The WikiProject on open proxies seeks to identify, verify and block open proxies and anonymity network exit nodes. To prevent abuse or vandalism, only proxy checks by verified users will be accepted. All users are welcome to discuss on the talk page, report possible proxies, or request that a blocked IP be rechecked.
If you've been blocked as an open proxy, please see: Help:blocked.
To report a proxy check or an incorrect block, see the #Reporting section.
Please report IP addresses you suspect are open proxies below. A project member will scan or attempt to connect to the proxy, and if confirmed will block the address.
Before reporting any suspected open proxies here, please remember that not all vandals are open proxies and vandals should not get an automatic check here; remember that it takes the volunteers here about 5-10 minutes to give a request a thorough check.
File a new report here
For block requests:
Verify that the following criterion has been met:
The IP has made abusive contributions within the past week
For unblock requests:
Verify that the following criteria have been met:
No current criteria
For block requests
Replace "IP" below with the IP address you are reporting.
For unblock requests
Replace "IP" below with the IP address you are reporting.
Fill out the resulting page with the requested information.
Save the page.
Verified Users/Sysops Templates
IP is an open proxy ((Proxycheck|confirmed)) for confirmed open proxies and Tor exit nodes.
Likely IP is an open proxy ((Proxycheck|likely)) for likely open proxies and Tor exit nodes.
Possible IP is an open proxy ((Proxycheck|possible)) for possible open proxies and Tor exit nodes.
Unlikely IP is an open proxy ((Proxycheck|unlikely)) for unlikely open proxies and Tor exit nodes.
Not currently an open proxy ((Proxycheck|unrelated)) for IPs confirmed not to be an open proxy or Tor exit node.
Inconclusive ((Proxycheck|inconclusive)) for IPs that are inconclusive.
Declined to run a check ((Proxycheck|decline)) to decline a check.
Open proxy blocked ((Proxycheck|blocked)) for open proxies and Tor nodes that have been blocked. Please add this if you block the IP.
Reason: The range seems to be announced by IPXO (per Hurricane Electric), an "IP marketplace" according to their website. All IPs in the range who have made contributions since 1 January 2023 are active on ExpressVPN, as well as a handful of varying residential proxies according to Spur. I've not done a fully exhaustive check on the range yet, but the only IPs I've seen not flagged as ExpressVPN on the Spur data are .251-.255, though they are still listed as data centre IPs.
It may also be worth the other /24s listed on HE as being announced by IPXO as well for any that haven't yet been blocked (some have) but probably should be. Sideswipe9th (talk) 20:56, 4 February 2023 (UTC)
Ok, I've checked through the other /24s listed. Most are either locally or globally blocked (sometimes both), but I did find a list of 20 /24 ranges that are not currently blocked. I'll check through that list now and see if I can categorise them briefly before posting them. Sideswipe9th (talk) 21:32, 4 February 2023 (UTC)
Done some spot checks on the other /24s, alas I don't have the tools or time to do a full check on each range. Results below split into three categories; ExpressVPN, data centre and possible unknown proxy, and unknown. The four ExpressVPN ranges are the ones I'm most confident on, there were only a few IPs in each range for which all were at a consistent last octet that weren't showing as ExpressVPN exit nodes, and the unknown ones at the end are the ones I'm least confident on.
With all of the ranges currently being assigned by IPXO, I suspect the potential for any individual IP in a range to become a proxy or VPN exit node at random is high, even if the range itself is largely not proxy or VPN exit nodes at this time.
22.214.171.124/24 - last active locally 2014 - some webhosts, some random servers belonging to various domains, no VPN usage on Spur and IPQualityScore, some on Proxycheck
126.96.36.199/24 - never active locally - random servers on various domains, no VPN or datacenter flags on Spur, ExpressVPN on IPQualityScore and ProxyCheck
188.8.131.52/24 - never active locally - random servers on various domains, no VPN or datacenter flags on Spur, ExpressVPN on IPQualityScore and ProxyCheck
Reason: Just globally unblocked the range after a UTRS appeal. From WHOIS data this seems to belong now to Xfera Móviles S.A.U, from the MasMovil group ISP (Yoigo). Thanks, —MarcoAurelio (talk) 14:39, 16 February 2023 (UTC)
I'm not so sure. Whois data certainly looks like MásMóvil (mobile ISP), but the IP that appealed, 184.108.40.206, seemed to be a VPN node as recently as January 21st (see shodan). ST47: Do you have any input on this? I guess it can be unblocked and reviewed again in a few weeks. MarioGom (talk) 12:43, 19 February 2023 (UTC)
I took another look at the range. Services in that range are mostly Synology, HomeAssist, domestic routers, etc. So it is, indeed, a residential range. MarioGom (talk) 21:23, 7 March 2023 (UTC)
McAfee WGCS is a corporate gateway, technically a VPN, but last time it was discussed here, it was not blocked. Requesting a second opinion. MarioGom (talk) 21:43, 26 April 2023 (UTC)
Not an admin, so feel free to ignore. Looking at the two prior discussions on this (March 2021, May 2022) it seems that softblocking might be appropriate in this case? There are some McAfee WGCS ranges that we do currently softblock (eg 220.127.116.11/24, 18.104.22.168/21) so this would at least be consistent with them, though there are other ranges that we don't currently softblock (eg 22.214.171.124/24).
