Wikinews:Requests for CheckUser/Archive 4

Sherif23

  1. Sherif23 (talk · contribs)
  2. 82.128.123.146 (talk · contribs)

These quack identically. Both posting the same spammy stuff-for-sale ad. I'm all for a block of a day or two on the IP as I think it's fairly clearly the user previously warned, but would appreciate confirmation. Blood Red Sandman (Talk) (Contribs) 15:56, 27 June 2011 (UTC)[reply]

Burning

  1. Zzyxzaa26 (talk · contribs)
  2. Zenuxx557 (talk · contribs)
  3. Lord of Mustard (talk · contribs)

The first looks to me like our auld friend Mr Kitties, the second was created close by with a comparable name. The third has exactly the kind of name I'd expect from xyr; would normally not req check but it was created ~1 min from the first. Request confirmation or exhoneration, and weeding out of any sleepers; also, a block on underlying IP if confirmed. It it is xyr, I expect the following to be connected (also want underlying IP and sleepers searched for on these, if they are unrelated to the above):

  1. Talking Toilet (talk · contribs)
  2. Toilets On Fire (talk · contribs)
  3. Bananas on Fire (talk · contribs)

I suspect open proxies being (ab)used; confirming and indeffing any would help. Blood Red Sandman (Talk) (Contribs) 10:04, 24 June 2011 (UTC)[reply]

  1. Melvin Landscape Service, Inc. (talk · contribs)
  2. Askmymom (talk · contribs)
  3. Peanut Butter Taco (talk · contribs)
  4. Don't say another word (talk · contribs)
  5. Zenuxx557 (talk · contribs)
  6. Lord of Mustard (talk · contribs)
  7. Bananas on Fire (talk · contribs)
  8. Toilets On Fire (talk · contribs)
  9. Talking Toilet (talk · contribs)

=   Confirmed

  1. Zzyxzaa26 (talk · contribs)

= appears to be unrelated, see also en.wikipedia contribs for that one.

-- Cirt (talk) 19:17, 24 June 2011 (UTC)[reply]

Creation within a few moments of each other, obvious quacking and waddling, but confirm needed all the same before doing whatever needs doing:

  1. Fairybarbie1993 (talk · contribs)
  2. Barbiedoll1993 (talk · contribs)

Any passing CU, thoughts are welcomed. BarkingFish (talk) 21:51, 14 June 2011 (UTC)[reply]

  Confirmed. -- Cirt (talk) 23:01, 14 June 2011 (UTC)[reply]

Quacks like Orso (talk · contribs)/Shalam Kumbar (talk · contribs). Can we confirm? --Pi zero (talk) 16:42, 7 June 2011 (UTC)[reply]

Thanks. --Pi zero (talk) 19:34, 7 June 2011 (UTC)[reply]
You are welcome! -- Cirt (talk) 14:17, 8 June 2011 (UTC)[reply]

69.178.195.143 (talk · contribs), 69.178.194.170 (talk · contribs), and appropriate range

One of these IPs performed a slew of Anti-Semitic vandalism in the early hours of today. I find it most suspicious that someone else, in the same /22, would then choose to edit the blocked IP's talk.

  • Do browser strings match? (And, thus should we be watching carefully).
  • Is there additional disruption from within the /22?
  • Would a rangeblock impact any legitimate users?

Thanks for looking into this. --Brian McNeil / talk 21:24, 4 June 2011 (UTC)[reply]

This may be another case of our cat-lover vandal. アンパロ Io ti odio! 21:26, 4 June 2011 (UTC)[reply]
  1.   Confirmed, browser strings match.
  2. No other disruption from within the range.
  3.   Confirmed, Rangeblock would not impact any legitimate users.
  4.   Done, rangeblock applied.

Cheers, -- Cirt (talk) 02:27, 5 June 2011 (UTC)[reply]

Thanks. An ounce of prevention – enough prophylactics to block any sewage outlet.  ;-) --Brian McNeil / talk 04:17, 5 June 2011 (UTC)[reply]
You are most welcome! ;) -- Cirt (talk) 07:12, 5 June 2011 (UTC)[reply]

Jeanpaul

Similar edits content (advertising). Gryllida 11:11, 2 June 2011 (UTC)[reply]

No need for a check, it is w:WP:DUCK, and I am sure an admin can make their own decision about blocking with that in mind. -- Cirt (talk) 13:43, 2 June 2011 (UTC)[reply]
Went ahead and blocked them both per w:WP:DUCK. -- Cirt (talk) 06:14, 3 June 2011 (UTC)[reply]

Thanks, Gryllida 01:56, 5 June 2011 (UTC)[reply]

You are welcome! -- Cirt (talk) 02:27, 5 June 2011 (UTC)[reply]

These appear to be the same vandal abusing multiple accounts. Seems it could be useful moving forward to have confirmation of this. --Pi zero (talk) 12:23, 28 May 2011 (UTC)[reply]

Not seeing technical connection, at least not obvious one. Can you give more behavioral evidence? -- Cirt (talk) 17:57, 28 May 2011 (UTC)[reply]
The behavioral evidence seems reasonably solid, imo. Within a few days of each other, each spammed numerous users' talk pages with a message about being with an alien faction that will enslave humankind; different alien factions, Orso's was the Ku Ku Laka while Shalam Kumbar's was The Way of Orso. It would have been cleaner to have technical evidence, though. Sigh. --Pi zero (talk) 18:42, 28 May 2011 (UTC)[reply]

  Doing... -- Cirt (talk) 20:37, 28 May 2011 (UTC)[reply]

Update:   Confirmed. Two underlying IPs blocked. -- Cirt (talk) 20:39, 28 May 2011 (UTC)[reply]
Thanks. --Pi zero (talk) 20:54, 28 May 2011 (UTC)[reply]
You are welcome! ;) -- Cirt (talk) 21:14, 28 May 2011 (UTC)[reply]

Another litter

Created in rapid succession: TurtlesBurning (talk · contribs), Headphones turtle (talk · contribs), Speed pappy anger english (talk · contribs), Poopy Butt (talk · contribs), K!tties Burning (talk · contribs), Cat Lover For Life (talk · contribs). Can we confirm that these are all socks? --Pi zero (talk) 04:20, 20 May 2011 (UTC)[reply]

Socks?

Poopy butt 5 (talk · contribs) AhdaDdA (talk · contribs) and Jfguoafsd7yasfbas4e (talk · contribs) were created in a little period of time, and I'd say they are socks, possibly of the cats fanatic guy. I blocked the first one as an unacceptable username, the other ones... I'm not so sure, and it'd been kinda controversial if I blocked them for "abusing multiple accounts" since there is no reason to say it actually apart from being created almost immediately one apart from the other. Thank you in advance アンパロ Io ti odio! 03:05, 15 May 2011 (UTC)[reply]

Series of spamming SPAs

The following have all, near-immediately after registering, posted pisspoor spammy nonsense. Could they please be checked with a view to a more prolonged IP, or range, block?


Possible connections

  1. You just got KO'd (talk · contribs)
  2. K!ttiesonf!reFOREVER! (talk · contribs)
  3. SoccerMom1987 (talk · contribs)

Possible connection indicated by recent string of vandalism. Tyrol5 (talk) 17:03, 29 June 2011 (UTC)[reply]

You forgot about meeeeee!!!!! )': MaximumK!ttiesonf!re (talk) 17:05, 29 June 2011 (UTC)[reply]
That sounded like an admission, so I went ahead and blocked MaximumK!ttiesonf!re. I'll also do K!ttiesonf!reFOREVER!, since that one's blatant. I'll leave the other two for a CU to take a look at, though. DENDODGE 17:08, 29 June 2011 (UTC)[reply]
Also went ahead and blocked MaximumK!ttiesonf!reEXTREME (talk · contribs), also blatant. Tyrol5 (talk) 17:12, 29 June 2011 (UTC)[reply]
This. --Pi zero (talk) 17:19, 29 June 2011 (UTC)[reply]
Thanks! Tyrol5 (talk) 23:34, 29 June 2011 (UTC)[reply]
You're welcome! -- Cirt (talk) 23:49, 29 June 2011 (UTC)[reply]

