Talk:XFF project

From Meta, a Wikimedia project coordination wiki

Comment Contact xff AT wikimedia DOT org for listing and delisting inquiries. Requests placed here will not be seen in a timely manner.

Thank you for this excellent explanation of both the philosophical basis and technical application of this tool. Great work!--BradPatrick 14:46, 29 March 2006 (UTC)

In Italy we are suffering a major vandalism campaign from one or more users with IPs by TIM mobile GPRS. It has been going on for weeks, and the situation is becoming critical.
TIM uses a proxy system similar to the one listed in this page. Is it possible to have XFF check activated for TIM too?
It could be useful for Italian Fastweb users, too. This ISP uses a proxy system (but I don't know details). Please leave feedback to it:Utente:Jollyroger - --Jollyroger 14:26, 16 June 2006 (UTC)
What are the proxy addresses? -- Tim Starling 06:34, 18 June 2006 (UTC)

XFF IP limitations

Does this system have a sort of safety feature in the event that someone is misusing (think malicious person controlling a proxy server due to exploits or the like) one of these proxy servers, in which their hidden XFF IP is limited to a range?

  1. To be clear, a limitation such as 212.113.164.97 (the first one on the list) can only forward IPs of 212.113.160.0/24, and nothing else. That way if one of these proxy servers is compromised, which could happen, someone cannot just spoof the IP to anything they feel like, they'd be limited to a pre-determined range which could be blocked then traced back to the proxy server that is compromised. 4.181.9.203 03:18, 12 July 2006 (UTC)
We have a log of X-Forwarded-For headers for POST requests which can be used to investigate any claim of IP address spoofing. -- Tim Starling 17:07, 20 February 2007 (UTC)

Qtel proxies

The Qtel proxy 82.148.97.69 was recently the subject of much controversy (see en:User talk:82.148.97.69). I notice that two other addresses from the same block appear to be on the XFF list

 82.148.97.67  proxy.qatar.net.qa
 82.148.97.68  proxy.qatar.net.qa

Both of these reverse-lookup to proxy.qatar.net.qa. However, 82.148.97.69, although it is numerically the next IP address in sequence, does not have a PTR record at all.

If 82.148.97.69 is also XFF-enabled, and can be trusted as being run by the ISP itself, could it also be added to the XFF list? Perhaps this needs someone from the XFF project to get in touch with Qtel to confirm this, and Qtel themselves to set up a PTR record? -- The Anome 15:09, 8 January 2007 (UTC)

82.148.97.69 is not giving XFF headers. -- Tim Starling 19:52, 18 February 2007 (UTC)

TPG Internet

I noticed that TPG Internet is on the trusted XFF list, however, some of their proxies are missing from the listing. A full list of their proxies is available at http://forums.whirlpool.net.au/forum-replies-archive.cfm/493725.html. These proxies all correctly send the X-Forwarded-For header. -- Daniel15 13:42, 10 April 2007 (UTC)

usage

Can MediaWiki installations other than Wikipedia check/block by XFF? If so, how is this achieved? --Hexvoodoo 06:46, 27 April 2007 (UTC)

There are no XFF blocks; you can only flag ISPs as trusted, which causes the XFF client IP (first of the chain) to be reported as the user's IP, allowing for it to be blocked normally. Voice-of-All 17:57, 29 May 2007 (UTC)
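
Added example, not part of the discussion and not MediaWiki's own code: a sketch of how a trusted-proxy list turns an X-Forwarded-For header into the address that blocks apply to, combined with the per-proxy range limit proposed under "XFF IP limitations". The trust table is constructed from the hypothetical pairing in that comment, and the function names are assumptions; the example goes beyond the thread by walking the chain from the connecting peer backwards, so that entries written by anything other than a trusted proxy are never used.

```python
import ipaddress

# Constructed trust table: proxy address -> network its clients may come from.
# The pairing is the hypothetical one from the 12 July 2006 comment; a value
# of None would mean "trusted, no range limit".
TRUSTED_PROXIES = {
    "212.113.164.97": ipaddress.ip_network("212.113.160.0/24"),
}


def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated entries."""
    return [part.strip() for part in header.split(",") if part.strip()]


def effective_ip(remote_addr, xff_header=""):
    """Return the address that blocks and logs should be applied to."""
    chain = parse_xff(xff_header)
    current = remote_addr
    # Walk from the connecting peer backwards: only a trusted proxy's
    # statement about who it forwarded for is accepted.
    while chain and current in TRUSTED_PROXIES:
        candidate = chain.pop()  # rightmost entry was appended by `current`
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: attribute the request to the proxy
        allowed = TRUSTED_PROXIES[current]
        if allowed is not None and addr not in allowed:
            break  # outside the proxy's declared range: keep the proxy's IP
        current = str(addr)
    return current


if __name__ == "__main__":
    # Constructed requests: (connecting address, X-Forwarded-For value).
    for peer, xff in [
        ("212.113.164.97", "212.113.160.15"),
        ("212.113.164.97", "198.51.100.7, 212.113.160.15"),
        ("212.113.164.97", "10.0.0.1"),
        ("203.0.113.9", "212.113.160.15"),
    ]:
        print(f"{peer:16} {xff!r:32} -> {effective_ip(peer, xff)}")
```

An out-of-range or malformed forwarded address leaves the request attributed to the proxy itself, so a block lands on the proxy and the logged header can be used to investigate.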

Question - website to show if XFF is enabled?

My ISP's proxy server, proxy.idl.net.au (202.92.102.220) is, as far as I know, running squid. It actually appears to have a current block on en.wikipedia: block log for User:202.92.102.220

Is there a web site that can be used to show whether XFF is enabled or not? A link to such a site would seem useful to include in this article.

(Note that I configured privoxy to not use the proxy due to blocking problems, so log info from this edit wouldn't help.) --AtholM 12:02, 22 September 2007 (UTC)

Opera Mini

There's been some discussion about the Opera Mini mobile browser on the English Wikipedia. It seems that any edits made with that browser, including those using its online demo applet, go through a proxy network and come out of multiple IPs in the 195.189.142.0/23 range. However, the requests do seem to carry X-Forwarded-For headers, which, for the demo applet at least, point to a single host, demo.opera-mini.net (195.189.142.176). I suspect that, for actual mobile users, the headers will point to the address at which the request entered the proxy network, which may be more stable than the address at which they emerge.

Thus, adding the Opera Mini proxy network to the trusted XFF list should at least allow us to distinguish genuine mobile Opera Mini users from those (ab)using the demo applet. Does this seem like a good idea? Of course, it'd be even better if we could persuade the folks at Opera to provide a full chain of XFF headers pointing back to the user's actual IP address, for the demo interface at least. --Ilmari Karonen 16:15, 30 September 2007 (UTC)

Update: It seems that, for mobile users, the proxies do pass existing XFF headers; it's only the demo interface which cuts the list at the entry point. So I'd definitely support adding these proxies (which all seem to have hostnames of the form pNN-NN.opera-mini.net) to the trusted XFF list. Now if we could only get them to fix the demo interface...--Ilmari Karonen 21:46, 30 September 2007 (UTC)
I've compiled what may or may not be a complete list of the proxies at en:User:Ilmari Karonen/sandbox/Opera Mini. The range of the second number pair seems to be 01–16; the first number pair (currently?) goes from 01 to 11, with gaps at 02 and 06. Incidentally, the list shows that four of the proxies seem to be in a different IP range (80.232.117.0/24) than the others. --Ilmari Karonen 01:14, 1 October 2007 (UTC)
Bump - please can the list Ilmari has built above be added? The conversation at w:Wikipedia:Administrators'_noticeboard#Opera-Mini might be of interest. Proto 08:49, 2 July 2008 (UTC)
See the request on Bugzilla:14700 from yesterday. Raymond 09:00, 2 July 2008 (UTC)