Whatever the decision is from this discussion, we may want to look at making things consistent across all of the known ranges. Sideswipe9th (talk) 21:56, 26 April 2023 (UTC)
Not sure. Not sure what to make of this one. The AS for this IP range is currently assigned to QuadraNet, who are a managed infrastructure/colo provider, and who appear to use Zayo for connectivity. However much of the range are further subdivided, for example the currently blocked 126.96.36.199/26 is either upstreamnet or Hosteroid depending on who is asking. I'm hesitant to make any recommendations here, as while QuadraNet only provide colo and dedicated servers and some of the subdivisions are definitely other hosting providers that might be using services provided by QuadraNet, Zayo provide services to both business and consumer ISPs, for both fixed line and mobile connections. Given how subdivided this range is, I can't easily and quickly rule out parts of this range being assigned to non-business non-infrastructure customers. Flagging for a second opinion in case I've missed something obvious with determining how this range is subdivided. Sideswipe9th (talk) 23:16, 18 July 2023 (UTC)
Reason: Amazon AWB. 188.8.131.52 - 184.108.40.206 are all registered to Amazon AWB, hence the /22 range in this report. BLP disruption caught by filter log. 220.127.116.11 (talk) 16:45, 28 April 2023 (UTC)
I've checked the three /24s separately here (18.104.22.168/24 - 22.214.171.124/24 - 126.96.36.199/24). While the ISP is Amazon, all three ranges are currently allocated to Palo Alto Networks. The first range, 188.8.131.52/24, appears to be used for part of their GlobalProtect VPN service per Spur's data. This seems similar to the McAfee WGCS and Zscaler ranges currently reported on this page, and any hardblock on these ranges would have some collateral on legitimate users. A softblock/((Colocationwebhost-soft)) might be appropriate here. The other two ranges in the /22 seem to be in the same data centre, and don't seem to be part of the same service, but the filter log linked above is from an IP on the third /24 so it clearly has some use somewhere. Not sure what to recommend here, and I've not been able to easily search to see if any other IPs in the range have triggered any filters, though none have any recorded contributions. Sideswipe9th (talk) 18:17, 17 July 2023 (UTC)
Unlikely IP is an open proxy. While ipcheck states it's likely a proxy due to some API data, I'm not seeing any activity on Spur and Shodan, and technical research into the IP didn't turn up anything of note. However, the /48 range this IP belongs to is currently announced by a web and VPS hosting provider from Germany, and the /32 range is assigned to a colocation provider also in Germany. A webhostblock on the /48 or a colocationwebhost block on the /32 might be appropriate in the circumstances. Flagging for a second opinion though because either choice is a big range. Sideswipe9th (talk) 20:26, 17 July 2023 (UTC)
WHOIS suggests dual-use assignment (residential ISPs and colo), reverse/forward DNS suggests a lot of webhosts.. I'm minded to leave this be until it starts being abusive, but 2O on if we should block now — TheresNoTime (talk • they/them) 21:00, 27 July 2023 (UTC)
@Tonyinman: I was wondering if you could give some information as to why you suspect that this, and the other IPs you listed at the same time as this are NordVPN server IPs? All of these IPs geolocate to India, and according to NordVPN's website they haven't operated any servers in that country since the end of June 2022. Sideswipe9th (talk) 17:17, 17 July 2023 (UTC)
Confirmed. While the range is announced by Perimeter 81, and a large portion of it seems to be empty per Spur and Shodan, there are IP ranges within that are active on Perimeter 81's VPN product. However that product is aimed at businesses, with pricing to match. This seems similar to the Zscaler, McAfee WGCS cases that are also open at present. A softblock on the range might be appropriate however, the one contributor who was active on 15 May 2023 was using an IP that's part of their VPN range. While I've tried to pin down the exact range for just the IPs that are part of their VPN offering, it seems somewhat spread out throughout it with gaps, so it might be more expedient to just block it in its entirety. Flagging this for a 2O though, while we figure out how to handle this particular type of VPN provider. Sideswipe9th (talk) 00:22, 19 July 2023 (UTC)