┌─────────┘
I just did a block on 173.23.200.0/22 as the current burning feline operating range. Can this be checked to see no collateral damage? --Brian McNeil / talk 17:06, 30 June 2011 (UTC)[reply]

Please confirm these suckers:

  1. K.ttiesonf.re666 (talk · contribs)
  2. Slurp My Snot (talk · contribs)
  3. Saliva Drinker (talk · contribs)
  4. Osama Bin Laden is AWESOME!! (talk · contribs)
  5. Jacob360 (talk · contribs)
  6. Uponaside (talk · contribs)

Pretty sure they're all our burning feline friend. --Brian McNeil / talk 22:38, 2 July 2011 (UTC)[reply]

The usual, please. A possibly unrealted pair: Agesmatter1 (talk · contribs) and Ticktock747 (talk · contribs) are clearly the same user, but there seems to be a knowledge of process here: Who owns these socks? Blood Red Sandman (Talk) (Contribs) 22:43, 2 July 2011 (UTC)[reply]

  1. Uponaside (talk · contribs)
  2. Jacob360 (talk · contribs)
  3. K.ttiesonf.re666 (talk · contribs)
  4. Slurp My Snot (talk · contribs)
  5. Saliva Drinker (talk · contribs)
  6. Osama Bin Laden is AWESOME!! (talk · contribs)
  7. Don't say another word (talk · contribs)
  8. Askmymom (talk · contribs)
  9. Peanut Butter Taco (talk · contribs)
  10. Melvin Landscape Service, Inc. (talk · contribs)
  11. MaximumK!ttiesonf!reEXTREME (talk · contribs)
  12. MaximumK!ttiesonf!re (talk · contribs)
  13. K!ttiesonf!reFOREVER! (talk · contribs)
  14. You just got KO'd (talk · contribs)
  15. SoccerMom1987 (talk · contribs)
  16. Magnifying Glass (talk · contribs)
  17. The Cat Igniting Witch of the North (talk · contribs)
  18. SoccerMom1989 (talk · contribs)

Note: This user is known on other wikis as: Dantherocker1. -- Cirt (talk) 16:24, 4 July 2011 (UTC)[reply]

Robajz / Leo El Marinero

I ask for a checkusering on Robajz (talk · contribs), since it appears to be a sockpuppet of Stapler08 (talk · contribs).

Aside, can you please also check the recent sockpuppets of Kitiesonfire and apply a IP block please? Thank you! I blocked all the sockpuppets on sight. --アンパロ Io ti odio! 20:44, 22 July 2011 (UTC)[reply]

unrelated fr33kman t 18:49, 3 August 2011 (UTC)

Herd of cats

Please confirm these, all created in the space of about two minutes:

  1. Turds On Fire!! (talk · contribs)
  2. PoopInTheToilet88 (talk · contribs)
  3. Terrorist99 (talk · contribs)
  4. GayGuy77 (talk · contribs)
  5. Jacob3601 (talk · contribs)
  6. ILikeMen777 (talk · contribs)

There is an additional account that could be unrelated, so I haven't (as of this writing) blocked it; it was created six minutes later and is only indirectly implicated: this batch of socks mostly vandalized each others' talk pages, but they also vandalized this one other user's. Elf Gallowglass (talk · contribs). Misdirection is possible, hence my non-block. --Pi zero (talk) 16:29, 26 July 2011 (UTC)[reply]

^^Additional to the above, please also include:

  1. IEnjoyMen101 (talk · contribs)

Thank you, BarkingFish (talk) 10:18, 28 July 2011 (UTC)[reply]

^^In addition to the additional addition above, please add these :P

I'm 99.99% sure these are Kittiesonfire5 - all currently indeffed with no talk page access due to previous misuse of the unblock request facility.

  1. PeePeeVajina99 (talk · contribs)
  2. Larry the Dolphin IN SPACE! (talk · contribs)
  3. I'mQueer990 (talk · contribs)
  4. Acne-Ridden Teen (talk · contribs)
  5. C0ckInMyMouth101 (talk · contribs)
  6. ILikePenus101 (talk · contribs)


BarkingFish (talk) 16:01, 2 August 2011 (UTC)[reply]

  •   Question Is it possible to actually apply a decent rangeblock and stop this "special needs" contributor? If not, are these proxies to be permanently blocked? This is becoming tiresome. --Brian McNeil / talk 18:01, 2 August 2011 (UTC)[reply]
I've emailed Cirt as we've a growing backlog of RfCUs. If no response within 24 hrs, I'll chase up a steward to handle all pending requests.
It is particularly irksome that I used to have this right, never actually abused it, but confrontationally raised its use with some idiot and was put in a position of resigning it. We need this work carried out promptly, somewhat proactively, and very, very thoroughly. --Brian McNeil / talk 18:06, 2 August 2011 (UTC)[reply]
I'm in the process of working on the AbuseFilter at the moment Brian, I've added some useful ones from enwp, who've kindly given me permission to access their private filters for import, and I'm also working on putting a very stringent filter in place to hit this guy right where it hurts. I will let you know when the filter is in place and active :) The only other CU's I know of are Craig Spurrier and Skenmy - who I done thunk is inactive :P BarkingFish (talk) 18:38, 2 August 2011 (UTC)[reply]
  Confirmed all of them. I have range blocked the appropriate range. That should keep down the problems for a while. fr33kman t 18:45, 3 August 2011 (UTC)
More suspected socks
I Need a Urine Sample‎ (talk · contribs)
Oops I Crapped My Pants‎ (talk · contribs)

Mikemoral♪♫ 04:23, 8 August 2011 (UTC)[reply]

RacistGuy101‎ (talk · contribs)
ILoveMen123‎ (talk · contribs)
MenAreHotAndSpicy6675‎ (talk · contribs)
Ejaculation1234‎ (talk · contribs)
ILikeMen123‎ (talk · contribs)
RegularShow765 (talk · contribs)

Also highly suspicious based on moment of account creation:

Graham (talk · contribs) (no SUL, though same name as some accounts elsewhere)

--Pi zero (talk) 17:18, 8 August 2011 (UTC)[reply]

And more
I Enjoy Flinging Poop at people (talk · contribs)
MyButtSmellsAwful (talk · contribs)
ButtCrack101 (talk · contribs)
SmellyButt123 (talk · contribs)
Jimmy765 (talk · contribs)
Gerald101 (talk · contribs)
ItCameFromMyAss (talk · contribs)
IEnjoyUrination (talk · contribs)

Mikemoral♪♫ 00:52, 10 August 2011 (UTC)[reply]

Quacking like a cat

Can we confirm these are our cat-hater? (Created in a batch)

  1. FecalMatter101 (talk · contribs)
  2. Pooman365 (talk · contribs)
  3. IHaveALargeDick (talk · contribs)
  4. IEnjoyWeiners (talk · contribs)
  5. IEnjoyMasturbating (talk · contribs)

--Pi zero (talk) 18:24, 25 August 2011 (UTC)[reply]

  Confirmed. -- Cirt (talk) 20:42, 25 August 2011 (UTC)[reply]
Thanks! --Pi zero (talk) 21:42, 25 August 2011 (UTC)[reply]

These too please, Cirt :)

  1. IEnjoyMaleBodyParts (talk · contribs)
  2. ILikeGorillaPubes (talk · contribs)
  3. EnterimageANUS (talk · contribs)

BarkingFish (talk) 20:39, 26 August 2011 (UTC)[reply]

78.149.114.62

78.149.114.62 (talk · contribs) Made a clear attempt to sneak copyrighted material through the review process, but failed. (This was not a misunderstanding of the rules/law but a deliberate act, in this case, unlike most copyvios.) With no other contribs till today, I'm suspicious; this is someone who already knows a thing or two about the project. Can we see if we can link this to any troll accounts, or at least confirm open proxy use? Blood Red Sandman (Talk) (Contribs) 20:09, 13 September 2011 (UTC)[reply]

Nothing came up. Only edits to 2 different articles, Bomb blast in Delhi kills 12, injures 62 and British "Father of Pop Art" Richard Hamilton dies aged 89. -- Cirt (talk) 04:35, 25 October 2011 (UTC)[reply]

Old cats

Two old kitties accounts have been vandalizing their user talk pages. These are part of a set blocked on May 20. I've revoked remaining privs for the whole set, but note that apparently IP measures taken did not suffice. Can we do better?

