Page MenuHomePhabricator
Create Task
Maniphest T354599

[EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter
Closed, ResolvedPublic
Actions

Description

Context

In T354597: Record IP reputation data for account creations and edits we'll likely discover that there are combinations of IP reputation data that usually result in unwanted edits or account creations. We should allow AbuseFilter maintainers to be able to create filters targeting traffic using a subset of labels in the IP reputation data.

Decision record about implementation: https://www.mediawiki.org/wiki/Trust_and_Safety_Product/Decision_records/2025-02-04-IPReputation_AbuseFilter_variables_for_registered_users

Proposal

Introduce IP reputation AbuseFilter protected variables for things like risks (callback proxy, VPN), tunnel types, client concentration count, or simply being present in iPoid-Service's database. Based on spur.us documentation, some possibilities for variables:

  • client.behaviors
  • client.count
  • client.countries
  • client.proxies
  • infrastructure
  • risks
  • services
  • tunnels.anonymous
  • tunnels.operator
  • tunnels.type

Consequences

We would be able to define mitigations in AbuseFilter based on edits from IPs matching specific IP reputation variables.

Notes from L3SC discussion

Copying over some requirements from L3SC discussion:

[,,,] variables like tunnels.operator could narrow down user identification, especially if the VPN service is uncommon and the Abuse Filter has some overly narrow combinations of conditions. Even in that case, the risk would still be low since Abuse filters are under tight community scrutiny and filter maintainers are highly trusted volunteers who exercise care when crafting filter conditions. Additionally, with the guarantee, IP reputation AbuseFilter variables will only be restricted to AF maintainers, rather than making them visible to the wider public, there is an extra layer of precaution.

want to reiterate that we build in the right measures/controls to mitigate false positives, for eg editors from some countries often. use open proxies/shared ip addresses and may not necessarily have malicious intent and could be wrongly tagged in the abuse filter.

Conclusion:

  • The variables need to be treated in the same way as user_unnamed_ip, in that they are considered "protected variables" and the filters and logs where they are used are accessible only to users with the right to view filters with protected variables.

Acceptance criteria

  • AbuseFilter variables exist for a variety of IPReputation data
  • These new variables work for actions performed by logged out users and temporary accounts
  • These new variables work for account creations of permanent accounts when the account is created while logged out
  • The new variables, their functionality, and recommendations for their use are communicated out to the community

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedkostajhT294511 2021 Security Team wikireplicas audit
 DeclinedNoneT284948 Raw IPs of logged-out users disclosed in wiki-replicas
 ResolvedNiharikaT324492 Temporary accounts - MVP
 OpenkostajhT357776 [Epic] Mitigate abilities to abuse temporary accounts
 StalledFeatureNoneT380917 Ability to configure a wiki to auto block open proxies
 StalledNoneT166817 Globally block identifiable open proxies
 ResolvedDreamy_JazzT354599 [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter
 ResolvedkostajhT360067 Deploy Extension:IPReputation
 ResolvedsbassettT360070 Application Security Review Request : Extension:IPReputation
 DuplicateDreamy_JazzT380454 Provide ip_reputation_tunnel_operators AbuseFilter
 DuplicateSTranT380919 Don't funnel all protected variable access logs to CheckUser temporary account access log
 ResolvedSTranT381052 Investigate: Should we remove the preference check from AbuseFilter's protected variables implementation?
 DuplicateDreamy_JazzT380710 Provide ip_reputation_risk_types variable in AbuseFilter
 ResolvedDreamy_JazzT386913 IPReputation: Create a service to get IPoid data in IPReputation
 ResolvedDreamy_JazzT380918 Provide capability to define new protected variables from other extensions
 ResolvedSTranT385687 Investigate: How should the AbuseFilter variable `user_unnamed_ip` be restricted
 ResolvedDreamy_JazzT380920 Remove the AbuseFilter protected variables preference gate
 ResolvedDreamy_JazzT387333 CheckUser should impose IP viewing restrictions on AbuseFilter's `unnamed_user_ip` protected variable
 ResolvedDreamy_JazzT387331 Provide a mechanism for other extensions to modify protected variables access requirements
 ResolvedDreamy_JazzT387013 IPReputation: Add AbuseFilter dependency in CI and Phan
 ResolvedSTranT387324 Add hook to support custom logging in `ProtectedVarsAccessLogger`
 ResolvedSTranT387328 Refactor CheckUser ProtectedVarsAccessLogger logging out of AbuseFilter
 ResolvedSTranT387329 Investigate: Confirm our logging expectations for AbuseFilter/CheckUser Temporary Accounts logs when using protected variables
 ResolvedDreamy_JazzT390873 AbuseFilter protected variables: Make it possible for protected variable values expire when the IP address expires
 ResolvedDreamy_JazzT390874 IPReputation: Create the initial IPReputation AbuseFilter variables
 ResolvedDreamy_JazzT388781 AbuseFilter / IP reputation: Instrument latency
 ResolvedDreamy_JazzT393665 AbuseFilter IP reputation: Provide documentation and recommendations for usage
 ResolvedDreamy_JazzT396069 Support generation of IPReputation AbuseFilter variable data for previous actions
 ResolvedDreamy_JazzT396079 Support generation of IPReputation AbuseFilter variables for temporary accounts and account creation
 ResolvedSecurityDreamy_JazzT396750 CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id>
 ResolvedSecurityDreamy_JazzT397196 CVE-2025-53499: AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions
 ResolvedSecurityDreamy_JazzT397221 CVE-2025-53498: AbuseFilter batch testing tool do not log when protected variables are in the test pattern

