Wikinews:Requests for CheckUser/Archive 4

Sherif23


These quack identically. Both posting the same spammy stuff-for-sale ad. I'm all for a block of a day or two on the IP as I think it's fairly clearly the user previously warned, but would appreciate confirmation. Blood Red Sandman (Talk)   (Contribs) 15:56, 27 June 2011 (UTC)
 * ✅, both blocked. -- Cirt (talk) 15:54, 28 June 2011 (UTC)

Burning


The first looks to me like our auld friend Mr Kitties, the second was created close by with a comparable name. The third has exactly the kind of name I'd expect from xyr; would normally not req check but it was created ~1 min from the first. Request confirmation or exhoneration, and weeding out of any sleepers; also, a block on underlying IP if confirmed. It it is xyr, I expect the following to be connected (also want underlying IP and sleepers searched for on these, if they are unrelated to the above):



I suspect open proxies being (ab)used; confirming and indeffing any would help. Blood Red Sandman (Talk)   (Contribs) 10:04, 24 June 2011 (UTC)

= ✅ = appears to be unrelated, see also en.wikipedia contribs for that one.

-- Cirt (talk) 19:17, 24 June 2011 (UTC)


 * As you might imagine, I intended Zzyxzaa26 to be the second user on my list for my comment to make sense. :p At any rate, thanks once again. Blood Red Sandman  (Talk)   (Contribs) 12:39, 26 June 2011 (UTC)
 * You're welcome! :) -- Cirt (talk) 03:44, 27 June 2011 (UTC)

Creation within a few moments of each other, obvious quacking and waddling, but confirm needed all the same before doing whatever needs doing:



Any passing CU, thoughts are welcomed. BarkingFish (talk) 21:51, 14 June 2011 (UTC)
 * ✅. -- Cirt (talk) 23:01, 14 June 2011 (UTC)

Quacks like /. Can we confirm? --Pi zero (talk) 16:42, 7 June 2011 (UTC)
 * ✅, blocked one IP address, also one rangeblock. Cheers, -- Cirt (talk) 18:53, 7 June 2011 (UTC)
 * Thanks. --Pi zero (talk) 19:34, 7 June 2011 (UTC)
 * You are welcome! -- Cirt (talk) 14:17, 8 June 2011 (UTC)

,, and appropriate range
One of these IPs performed a slew of Anti-Semitic vandalism in the early hours of today. I find it most suspicious that someone else, in the same /22, would then choose to edit the blocked IP's talk. Thanks for looking into this. --Brian McNeil / talk 21:24, 4 June 2011 (UTC)
 * Do browser strings match? (And, thus should we be watching carefully).
 * Is there additional disruption from within the /22?
 * Would a rangeblock impact any legitimate users?
 * This may be another case of our cat-lover vandal. アンパロ Io ti odio! 21:26, 4 June 2011 (UTC)

Cheers, -- Cirt (talk) 02:27, 5 June 2011 (UTC)
 * ✅, browser strings match.
 * 1) No other disruption from within the range.
 * ✅, Rangeblock would not impact any legitimate users.
 * ✅, rangeblock applied.
 * Thanks. An ounce of prevention – enough prophylactics to block any sewage outlet. ;-) --Brian McNeil / talk 04:17, 5 June 2011 (UTC)
 * You are most welcome! ;) -- Cirt (talk) 07:12, 5 June 2011 (UTC)

Jeanpaul


Similar edits content (advertising). Gryllida 11:11, 2 June 2011 (UTC)
 * No need for a check, it is w:WP:DUCK, and I am sure an admin can make their own decision about blocking with that in mind. -- Cirt (talk) 13:43, 2 June 2011 (UTC)
 * Went ahead and blocked them both per w:WP:DUCK. -- Cirt (talk) 06:14, 3 June 2011 (UTC)

Thanks, Gryllida 01:56, 5 June 2011 (UTC)
 * You are welcome! -- Cirt (talk) 02:27, 5 June 2011 (UTC)

and
These appear to be the same vandal abusing multiple accounts. Seems it could be useful moving forward to have confirmation of this. --Pi zero (talk) 12:23, 28 May 2011 (UTC)
 * Not seeing technical connection, at least not obvious one. Can you give more behavioral evidence? -- Cirt (talk) 17:57, 28 May 2011 (UTC)
 * The behavioral evidence seems reasonably solid, imo. Within a few days of each other, each spammed numerous users' talk pages with a message about being with an alien faction that will enslave humankind; different alien factions, Orso's was the Ku Ku Laka while Shalam Kumbar's was The Way of Orso.  It would have been cleaner to have technical evidence, though.  Sigh.  --Pi zero (talk) 18:42, 28 May 2011 (UTC)

-- Cirt (talk) 20:37, 28 May 2011 (UTC)
 * Update: ✅. Two underlying IPs blocked. -- Cirt (talk) 20:39, 28 May 2011 (UTC)
 * Thanks. --Pi zero (talk) 20:54, 28 May 2011 (UTC)
 * You are welcome! ;) -- Cirt (talk) 21:14, 28 May 2011 (UTC)