The two:

  1. Headphones turtle (talk · contribs)
  2. Speed pappy anger english (talk · contribs)

Others in the set:

  1. Cat Lover For Life (talk · contribs)
  2. TurtlesBurning (talk · contribs)
  3. Poopy Butt (talk · contribs)
  4. K!tties Burning (talk · contribs)

--Pi zero (talk) 01:55, 15 October 2011 (UTC)[reply]

  Confirmed, added an IP block. -- Cirt (talk) 04:38, 25 October 2011 (UTC)[reply]

Onewhohelps

Onewhohelps (talk · contribs) and his mobile account OWHMobile (talk · contribs) are likely socks of a known crosswiki troll. This user follows similar patterns off-wiki - mainly IRC spam and harassment. This user has been determined elsewhere to be w:User:Surasaman aka w:User:Thepoliticalmaster. Similar block exists on Outreachwiki. I've been informed of similar disruption to members of at least one non-WMF wiki. This user uses a variety of IP addresses, based on IRC evidence, and so cross-project CU collaboration may be in order. Blood Red Sandman (Talk) (Contribs) 16:24, 17 November 2011 (UTC)[reply]

  1. Onewhohelps (talk · contribs)
  2. OWHMobile (talk · contribs)
  3. Indomenulis (talk · contribs)
  4. MartinTiny (talk · contribs)
  5. Lorenzo 93 (talk · contribs)
  6. Shekharnwagh (talk · contribs)
  7. Onomeasikele fane (talk · contribs)
  8. Irecave (talk · contribs)
  9. Hrd777 (talk · contribs)
  10. MrZoolook (talk · contribs)
  11. Tertseror (talk · contribs)

The above are   Confirmed. Beginning coordination process with crosswiki CUs. Thank you for alerting us to this. ;) -- Cirt (talk) 17:48, 17 November 2011 (UTC)[reply]

Triplet spammers

The following accounts all showed up at the same time, posting faux-news "articles" (with no Wikinews formatting and no sources) ending with an unrelated paragraph containing spam links. (Actually, I think at least two of the three had the same spam links.) --Pi zero (talk) 09:40, 1 January 2012 (UTC)[reply]

  1. Cathleenjones (talk · contribs)
  2. Mileyjimm (talk · contribs)
  3. Pam9 (talk · contribs)
  4. Vickyrobertson (talk · contribs)

All above including added 4th one, are   Confirmed. Blocked underlying IP for one week. -- Cirt (talk) 01:52, 2 January 2012 (UTC)[reply]

  1. Jessicamiles (talk · contribs)
  2. Cathleenjones (talk · contribs)
  3. Mileyjimm (talk · contribs)
  4. Pam9 (talk · contribs)
  5. Vickyrobertson (talk · contribs)

All   Confirmed. -- Cirt (talk) 02:27, 5 March 2012 (UTC)[reply]

Kittiesonfire is Dantherocker1

Just an FYI heads up, the "Kittiesonfire" socks =   Confirmed as Dantherocker1 from en.wikipedia. All related socks can be blocked on sight. Thank you for your time, -- Cirt (talk) 04:24, 7 January 2012 (UTC)[reply]

Feline rocker

Blocked two more:

  1. 67.236.225.122 (talk · contribs) — replaced AAA with something about kitties; I blocked it for a week, fwiw.
  2. Therockerkitten (talk · contribs) — indefblocked on sight.

--Pi zero (talk) 15:46, 8 January 2012 (UTC)[reply]

Another set:

  1. ChokingOnMyBalls (talk · contribs)
  2. SweatyKittyNuts (talk · contribs)
  3. K!tt!3s0nf!r3_is_back! (talk · contribs)
  4. WipingMyAss (talk · contribs)
  5. MajorPoopFetish (talk · contribs)
  6. FelineNutsack (talk · contribs)
  7. Human nutsack2 (talk · contribs) --Pi zero (talk) 22:55, 9 January 2012 (UTC)[reply]

--Pi zero (talk) 14:08, 9 January 2012 (UTC)[reply]

  1. CatsBurningLikeFire (talk · contribs) --Pi zero (talk) 21:07, 10 January 2012 (UTC)[reply]
  Confirmed, again. -- Cirt (talk) 21:26, 10 January 2012 (UTC)[reply]
  1. CatBurningInFlames (talk · contribs) --Pi zero (talk) 00:35, 11 January 2012 (UTC)[reply]
  Confirmed. -- Cirt (talk) 05:56, 11 January 2012 (UTC)[reply]

Can we make a technical connection with this one? --Pi zero (talk) 06:45, 27 March 2012 (UTC)[reply]

  1. Flamecat (talk contribs deleted contribs logs block user block log checkuser)
  Confirmed, blocked the underlying IP, it was a hacked mail server proxy. -- Cirt (talk) 17:05, 27 March 2012 (UTC)[reply]

Another set, created in under three minutes. --Pi zero (talk) 01:49, 29 March 2012 (UTC)[reply]

  1. IAdoreCrustyAssCheeks (talk contribs deleted contribs logs block user block log checkuser)
  2. ILoveDingleBerries (talk contribs deleted contribs logs block user block log checkuser)
  3. PoopyFace123 (talk contribs deleted contribs logs block user block log checkuser)
  4. ViewMyAnus (talk contribs deleted contribs logs block user block log checkuser)
  5. FirmlyGraspMyTurd (talk contribs deleted contribs logs block user block log checkuser)
  6. IEnjoyMicrowavingTurds (talk contribs deleted contribs logs block user block log checkuser)
  Confirmed, blocked underlying IP, will confer with other CUs on this. -- Cirt (talk) 06:50, 29 March 2012 (UTC)[reply]

Latest. --Pi zero (talk) 20:10, 8 April 2012 (UTC)[reply]

  1. FingerMyPoopyButthole (talk contribs deleted contribs logs block user block log checkuser)
  2. BiteMyCrustyAssCheeks (talk contribs deleted contribs logs block user block log checkuser)
  3. OrderStandInMyPoop (talk contribs deleted contribs logs block user block log checkuser)
  4. MyFlamingTurd (talk contribs deleted contribs logs block user block log checkuser)
  5. SteamingTurdSandwich (talk contribs deleted contribs logs block user block log checkuser)
  6. DisectMyTurdForFree (talk contribs deleted contribs logs block user block log checkuser)
  7. 173.23.204.7 (talk contribs deleted contribs logs block user block log checkuser) — left an effectively signed note on User talk:Cirt
Yes,   Confirmed, -- Cirt (talk) 06:59, 9 April 2012 (UTC)[reply]

Multi-account spammer

I've blocked the following users, all of whom posted substantially the same advertising/spam to (usually their own) user pages. (Fegistered blocks indefinite; IP, a mere three days.)

  1. Asd311045 (talk · contribs)
  2. Asd557735 (talk · contribs)
  3. Asd936312 (talk · contribs)
  4. 46.115.36.34 (talk · contribs)

--Pi zero (talk) 23:31, 12 January 2012 (UTC)[reply]

  Confirmed, blocked another IP. -- Cirt (talk) 00:16, 13 January 2012 (UTC)[reply]

Marciano

A user has just been threatening various users with wiki-watch.com, using the same modus operandi as the IP that was recently doing that cross-wiki over, supposedly, the Rocky Marciano article. The IP is globally blocked for six months for cross-wiki abuse. I'm wondering if any technical connection can be made between these. Also possibly related —I offer it for consideration if deemed appropriate— is the user who originally created the Marciano pages cross-wiki; xe hasn't gotten xyrself blocked anywhere but Wikispecies that I can see (there, indef without ability to edit own talk page, as a vandalism-only account), though I do note a somewhat suggestive similar predilection for edit summaries in ALL CAPS.

  1. Wikiwatchcom (talk · contribs)
  2. 64.107.88.66 (talk · contribs)
  3. BakerMarciano (talk · contribs)

--Pi zero (talk) 17:44, 14 January 2012 (UTC)[reply]

  Comment - No technical correlation between the above three yet. The last account has another account tied to its IP (not the one in the above list, another unrelated one), but I don't see any abusive editing with that account yet. Please do keep an eye on it, and feel free to post a re-check if there is further behavioral evidence on this wiki or from others. Thank you, -- Cirt (talk) 04:48, 15 January 2012 (UTC)[reply]

This IP seems to be claiming to be the same idiot (judging by the content of the vandalism). --Pi zero (talk) 01:22, 28 January 2012 (UTC)[reply]

  1. 131.239.63.6 (talk · contribs)

SPA,… Spammer(s)

Three accounts, created in succession, and used to create SEO support-type for spammed links.

