Page MenuHomePhabricator

abuse filter should be able to evaluate is IP in range for registered users
Open, Needs TriagePublic

Description

commons case: abuser opens an account, waits a few days for the account to age and abuses pages. Although there are IP based abuse filters in place they do not fire, as the user is now registered and not an anon any longer.

Event Timeline

Matanya created this task.Jan 17 2017, 9:30 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 17 2017, 9:30 PM
Matanya updated the task description. (Show Details)Jan 17 2017, 9:31 PM
MarcoAurelio added a subscriber: MarcoAurelio.

Maybe it's me, but I never understood how to properly use ip_in_range (ip,
range) syntax. Matanya's idea is good, but I can see how this can be
problematic as well wrt user privacy.

This might cause an IP information leak if a filter catches accounts based on a narrow enough IP range, as the hit log would associate the account with the IP range that the filter catches.

This also opens the same discussion we had in the past regarding access to non-public information. If this enhancement is added to AbuseFilter then all admins in the entire WMF wikis (Wikipedias, Wiktionaries, etc.) need to go through identification process, because there is potential for them to access private information about users. I am not sure how realistic that is.

I remember we had a closely related discussion on another Phabricator task about AbuseFilters and IPs, and @Mdennis-WMF or someone else from WMF did a query with legal and eventually stated that any such enhancements might mean we need to have sysops go through identification. I cannot find it this moment but once I do, I will link it here.

Huji added a comment.Jan 18 2017, 12:09 AM

I take it back, it took one smart keyword in an email search and I found it: T107651

Speaking as one, the notion of identifying all Wikimedia admins is fairly unrealistic. Logistical effort aside, there are plenty who for many reasons will not share their personal information with the WMF. And there would be concerns about ageism as well, probably.

Huji added a comment.Jan 18 2017, 3:25 PM

Agreed. Which is why I think this feature should not be added in a way that is available to admins. We can have a discussion about CU-only features in AbuseFilter (which is a huge programming task).