Another litter
Created in rapid succession:, , , , ,. Can we confirm that these are all socks? --Pi zero (talk) 04:20, 20 May 2011 (UTC)
 * ✅. Underlying IP blocked. Thanks, -- Cirt (talk) 05:12, 20 May 2011 (UTC)

Socks?
and were created in a little period of time, and I'd say they are socks, possibly of the cats fanatic guy. I blocked the first one as an unacceptable username, the other ones... I'm not so sure, and it'd been kinda controversial if I blocked them for "abusing multiple accounts" since there is no reason to say it actually apart from being created almost immediately one apart from the other. Thank you in advance アンパロ Io ti odio! 03:05, 15 May 2011 (UTC)
 * ✅. Also, one more: = this account has already also been locked. I also blocked one underlying IP. Cheers, -- Cirt (talk) 03:52, 15 May 2011 (UTC)
 * Thank you again! アンパロ Io ti odio! 03:54, 15 May 2011 (UTC)
 * You're welcome! ;) -- Cirt (talk) 04:49, 15 May 2011 (UTC)

Series of spamming SPAs
The following have all, near-immediately after registering, posted pisspoor spammy nonsense. Could they please be checked with a view to a more prolonged IP, or range, block?


 * Offenders:, , , , , and . --Brian McNeil / talk 12:30, 11 May 2011 (UTC)


 * ✅. I carried out a rangeblock and another IP block for the underlying IPs. Cheers, -- Cirt (talk) 15:50, 11 May 2011 (UTC)
 * Thanks Cirt; sure they'll be velly annoyed. --Brian McNeil / talk 18:18, 12 May 2011 (UTC)
 * You are most welcome. ;) -- Cirt (talk) 20:53, 12 May 2011 (UTC)

Possible connections


Possible connection indicated by recent string of vandalism. Tyrol5 (talk) 17:03, 29 June 2011 (UTC)
 * You forgot about meeeeee!!!!! )': MaximumK!ttiesonf!re (talk) 17:05, 29 June 2011 (UTC)
 * That sounded like an admission, so I went ahead and blocked MaximumK!ttiesonf!re. I'll also do K!ttiesonf!reFOREVER!, since that one's blatant. I'll leave the other two for a CU to take a look at, though. DEN  DODGE  George Watson  17:08, 29 June 2011 (UTC)
 * Also went ahead and blocked, also blatant. Tyrol5 (talk) 17:12, 29 June 2011 (UTC)
 * . --Pi zero (talk) 17:19, 29 June 2011 (UTC)


 * ✅, blocked underlying IP. -- Cirt (talk) 22:40, 29 June 2011 (UTC)
 * Thanks! Tyrol5 (talk) 23:34, 29 June 2011 (UTC)
 * You're welcome! -- Cirt (talk) 23:49, 29 June 2011 (UTC)

I just did a block on 173.23.200.0/22 as the current burning feline operating range. Can this be checked to see no collateral damage? --Brian McNeil / talk 17:06, 30 June 2011 (UTC) Please confirm these suckers:
 * beats this rangeblock; can all IPs used by KittiesOnFire be checked with nmap as possible proxies, or as webhosting which may have a proxy installed? --Brian McNeil / talk 17:15, 30 June 2011 (UTC)
 * Range from rangeblock checked. Zero collateral damage. The other IPs used are so different from each other that it's hard to do any other rangeblocks. The sockmaster is likely jumping to different types of proxies. -- Cirt (talk) 19:34, 30 June 2011 (UTC)
 * I like running nmap. ;-) --Brian McNeil / talk 20:17, 30 June 2011 (UTC)
 * Feel free to if you wish, in this case it's obvious and the IPs are already blocked. -- Cirt (talk) 20:27, 1 July 2011 (UTC)
 * I must say, I'm really tempted to block the IPs for a looong time as obvious proxies. Blood Red Sandman  (Talk)   (Contribs) 20:34, 1 July 2011 (UTC)
 * I would have no objections to that. :) -- Cirt (talk) 01:16, 2 July 2011 (UTC)

Pretty sure they're all our burning feline friend. --Brian McNeil / talk 22:38, 2 July 2011 (UTC)

The usual, please. A possibly unrealted pair: and  are clearly the same user, but there seems to be a knowledge of process here: Who owns these socks? Blood Red Sandman (Talk)   (Contribs) 22:43, 2 July 2011 (UTC)


 * Note, I'm merging some of mine into Brian's list. Blood Red Sandman  (Talk)   (Contribs) 22:50, 2 July 2011 (UTC)


 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)
 * These are all ✅. Underlying IP blocked. Looking into a rangeblock. -- Cirt (talk) 23:18, 2 July 2011 (UTC)


 * And what of the other two I asked about? Blood Red Sandman  (Talk)   (Contribs) 11:13, 3 July 2011 (UTC)
 * Could we get some more behavioral evidence on them, and timing, etc? Technical is not showing it at first glance. -- Cirt (talk) 11:53, 3 July 2011 (UTC)
 * They both have time-y usernames, showed up and left edits on Talk:Lucas Glover beats Bryd in playoff about timeliness. The second also did similar for a second now-deleted article. They're harmless on their own, but the knowledge of what terms to use ('stale', 'abandoned') made me feel someone's playing silly buggers and that there'd be a third account to tie in to. However, I obviously cannot rule out a simple lurker. Blood Red Sandman  (Talk)   (Contribs) 16:04, 3 July 2011 (UTC)
 * ✅, that those 2 are at the very least as far as technical evidence, socks of each other. Blocked. -- Cirt (talk) 15:01, 4 July 2011 (UTC)

Note: This user is known on other wikis as: Dantherocker1. -- Cirt (talk) 16:24, 4 July 2011 (UTC)

Robajz / Leo El Marinero
I ask for a checkusering on, since it appears to be a sockpuppet of.