  1. Hannahmiller (talk contribs deleted contribs logs block user block log checkuser)
  2. Cleofellemorgan (talk contribs deleted contribs logs block user block log checkuser)
  3. Angelamoore (talk contribs deleted contribs logs block user block log checkuser)

I'm keen to know if there is a shared underlying IP, if it has a history of this activity (I've seen this sort of SEO spam in the past few weeks - also a small volume). Lastly, this is a new spamming method for here, so a yes/no on "have other projects seen similar?" is something I'm curious on. Since WMF username captchas are pretty simple, it would concern me that a scripted spam run could hit us 3 times in an hour, and just be the tip of a wiki-spamming iceberg. --Brian McNeil / talk 09:21, 25 January 2012 (UTC)[reply]

Block-evading spammer

Identical mo, even same company site linked to; I indefblocked the first yesterday, then the second when it cropped up today. I see one of them has non-zero edits on another sister (en.wp), and has been indefblocked there. --Pi zero (talk) 15:21, 26 January 2012 (UTC)[reply]

  1. Pubsonline (talk contribs deleted contribs logs block user block log checkuser)
  2. Pub online (talk contribs deleted contribs logs block user block log checkuser)

Spammers with same MO

Two accounts, created maybe five hours apart, each account immediately creating a user page containing only a spam link. That's a distinctive MO, twice in a quarter day. The two spam links are thematically similar, too. So I'd like to know if these two accounts have any technical connection. --Pi zero (talk) 15:36, 1 February 2012 (UTC)[reply]

  1. Koiljh (talk contribs deleted contribs logs block user block log checkuser)
  2. Orange55 (talk contribs deleted contribs logs block user block log checkuser)
  Confirmed. -- Cirt (talk) 15:38, 1 February 2012 (UTC)[reply]

Katherine

  1. Katherine8282 (talk contribs deleted contribs logs block user block log checkuser)
  2. Katherine808082 (talk contribs deleted contribs logs block user block log checkuser)

Similar usernames, similar pattern of 13-year-old-girl-style edits. Are there any more of these lurking? Blood Red Sandman (Talk) (Contribs) 18:38, 2 February 2012 (UTC)[reply]

Nauseous green

I've noted three users (two registered and an IP) recently that put me in mind of recently banned Viriditas, and would like to know whether technical connections can be made.

The IP and user Free Web Defence have in the past few days been resubmitting Viriditas's Black History Month article for review without improvement. Free Web Defense has no other edits here; elsewhere are two edits on en.wp, only one of which is publicly visible (spurious result from tool? edit to deleted page?), from late January — predating Viriditas's disruption here. In the case of Viriditas, I'm not prepared to dismiss suspicion of the account on that basis. The other registered user, Fkjsdnkjfndsjfsd, submitted a minimal article with ten sources, and did nothing when asked to repair misformatted source templates and questioned on the need for so many sources; the account was created yesterday and made some contributions to two Wikipedias — Filipino and Latin (appears to be an experienced user adopting a random-keystrokes username; keeping in mind, Viriditas claims to be based in Hawaii and, well, chose the username Viriditas). --Pi zero (talk) 17:35, 8 February 2012 (UTC)[reply]

  1. 193.62.43.202 (talk contribs deleted contribs logs block user block log checkuser)
  2. Free Web Defence (talk contribs deleted contribs logs block user block log checkuser)
  3. Fkjsdnkjfndsjfsd (talk contribs deleted contribs logs block user block log checkuser)
  4. Viriditas (talk contribs deleted contribs logs block user block log checkuser)
  Doing.... -- Cirt (talk) 18:03, 8 February 2012 (UTC)[reply]
Going to confer with other fellow Checkusers on this one. -- Cirt (talk) 18:30, 8 February 2012 (UTC)[reply]
  • The IP has now got the idea that rather than simply requesting review, xe'd replace the {{review}} template with {{publish}}. Xe did that to two aritcles this morning (Black History Month and another). I've given xem a three day block, but this behavior is so very like Viriditas that if it's a meatpuppet rather than a sockpuppet, it looks to be a meatpuppet with remarkably short strings. --Pi zero (talk) 13:06, 9 February 2012 (UTC)[reply]
  1. 193.62.43.202 (talk contribs deleted contribs logs block user block log checkuser)
  2. Free Web Defence (talk contribs deleted contribs logs block user block log checkuser)

These first 2 are the same, blocked as   Confirmed. The others are less conclusive. Feel free to block on behavioral evidence as an admin judgment decision, as they appear to be using mobile phones to edit which obscures changing IPs somewhat. -- Cirt (talk) 16:17, 9 February 2012 (UTC)[reply]

  1. Fkjsdnkjfndsjfsd (talk contribs deleted contribs logs block user block log checkuser)
  2. 117.193.166.194 (talk contribs deleted contribs logs block user block log checkuser)
  3. 77.28.104.213 (talk contribs deleted contribs logs block user block log checkuser)

These all share very similar useragent info. I'd suspect 117.193.166.194 (talk contribs deleted contribs logs block user block log checkuser) is another proxy, but I'd like to hear thoughts of Cspurrier (talk · contribs) on this. -- Cirt (talk) 17:38, 22 February 2012 (UTC)[reply]

Update: Yes, 117.193.166.194 does indeed appear to be a hacked mail server proxy. I'd still of course appreciate comments from any other CUs or experienced users with regard to proxies. -- Cirt (talk) 17:39, 22 February 2012 (UTC)[reply]
Again, same user agent info. Quite likely another proxy. -- Cirt (talk) 22:49, 22 February 2012 (UTC)[reply]

Labor reporter

Labor reporter (talk · contribs) resubmitted an article without addressing the concerns. The next diff shows the user being warned this was disruptive, and the diff after that shows an IP doing the same thing. Is the IP in fact the same user, logging out to be disruptive? Is the IP from the set of disruptive IPs above? Or are they all totally unrelated and coincidental? Blood Red Sandman (Talk) (Contribs) 14:58, 2 April 2012 (UTC)[reply]

  1. Labor reporter (talk contribs deleted contribs logs block user block log checkuser)
  2. Newport Backbay (talk contribs deleted contribs logs block user block log checkuser)
These two are   Confirmed as the same, see also this diff. The associated IP is technically unrelated, (though I'm going to do further investigation), but it is an IP of an android cellphone, apparently. Feel free to block it on admin judgment based on the strong behavioral evidence. If there is admin action taken, blocks, etc, please note it here, below, and then please also note it at WN:AAA. Thank you! Cheers, -- Cirt (talk) 05:04, 3 April 2012 (UTC)[reply]
For some reason, I get a 404 on the diff so here is a direct link. I'm going to block Newport Backpay indef and the IP a week as this is now a user who is otherwise disruptive, so mmultiple accounts are not acceptable. Blood Red Sandman (Talk) (Contribs) 14:47, 4 April 2012 (UTC)[reply]

Two spamming IPs

I don't have a clue what to make of this, but figured I'd turn it over to someone who could possibly have a clue.