I'm in two minds about this one. The range is a webhost who provide a proxy service on it, but it's Zscaler. There are Zscaler ranges that are currently locally blocked (eg 184.108.40.206/24, 220.127.116.11/24, quarry for other ranges) and even some that are globally blocked (like 18.104.22.168/20), but the service itself has been discussed a couple of times at AN (September 2021, August 2020) and there seems to be a consensus that a ((Colocationwebhost-soft))/softblock might be appropriate in some circumstances. But, this is a pretty big range, and even with some problematic IP edits here, there'd be a lot of collateral. Not sure what to recommend off this one, but I'm going to ping Zzuuzz and ST47 as you both seem to have handled many of these IPs and ranges. Sideswipe9th (talk) 02:28, 17 July 2023 (UTC)
As I previously commented on those linked threads, I usually strongly oppose blocking Zscaler just because it's Zscaler. We don't need to aim for consistency here, just block where there's disruption. Looking at the range, nothing really jumps out to me. -- zzuuzz (talk) 08:49, 17 July 2023 (UTC)
Hmmm. Personally I like consistency, as it makes handling cases like this easier. Though, I do of course recognise that Zscaler has a large number of legitimate users. There are certainly disruptive edits in the range, they're more visible if you filter the contribs by mw-reverted, or one of the "possible BLP/vandalism" tags, but with a range this large that's kinda to be expected I guess. I guess it comes down to what our policy on general paid proxies is, and the global policy is certainly that paid proxies may be blocked without warning for an indefinite period, but that discussion seems out of scope for this request. Sideswipe9th (talk) 18:31, 17 July 2023 (UTC)
The /24 is announced by an Armenian cloud hosting provider, and data on Shodan has many of the IPs running common server OSes. Should be safe to webhost block the range. There's 17 other /24 ranges from the same provider listed on HE, though some are currently locally and globally blocked. I'll append a list of the unblocked ranges to this report shortly that should also be safe for a webhost block. Sideswipe9th (talk) 01:22, 17 July 2023 (UTC)
The following /24s are all announced by the same hosting provider and should be safe for a webhost block. I also discovered a second AS for the same provider. Three of the ranges from this provider are currently webhost or coloblocked.
Confirmed. Range is still assigned by a web hosting provider. The IPs that were actively contributing through this recently are also all active on multiple residential proxy services and at least one VPN provider according to Spur's data. The range itself was webhostblocked by Daniel Case on 17 July 2023, however I would recommend additionally hardblocking 22.214.171.124 through 126.96.36.199 inclusive due to being active on a VPN service and multiple residential proxy services. Sideswipe9th (talk) 23:35, 18 July 2023 (UTC)
Reason: Requested unblock. I'm unable to edit wikipedia pages from this IP (our office) even when logged in. The IP is statically allocated to us (since Feb 2022), we're not running any proxy and I'm not seeing any unusual open ports or suspicious network activity. xmath (talk) 19:30, 30 June 2023 (UTC)
Update: never mind, the block isn't for our IP specifically, apparently the entire IP range has been mistakenly classified as webhosting instead of FTTH/FTTB. xmath (talk) 20:59, 30 June 2023 (UTC)
Likely IP is an open proxy. Seems likely to be a compromised server based on the shodan info. It's currently blocked for a month by Primefac, but I think we could probably make this one longer. Sideswipe9th (talk) 04:01, 15 July 2023 (UTC)
Individual IPs in these two ranges, 188.8.131.52 and 184.108.40.206, have already been blocked as proxies on the Swedish and Russian Wikipedias respectively. Both blocked IPs were used on those projects by User:Phạm Văn Rạng to evade their global lock. They look to be using a larger portion of these IP ranges for evasion on this project as well. I've already applied some range blocks to deal with the evasion, but some insight into what's going on technically would be appreciated. Courtesy pinging @Riggwelter: and @Q-bit array: who applied the blocks on the other projects, in case you want to weigh in here. Sir Sputnik (talk) 17:19, 30 July 2023 (UTC)
Automated lists and tools
User:AntiCompositeBot/ASNBlock maintained by User:AntiCompositeBot is a list of hosting provider ranges that need assessment for blocks that is updated daily. Admins are encouraged to review the list and assess for blocks as needed. All administrators are individually responsible for any blocks they make based on that list.
ISP Rangefinder is a tool that allows administrators to easily identify and hard block all ranges for an entire ISP. It should be used with extreme caution, but is useful for blocking known open proxy providers. All administrators are individually responsible for any blocks they make based on the results from this tool.
IPCheck is a tool that can help provide clues about potential open proxies.
Bullseye provides information about IPs, including clues about potential open proxies.