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
kostajh updated the task description. (Show Details)Nov 1 2024, 3:03 PM
kostajh mentioned this in T379348: Cache IP data from Spur in MediaWiki application-level Memcached.Nov 11 2024, 6:03 PM
kostajh changed the task status from Stalled to Open.Nov 21 2024, 10:21 AM

We have L3SC approval.

kostajh claimed this task.Nov 21 2024, 10:25 AM
kostajh added a project: Trust and Safety Product Sprint.

I'll turn this into an epic, where we can track individual variables as subtasks.

DatGuy subscribed.Nov 21 2024, 10:25 AM
kostajh renamed this task from Provide IP reputation variables in AbuseFilter to [EPIC] Provide IP reputation variables in AbuseFilter.Nov 21 2024, 10:37 AM
kostajh updated the task description. (Show Details)
Restricted Application added a project: Epic. · View Herald TranscriptNov 21 2024, 10:37 AM
kostajh mentioned this in T380708: Migrate account creation blocking logic to AbuseFilter.Nov 25 2024, 9:39 AM
kostajh closed subtask T360067: Deploy Extension:IPReputation as Resolved.Nov 25 2024, 9:46 AM
kostajh mentioned this in T380917: Ability to configure a wiki to auto block open proxies.Nov 26 2024, 8:30 PM
A_smart_kitten subscribed.Nov 26 2024, 8:46 PM
Dreamy_Jazz changed the status of subtask T380918: Provide capability to define new protected variables from other extensions from Open to Stalled.Dec 12 2024, 5:41 PM
kostajh mentioned this in T166817: Globally block identifiable open proxies.Jan 6 2025, 10:44 AM
Aklapper added parent tasks: T380917: Ability to configure a wiki to auto block open proxies, T166817: Globally block identifiable open proxies.Jan 6 2025, 12:09 PM
kostajh moved this task from Backlog to 2024-2025 Q3 on the WE4.2 Anti-abuse board.Feb 4 2025, 9:59 AM
kostajh updated the task description. (Show Details)Feb 5 2025, 9:29 AM
kostajh changed the status of subtask T380918: Provide capability to define new protected variables from other extensions from Stalled to Open.
acooper mentioned this in T384545: Use of MediaWiki\Block\DatabaseBlock::isExemptedFromAutoblocks was deprecated in MediaWiki 1.44.Feb 5 2025, 1:27 PM
Dreamy_Jazz mentioned this in T386913: IPReputation: Create a service to get IPoid data in IPReputation.Feb 20 2025, 11:29 AM
Dreamy_Jazz mentioned this in rEIPRe16234f19968: Split IPoid data collection to service.Feb 20 2025, 6:13 PM
Dreamy_Jazz mentioned this in T387013: IPReputation: Add AbuseFilter dependency in CI and Phan.Feb 21 2025, 12:19 PM
Dreamy_Jazz added a subtask: T387013: IPReputation: Add AbuseFilter dependency in CI and Phan.
Nemoralis unsubscribed.Feb 21 2025, 12:53 PM
Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptFeb 21 2025, 12:53 PM
Dreamy_Jazz closed subtask T387013: IPReputation: Add AbuseFilter dependency in CI and Phan as Resolved.Feb 24 2025, 11:38 AM
STran added subtasks: T387324: Add hook to support custom logging in `ProtectedVarsAccessLogger`, T387328: Refactor CheckUser ProtectedVarsAccessLogger logging out of AbuseFilter, T387329: Investigate: Confirm our logging expectations for AbuseFilter/CheckUser Temporary Accounts logs when using protected variables, T387331: Provide a mechanism for other extensions to modify protected variables access requirements, T387333: CheckUser should impose IP viewing restrictions on AbuseFilter's `unnamed_user_ip` protected variable.Feb 26 2025, 3:38 PM
STran closed subtask T380919: Don't funnel all protected variable access logs to CheckUser temporary account access log as Resolved.Feb 26 2025, 3:49 PM
Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Feb 28 2025, 6:01 PM
Dreamy_Jazz edited projects, added Trust and Safety Product Team (Engineering); removed Trust and Safety Product Team.
kostajh moved this task from Engineering to Engineering on the Trust and Safety Product Team board.Mar 10 2025, 12:44 PM
kostajh edited projects, added Trust and Safety Product Team; removed Trust and Safety Product Team (Engineering).
kostajh mentioned this in T234155: Create CheckUser-level abuse filters.Mar 13 2025, 10:50 AM
Xaosflux subscribed.Mar 13 2025, 8:38 PM
Ponor subscribed.Mar 14 2025, 2:24 PM
kostajh added a subtask: T388365: IPoid: Add services field to database and API output.Mar 19 2025, 10:13 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)); removed Trust and Safety Product Sprint.Mar 20 2025, 12:04 PM
kostajh closed subtask T387329: Investigate: Confirm our logging expectations for AbuseFilter/CheckUser Temporary Accounts logs when using protected variables as Resolved.Mar 25 2025, 10:36 AM
