Help:CheckUser
Special:CheckUser gives users with CheckUser rights access to confidential data about a logged-in user, an IP address or a CIDR range. This data includes the IP addresses used by a user, all users who have edited from a given IP or IP range, all edits from an IP or IP range, User-Agent data and X-Forwarded-For data.
This tool is generally used to stop the malicious use of sockpuppets. (Note: "CheckUser" can refer to the access to this data, to a user who is authorized for it, or to the associated user right.)
Considerations
Wikimedia privacy and confidentiality policies
Checkusers under the Wikimedia Foundation are subject to the terms of use, the privacy policy, the access to nonpublic information policy, the CheckUser policy and a confidentiality agreement for nonpublic information. Revealing stored confidential data about a user is prohibited except on a limited set of cases detailed in the policies mentioned above.
If possible, the checkuser should attempt to resolve the situation without releasing any information, or by releasing the minimum possible information. The following information is commonly permissible. This list is not comprehensive, and cannot replace the checkuser's judgment:
- Confirmation that a user is a sockpuppet without noting personal information;
- Information already released by the user;
- The ISP used to edit from, if it is large enough that the information is not personally identifiable;
- The country their IP address geolocates to, which is generally not personally identifiable.
If the checkuser is at all doubtful, they should give no detail and answer like a Magic 8-Ball.
Mailing list
Wikimedia CheckUsers have access to the private mailing list checkuser-l. They may use this list to discuss or get help, ideas and second opinions.
Best practices
- Focus on behavioral patterns: CheckUser is not magic wiki pixie dust. Almost all queries about IPs will be because two editors were behaving the same way. An editing pattern match is the important thing; the IP match is really just extra evidence (or not).
- Dynamic IP addresses: Most dialup and a lot of DSL and cable IPs are dynamic. They might change every session, every day, every week, every few months or hardly ever. Unless the access times are right next to each other, be cautious in declaring a match. After a while, you get to know which ISPs change quickly or slowly.
- Handling proxies: If it's a proxy, it might not be a match, depending on the size of the organisation running the proxy (per whois output). If it's an ISP proxy, it is not so likely to be a match. Investigate the type of proxy used before making a conclusion.
- AOL users: If it's an AOL address, you're out of luck — AOL sends each page request through a different proxy.
- Open proxy use: If a username is using lots of different IP addresses in various countries, they may well be open proxies. Check with an open proxy checker.
- Hosting servers: Edits from addresses allocated to hosting facilities almost always indicate the use of compromised hosting servers to nefarious ends. Note, however, that the user may have a legitimate shell account on the machine.
- IPv6 subnets: For IPv6 addresses, you may wish to check the user's entire /64 subnet, because it is possible that the user may be using more than one address out of their range.
Useful tools
IP address and domain lookup
- whois: On Unix, start a terminal and type
whois [IP address]
at the command line. This should tell you who owns the IP, what the range is and may also note what they use it for. On Windows, All Net Tools has a pretty good web-based whois (which does an nslookup as well).
- nslookup: On Unix or Windows,
nslookup [IP address]
at the command line will give you the fully qualified domain name associated with the IP. Note that not all IPs have a domain name, so don't worry if nothing comes back. If you're on Windows, the All Net Tools whois also gives you the FQDN.
- traceroute: With IPs from some Internet Service Providers it may be useful to use the traceroute command and compare the results between two or more IPs. The site All Net Tools also gives you a traceroute function if you don't have it on the command line.
- tcptraceroute: A version of traceroute that uses TCP packets, which get through some firewalls and packet filters that stop ICMP packets. You can get source code for Unix-like systems; else, most Linux distributions have a package available with it.
Open proxy checking
- Various online proxy checking tools, such as Nmap, can help you determine if a user is connecting via open proxies.
Blacklist checks
- Checks for other abuse of an IP: rbls.org gives the status of any IP address on a number of Realtime Blackhole Lists. Note that some RBL blocks should be expected, e.g. many block home dynamic IPs for SMTP, but that's not a problem for a wiki. If a user only uses open proxies or addresses marked as sources of abuse, your suspicions may be raised.
- Related anon contributions: rangecontribs tool gives anon edits from a given subnet (dead link).
Usage
Normal view
- Go to Special:CheckUser (make sure you are on a wiki where you have access).
- In the user field, type in the username (without the 'user:' prefix), IP address, or CIDR range.
  - IP: any IPv4 (most common) or IPv6 address.
  - CIDR: you can check a range of IP addresses by appending the CIDR prefix (up to /16 for IPv4 (65,536 addresses) or /48 (1,208,925,819,614,629,174,706,176 addresses) for IPv6). For notation, see Range blocks.
  - XFF: you can check a client IP address provided by X-Forwarded-For headers by appending /xff (for example, 127.0.0.1/xff).
- Select the information you want to retrieve.
  - Get IPs: returns IP addresses used by a registered user.
  - Get edits from IP: returns all edits made by a user (registered or anonymous) from an IP address or range.
  - Get users: returns user accounts that have edited from an IP or range.
- In the reason field, type in the reason you are accessing the confidential data. Try to succinctly summarise the situation (for example, "cross-wiki spam"); this will be logged. This may be needed by the Ombudsman Commission.
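The range limits in the steps above and the IPv6 /64 advice under Best practices, as an added Python example (not part of the original page and not MediaWiki's code). The function names and the returned dictionary layout are assumptions made for illustration; the addresses in the usage note are constructed from documentation ranges.

```python
import ipaddress

# Widest ranges the page says Special:CheckUser accepts, keyed by IP version.
MAX_RANGE = {4: 16, 6: 48}


def parse_target(text):
    """Classify a target string as 'user', 'ip' or 'range' and enforce the
    /16 (IPv4) and /48 (IPv6) limits. Hypothetical helper, not the tool's API."""
    target = text.strip()
    xff = target.lower().endswith("/xff")
    candidate = target[:-4] if xff else target
    try:
        net = ipaddress.ip_network(candidate, strict=False)
    except ValueError:
        # Not an address or range, so treat the whole string as a username.
        return {"kind": "user", "name": target, "xff": False}
    limit = MAX_RANGE[net.version]
    if net.prefixlen < limit:
        raise ValueError(f"{net} is wider than the /{limit} limit")
    kind = "ip" if net.prefixlen == net.max_prefixlen else "range"
    return {"kind": kind, "network": net, "xff": xff,
            "addresses": net.num_addresses}


def group_by_subnet(addresses):
    """Bucket addresses so that IPv6 hosts sharing a /64 are compared as one
    source; IPv4 addresses stay on their own."""
    groups = {}
    for raw in addresses:
        ip = ipaddress.ip_address(raw)
        prefix = 64 if ip.version == 6 else 32
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups.setdefault(str(net), []).append(raw)
    return groups
```

For example, `group_by_subnet(["2001:db8:1:2::1", "2001:db8:1:2:aaaa::9"])` puts both addresses under `2001:db8:1:2::/64`, and `parse_target("10.0.0.0/15")` raises `ValueError` because the range is wider than /16.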
Information returned
A typical entry in the CheckUser results for a user summary ("Get users") looks like this:
- Beispiel (Diskussion | Beiträge) (20:11, 02 Dezember 2024 -- 20:12, 02 Dezember 2024) [5]
- 127.0.0.37 XFF: 127.0.0.1, 127.0.0.5
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11
This output is formatted to fit a lot of information into a compact line, which makes it hard to read for the inexperienced user. Here is an explanation of the information returned:
- Username (talk | contribs) (time frame in which the user edited) [number of edits by the user]
- IP address used to edit XFF: XFF data (can be deceptive)
- User agent information
Every IP/XFF combination that was used to edit is listed, in order of use.
The last ten User-Agent strings (browser, operating system, system language, software versions) of each user who edited from the IP or IP range are listed below that.
XFF format
XFF (X-Forwarded-For) headers indicate the series of IP addresses used from the user's computer (first) to the server hosting MediaWiki (last).
In this example:
aaa.aaa.aaa.aaa XFF: 10.4.46.42, 127.0.0.1, aaa.aaa.aaa.aaa, 208.80.152.46
- The first two addresses (10.4.46.42, 127.0.0.1) are private to the originating network and can't be reached directly from the public Internet,
- The third address (aaa.aaa.aaa.aaa) is the "public face" of the editor, usually a broadband or dialup ISP or a company gateway (but possibly an anonymizer or a malware-compromised server),
- The last address (208.80.152.46) is one of the Wikimedia squids (sq36.wikimedia.org).
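The reading of the chain described above, as an added Python example (not part of the original page and not MediaWiki's code): it labels each hop and picks the right-most address that is not one of the wiki's own proxies. 203.0.113.9 is a constructed stand-in for aaa.aaa.aaa.aaa, and treating only 208.80.152.46 as a trusted proxy is an assumption taken from the page's example.

```python
import ipaddress

# Assumption: the proxies we run ourselves. The one address listed is the
# Wikimedia squid named in the page's example.
TRUSTED_PROXIES = {ipaddress.ip_address("208.80.152.46")}

# Ranges that cannot be reached directly from the public Internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def classify_xff(header, trusted=TRUSTED_PROXIES):
    """Label each hop of an XFF chain (client first, server last)."""
    hops = []
    for raw in (part.strip() for part in header.split(",")):
        if not raw:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            hops.append((raw, "invalid"))  # arbitrary text sent by a client
            continue
        if ip in trusted:
            label = "trusted-proxy"
        elif any(ip in net for net in NON_ROUTABLE):
            label = "non-routable"
        else:
            label = "public"
        hops.append((raw, label))
    return hops


def public_face(header, trusted=TRUSTED_PROXIES):
    """Return (address, unverified_hops): the right-most hop that is not one
    of our own proxies, plus everything to its left, which only the client
    side vouches for and which may therefore be forged."""
    hops = classify_xff(header, trusted)
    for i in range(len(hops) - 1, -1, -1):
        if hops[i][1] != "trusted-proxy":
            return hops[i][0], [addr for addr, _ in hops[:i]]
    return None, []


if __name__ == "__main__":
    # Constructed sample: 203.0.113.9 stands in for aaa.aaa.aaa.aaa.
    sample = "10.4.46.42, 127.0.0.1, 203.0.113.9, 208.80.152.46"
    print(classify_xff(sample))
    print(public_face(sample))
```

A header whose left-most entry claims to be 208.80.152.46 still resolves to the same public face, because only entries to the right of that face were appended by infrastructure the wiki controls.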