The first of these IPs just created page Category talk:Baseball, containing a blurb about sunglasses and eyeglasses. Seems familiar, but I don't know from where. The IP has no other edits on Wikinews. I checked for same IP contributions on sister projects, and found one on en.wp, from yesterday. That is a blurb about cellphone jammers. Which also seemed familiar. Coming back to Wikinews, I looked again at the deleted Category talk:Baseball, and discovered two deleted revisions; the earlier, from four days ago, was a blurb about cellphone jammers. Er... --Pi zero (talk) 01:55, 8 April 2012 (UTC)[reply]

  Confirmed, to each other, but not much else at the moment. -- Cirt (talk) 05:38, 8 April 2012 (UTC)[reply]

Jshellmann and other accounts

Bringing this to local community attention:

  1. Jshellmann (talk contribs deleted contribs logs block user block log checkuser)
  2. Mastershake177 (talk contribs deleted contribs logs block user block log checkuser)
  3. Sshall4 (talk contribs deleted contribs logs block user block log checkuser)
  4. Srbealor (talk contribs deleted contribs logs block user block log checkuser)
  5. Inpayne (talk contribs deleted contribs logs block user block log checkuser)
  6. Jdbethel (talk contribs deleted contribs logs block user block log checkuser)
  7. Crtew (talk contribs deleted contribs logs block user block log checkuser)
  8. Kelsey lyn (talk contribs deleted contribs logs block user block log checkuser)
  9. KMCrane (talk contribs deleted contribs logs block user block log checkuser)
  10. Abram samuelson (talk contribs deleted contribs logs block user block log checkuser)
  11. KeneeMichelle22 (talk contribs deleted contribs logs block user block log checkuser)
  12. Slynnr.2013 (talk contribs deleted contribs logs block user block log checkuser)
  13. Delexmer (talk contribs deleted contribs logs block user block log checkuser)
  14. Patmhickey (talk contribs deleted contribs logs block user block log checkuser)
  15. Mr awmorris (talk contribs deleted contribs logs block user block log checkuser)
  16. Jzevans (talk contribs deleted contribs logs block user block log checkuser)
  17. Sixtine.dollars (talk contribs deleted contribs logs block user block log checkuser)
  • I initially checked into this due to behavior that seemed similar to Wikinews:Requests_for_CheckUser#Nauseous_green on an article written by one of these accounts.
  • They are all   Confirmed on a purely technical basis, without respect to behavioral evidence.
  • The majority of them in multiple cases use very similar, and sometimes identical, useragent info as well.

I'd like thoughts from local admins and the community about what to do about this. I'll defer to other admins as far as admin action, blocking, etc, just bringing here for review. Cheers, -- Cirt (talk) 02:44, 12 April 2012 (UTC)[reply]

  • Did we do anything wrong? I can vouch for every person listed above. In fact, if you want to know more about us, go to my user page under contributions. All of my students are listed there. We're all very transparent. Brian and Pi also know about the university - Wikinews connection.Crtew (talk) 03:11, 12 April 2012 (UTC)[reply]
    • Comment: There appears to be a repeated pattern of cases of edits moving from "develop" back to "review" tag, for an article that has at least one failed review, without really doing enough to address the reviews. This is a disturbing pattern of behavior. -- Cirt (talk) 03:13, 12 April 2012 (UTC)[reply]

I agree. My students are too quick to hit the submit button. I have made the decision several to pull things out of submit so as not to waste the editors' time. We talked about that tonight as we worked on the Zimmerman article.Crtew (talk) 03:21, 12 April 2012 (UTC)[reply]

It's a big problem, and something Wikinews has dealt with in the past at Wikinews:Requests_for_CheckUser#Nauseous_green, above. Regarding single edits that move a page from "develop" back to "review" with nothing really being done to address the failed review. -- Cirt (talk) 03:23, 12 April 2012 (UTC)[reply]

  • Update: Do not block, please. It's a legitimate class group per this comment by Crtew. We'll monitor and hopefully there will be a decrease in students that have a repeated pattern of cases of edits moving from "develop" back to "review" tag, for an article that has at least one failed review, without really doing enough to address the reviews. Cheers, -- Cirt (talk) 15:40, 12 April 2012 (UTC)[reply]

Stupid question

Pardon my cluelessness, but, what is this I'm looking at? --Pi zero (talk) 17:18, 20 April 2012 (UTC)[reply]

'scuse me, a "dell moment"? Have you been inflicted with substandard hardware accompanied by god-awful advertising? :P --Brian McNeil / talk 12:58, 22 April 2012 (UTC)[reply]

Another apparently in this set. --Pi zero (talk) 01:03, 20 May 2012 (UTC)[reply]

  1. 123.65.221.48 (talk contribs deleted contribs logs block user block log checkuser)
  Confirmed. -- Cirt (talk) 02:59, 20 May 2012 (UTC)[reply]

These next two are probably separate from the above, but I'm putting them in this section because, like the above, they're putting their spam in an otherwise-non-existent talk page for an out-of-the way page (this time it's User talk:Microchip08/Database dump/entry). The content of the spam, however, is different than the above. --Pi zero (talk) 04:13, 24 May 2012 (UTC)[reply]

  1. 110.86.166.114 (talk contribs deleted contribs logs block user block log checkuser)
  2. 27.159.230.177 (talk contribs deleted contribs logs block user block log checkuser)

  Confirmed. -- Cirt (talk) 04:58, 24 May 2012 (UTC)[reply]

Fashionable spammers

These two characters are linked by topic, both creating pages about a particular alleged Mauritian male teenage fashion model. --Pi zero (talk) 12:50, 4 May 2012 (UTC)[reply]

Added a third. --Pi zero (talk) 19:50, 4 May 2012 (UTC)[reply]

  1. Genksh emowart (talk contribs deleted contribs logs block user block log checkuser)
  2. Kunal khemu (talk contribs deleted contribs logs block user block log checkuser)
  3. Mahen soukhee (talk contribs deleted contribs logs block user block log checkuser)
  Confirmed, no other related accounts at the moment. -- Cirt (talk) 01:52, 5 May 2012 (UTC)[reply]

Sridhar1000 and other Sridhar sock accounts

  1. Komari rajesh (talk contribs deleted contribs logs block user block log checkuser)
  2. Rafi0726 (talk contribs deleted contribs logs block user block log checkuser)
  3. Sridhar Babu Peram (talk contribs deleted contribs logs block user block log checkuser)
  4. Sridhar00 (talk contribs deleted contribs logs block user block log checkuser)
  5. Sridhar10 (talk contribs deleted contribs logs block user block log checkuser)
  6. Sridhar100 (talk contribs deleted contribs logs block user block log checkuser)
  7. Sridhar10000 (talk contribs deleted contribs logs block user block log checkuser)
  8. Sridhar100000 (talk contribs deleted contribs logs block user block log checkuser)
  9. Sridharbabu100 (talk contribs deleted contribs logs block user block log checkuser)
  10. Sridharbabu1000 (talk contribs deleted contribs logs block user block log checkuser)
  11. Sridharbabu1983 (talk contribs deleted contribs logs block user block log checkuser)
  12. Sridharbabu58 (talk contribs deleted contribs logs block user block log checkuser)

  Confirmed as socks of Sridhar1000 (talk · contribs · deleted contribs · logs · edit filter log · block user · block log).

More info at commons:Commons:Requests for checkuser/Case/Sridhar1000.

Appears to be long term sock master, cross wiki, for a significant period of time and amount of disruption.

All accounts should be blocked and tagged.

Cheers, -- Cirt (talk) 14:12, 6 May 2012 (UTC)[reply]

Peculiar spam

These exhibit a common behavior, which I've seen once before (but don't have the earlier account name handy). User page created with multiple sections, each what brianmc has aptly termed "drivel", with odd double-commas here and there. Googling fragments of these texts turns up copies on various discussion fora around the internet, except that where the copy here has a double-comma, a copy elsewhere will have the name of some random product, with a link. After investigating several of these via Google I no longer bother once I see the drivel with the double-commas. The copies here are technically neither advertising nor linking to external sites, but they taste like spiced ham so I'm treating them as such. --Pi zero (talk) 13:07, 23 May 2012 (UTC)[reply]

  1. Gtyt1iektmn (talk contribs deleted contribs logs block user block log checkuser)
  2. O1qw15im5 (talk contribs deleted contribs logs block user block log checkuser)
  3. Xiq6s3wen (talk contribs deleted contribs logs block user block log checkuser)
  4. Okjhgfbv (talk contribs deleted contribs logs block user block log checkuser)

  Likely. Different technical data for a few, but exact same useragent info. Also, Eooavcea (talk · contribs) is   Confirmed to Okjhgfbv (talk · contribs). -- Cirt (talk) 17:05, 23 May 2012 (UTC)[reply]

UPDATE:

