
Proxy blocking

From Meta, a Wikimedia project coordination wiki

Since March 28th 2005, Wikipedia has been automatically blocking edits coming from open proxies. The feature is still very much in testing. Send suggestions and bug reports to en:User:Tim Starling.

Here's a short description of this new feature:

Why

  • Vandals are increasingly using open proxies to cover their tracks and make complaints to ISPs impossible.
  • Wiki spammers commonly use such proxies for the same reason.

How

  • Blocking is done for edits only, reading is not affected.
  • Blocking is done based on the SORBS DNSBL.
  • Blocking is performed by a pseudo-admin account, by default User:SORBS DNSBL on each wiki. The name of this account can be configured by editing the system message MediaWiki:Sorbs on that wiki. Please put a short explanation on that pseudo-user's page, and a link to this meta page there.
  • Blocks are not logged anywhere (yet)
  • False positives should be reported to http://www.au.sorbs.net/faq/retest.shtml, so they can be re-scanned and taken off the list.
  • There is a "graylist" of "partially trusted proxies", that is, of proxies that are trusted to give a true XFF (X-Forwarded-For) header, which tells the server the "real" address of the user. For proxies on that list, blocking is done based on the XFF value instead of the proxy's IP. See XFF project.
  • SORBS-based blocking can be switched on and off on a per-wiki basis. This way each community can decide for themselves if they want to use it.
  • To turn it on for your wiki installation: set $wgEnableDnsBlacklist = true; in your LocalSettings.php
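
The decision described in the list above, as an added Python sketch (not MediaWiki's own code). It generalizes the graylist rule to a multi-entry XFF chain by peeling graylisted proxies from the right. The zone name, the graylist entries, the sample addresses and all function names are assumptions made for illustration.

```python
import ipaddress
import socket

DNSBL_ZONE = "dnsbl.example"   # placeholder zone, not the real SORBS zone
GRAYLIST = {"192.0.2.10"}      # constructed "partially trusted" proxy

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """IPv4 DNSBL convention: reverse the octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def effective_ip(remote_addr, xff, graylist=GRAYLIST):
    """Address to check: the XFF value only when a graylisted proxy sent it."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    current = remote_addr
    while current in graylist and hops:
        candidate = hops.pop()         # rightmost entry was appended last
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            break                      # malformed entry: keep the last good address
        current = candidate
    return current

def is_listed(ip, resolve=socket.gethostbyname):
    """Listed if the DNSBL name resolves (conventionally to 127.0.0.x)."""
    try:
        return resolve(dnsbl_name(ip)).startswith("127.")
    except OSError:                    # NXDOMAIN or lookup failure: not listed
        return False

def should_block_edit(remote_addr, xff, logged_in, resolve=socket.gethostbyname):
    """Edits only; logged-in users are exempt (the state as of March 31)."""
    if logged_in:
        return False
    return is_listed(effective_ip(remote_addr, xff), resolve)

# Constructed stand-in for DNS so the example runs offline.
FAKE_ZONE = {"7.113.0.203.dnsbl.example": "127.0.0.2"}

def fake_resolve(name):
    if name not in FAKE_ZONE:
        raise socket.gaierror("NXDOMAIN")
    return FAKE_ZONE[name]
```

An XFF header arriving over a connection that is not on the graylist is ignored, so a client cannot pick the address it is checked against by sending its own header.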

Possible exemptions from the blocks

  • Users logged in as admins
  • Users logged in as non-newbies
  • Any logged-in user (as of March 31, this is the current state; but vandals can fairly easily get around this, as Dori and TimStarling note)
  • Users using proxies on the "graylist", see above section.
  • related bug reports/feature requests: Bugzilla:550, Bugzilla:1779

Problems/ideas


technical problems

  • Some large ISPs force their customers to use addresses that are also used by open proxies. Most notably, this is true for Asianet, which serves many users in Thailand. Some type of whitelist is probably needed to get around this (see above).
  • Blocked IPs should also not be able to create an account. This feature is pending.
  • SORBS has many false positives, especially in dynamic IP ranges. We should have a central location for reporting this (and also for reporting suspected proxies?)
  • It was suggested to use Blitzed OPM [1] instead of SORBS. It is rumored to have fewer false positives (but also fewer correct positives?)
  • SORBS misses a lot of proxies. We should probably scan for proxies ourselves (see below).

ideological problems

  • We are supposed to be an open project
  • By blocking open proxies we are blocking millions of potential editors from around the world (at least 500.000 in Thailand alone) only to combat a few persistent vandals. It is like killing a mosquito with a flamethrower.
  • Vandalism so far has been recovered in a couple of hours by the community. Why all of a sudden change this?

Alternatives


Use captchas for editing under an open proxy rather than blocking them.

Information given to blocked users


By default, blocked users are told:

Your IP address is listed as an open proxy in the SORBS DNSBL. You cannot create an account

This can be edited at MediaWiki:Sorbsreason and MediaWiki:Sorbs create account reason. The message should be translated for non-English wikis. Directing users to a mailing list, where they can ask to be whitelisted, may be better than directing them to SORBS.

About scanning for proxies

  • Could be done by a dedicated server (proxyscanner.wikimedia.org or some such)
  • The scanning server should also run Apache, serving a page explaining the scans.
  • Scans would be triggered by the request of the edit-page. The results should be cached (for a while)
  • Scanning could be done by a script based on nmap or libopm

There could be legal issues with scanning for proxies: port scans may be considered a hacking attempt according to the laws of some countries (France? Germany? US?). However, port scans are a common practice.

France


The relevant law states:

Accessing or staying inside, fraudulently, inside all or part of a computing system is punished...

Note the "fraudulently" (frauduleusement) restriction; our resident French legal experts explained to me that this implied that the action should have the intent to defraud the lawful operators of the system (or another characteristic such as having obtained access by other illegal means, such as stealing keys). Thus, scanning a system for open proxies is not criminal, because no attempt is made to defraud the owner of the system, nor is the action performed in order to allow future defrauding, nor is the action performed using illegally acquired accesses. (The same action would probably be illegal if performed in the intent of getting unauthorized access.)