Page MenuHomePhabricator
Create Task
Maniphest T166817

Globally block identifiable open proxies
Open, Stalled, Needs TriagePublic
Actions

Description

Project documentation

https://meta.wikimedia.org/wiki/Community_health_initiative/Blocking_tools_and_improvements/Open_proxies

Problem to solve

Editing from open proxies is globally not allowed on Wikimedia wikis as a way to mitigate spam and vandalism. Currently there is no tool that automatically globally blocks identifiable open proxies, but User:ProcseeBot is successfully used on English Wikipedia. @Slakr manages ProcseeBot and is open to enabling the bot on Meta to set global blocks, under the condition that his code is not publicly available. We'll also want to acquire consensus from Stewards.

----

Proposed solution

  • Enable ProcseeBot on Meta to make global blocks of identifiable open proxies.

See also: T380917: Ability to configure a wiki to auto block open proxies (locally block open proxies - not advised for Wikimedia wikis, but potentially useful for third party wikis)

Related Objects
Search...

StatusSubtypeAssignedTask
 StalledNoneT166817 Globally block identifiable open proxies
 Resolved TBolligerT177645 Reach out to ProcseeBot and ProxyBot authors for their input on if/how we can improve the bots
 Duplicate SPooreT177648 Craft plan for on-wiki discussion about open proxy blocking bots
 Resolved TBolligerT177984 Pre-investigation: ProcseeBot & ProxyBot
Restricted Task
 ResolvedDreamy_JazzT354599 [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter
 ResolvedkostajhT360067 Deploy Extension:IPReputation
 ResolvedsbassettT360070 Application Security Review Request : Extension:IPReputation
 DuplicateDreamy_JazzT380454 Provide ip_reputation_tunnel_operators AbuseFilter
 DuplicateSTranT380919 Don't funnel all protected variable access logs to CheckUser temporary account access log
 ResolvedSTranT381052 Investigate: Should we remove the preference check from AbuseFilter's protected variables implementation?
 DuplicateDreamy_JazzT380710 Provide ip_reputation_risk_types variable in AbuseFilter
 ResolvedDreamy_JazzT386913 IPReputation: Create a service to get IPoid data in IPReputation
 ResolvedDreamy_JazzT380918 Provide capability to define new protected variables from other extensions
 ResolvedSTranT385687 Investigate: How should the AbuseFilter variable `user_unnamed_ip` be restricted
 ResolvedDreamy_JazzT380920 Remove the AbuseFilter protected variables preference gate
 ResolvedDreamy_JazzT387333 CheckUser should impose IP viewing restrictions on AbuseFilter's `unnamed_user_ip` protected variable
 ResolvedDreamy_JazzT387331 Provide a mechanism for other extensions to modify protected variables access requirements
 ResolvedDreamy_JazzT387013 IPReputation: Add AbuseFilter dependency in CI and Phan
 ResolvedSTranT387324 Add hook to support custom logging in `ProtectedVarsAccessLogger`
 ResolvedSTranT387328 Refactor CheckUser ProtectedVarsAccessLogger logging out of AbuseFilter
 ResolvedSTranT387329 Investigate: Confirm our logging expectations for AbuseFilter/CheckUser Temporary Accounts logs when using protected variables
 ResolvedDreamy_JazzT390873 AbuseFilter protected variables: Make it possible for protected variable values expire when the IP address expires
 ResolvedDreamy_JazzT390874 IPReputation: Create the initial IPReputation AbuseFilter variables
 ResolvedDreamy_JazzT388781 AbuseFilter / IP reputation: Instrument latency
 ResolvedDreamy_JazzT393665 AbuseFilter IP reputation: Provide documentation and recommendations for usage
 ResolvedDreamy_JazzT396069 Support generation of IPReputation AbuseFilter variable data for previous actions
 ResolvedDreamy_JazzT396079 Support generation of IPReputation AbuseFilter variables for temporary accounts and account creation
 ResolvedSecurityDreamy_JazzT396750 CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id>
 ResolvedSecurityDreamy_JazzT397196 CVE-2025-53499: AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions
 ResolvedSecurityDreamy_JazzT397221 CVE-2025-53498: AbuseFilter batch testing tool do not log when protected variables are in the test pattern