  1. Eooavcea (talk contribs deleted contribs logs block user block log checkuser)
  2. Okjhgfbv (talk contribs deleted contribs logs block user block log checkuser)
  3. Be95sdglqgm (talk contribs deleted contribs logs block user block log checkuser)
  4. Xiq6s3wen (talk contribs deleted contribs logs block user block log checkuser)
  5. Rebecca7u (talk contribs deleted contribs logs block user block log checkuser)
  6. Baohongv1 (talk contribs deleted contribs logs block user block log checkuser)
  7. 8岁的男孩 (talk contribs deleted contribs logs block user block log checkuser)
  8. Newvip (talk contribs deleted contribs logs block user block log checkuser)
  9. Okgoodbuy (talk contribs deleted contribs logs block user block log checkuser)

These are all   Confirmed. -- Cirt (talk) 17:12, 23 May 2012 (UTC)[reply]

Looks like another. --Pi zero (talk) 02:04, 25 May 2012 (UTC)[reply]

  1. Play7c5i6 (talk contribs deleted contribs logs block user block log checkuser)
  Confirmed. -- Cirt (talk) 04:20, 25 May 2012 (UTC)[reply]

And another. --Pi zero (talk) 12:39, 7 June 2012 (UTC)[reply]

  1. 4s1y7n0fg (talk contribs deleted contribs logs block user block log checkuser)
  Confirmed. -- Cirt (talk) 16:25, 7 June 2012 (UTC)[reply]

Username vandal

Take a look at the block log; a string of usernames obviously created by a single vandal. Can we fish out the underlying IP and get it hit for, oh, a month or two? (Or indef, if it's a proxy.) Blood Red Sandman (Talk) (Contribs) 20:27, 24 May 2012 (UTC)[reply]

  Done. That's gotta be Dantherocker1 (talk · contribs). -- Cirt (talk) 21:11, 24 May 2012 (UTC)[reply]

Redundant spammers

These two spammed adevertising the same site, one as a mainspace article and the other as its talk page.

  1. Mrdang84vn (talk contribs deleted contribs logs block user block log checkuser)
  2. Emillia1991 (talk contribs deleted contribs logs block user block log checkuser)

--Pi zero (talk) 02:13, 31 May 2012 (UTC)[reply]

  1. Mrdang84vn (talk contribs deleted contribs logs block user block log checkuser)
  2. Emillia1991 (talk contribs deleted contribs logs block user block log checkuser)
  3. Luckystar (talk contribs deleted contribs logs block user block log checkuser)
  4. Suranguyen (talk contribs deleted contribs logs block user block log checkuser)

These four are   Confirmed. -- Cirt (talk) 15:47, 1 June 2012 (UTC)[reply]

Oddly correlated IPs

I'm wondering if there's a technical connection between these two IPs, as there's a peculiar behavioral connection. Both of these put speedy-deletion-worthy content on the same two Comments talk: pages. What's peculiar about this is, the later one put patent nonsense on those two pages (and on one other page), whereas the first one put louis vuitton spam there (and on two other pages). We've had a lot of louis vuitton lately, which unfortunately I haven't been keeping track of (it's hard to trace this stuff after it's been deleted), so I hoped something correlated with it might be useful. --Pi zero (talk) 13:30, 7 June 2012 (UTC)[reply]

  1. 91.121.119.42 (talk contribs deleted contribs logs block user block log checkuser) (‎louis vuitton)
  2. 188.165.254.106 (talk contribs deleted contribs logs block user block log checkuser) (patent nonsense)
  •   Comment Well, the rDNS for these are cust804.host-stage-dns.com and cust802.host-stage-dns.com respectively. I'm assuming both are insecure/hacked IIS7 servers and will be applying a three-month block. As it stands, these look to be web hosting which we should not have any requirement to be 'lenient' with. --Brian McNeil / talk 14:22, 7 June 2012 (UTC)[reply]
Possibly related, but they appear to be using different (though similar) user agents. -- Cirt (talk) 16:27, 7 June 2012 (UTC)[reply]
The following might be worth passing on to the CU mailing list because there's something "odd" with these couple of well-separated IPs having similar rDNS. From the entire 100-999 range, the following popped up; I half-expected cust808.host-stage-dns.com to start resolving as another host compromised by whatever on earth this is. Note that for some of the low-numbered ones the rDNS of the IP doesn't march the forward.
cust100.host-stage-dns.com :—176.31.240.204 (talk contribs deleted contribs logs block user block log checkuser)
cust101.host-stage-dns.com :—91.121.80.211 (talk contribs deleted contribs logs block user block log checkuser)
cust102.host-stage-dns.com :—176.31.123.62 (talk contribs deleted contribs logs block user block log checkuser)
cust103.host-stage-dns.com :—188.165.193.33 (talk contribs deleted contribs logs block user block log checkuser)
cust105.host-stage-dns.com :—94.23.32.61 (talk contribs deleted contribs logs block user block log checkuser)
cust107.host-stage-dns.com :—94.23.41.86 (talk contribs deleted contribs logs block user block log checkuser)
cust108.host-stage-dns.com :—176.31.125.52 (talk contribs deleted contribs logs block user block log checkuser)
cust109.host-stage-dns.com :—37.59.233.95 (talk contribs deleted contribs logs block user block log checkuser)
cust110.host-stage-dns.com :—91.121.74.181 (talk contribs deleted contribs logs block user block log checkuser)
cust111.host-stage-dns.com :—91.121.137.103 (talk contribs deleted contribs logs block user block log checkuser)
cust143.host-stage-dns.com :—176.31.236.150 (talk contribs deleted contribs logs block user block log checkuser)
cust528.host-stage-dns.com :—91.121.1.85 (talk contribs deleted contribs logs block user block log checkuser)
cust595.host-stage-dns.com :—91.121.121.44 (talk contribs deleted contribs logs block user block log checkuser)
cust800.host-stage-dns.com :—91.121.10.19 (talk contribs deleted contribs logs block user block log checkuser)
cust801.host-stage-dns.com :—178.33.226.67 (talk contribs deleted contribs logs block user block log checkuser)
cust802.host-stage-dns.com :—188.165.254.106 (talk contribs deleted contribs logs block user block log checkuser)
cust803.host-stage-dns.com :—188.165.243.21 (talk contribs deleted contribs logs block user block log checkuser)
cust804.host-stage-dns.com :—188.165.221.125 (talk contribs deleted contribs logs block user block log checkuser)
cust805.host-stage-dns.com :—37.59.46.96 (talk contribs deleted contribs logs block user block log checkuser)
cust807.host-stage-dns.com :—178.33.238.27 (talk contribs deleted contribs logs block user block log checkuser)
May be nothing, but was unusual enough to cobble together a couple of scripts to look at it. --Brian McNeil / talk 16:17, 7 June 2012 (UTC)[reply]
Will forward this along to CU mailing list. -- Cirt (talk) 16:27, 7 June 2012 (UTC)[reply]
Please let me know privately if anything comes up from this, it's just too weird. I was wondering if I'd found a domain being used to keep track of botnet/zombie machines; there's little correlation in the IPs in terms of 'belonging' to a legit organisation, but one in terms of if found through vulnerability scanning. --Brian McNeil / talk 16:35, 7 June 2012 (UTC)[reply]
The first two IPs mentioned look like the Chinese botspammers. They're active cross-wiki and use open proxies most of the time. Trijnstel (talk) 16:41, 7 June 2012 (UTC)[reply]

Offensive usernames

Charming little gobshite we've got here. Recommend passing onto the CU list to find out any other usernames cross-wiki and getting them all blocked. Could also do with a hiderev on the user create and so. --Brian McNeil / talk 14:05, 12 June 2012 (UTC)[reply]

  • I've done the revision hiding on these. Not needed too often, so took me a minute or two to implement. Do let know if an established troll or sockpuppeteer is involved (even if not saying who). --Brian McNeil / talk 14:11, 12 June 2012 (UTC)[reply]

  Confirmed. FWIW, AGK is an admin on en.wikipedia. -- Cirt (talk) 18:00, 12 June 2012 (UTC)[reply]

Grossly offensive vandal(s)

Topic of request will become amusingly clear when you see the block log.