kostajh moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.Mar 25 2025, 10:40 AM
kostajh closed subtask T380918: Provide capability to define new protected variables from other extensions as Resolved.Mar 25 2025, 12:50 PM
Dreamy_Jazz mentioned this in T380920: Remove the AbuseFilter protected variables preference gate.Mar 25 2025, 5:29 PM
Dreamy_Jazz updated the task description. (Show Details)Apr 1 2025, 8:36 PM
Dreamy_Jazz added a subtask: T388781: AbuseFilter / IP reputation: Instrument latency.Apr 3 2025, 11:27 AM
Dreamy_Jazz closed subtask T387333: CheckUser should impose IP viewing restrictions on AbuseFilter's `unnamed_user_ip` protected variable as Resolved.Apr 3 2025, 2:21 PM
Dreamy_Jazz closed subtask T380920: Remove the AbuseFilter protected variables preference gate as Resolved.Apr 10 2025, 3:16 PM
kostajh closed subtask T387324: Add hook to support custom logging in `ProtectedVarsAccessLogger` as Resolved.Apr 14 2025, 8:07 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)); removed Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)).Apr 14 2025, 2:52 PM
kostajh moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)) board.
kostajh mentioned this in T290324: Create Oversight-level abuse filters.Apr 16 2025, 11:53 AM
kostajh closed subtask T387328: Refactor CheckUser ProtectedVarsAccessLogger logging out of AbuseFilter as Resolved.Apr 16 2025, 3:34 PM
Dreamy_Jazz closed subtask T387331: Provide a mechanism for other extensions to modify protected variables access requirements as Resolved.Apr 17 2025, 12:48 PM
kostajh mentioned this in T386456: Feature: Allow for private, rights-restricted tags.Apr 28 2025, 11:28 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)); removed Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)).May 5 2025, 6:50 AM
kostajh moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.
kostajh moved this task from In Progress to Epics in progress on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.May 5 2025, 7:28 AM
kostajh closed subtask T388781: AbuseFilter / IP reputation: Instrument latency as Resolved.May 15 2025, 5:51 AM
kostajh mentioned this in T364705: Provide AbuseFilter condition for revertrisk threshold.May 16 2025, 8:47 AM
kostajh moved this task from 2024-2025 Q3 to 2024-2025 Q4 on the WE4.2 Anti-abuse board.May 20 2025, 6:31 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 25 2025, 6:50 PM
kostajh moved this task from Priority Backlog to Epics in progress on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.
Tchanders mentioned this in T360195: WE4.2.14a: Analyze IP reputation data and how it maps to on-wiki editing and account creation activity.Jun 10 2025, 5:31 PM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)); removed Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).Jun 16 2025, 6:10 AM
kostajh moved this task from Priority Backlog to Epics in progress on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.
Dreamy_Jazz removed a subtask: T380711: Provide ip_reputation_tunnel_type AbuseFilter variable.Jun 16 2025, 11:32 AM
kostajh renamed this task from [EPIC] Provide IP reputation variables in AbuseFilter to [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter.Jun 17 2025, 8:57 AM
kostajh closed subtask T396069: Support generation of IPReputation AbuseFilter variable data for previous actions as Resolved.
kostajh removed a subtask: T388365: IPoid: Add services field to database and API output.
Dreamy_Jazz added a subtask: T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id>.Jun 17 2025, 9:02 AM
kostajh closed subtask T396079: Support generation of IPReputation AbuseFilter variables for temporary accounts and account creation as Resolved.Jun 17 2025, 9:50 AM
kostajh closed subtask T390874: IPReputation: Create the initial IPReputation AbuseFilter variables as Resolved.
Dreamy_Jazz added a subtask: T397196: CVE-2025-53499: AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions.Jun 17 2025, 1:46 PM
Dreamy_Jazz added a subtask: T397221: CVE-2025-53498: AbuseFilter batch testing tool do not log when protected variables are in the test pattern.Jun 17 2025, 3:41 PM
Dreamy_Jazz added a project: User-notice.Jun 20 2025, 6:13 PM
Dreamy_Jazz updated the task description. (Show Details)Jun 20 2025, 6:16 PM
Quiddity moved this task from To Triage to Not ready to announce on the User-notice board.Jun 20 2025, 6:36 PM
Dreamy_Jazz subscribed.EditedJun 20 2025, 7:07 PM

