I've noticed increasing levels of vandalism via anonymizing proxies. We turned off the automatic proxy-scanning some time ago because of complaints by the clue-deficient who saw this as potential attacks. However, it might be a good idea to do the following:
* whenever an admin _blocks_ a user, the IP they were editing from should be automatically proxy-scanned, and blocked indefinitely if it is an open proxy (_in addition to_ the username/IP block that would have been applied)
By restricting proxy scans to proven vandals, this will reduce the rate of proxy scans to a few dozen a day (from tens of thousands before), and result in a proportionately trivial level of complaints which can safely be auto-replied or ignored. It will also allow the reply to be very clear: "we detected abuse from your user, verified that it was coming from an unsecured proxy on your network, and took appropriate action".
99% of the code for this already exists, so it should be trivial to put in place -- however, I'm aware that our heroic developers are somewhat busy...
-- Neil
Neil Harris (usenet@tonal.clara.co.uk) [050121 22:55]:
I've noticed increasing levels of vandalism via anonymizing proxies. We turned off the automatic proxy-scanning some time ago because of complaints by the clue-deficient who saw this as potential attacks. However, it might be a good idea to do the following:
- whenever an admin _blocks_ a user, the IP they were editing from
should be automatically proxy-scanned, and blocked indefinitely if it is an open proxy (_in addition to_ the username/IP block that would have been applied) By restricting proxy scans to proven vandals, this will reduce the rate of proxy scans to a few dozen a day (from tens of thousands before), and result in a proportionately trivial level of complaints which can safely be auto-replied or ignored. It will also allow the reply to be very clear: "we detected abuse from your user, verified that it was coming from an unsecured proxy on your network, and took appropriate action".
Oh, yes *please*!
- d.
David Gerard wrote:
Neil Harris (usenet@tonal.clara.co.uk) [050121 22:55]:
I've noticed increasing levels of vandalism via anonymizing proxies. We turned off the automatic proxy-scanning some time ago because of complaints by the clue-deficient who saw this as potential attacks. However, it might be a good idea to do the following:
- whenever an admin _blocks_ a user, the IP they were editing from
should be automatically proxy-scanned, and blocked indefinitely if it is an open proxy (_in addition to_ the username/IP block that would have been applied) By restricting proxy scans to proven vandals, this will reduce the rate of proxy scans to a few dozen a day (from tens of thousands before), and result in a proportionately trivial level of complaints which can safely be auto-replied or ignored. It will also allow the reply to be very clear: "we detected abuse from your user, verified that it was coming from an unsecured proxy on your network, and took appropriate action".
Oh, yes *please*!
- d.
And I've just realized that this will also have another advantage: legitimate policy-compliant users using open proxies (for whatever reason) won't get automatically banned: they will still be able to edit, so we default to being permissive. The moment that proxy is used for abuse, though, that's another open proxy blocked for good.
More possible heuristics: scan editing IPs for open proxies if the page they are editing has been protected in the recent past, or if the admin revert function has recently been used on that page. This will catch proxy-hopping users who engage in edit wars (Israel/Palestine, Fascism, GW Bush...), but again only add a very small number of scans to the overall total.
As in earlier proposals, we can add a recent-scans record, so an IP won't be scanned more than say once a day, no matter what happens.
-- N.
Neil Harris wrote: (re proxy-scanning on demand)
And I've just realized that this will also have another advantage: legitimate policy-compliant users using open proxies (for whatever reason) won't get automatically banned: they will still be able to edit, so we default to being permissive. The moment that proxy is used for abuse, though, that's another open proxy blocked for good.
More possible heuristics: scan editing IPs for open proxies if the page they are editing has been protected in the recent past, or if the admin revert function has recently been used on that page. This will catch proxy-hopping users who engage in edit wars (Israel/Palestine, Fascism, GW Bush...), but again only add a very small number of scans to the overall total.
As in earlier proposals, we can add a recent-scans record, so an IP won't be scanned more than say once a day, no matter what happens.
-- N.
Here are two final, but possibly less safe, heuristics: * do an open proxy scan on any IP that does a page move * do an open proxy scan on any IP that commits edits at faster than a certain rate
Those might well put a spoke in certain determined vandals' activities.
- N.
Neil Harris wrote:
Here are two final, but possibly less safe, heuristics:
- do an open proxy scan on any IP that does a page move
- do an open proxy scan on any IP that commits edits at faster than a
certain rate
Those might well put a spoke in certain determined vandals' activities.
Did I say final?
* Do an open proxy scan on any IP that blanks a page (ie reduces it in size by >80%, after blank-trimming is taken into account -- a very common form of idiot vandalism) * Do an open proxy scan on any IP that triggers the spam-detector (as link-spammers will often work their way round open proxy lists)
Those will auto-catch more categories of idiot vandals operating over open proxies, without too much added scan/complaints load.
Please critique and/or add to the list of plausible heuristics, with the general idea that it is never a bad idea to block an open proxy, but it is not good to scan every IP all the time.
-- N.
It's a less elegant solution, but I think it'll work nicely as a stop-gap: I've proposed periodically running a bot that grabs various open proxy lists and scans and blocks them[1]. Your input is appreciated.
1: http://en.wikipedia.org/wiki/Wikipedia_talk:Bots#OpenProxyBlockerBot
Neil Harris wrote:
I've noticed increasing levels of vandalism via anonymizing proxies. We turned off the automatic proxy-scanning some time ago because of complaints by the clue-deficient who saw this as potential attacks. However, it might be a good idea to do the following:
- whenever an admin _blocks_ a user, the IP they were editing from
should be automatically proxy-scanned, and blocked indefinitely if it is an open proxy (_in addition to_ the username/IP block that would have been applied)
By restricting proxy scans to proven vandals, this will reduce the rate of proxy scans to a few dozen a day (from tens of thousands before), and result in a proportionately trivial level of complaints which can safely be auto-replied or ignored. It will also allow the reply to be very clear: "we detected abuse from your user, verified that it was coming from an unsecured proxy on your network, and took appropriate action".
99% of the code for this already exists, so it should be trivial to put in place -- however, I'm aware that our heroic developers are somewhat busy...
-- Neil
Hoi, We have had some problems with proxy scans before Waerth, a wikimedian who is really active, has no choise but use a proxy. He is living in Thailand.
It would be much better to change the working of the banning process. When an IP range is known to be a proxy, we could disallow anonymous cowards from editing. As we can be aware that traffic is from a proxy, we could allow known users from editing from these proxies. In this manner we prevent vandalism by anonymous cowards while providing a service to the known good. :)
Thanks, GerardM
wikitech-l@lists.wikimedia.org