IPReputation: Create the initial IPReputation AbuseFilter variables
Closed, ResolvedPublic
Actions

Description

Summary

We can add a few of the proposed MediaWiki-extensions-IPReputation AbuseFilter variables now limited use for editors who are logged out and using their IP address.

Background

Now that we have merged patches for T380920, we can create the following AbuseFilter IPReputation variables
- ip_reputation_tunnel_operators - A list of tunnel operators associated with the IP
- ip_reputation_risk_types - The list of risks associated with the IP
- ip_reputation_client_proxies - The list of proxies associated with the IP
- ip_reputation_client_behaviors - The list of behaviours associated with the IP
- ip_reputation_client_count - The number of clients detected on an IP
- ip_reputation_ipoid_known - Whether the IP is known to iPoid-Service
These variables listed above can already be got from the IPoid data obtained by the MediaWiki-extensions-IPReputation IPoid data service
These variables need to be limited initially just to IP addresses.
- This is because we want to expire the IP reputation data when the associated IP address is expired, which will be worked on in T390873: AbuseFilter protected variables: Make it possible for protected variable values expire when the IP address expires
- We will expand these variables to work for account creation and temporary accounts in another task when T390873 is resolved

Acceptance criteria

MediaWiki-extensions-IPReputation variables specified above exist and are usable for actions performed while using their IP address (i.e. logged out and not a temporary account)
These variables are always considered protected variables and require the abusefilter-access-protected-vars right to view their values or filters they are used in
The value of these variables is taken from the associated data points in an iPoid-Service API response

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Add several IPReputation AbuseFilter variables	mediawiki/extensions/IPReputation	master	+387 -2

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
			Restricted Task
Resolved		kostajh	T294511 2021 Security Team wikireplicas audit
Declined		None	T284948 Raw IPs of logged-out users disclosed in wiki-replicas
Resolved		Niharika	T324492 Temporary accounts - MVP
Resolved		kostajh	T357776 [Epic] Mitigate abilities to abuse temporary accounts
Stalled	Feature	None	T380917 Ability to configure a wiki to auto block open proxies
Stalled		None	T166817 Globally block identifiable open proxies
Resolved		Dreamy_Jazz	T354599 [EPIC] WE4.2.14b Provide IP reputation variables in AbuseFilter
Resolved		Dreamy_Jazz	T390874 IPReputation: Create the initial IPReputation AbuseFilter variables

Event Timeline

Dreamy_Jazz created this task.Apr 2 2025, 2:17 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 2 2025, 2:17 PM

Dreamy_Jazz merged a task: T380710: Provide ip_reputation_risk_types variable in AbuseFilter.Apr 2 2025, 2:18 PM

Dreamy_Jazz merged a task: T380454: Provide ip_reputation_tunnel_operators AbuseFilter.

Dreamy_Jazz added a subscriber: kostajh.

Dreamy_Jazz added subscribers: TenWhile6, DatGuy, Johannnes89 and 3 others.

Dreamy_Jazz updated the task description. (Show Details)Apr 2 2025, 2:21 PM

Change #1133248 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/IPReputation@master] [WIP] Add several IPReputation AbuseFilter variables

https://gerrit.wikimedia.org/r/1133248

gerritbot added a project: Patch-For-Review.Apr 2 2025, 2:22 PM

Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.Apr 2 2025, 8:24 PM

Dreamy_Jazz updated the task description. (Show Details)Apr 2 2025, 10:18 PM

Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.Apr 3 2025, 11:18 AM

Dreamy_Jazz updated the task description. (Show Details)Apr 3 2025, 12:46 PM

Dreamy_Jazz updated the task description. (Show Details)

Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.Apr 3 2025, 7:38 PM

Titore subscribed.Apr 10 2025, 4:25 PM

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)); removed Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)).Apr 14 2025, 2:52 PM

kostajh moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)) board.

Change #1133248 merged by jenkins-bot:

[mediawiki/extensions/IPReputation@master] Add several IPReputation AbuseFilter variables

https://gerrit.wikimedia.org/r/1133248

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.27; 2025-04-29).Apr 17 2025, 3:00 PM

Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)) board.Apr 17 2025, 3:05 PM

STran mentioned this in rEIPR820c74474aa6: Add several IPReputation AbuseFilter variables.Apr 17 2025, 3:14 PM

Maintenance_bot removed a project: Patch-For-Review.Apr 17 2025, 3:30 PM

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)); removed Trust and Safety Product Sprint (Sprint Cozonac (April 14 - May 2)).May 5 2025, 6:49 AM

kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.

To QA this ticket you will need MediaWiki-extensions-IPReputation and AbuseFilter installed. The variables should appear in the builder dropdown list (see F59753762 for an example).

Additionally, I would suggest checking that these variables work. This will be hard to do on a local wiki, unless you have iPoid-Service installed locally. If using the local wiki route, then you would set your IP to an IP stored in your local testing iPoid-Service install and check that the data in the variables matches what is stored in the service.

If you do not have a local install, then it will be hard to test. This is because https://test.wikipedia.org has Temporary accounts enabled and we do not support these variables for these users until we have been able to work on T390873. If this is the case, then I might suggest waiting to test these variables until T390873 is completed and at which point it would be possible to test on testwiki using a temporary account to edit (while using a VPN or not, and then checking that a VPN IP has IPoid data that appears in the logs).

kostajh moved this task from Backlog to 2024-2025 Q4 on the WE4.2 Anti-abuse board.May 20 2025, 6:29 PM

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 25 2025, 6:53 PM

kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.

kostajh edited projects, added Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)); removed Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).Jun 16 2025, 6:12 AM

kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.

Triggering various local and global AbuseFilters with IP Reputation variables on wikis with and without temp accounts enabled:

I checked that the variables had the correct data from ipoid
that only users with the abusefilter-access-protected-vars right could see them in Special:AbuseLog/<id>, Special:AbuseFilter/examine/log/<id> or action=query&list=abuselog
the IP Reputation variables only appear for temporary users or for named user account creations
the IP Reputation variables only match the actions of temporary users or named user account creations

I checked that filters with the IP Rep variables catch various actions (edit, move, delete) and enforce a few consequences (block, disallow, tag) correctly.

I checked I could use IP Rep variables with a few different comparison operators like in to check array membership, array equality and numeric (in)equality (for client count).

I briefly checked that after accessing IP Rep variables a log is created with log_type=abusefilter-protected-vars. If the filter also includes user_unnamed_ip it will go to log_type=checkuser-temporary-account instead.

dom_walden mentioned this in T396079: Support generation of IPReputation AbuseFilter variables for temporary accounts and account creation.Jun 17 2025, 9:49 AM

kostajh closed this task as Resolved.Jun 17 2025, 9:51 AM

	F59753762: image.png
	May 7 2025, 9:24 PM

IPReputation: Create the initial IPReputation AbuseFilter variablesClosed, ResolvedPublicActions