Event Timeline

TBolliger created this task.Jun 1 2017, 5:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 1 2017, 5:58 PM
MarcoAurelio subscribed.Jun 6 2017, 9:37 PM
TBolliger moved this task from Product/Tech backlog to Snackbox on the Anti-Harassment-Team board.Oct 5 2017, 9:54 PM
TBolliger added a subtask: T177645: Reach out to ProcseeBot and ProxyBot authors for their input on if/how we can improve the bots.Oct 6 2017, 6:31 PM
TBolliger created subtask T177648: Craft plan for on-wiki discussion about open proxy blocking bots.Oct 6 2017, 6:33 PM
TBolliger moved this task from Snackbox to Analytics on the Anti-Harassment-Team board.Oct 11 2017, 5:56 PM
TBolliger renamed this task from ProcSee bot improvements to Epic ⚡️ ProcSee bot improvements.Oct 18 2017, 6:34 PM
TBolliger added a subtask: T177984: Pre-investigation: ProcseeBot & ProxyBot.
TBolliger closed subtask T177984: Pre-investigation: ProcseeBot & ProxyBot as Resolved.Oct 24 2017, 8:59 PM
TBolliger updated the task description. (Show Details)Nov 6 2017, 9:53 PM
TBolliger changed the status of subtask T177648: Craft plan for on-wiki discussion about open proxy blocking bots from Open to Stalled.Nov 20 2017, 7:45 PM
TBolliger renamed this task from Epic ⚡️ ProcSee bot improvements to Epic ⚡️ Global proxy blocking bot/tool.Nov 27 2017, 5:23 PM
TBolliger mentioned this in T177645: Reach out to ProcseeBot and ProxyBot authors for their input on if/how we can improve the bots.
TBolliger closed subtask T177645: Reach out to ProcseeBot and ProxyBot authors for their input on if/how we can improve the bots as Resolved.
TBolliger renamed this task from Epic ⚡️ Global proxy blocking bot/tool to Globally block identifiable open proxies.Dec 7 2017, 8:01 PM
TBolliger updated the task description. (Show Details)
TBolliger added a project: Stewards-and-global-tools.
TBolliger added a subscriber: Slakr.
Huji subscribed.Dec 7 2017, 8:17 PM
Rxy subscribed.Dec 8 2017, 9:31 AM
Rxy added a comment.Dec 8 2017, 11:09 AM

I'm interested in this. I think that is helpful for mitigation massive attacks via Open Proxy. WMF wikis having massive attacks via Open Proxy in some times (e.g. P5117 ru.wiktionary, HEAVY PAGE: ja.wikipedia).

In Japanese Wikipedia and SWMT wikis ("#cvn-sw"@freenode), PxyBot are checking Open proxy connectability (some ports) for each posts per IP users.
If that is an Open proxy, In case of detected from Japanese Wikipedia: PxyBot have been block it automatically. In case of detected from SWMT channel : Report it as Open Proxy detection at that channel and adding black list to CVN Bots.
if not so, simply cache as 'not detected' That result is cached for few months, and cached IP are not re-scanning.
(Note: I'm now planning PxyBot migrating to CVN.)

TBolliger added a comment.Dec 8 2017, 7:29 PM

Hi @Rxy — Thanks for finding this ticket and commenting! I wasn't aware of PxyBot — it's good to find other examples of how this problem is being solved. It seems like the big difference between PxyBot and ProcseeBot is that PxyBot is reactive (checks IPs that make edits) while ProcseeBot is proactive (routinely harvests potential proxy IPs and checks if they are proxies.) They both seem like sane approaches — do you have any thoughts about ProcseeBot's methodology?

Also, can you please clarify for me what happens on SWMT wikis? What happens when it is reported at the channel and added to the blacklist?

JEumerus subscribed.Dec 9 2017, 8:51 AM
Rxy added a comment.Dec 17 2017, 11:47 AM
In T166817#3823722, @TBolliger wrote:

Hi @Rxy — Thanks for finding this ticket and commenting! I wasn't aware of PxyBot — it's good to find other examples of how this problem is being solved. It seems like the big difference between PxyBot and ProcseeBot is that PxyBot is reactive (checks IPs that make edits) while ProcseeBot is proactive (routinely harvests potential proxy IPs and checks if they are proxies.) They both seem like sane approaches — do you have any thoughts about ProcseeBot's methodology?

I think ProcseeBot's blocking logs can be used as an Open Proxies list functionally (e.g. An attacking to a non-WMF web sites using Open Proxies from that bot's blocking log via MediaWiki API).

I think better for implemented of anti-robot mechanism to showing that bot's blocking logs, or doesn't input the port number in that blocking.

