction losing this opportunity.

ema triaged this task as Medium priority. Sep 28 2017, 2:49 PM

@Keegan You've got less than a fortnight!

7 days. In 7 days the IP information will start disappearing.

https://phabricator.wikimedia.org/T174342#3559407 already lists the IP ranges I'd say. Link seems to be https://meta.wikimedia.org/wiki/Steward_requests/Checkuser/2017-10#Agadirhaha.40commons now. It's unclear to me who is asked in this ticket to look up the corresponding IP.

105.66.130.* and 154.147.0.* are other Moroccan mobile (?) IPs that recently registered on Phab. Might welcome investigation too.

The team squandered a perfect opportunity where a WP0 pirate broke the ISP blackholing, registered an account on mediawiki.org, and finally created an account on Phabricator to upload files. All on a Maroc Telecom IP address missed by the Wikipedia Zero Phabricator block and https://gerrit.wikimedia.org/r/#/c/368775/

@Dispenser: See T174342#3737108 - I don't know who "the team" is and why this task would be invalid.

@Aklapper The Checkuser information is irrecoverably gone and thus the task can no longer be completed and is Invalid. You can change it to decline if you think that's more appropriate.

My point was that Checkuser info isn't the only source as I've posted IP ranges in T174342#3737108 and T174342#3766633 which makes this neither invalid nor declined.

...and we just saw 154.150.77.xx in Phab and 154.144.138.xx

So what does it take for this task to be resolved? Is someone actually looking into it or is it just being pushed around?

We have a set of IP blocks in the Phabricator config (modules/phabricator/files/apache/phabbanlist.conf in ops puppet); we have the IP list that Varnish uses to mark Zero requests with the X-CS header (in /var/netmapper in the varnish hosts); we have the IP configuration on Zerowiki that's in theory maintained by Maroc employees; and on Maroc's side there is presumably some configuration used for the actual zero-rating. Where do we expect the discrepancy to be? Who is looking into it?

Presumably if the pirates go through the effort of uploading files regularly then it works (i.e. some users can actually download them while being zero-rated), right? That would mean they are in the zero rating range as seen by Maroc (otherwise they would be charged), but not in the zero rating range as seen by Varnish (otherwise they would be blocked from accessing Phabricator files). So it seems like the problem is external and someone from Partnerships should ask Maroc to double-check?

Alternative theories:

  • Something is wrong with the zerofetch script so IP ranges in the Varnish config do not match those on Zerowiki (seems pretty unlikely).
  • Something is wrong with the block configuration; there is some other way to reach Phabricator files that's not affected.
  • Downloaders are not actually getting zero-rated, but they somehow haven't noticed. In that case it's just phabbanlist.conf that's out of sync with the rest (would not be too surprising as it was just manually copied once and then not maintained).
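An added example (not part of the thread and not code from the ops puppet repository): one way to test the "out of sync" theories above is to normalise every range source to CIDR blocks and compute what one list covers that another does not. The observed ranges are the ones quoted in this task; `BANLIST` and `NETMAPPER` are constructed sample lists, not the real contents of phabbanlist.conf or /var/netmapper, and `to_networks` and `uncovered` are hypothetical helper names.

```python
import ipaddress

# Ranges and partial addresses reported in this task.
OBSERVED = ["160.77.0.0 - 160.77.127.255", "160.90.128.0 - 160.90.255.255",
            "160.105.128.0 - 160.105.255.255", "105.66.130.*", "154.147.0.*",
            "154.150.77.xx", "154.144.138.xx"]
# Constructed sample lists (assumptions), standing in for the two configs.
BANLIST = ["160.77.0.0/17", "160.90.128.0/18"]
NETMAPPER = ["160.77.0.0/17", "160.90.128.0/17", "160.105.128.0/17",
             "154.144.0.0/14"]

def to_networks(spec):
    """Parse 'first - last', 'a.b.c.*' / 'a.b.c.xx', or CIDR into networks."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    if spec.endswith((".*", ".xx")):
        # A masked last octet is treated as the whole /24.
        return [ipaddress.ip_network(spec.rsplit(".", 1)[0] + ".0/24")]
    return [ipaddress.ip_network(spec)]

def uncovered(wanted, configured):
    """Return the parts of `wanted` that no network in `configured` covers."""
    cfg = list(ipaddress.collapse_addresses(
        n for s in configured for n in to_networks(s)))
    gaps = []
    for net in (n for s in wanted for n in to_networks(s)):
        remaining = [net]
        for c in cfg:
            nxt = []
            for r in remaining:
                if r.subnet_of(c):
                    continue                         # fully covered
                if c.subnet_of(r):
                    nxt.extend(r.address_exclude(c))  # partially covered
                else:
                    nxt.append(r)                    # disjoint
            remaining = nxt
        gaps.extend(remaining)
    return sorted(ipaddress.collapse_addresses(gaps))

if __name__ == "__main__":
    print("observed, missing from ban list:", uncovered(OBSERVED, BANLIST))
    print("observed, missing from Varnish list:", uncovered(OBSERVED, NETMAPPER))
    print("in Varnish list, not in ban list:", uncovered(NETMAPPER, BANLIST))
```

Blocks that show up only in the third result point at a stale manual copy; blocks missing from both lists have to be confirmed with the carrier.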

> we have the IP configuration on Zerowiki that's in theory maintained by Maroc employees

The IP ranges on ZeroWiki for Maroc were last updated in November 2014.

> So what does it take for this task to be resolved? Is someone actually looking into it or is it just being pushed around?

> In T174342#3788928, @Mholloway wrote:
> > In T174342#3787625, @Tgr wrote:
> > we have the IP configuration on Zerowiki that's in theory maintained by Maroc employees
>
> The IP ranges on ZeroWiki for Maroc were last updated in November 2014.

I believe the ask in this task is to ensure that the WP0 IPs we have - which were provided by Maroc - are correct and up-to-date. There doesn't seem to be a clear chain of responsibility for checking on this.

I've reached out to Partnerships about getting in touch with Maroc and INWI for IP range updates.

> I've reached out to Partnerships about getting in touch with Maroc and INWI for IP range updates.

Great, thank you!

Sounds like it would be useful if Partnerships could be added in the Phabricator-based workflow for future updates.

> I've reached out to Partnerships about getting in touch with Maroc and INWI for IP range updates.

@Mholloway: Thanks. Any news / feedback from Partnerships to share when it comes to making sure these IP ranges are up-to-date? Thanks in advance!