A few other usernames created in same timeframe, so keen to catch any sleepers/other socks — as well as confirm these are a pair. --Brian McNeil / talk 05:30, 27 June 2012 (UTC)[reply]

  Confirmed. Perfect match. No other socks found on that IP range though --Cspurrier (talk) 19:38, 30 June 2012 (UTC)[reply]

Persistent PITA

According to Pi zero, 4th account creating self-same page. Would a narrow IP rangeblock help "provide clue"? --Brian McNeil / talk 06:22, 23 July 2012 (UTC)[reply]

That got a little garbled in transmission. The same user created the same content under four different page names, over a fairly long period of time which is why we hadn't noticed it sooner. Once I noticed, I blocked the user — but they immediately turned around and created the content again, under a fifth page name, using a different account.
--Pi zero (talk) 12:57, 23 July 2012 (UTC)[reply]
  • Well, the same logic applies. A /24, /23 or /22 block might only hit him. A /22 is always a good bet for folks on ADSL (which rDNS may reveal); the majority of DSLAM-type kit will serve 768 customers per box, usually all in the same range - unless the ISP has had to scrounge IP addresses for the lease. --Brian McNeil / talk 12:54, 24 July 2012 (UTC)[reply]
  1. Jpljr (talk contribs deleted contribs logs block user block log checkuser)
  2. Cecjr (talk contribs deleted contribs logs block user block log checkuser)
  3. Lacoco (talk contribs deleted contribs logs block user block log checkuser)

These are all   Confirmed as the same. -- Cirt (talk) 00:52, 27 July 2012 (UTC)[reply]

Saki/Saqib AGAIN

I'm looking at 175.110.195.144 (talk contribs deleted contribs logs block user block log checkuser), which I blocked for a month after they self-identified as prolific socker Saqib. As a memory refresher, Saqib's account Saki (talk contribs deleted contribs logs block user block log checkuser) was unblocked on the condition of strict transparancy regarding use of undeclared accounts. I took the undeclared use of an IP to breach the spirit of that and blocked. I'm asking both the account and the IP to be looked at very closely indeed, to root out any socks lurking. Blood Red Sandman (Talk) (Contribs) 19:57, 23 August 2012 (UTC)[reply]

  • The IP, from checks I've carried out, is within a university (Madrassa?) and may-well be a compromised DNS server. I'd also like to request a range-check centred around the appropriate /24 or /22 as I would be remarkably unsurprised not to find an absence of lurking socks. --Brian McNeil / talk 21:00, 23 August 2012 (UTC)[reply]

Nope, sorry, nothing else on that range at this time. -- Cirt (talk) 01:27, 27 August 2012 (UTC)[reply]

More 'peculiar spam' / randomized usernames

Previously raised spam here.

This was a bunch of usernames which mostly looked like they'd been spat out by a program (along the lines of a random password generator).

Well, there's more, and this probably merits being taken up on the checkuser list. Please note the special annotations.

Suspects in last 24-odd
  1. 21hgo3u41239 (talk contribs deleted contribs logs block user block log checkuser)
  2. N4m347yp3 (talk contribs deleted contribs logs block user block log checkuser)
  3. Zhhuimc21 (talk contribs deleted contribs logs block user block log checkuser)
  4. Wsy8gbkD (talk contribs deleted contribs logs block user block log checkuser)
  5. Ynciiyn (talk contribs deleted contribs logs block user block log checkuser)
  6. Uccdsdjgop7o (talk contribs deleted contribs logs block user block log checkuser) x
  7. 5hhhhjyf (talk contribs deleted contribs logs block user block log checkuser)
  8. F7uc56jo8s (talk contribs deleted contribs logs block user block log checkuser) A
  9. Tyyeyewr (talk contribs deleted contribs logs block user block log checkuser)
  10. Uurghdfg (talk contribs deleted contribs logs block user block log checkuser) B
  11. Lakr0820eg12 (talk contribs deleted contribs logs block user block log checkuser)
  12. Dhcro569 (talk contribs deleted contribs logs block user block log checkuser)
  13. FsucJWsyc8 (talk contribs deleted contribs logs block user block log checkuser)
  14. Wsy8gbkD (talk contribs deleted contribs logs block user block log checkuser)
Older, creation date based upon {{Howdy}} from user talk
  1. Gjqsp034 (talk contribs deleted contribs logs block user block log checkuser) x Created Aug 16
  2. Whytukffw (talk contribs deleted contribs logs block user block log checkuser) x Created Aug 16
  3. Wweaverreo (talk contribs deleted contribs logs block user block log checkuser) x Created Aug 10
  4. Klgjmfgbcv (talk contribs deleted contribs logs block user block log checkuser) x Created Jul 19
  5. 2u9v5m4h0 (talk contribs deleted contribs logs block user block log checkuser) x Created Jul 9
Key
x—Already blocked
A—Strangely enough, created B

Looks pretty obvious here that one or more individuals are running account-creation bots for spamming and - possibly other - purposes. It looks suitably sophisticated that, if duscussion on the checkuser list concurs, is an issue developers should be looking into. --Brian McNeil / talk 12:52, 24 August 2012 (UTC)[reply]

  • Any feedback you can divulge from checkuser-l on this? I found 14 created over a two-day period, which I conservatively extrapolate as over 300 accounts created since the start of July. Of those, 6 have been caught and blocked. That's only 2% of what could-well be an army of would-be spammer accounts in the last two months. This has been going on a good-deal longer than that. --Brian McNeil / talk 02:16, 27 August 2012 (UTC)[reply]

Just noticed and blocked this one. --Pi zero (talk) 12:29, 27 August 2012 (UTC)[reply]

  1. F6i4pi7d3g (talk contribs deleted contribs logs block user block log checkuser) x Created Aug 16

Update: I'll drill down deeper into this investigation shortly. -- Cirt (talk) 12:41, 27 August 2012 (UTC)[reply]

Another 'suspect'
Anything at-all that can be fed back from checkuser-l, even if privately and in-confidence? Since my guess is this is using a username generation routine derived from a password generator, my best-guess is the amount of entropy in the usernames compared to their length would give a high probability of identifying possible suspects. --Brian McNeil / talk 11:02, 6 September 2012 (UTC)[reply]
Here's two I caught in recent days spamming with the m.o. I associate with this phenomenon. --Pi zero (talk) 11:23, 6 September 2012 (UTC)[reply]

This one may not be technically related, but no objections to the block on spam grounds. -- Cirt (talk) 02:09, 7 September 2012 (UTC)[reply]


Perhaps another [two]? --Pi zero (talk) 17:48, 18 September 2012 (UTC)[reply]

'Nother this morning. I'd wait and present these in batches, but tend to lose track of them that way. --Pi zero (talk) 11:43, 19 September 2012 (UTC)[reply]

  Confirmed, blocked it, another sleeper sock, and some IPs.   Confirmed as socks of Loiedfedd (talk · contribs). Geolocates to China. -- Cirt (talk) 15:44, 19 September 2012 (UTC)[reply]

And moar

Latest --Pi zero (talk) 15:22, 22 September 2012 (UTC)[reply]

Another:

I assume you're keeping tabs on the IPs causing this problem; are we yet at a stage we could zap 80%+ of these pests with a /18 or /20 rangeblock? --Brian McNeil / talk 08:19, 24 September 2012 (UTC)[reply]
  •   Confirmed. Yeah, if you check my block log I've been blocking related IPs and other users discovered as   Confirmed, and we've been doing global blocks and rangeblocks discussed on CU list. -- Cirt (talk) 15:13, 24 September 2012 (UTC)[reply]
  • Feel free to modify any of them without any objections from me. :) So far no collateral damage after checks related to the blocks. The blocks are mostly those similar to others on other wikis related to the Chinese spammer / Chinese spambots. -- Cirt (talk) 03:12, 25 September 2012 (UTC)[reply]
Yet-more

IPs

Another one:

Comes up as:
NetRange: 61.0.0.0 - 61.255.255.255
CIDR: 61.0.0.0/8
OriginAS:
NetName: APNIC3
NetHandle: NET-61-0-0-0-1
Parent:
NetType: Allocated to APNIC

Found a referral to whois.apnic.net.