Also, can you please clarify for me what happens on SWMT wikis? What happens when it is reported at the channel and added to the blacklist?

When user (or IP address) have been added in CVN blacklist, that user's edit are highlighted in Red text at IRC channel.

example: m:User:Rxy/T166817-CVN-Highlighted

Additionally, User of the CVNSimpleOverlay script are can be highlighted at wiki for that blacklisted user.

TBolliger added a comment.EditedDec 18 2017, 9:45 PM

Ahh, thank you. I agree that the block log could be potentially used to assemble a list of proxy IPs, but I know the value of transparency for the block log is held to a higher importance on English Wikipedia than this potential for abuse.

Huji added a subtask: Restricted Task.Dec 19 2017, 1:25 AM
Matanya moved this task from Untriaged to Medium priority on the Stewards-and-global-tools board.Jan 18 2018, 11:34 PM
TBolliger added a project: MediaWiki-User-management.Jan 19 2018, 9:16 PM
TBolliger moved this task from Backlog to User blocking on the MediaWiki-User-management board.
MGChecker subscribed.Feb 26 2018, 8:21 PM
Sau226 added subscribers: Zppix, Sau226.Mar 4 2018, 11:25 AM

I think @Zppix also has a working anti open proxy bot that appears to work. Do correct me if I'm wrong.

TBolliger moved this task from Analytics to Product/Tech backlog on the Anti-Harassment-Team board.Mar 9 2018, 2:05 PM
TBolliger removed a project: Anti-Harassment-Team.Jun 11 2018, 9:12 PM
DannyS712 edited projects, added MediaWiki-Blocks; removed MediaWiki-User-management.Apr 25 2020, 12:11 AM
Restricted Application added a project: MediaWiki-User-management. · View Herald TranscriptApr 25 2020, 12:11 AM
Aklapper removed a project: MediaWiki-User-management.Apr 25 2020, 12:23 PM
Zabe subscribed.Oct 4 2021, 11:40 PM
MarioGom subscribed.Apr 22 2022, 7:35 AM
akosiaris closed subtask Restricted Task as Declined.May 23 2023, 3:14 PM
Bugreporter updated the task description. (Show Details)Jan 4 2025, 2:05 PM
Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptJan 4 2025, 2:05 PM
Bugreporter mentioned this in T380917: Ability to configure a wiki to auto block open proxies.Jan 4 2025, 2:06 PM
Bugreporter updated the task description. (Show Details)Jan 4 2025, 2:09 PM
A_smart_kitten subscribed.Jan 4 2025, 2:42 PM
Xaosflux changed the task status from Open to Stalled.Jan 4 2025, 7:24 PM
Xaosflux subscribed.

The proposed solution for this is untenable; the volunteer managed solution on that project hasn't operated since the year 2020.

Johannnes89 subscribed.Jan 6 2025, 7:33 AM
Aklapper added a comment.Jan 6 2025, 9:51 AM

@Xaosflux: Hmm, what/who exactly is this stalled on ("waiting for further input (e.g. from the task author or a third party like upstream)")?

kostajh subscribed.Jan 6 2025, 10:44 AM

Similar to what I wrote in T380917#10370204, I'd suggest that this stays "Stalled" until we can see if T354599: [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter will be a satisfactory solution.

Xaosflux added a comment.Jan 6 2025, 12:07 PM

@Aklapper as this asking to "Enable ProcseeBot" - seem as it is stalled on the third party of the processbot operator. Perhaps this should be refactored to a generic feature request after refining the user story instead, although the task author is gone so that may also be stuck.

Aklapper added a subtask: T354599: [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter.Jan 6 2025, 12:09 PM
Titore subscribed.Apr 10 2025, 4:25 PM
Dreamy_Jazz closed subtask T354599: [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter as Resolved.Jun 23 2025, 5:03 PM
kostajh added a comment.Jun 23 2025, 8:56 PM
In T166817#10431965, @kostajh wrote:

Similar to what I wrote in T380917#10370204, I'd suggest that this stays "Stalled" until we can see if T354599: [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter will be a satisfactory solution.

This is now available: https://www.mediawiki.org/wiki/Extension:IPReputation/AbuseFilter_variables

That said, I would suggest not creating blocking actions based solely on these variables, but instead looking at ways to combine the IP reputation signals with other AbuseFilter variables to mitigate abuse as needed.

1AmNobody24 subscribed.Jun 24 2025, 11:07 AM
HideonRosie subscribed.Jul 20 2025, 9:20 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits