Help:CheckUser

Revision as of 12:02, 17 July 2006 by Bdk (talk) (+screenshots)

 

This is a user manual page, not a policy discussion page. For discussion on CheckUser policy on Wikimedia, see m:CheckUser and m:CheckUser Policy. Technical info, feature updates and corrections are most welcome.

The Special:CheckUser function allows a user with checkuser permission to check which IPs are used by a given username, and which usernames are used by a given IP, without having to run queries directly against the database by hand. This lets the system administrators get on with running the systems.

The usual use of this is to check for blocked users coming back with sockpuppet accounts.

(Users without checkuser permission get an error message.)

Wikimedia privacy policy

On Wikimedia wikis, privacy policy considerations are of tremendous importance. Unless someone is definitely violating policy with their actions (e.g. massive bot vandalism or spam), revealing their IP, whereabouts or other information sufficient to identify them is likely a violation.

CheckUser is essentially a system administrator level function ("developer" in Wikimedia jargon), and requires the level of confidentiality one would apply to our most confidential user data.

The relevant section of the privacy policy is:

Policy on release of data derived from page logs
It is the policy of Wikimedia that personally identifiable data collected in the server logs will not be released by the developers who have access to it, except as follows:
  1. In response to a valid subpoena or other compulsory request from law enforcement
  2. With permission of the affected user
  3. To Jimbo Wales, his legal counsel, or his designee, when necessary for investigation of abuse complaints.
  4. Where the information pertains to page views generated by a spider or bot and its dissemination is necessary to illustrate or resolve technical issues.
  5. Where the user has been vandalising articles or persistently behaving in a disruptive way, data may be released to assist in the targeting of IP blocks, or to assist in the formulation of a complaint to relevant Internet Service Providers
  6. Where it is reasonably necessary to protect the rights, property or safety of the Wikimedia Foundation, its users or the public.
Wikimedia policy does not permit public distribution of such information under any circumstances, except as described above.

Information release

Note: CheckUser information release is governed by the CheckUser Policy.

Even if the user is committing abuse, it's best not to reveal personal information if possible.

  • If the user has said they're from somewhere and the IP confirms it, then confirming it, where appropriate, does not release private information.
  • If they're on a large ISP (e.g. AOL, NTL, BT, Telstra), they're one of millions and it's not personally identifiable.
  • Revealing the country is generally not personally identifiable (e.g. "User:Querulous is coming in from the UK, User:Sockpuppet is coming in from Canada").
  • If you're in any doubt at all, give no detail and answer like a magic 8-ball.

Mailing list

For Wikimedia checkers, there is a mailing list, checkuser-l. This is a closed list. Use this list to ask for help, ideas and second opinions if you're not sure what the data means.

Typical use

User:Querulous is doing something highly antisocial and abusive in a way that makes you suspect them of being the sockpuppet of a blocked user. You have CheckUser and your wiki policy allows you to look up Querulous.

  1. Go to Special:CheckUser.
  2. In "User:", enter Querulous (not User:Querulous) and click the "OK" button next to it. (It won't work if you just hit Enter!)
  3. You will get back all IPs matching User:Querulous in the recentchanges table.
  4. Look up the IPs using whois and nslookup.
  5. If the previous step doesn't make it futile, click on each of the listed IPs. (You may find it useful to open each IP page in a new window or tab)
  6. Click the "OK" button next to "IP:" in each of the IP windows. This will then list all entries from the recentchanges table for that IP. You now have a list of all usernames that have edited using that IP.
  7. You may then wish to check any new usernames to see if the editing patterns are suspiciously similar.

IP range checking

You can check an IP range of /16 or /24, not just a single IP. Enter aaa.bbb.ccc.0/24 or aaa.bbb.0.0/16 as the IP and you will get all edits from that IP range, e.g. 172.216.0.0/16 will give all edits from one of the AOL proxy ranges. (Note: using a useless query for an example.)

(You can only check /16 or /24, not other ranges. IPs are stored as text, so /16 or /24 is easy to compare but other ranges would require calculation.)
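The text comparison described above, as an added example (not the CheckUser extension's own code). The sample rows, usernames and function names are constructed for illustration. It shows why /16 and /24 reduce to a string prefix, why the trailing dot in that prefix matters, and what a non-octet range such as /20 would require instead.

```python
import ipaddress

# Constructed (username, IP-as-text) pairs standing in for stored edit records.
SAMPLE_ROWS = [
    ("Querulous", "172.216.4.10"),
    ("Sockpuppet", "172.216.200.7"),
    ("Bystander", "172.21.6.1"),
    ("Other", "172.216.4.200"),
    ("Visitor", "10.172.216.4"),
]

def range_to_text_prefix(cidr):
    """Turn aaa.bbb.0.0/16 or aaa.bbb.ccc.0/24 into a string prefix."""
    addr, _, bits = cidr.partition("/")
    ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    octets = addr.split(".")
    if bits == "16":
        keep = 2
    elif bits == "24":
        keep = 3
    else:
        # /20, /12 etc. cut through the middle of an octet, so no single
        # text prefix describes them.
        raise ValueError("only /16 and /24 fall on octet boundaries")
    # Keep the trailing dot: the bare prefix "172.21" would also match
    # every address in 172.216.x.x.
    return ".".join(octets[:keep]) + "."

def users_in_range_text(rows, cidr):
    """Range check done purely as a string comparison on the stored text."""
    prefix = range_to_text_prefix(cidr)
    return sorted({user for user, ip in rows if ip.startswith(prefix)})

def users_in_range_numeric(rows, cidr):
    """Any prefix length, at the cost of parsing and masking every stored IP."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return sorted({u for u, ip in rows if ipaddress.IPv4Address(ip) in net})

if __name__ == "__main__":
    print(users_in_range_text(SAMPLE_ROWS, "172.216.0.0/16"))
    print(users_in_range_numeric(SAMPLE_ROWS, "172.216.0.0/20"))
```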

Hints and tips

  • CheckUser is not magic wiki pixie dust. Almost all queries about IPs will be because two editors were behaving the same way. An editing pattern match is the important thing; the IP match is really just extra evidence (or not).
  • Most dialup and a lot of DSL and cable IPs are dynamic. They might change every session, every day, every week, every few months or hardly ever. Unless the access times are right next to each other, be cautious in declaring a match. After a while, you get to know which ISPs change fast or slow.
  • If it's a proxy, it might not be a match, depending on the size of the organisation running the proxy (per whois output). If it's an ISP proxy, it is not so likely to be a match.
  • If it's an AOL address, you're out of luck — AOL sends each page request through a different proxy.
  • If a username is using lots of different IPs in various countries, the IPs may well be open proxies. Check with an open proxy checker.
  • Edits from addresses allocated to hosting facilities almost always indicate the use of compromised hosting servers for nefarious ends. Note, however, that the user may have a legitimate shell account on the machine.

Useful tools

"Unix" here includes Unix-like, Linux and Mac OS X computers.

  • whois: On Unix, start a terminal and type whois [IP address] at the command line. This should tell you who owns the IP, what the range is and may also note what they use it for. On Windows, All Net Tools has a pretty good web-based whois (which does an nslookup as well).
  • nslookup: On Unix or Windows, nslookup [IP address] at the command line will give you the fully qualified domain name associated with the IP. Note that not all IPs have a domain name, so don't worry if nothing comes back. If you're on Windows, the All Net Tools whois also gives you the FQDN.
  • traceroute: With IPs from some Internet Service Providers it may be useful to run the traceroute command and compare the results between two or more IPs. All Net Tools also offers a traceroute function if you don't have it available at the command line.
    • tcptraceroute: A version of traceroute that uses TCP packets, which get through some firewalls and packet filters that stop ICMP packets. Source code for Unix-like systems is here; most Linux distributions have a package available with it.
  • Open proxy checking: David has yet to find a good tool for this. (proxycheck doesn't do what I want.) There are a number of online proxy checkers: [1]. (I have not tried them.) Help needed. I usually work on a combination of online proxy list checking and educated guesswork ;-) en:User:Tawker runs a web-based proxy checker. To request access to it, contact him on his talk page.
  • Checks for other abuse of an IP: http://www.rbls.org/ gives the status of any IP address on a number of Realtime Blackhole Lists. Note that some RBL blocks should be expected, e.g. many block home dynamic IPs for SMTP, but that's not a problem for a wiki. If a user only uses open proxies or addresses marked as sources of abuse, your suspicions may be raised.

How it works

CheckUser checks against the recentchanges table. This means you can only query data as far back as recentchanges goes. (On Wikimedia wikis, this is nominally a week to a month, though it may be more if the database administrators want to keep more data and have room for it.)

The username check is a fairly intensive query, and if the database is under heavy load it may time out before returning. The IP check is much faster.

The source code is at http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/CheckUser/CheckUser.php?view=markup.