I've added something about this to https://meta.wikimedia.org/wiki/Tech/News/2025/27.

The feature has been released to all WMF wikis.

Dreamy_Jazz moved this task from Not ready to announce to Announce in next Tech/News on the User-notice board.Jun 20 2025, 7:08 PM
Dreamy_Jazz claimed this task.Jun 20 2025, 8:09 PM
Dreamy_Jazz updated the task description. (Show Details)Jun 23 2025, 11:12 AM
Dreamy_Jazz closed this task as Resolved.EditedJun 23 2025, 5:03 PM

We are resolving this hypothesis as completed.

We met the goal of the hypothesis by adding several AbuseFilter variables that allow filters to match against the IP reputation data for an action. These variables are used in at least one AbuseFilter and guidance has been produced on how to use these variables that will go out to the wider community next week via Tech News.

The remaining work under this task does not need to be completed for the hypothesis to be resolved, but is in the process of being resolved.

Initial feedback from the WMF Stewards appears positive. If improvements are suggested after the wider communication goes out we can consider it as part of future work.

kostajh awarded a token.Jun 23 2025, 5:22 PM
kostajh added a comment.EditedJun 24 2025, 9:36 AM

Documentation is here: https://www.mediawiki.org/wiki/Extension:IPReputation/AbuseFilter_variables

Quiddity moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Jun 26 2025, 10:54 PM
kostajh closed subtask T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id> as Resolved.Jun 27 2025, 9:44 AM
kostajh closed subtask T397221: CVE-2025-53498: AbuseFilter batch testing tool do not log when protected variables are in the test pattern as Resolved.Jun 27 2025, 11:05 AM
kostajh mentioned this in T398291: AI/ML Infrastructure Request: Expand ORES-enabled RevertRisk filters deployment to all wikis, excluding Commons and Wikidata.Jul 1 2025, 10:36 AM
kostajh closed subtask T397196: CVE-2025-53499: AbuseFilter 'abusefiltercheckmatch' API does not check protected variable access restrictions as Resolved.Jul 2 2025, 1:39 PM
Trizek-WMF moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Jul 3 2025, 3:28 PM
kostajh closed subtask T390873: AbuseFilter protected variables: Make it possible for protected variable values expire when the IP address expires as Resolved.Jul 7 2025, 9:34 AM
Dreamy_Jazz closed subtask T393665: AbuseFilter IP reputation: Provide documentation and recommendations for usage as Resolved.Jul 7 2025, 9:00 PM
SecurityPatchBot reopened subtask T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id> as Open.Jul 7 2025, 11:53 PM
Dreamy_Jazz closed subtask T396750: CVE-2025-53495: Do not show IP Reputation AbuseFilter variables to those without permission in Special:AbuseFilter/examine/<rc id> as Resolved.Jul 8 2025, 6:52 AM
Maintenance_bot edited projects, added User-notice-archive; removed User-notice.Jul 18 2025, 7:31 AM
Nemoralis mentioned this in T403903: Add IPInfo data as AbuseFilter variables.Sep 6 2025, 11:35 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits