Jump to content

Help:CheckUser

Add links
From Meta, a Wikimedia project coordination wiki
This is an archived version of this page, as edited by Magister Mathematicae (talk | contribs) at 07:04, 15 May 2007 (Reverted edits by 190.48.159.29 (Talk); changed back to last version by Voice of All). It may differ significantly from the current version.
This is a technical manual; for the policy, see CheckUser policy.

Special:CheckUser allows a user with a checkuser flag to access confidential data stored about a user, IP address, or CIDR range. This data includes IP addresses used by a user, all users who edited from an IP address or range, all edits from an IP address or range, User agent strings, and X-Forwarded-For headers.

This tool is usually used to counter users creating bad-faith sock puppet accounts. (Note: checkuser may refer to an access to confidential information, a user with permission to do so, or the technical flag.)

Considerations

Wikimedia privacy policy

Checkusers under the Wikimedia Foundation are subject to the privacy policy and CheckUser policy. Revealing stored confidential data about a user is prohibited unless this is necessary to prevent significant violation of policy or disruption that cannot otherwise be dealt with.

If possible, the checkuser should attempt to resolve the situation without releasing any information, or by releasing the minimum possible information. The following information is commonly permissible. This list is not comprehensive, and cannot replace the checkuser's judgment. If the checkuser is at all doubtful, they should give no detail and answer like a magic 8-ball.

  • confirmation that a user is a sockpuppet without noting personal information;
  • information released by the user;
  • the ISP edited from, if it is large enough that the information is not personally identifiable;
  • the country, which is generally not personally identifiable.

The relevant section of the privacy policy states:

It is the policy of Wikimedia that personally identifiable data collected in the server logs, or through records in the database via the CheckUser feature, may be released by the system administrators or users with CheckUser access, in the following situations:

  1. In response to a valid subpoena or other compulsory request from law enforcement
  2. With permission of the affected user
  3. To the chair of Wikimedia Foundation, his/her legal counsel, or his/her designee, when necessary for investigation of abuse complaints.
  4. Where the information pertains to page views generated by a spider or bot and its dissemination is necessary to illustrate or resolve technical issues.
  5. Where the user has been vandalising articles or persistently behaving in a disruptive way, data may be released to assist in the targeting of IP blocks, or to assist in the formulation of a complaint to relevant Internet Service Providers
  6. Where it is reasonably necessary to protect the rights, property or safety of the Wikimedia Foundation, its users or the public.

Wikimedia policy does not permit public distribution of such information under any circumstances, except as described above.

Mailing list

Wikimedia checkusers have access to the private mailing list checkuser-l. They may use this list to discuss or get help, ideas and second opinions.

Notes

  • CheckUser is not magic wiki pixie dust. Almost all queries about IPs will be because two editors were behaving the same way. An editing pattern match is the important thing; the IP match is really just extra evidence (or not).
  • Most dialup and a lot of DSL and cable IPs are dynamic. They might change every session, every day, every week, every few months or hardly ever. Unless the access times are right next to each other, be cautious in declaring a match. After a while, you get to know which ISPs change quickly or slowly.
  • If it's a proxy, it might not be a match, depending on the size of the organisation running the proxy (per whois output). If it's an ISP proxy, it is not so likely to be a match.
  • If it's an AOL address, you're out of luck — AOL sends each page request through a different proxy.
  • If a username is using lots of different IPs in various countries, the IPs may well be open proxies. Check with an open proxy checker.
  • Edits from addresses allocated to hosting facilities almost always indicates the use of compromised hosting servers to nefarious ends. Note, however, that the user may have a legitimate shell account on the machine.

Useful tools

"Unix" here includes Unix-like, Linux and Mac OS X computers.

  • whois: On Unix, start a terminal and type whois [IP address] at the command line. This should tell you who owns the IP, what the range is and may also note what they use it for. On Windows, All Net Tools has a pretty good web-based whois (which does an nslookup as well).
  • nslookup: On Unix or Windows, nslookup [IP address] at the command line will give you the fully qualified domain name associated with the IP. Note that not all IPs have a domain name, so don't worry if nothing comes back. If you're on Windows, the All Net Tools whois also gives you the FQDN.
  • traceroute: With IPs from some Internet Service Providers it may be useful to use the traceroute command and compare the results between two or more IPs. The site All Net Tools also gives you traceroute function if you don't have it as a command line.
    • tcptraceroute: A version of traceroute that uses TCP packets, which get through some firewalls and packet filters that stop ICMP packets. Source code for Unix-like systems is here; most Linux distributions have a package available with it.
  • Open proxy checking: David has yet to find a good tool for this. (proxycheck doesn't do what I want.) There are a number of online proxy checkers: [1], w:nmap. (I have not tried them.) Help needed. I usually work on a combination of online proxy list checking and educated guesswork ;-) en:User:Tawker runs a web-based proxy checker. To request access to it, contact him on his talk page.
  • Checks for other abuse of an IP: http://www.rbls.org/ gives the status of any IP address on a number of Realtime Blackhole Lists. Note that some RBL blocks should be expected, e.g. many block home dynamic IPs for SMTP, but that's not a problem for a wiki. If a user only uses open proxies or addresses marked as sources of abuse, your suspicions may be raised.

Usage

This page is mirrored from mw:Extension:CheckUser, which usually has the latest version. Please edit that page instead, and merge edits here when updating it from the main copy.

Basic interface

  1. Go to Special:CheckUser.
  2. In the user field, type in the username (without the 'user:' prefix), IP address, or CIDR range.
    • IP: any IPv4 or IPv6 address.
    • CIDR: you can check a range of IP addresses by appending the CIDR prefix (up to /16 for IPv4 or /64 for IPv6, or 65,536 addresses). For notation, see Range blocks.
    • XFF: you can check an IP address provided by X-Forwarded-For headers by appending /xff (for example, 127.0.0.1/xff).
  3. Select the information you want to retrieve.
    • Get IPs: returns IP addresses used by a registered user.
    • Get edits from IP: returns all edits made by a user (registered or anonymous) from an IP address or range.
    • Get users: returns user accounts that have edited from an IP or range.
  4. In the reason field, type in the reason you are accessing the confidential data. Try to succinctly summarise the situation (for example, "cross-wiki spam"); this will be logged and may be needed by the Ombudsman commission.
  • Screenshots
  • CheckUser interface
    CheckUser interface
  • IP check, exemplary results
    IP check, exemplary results
  • Username check, exemplary results
    Username check, exemplary results
  • Log
    Log

Information returned

A typical entry in the checkuser results for a user summary ("get users") is as follows:

  • Example (Talk | contribs) (20:11, 27 June 2024 -- 20:12, 27 June 2024) [5]
    1. 127.0.0.37 XFF: 127.0.0.1, 127.0.0.5
      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11

This is formatted to fit a lot of information into a format that can very easily be listed and skimmed, but is difficult to read unless you know what the information provided is. The information is laid out as follows:

  • username (user links) (time period when they edited from the given IP or range) [number of edits from the IP or range]
    1. IP address edited from XFF: XFF information provided (can be spoofed)
      user agent: browser, operating system, system language, and versions

Each IP/XFF combination used to edit is listed, in order of use. The last user agent data for each of those edits is listed below.


Installation

See mw:Extension:CheckUser.

Links to other help pages

Help contents
Meta · Wikinews · Wikipedia · Wikiquote · Wiktionary · Commons: · Wikidata · MediaWiki · Wikibooks · Wikisource · MediaWiki: Manual · Google
Versions of this help page (for other languages see further)
What links here on Meta or from Meta · Wikipedia · MediaWiki
Reading
Go · Search · Namespace · Page name · Section · Backlinks · Redirect · Category · Image page · Special pages · Printing
Tracking changes
Recent changes (enhanced) | Related changes · Watching pages · Diff · Page history · Edit summary · User contributions · Minor edit · Patrolled edit
Logging in and preferences
Logging in · Preferences
Editing
Starting a new page · Advanced editing · Editing FAQ · Export · Import · Shortcuts · Edit conflict · Page size
Referencing
Links · URL ·  · Footnotes
Style and formatting
Wikitext examples · CSS · Reference card · HTML in wikitext · Formula · Lists · Table · Sorting · Colors · Images and file uploads
Fixing mistakes
Show preview · Reverting edits
Advanced functioning
Expansion · Template · Advanced templates · Parser function · Parameter default · Magic words · System message · Substitution · Array · Calculation · Transclusion
Others
Special characters · Renaming (moving) a page · Preparing a page for translation · Talk page · Signatures · Sandbox · Legal issues for editors
Retrieved from "https://meta.wikimedia.org/w/index.php?title=Help:CheckUser&oldid=583136"