Follow-up to checkuser-l mail, subject [Checkuser-l] touchy CU matter.
It appears account autocreation happens (at least in some cases) from application servers (2620:0:861:101::/64 at least, maybe other ranges too), see below (restricted paste):
{P16607}
All of the IPs from 2620:0:861:101::/64 that are autocreating accounts at enwiki belong to mw* servers:
```
urbanecm@notebook ~/tmp $ wget https://config-master.wikimedia.org/known_hosts.ecdsa
urbanecm@notebook ~/tmp $ while read ip; do grep $ip known_hosts.ecdsa | cut -d , -f 1; done < ips.txt
mw1276.eqiad.wmnet
mw1277.eqiad.wmnet
mw1278.eqiad.wmnet
mw1279.eqiad.wmnet
mw1281.eqiad.wmnet
mw1282.eqiad.wmnet
mw1283.eqiad.wmnet
mw1312.eqiad.wmnet
mw1386.eqiad.wmnet
mw1388.eqiad.wmnet
mw1390.eqiad.wmnet
mw1392.eqiad.wmnet
urbanecm@notebook ~/tmp $
```
This appears to be a bug either in CheckUser, MediaWiki-extensions-CentralAuth or MediaWiki-User-login-and-signup. Either way, it harms CU's ability to prevent abuse at the Wikimedia projects.
It has been happening since at least 1.36.0/wmf.35, see:
```
mysql:research@dbstore1003.eqiad.wmnet [enwiki]> select cuc_agent from cu_changes where cuc_ip_hex like "v6-26200000086101010%" order by cuc_id limit 1;
+-------------------------+
| cuc_agent               |
+-------------------------+
| MediaWiki/1.36.0-wmf.35 |
+-------------------------+
1 row in set (0.002 sec)

mysql:research@dbstore1003.eqiad.wmnet [enwiki]>
```
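An added example (not part of the original task and not CheckUser's own code) that turns a CIDR range into the `cuc_ip_hex` search prefix or bounds used in the query above and flags rows attributed to an internal range. The encoding (`v6-` plus 32 uppercase hex digits, 8 hex digits for IPv4) is assumed from the pattern in that query; the function names and sample rows are constructed.

```python
import ipaddress

def to_cuc_hex(ip):
    """Encode an address in the assumed cuc_ip_hex form."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return "v6-%032X" % int(addr)
    return "%08X" % int(addr)

def hex_bounds(cidr):
    """(low, high) strings for `cuc_ip_hex BETWEEN low AND high`; works for any prefix length."""
    net = ipaddress.ip_network(cidr, strict=False)
    return to_cuc_hex(net.network_address), to_cuc_hex(net.broadcast_address)

def like_prefix(cidr):
    """LIKE pattern for the range, or None when the prefix length is not a
    multiple of 4 bits (a hex-digit prefix cannot express it; use hex_bounds)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen % 4:
        return None
    full = to_cuc_hex(net.network_address)
    head = len(full) - net.max_prefixlen // 4   # 3 for "v6-", 0 for IPv4
    return full[: head + net.prefixlen // 4] + "%"

def flag_internal(rows, internal_cidrs):
    """Return rows whose recorded IP lies inside any internal range.
    Fixed-width uppercase hex compares correctly as plain strings."""
    bounds = [hex_bounds(c) for c in internal_cidrs]
    return [r for r in rows
            if any(lo <= r["cuc_ip_hex"] <= hi for lo, hi in bounds)]

# Range named in the task description.
INTERNAL = ["2620:0:861:101::/64"]

# Constructed sample rows (not real CheckUser data).
SAMPLE_ROWS = [
    {"cuc_id": 1, "cuc_ip_hex": to_cuc_hex("2620:0:861:101:10:64:0:1")},
    {"cuc_id": 2, "cuc_ip_hex": to_cuc_hex("2001:db8::1")},
    {"cuc_id": 3, "cuc_ip_hex": to_cuc_hex("198.51.100.7")},
]

if __name__ == "__main__":
    print(like_prefix(INTERNAL[0]))
    print(hex_bounds(INTERNAL[0]))
    print([r["cuc_id"] for r in flag_internal(SAMPLE_ROWS, INTERNAL)])
```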