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 61.147.0.0 - 61.147.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088

route: 61.147.0.0/16
descr: CHINANET jiangsu province network
country: CN
origin: AS23650
mnt-by: MAINT-CHINANET-JS
changed: ip@jsinfo.net 20030414
source: APNIC
Based on the route, I'm going to block 61.147.0.0/16. Please verify such has no adverse impact. --Brian McNeil / talk 10:26, 27 September 2012 (UTC)[reply]
  Confirmed, zero collateral damage. -- Cirt (talk) 15:10, 27 September 2012 (UTC)[reply]

Usernames

  Confirmed. -- Cirt (talk) 04:40, 7 October 2012 (UTC)[reply]
  Confirmed. -- Cirt (talk) 02:31, 12 October 2012 (UTC)[reply]
  Confirmed. -- Cirt (talk) 18:22, 15 October 2012 (UTC)[reply]
  Confirmed. -- Cirt (talk) 15:32, 16 October 2012 (UTC)[reply]
Technically unrelated, though no problem with blocking on behavioral evidence. Cheers, -- Cirt (talk) 14:29, 17 October 2012 (UTC)[reply]
  Confirmed. Also blocked a buncha stuffs. -- Cirt (talk) 17:08, 23 October 2012 (UTC)[reply]
  Confirmed, blocked some stuff. -- Cirt (talk) 14:34, 24 October 2012 (UTC)[reply]
Although I'm very tired of this, I figure each one should be reported here as found; to not report them would be like stopping a course of antibiotics partway through, it'donly make things worse. --Pi zero (talk) 12:08, 4 November 2012 (UTC)[reply]
  Confirmed, agreed, us local checkusers should really get on doing more rangeblocks from the cu list, it just takes time to separate the wheat from the chaff. -- Cirt (talk) 17:27, 4 November 2012 (UTC)[reply]

Yet more usernames

These next two are obviously the same party; the IP is a repeat offender rematerializing at about the same time. --Pi zero (talk) 13:39, 8 December 2012 (UTC)[reply]

  Done Outle9683, Buycwi112, Shoppingtr09 match. New ip ranges then before. The IP does not match at all. It's edits were made using Sevenval software on a Sevenval owned ip (maybe a mobile proxy?). --Cspurrier (talk) 16:38, 8 December 2012 (UTC)[reply]

That fscking cat's back

Yes, FelineHasCaughtFire (talk contribs deleted contribs logs block user block log checkuser) is back - or has an admirer. --Brian McNeil / talk 15:54, 28 August 2012 (UTC)[reply]

  1. FelineHasCaughtFire (talk contribs deleted contribs logs block user block log checkuser)
  2. LongJohnBellyLicker (talk contribs deleted contribs logs block user block log checkuser)

These are   Confirmed. -- Cirt (talk) 20:55, 28 August 2012 (UTC)[reply]

Huangfu86365

Recently, a group of pattern (Huangfu...) spambots have been created cross-wiki. Some of them have already spammed. Please consider investigating Huangfu86365 (talk contribs deleted contribs logs block user block log checkuser) and Huangfu26365 (talk contribs deleted contribs logs block user block log checkuser). Mathonius (talk) 07:53, 7 September 2012 (UTC)[reply]

Potentially compromised account

It has been (credibly) alleged to me, off-wiki, that Diego Grez (talk contribs deleted contribs logs block user block log checkuser) has had his account hacked. Would like that checked out. Further details can be supplied privately if needed but to be honest, that's about as much as I know at present. Blood Red Sandman (Talk) (Contribs) 23:06, 9 September 2012 (UTC)[reply]

Also note this will likely need brought up on the mailing list, since the account being clean on this project might not indicate the full story. Blood Red Sandman (Talk) (Contribs) 23:08, 9 September 2012 (UTC)[reply]
Would recommend, in somewhat of an exception to usual practice, that all CU-confirmed socks of this user on enWP also be blocked here. We can well-do without Master-Baiters from Encyclopedia Dramatica trying to disrupt process. --Brian McNeil / talk 06:35, 10 September 2012 (UTC)[reply]

Nicked Nike Spammers

And, at the same time, I blocked this muppet:

  • Yay! I win, ... again.
Sorry for giving you all this work, but I think I've made enough on-wiki 'enemies' to find re-requesting CU privs a rather fraught process.
I'm slightly annoyed by that; mainly because I'm proven right more-often-than-not with my suspicions. But, I still have a 'slight' anger management issue (don't suffer fools). If we'd another Tempo weaselled their way into the community and sought to poison it with attitudes only appropriate to Wikipedia, I'd perhaps be more circumspect in my choice of language, but would not tolerate Wikinews being destroyed in that way.
The more mainstream media hide behind paywalls, the more archived stuff is only accessible for a fee, the more important Wikinews becomes.
We've a killer review process (more in that it kills reviewers through exhaustion than anything else). However, I'd dearly love to see Robert McHenry give us the apology he owes us. We need a bucketload of tools to make life easier for contributors and, more importantly, for reviewers. Even with just half of them, we've a platform that your average school of journalism would pay a fortune for.
Wikinews is ailing at the moment because of low contributor levels, and so few active reviewers, but we're so-close to an environment that betters what most schools of journalism throw their students into, paying tens of thousands of $ per semester for, that we need to keep pushing on. --Brian McNeil / talk 14:48, 15 September 2012 (UTC)[reply]
Well I certainly agree with you as to the last sentence! :) -- Cirt (talk) 19:10, 15 September 2012 (UTC)[reply]

Update on Chinese spammer

Update on Chinese spammer: I've carried out about 7 rangeblocks which were set for one year which should stop or at least slow things down from the spamming and socking of late. These were checked by CU tool and had zero collateral impact, at least so far. -- Cirt (talk) 15:28, 24 September 2012 (UTC)[reply]

Other admins feel free to modify any of these blocks without objections from me. :) -- Cirt (talk) 03:12, 25 September 2012 (UTC)[reply]
  • Not surprised tech details differ, I'm pretty sure this is a Bangalore address; or, worse still, a spoofed IP (which is extremely hard to do and get enough packets through to edit. If the subnet block is 117.197.57.128/25 (well, something like that), then this is the 'broadcast' address for that range; could originate from any of the 128-odd PCs at the block.
I suggest if any other IP spams from within 117.197.56.0/23, and no collateral visible, block the range. --Brian McNeil / talk 13:27, 8 October 2012 (UTC)[reply]
  Confirmed, there was another account on that range, an account already indef blocked on en.wikipedia. Blocked the range. Good thinking, thank you! ;) -- Cirt (talk) 16:29, 8 October 2012 (UTC)[reply]
Glad to help clobber spammers. :) --Brian McNeil / talk 16:46, 8 October 2012 (UTC)[reply]

Moar spammers

All spamming links to the sweatshop shoes with a big tick on them. I've one important question, which goes back to the much older alert about creating accounts for spamming: Were the spam edits from significantly different IPs than those used to register the accounts? --Brian McNeil / talk 10:53, 11 October 2012 (UTC)[reply]

And more 'potential' spam accounts:

Wouldn't be surprised if there are others too, these are just the ones I picked out of RC. --Brian McNeil / talk 08:04, 12 October 2012 (UTC)[reply]

  Confirmed. -- Cirt (talk) 15:54, 12 October 2012 (UTC)[reply]

Spamming socks

Aksharadeoll re-created the self-promotional spam of the second user, so some block-evasion here I suspect. --Brian McNeil / talk 12:37, 13 October 2012 (UTC)[reply]

  Confirmed. Geolocates to India so probably not the Chinese spammer, but could be related somehow. -- Cirt (talk) 16:55, 13 October 2012 (UTC)[reply]

Attention-seeking spammer

This user is probably someone we've seen before, probably in association with the Diego Grez business. Can we associate them with anyone? (There was a user blocked at the time, I seem to recall.) Created lots of pages quickly, for apparently no purpose except to draw attention to xyrself obnoxiously. The list of pages created contains various hints at possible identity. --Pi zero (talk) 02:44, 5 December 2012 (UTC)[reply]

  Done Same (national) ISP as Diego Grez--Cspurrier (talk) 03:25, 5 December 2012 (UTC)[reply]

ID-10-T

  • 50.134.234.158.
Attempted, but foiled by FlaggedRevs, vandalism. Then, announced xyrself as planning a campaign of disruption on WN:AAA.
Would like to see the /24 checked on the assumption may-well have created multiple sleeper accounts for disruption. --Brian McNeil / talk 10:04, 19 December 2012 (UTC)[reply]
  Nothing found - two edits, no registered users on the /24. --Skenmy talk 11:56, 19 December 2012 (UTC)[reply]