Aside, can you please also check the recent sockpuppets of Kitiesonfire and apply a IP block please? Thank you! I blocked all the sockpuppets on sight. --アンパロ Io ti odio! 20:44, 22 July 2011 (UTC)


 * I suspect you'll find may actually be a sock of . --Brian McNeil / talk 21:46, 22 July 2011 (UTC)


 * unrelated fr33k man t 18:49, 3 August 2011 (UTC)

Herd of cats
Please confirm these, all created in the space of about two minutes: There is an additional account that could be unrelated, so I haven't (as of this writing) blocked it; it was created six minutes later and is only indirectly implicated: this batch of socks mostly vandalized each others' talk pages, but they also vandalized this one other user's. .  Misdirection is possible, hence my non-block. --Pi zero (talk) 16:29, 26 July 2011 (UTC)

^^Additional to the above, please also include: Thank you, BarkingFish (talk) 10:18, 28 July 2011 (UTC)

^^In addition to the additional addition above, please add these :P

I'm 99.99% sure these are Kittiesonfire5 - all currently indeffed with no talk page access due to previous misuse of the unblock request facility.

BarkingFish (talk) 16:01, 2 August 2011 (UTC)
 * Is it possible to actually apply a decent rangeblock and stop this "special needs" contributor? If not, are these proxies to be permanently blocked? This is becoming tiresome. --Brian McNeil / talk 18:01, 2 August 2011 (UTC)
 * I've emailed Cirt as we've a growing backlog of RfCUs. If no response within 24 hrs, I'll chase up a steward to handle all pending requests.
 * It is particularly irksome that I used to have this right, never actually abused it, but confrontationally raised its use with some idiot and was put in a position of resigning it. We need this work carried out promptly, somewhat proactively, and very, very thoroughly. --Brian McNeil / talk 18:06, 2 August 2011 (UTC)
 * I'm in the process of working on the AbuseFilter at the moment Brian, I've added some useful ones from enwp, who've kindly given me permission to access their private filters for import, and I'm also working on putting a very stringent filter in place to hit this guy right where it hurts. I will let you know when the filter is in place and active :) The only other CU's I know of are Craig Spurrier and Skenmy - who I done thunk is inactive :P  BarkingFish (talk) 18:38, 2 August 2011 (UTC)
 * ✅ all of them. I have range blocked the appropriate range. That should keep down the problems for a while. fr33k man t 18:45, 3 August 2011 (UTC)


 * More suspected socks

— Mike moral  ♪♫  04:23, 8 August 2011 (UTC)

Also highly suspicious based on moment of account creation:
 * (no SUL, though same name as some accounts elsewhere)

--Pi zero (talk) 17:18, 8 August 2011 (UTC)
 * And more

— Mike moral  ♪♫  00:52, 10 August 2011 (UTC)


 * Note, checkusered the accounts and told me via IRC to apply a range block for 70.224.32.0/20 as well as other blocks to apply. — Mike  moral  ♪♫  01:20, 10 August 2011 (UTC)

Quacking like a cat
Can we confirm these are our cat-hater? (Created in a batch) --Pi zero (talk) 18:24, 25 August 2011 (UTC)
 * ✅. -- Cirt (talk) 20:42, 25 August 2011 (UTC)
 * Thanks! --Pi zero (talk) 21:42, 25 August 2011 (UTC)

These too please, Cirt :)



BarkingFish (talk) 20:39, 26 August 2011 (UTC)


 * I've expanded the prior Steward-imposed block to 70.224.32.0/23 (six-month duration) as the prior block of a /24 stopped kitty crapping on the floor for about 5 days. If this impacts any "real" contributors, please overturn. If our feline friend has an entirely different range at xyr disposal, please block as-appropriate. --Brian McNeil / talk 16:41, 29 August 2011 (UTC)
 * ✅, yet again, three different confirmed and related IPs. -- Cirt (talk) 17:51, 30 August 2011 (UTC)

78.149.114.62
Made a clear attempt to sneak copyrighted material through the review process, but failed. (This was not a misunderstanding of the rules/law but a deliberate act, in this case, unlike most copyvios.) With no other contribs till today, I'm suspicious; this is someone who already knows a thing or two about the project. Can we see if we can link this to any troll accounts, or at least confirm open proxy use? Blood Red Sandman (Talk)   (Contribs) 20:09, 13 September 2011 (UTC)
 * Nothing came up. Only edits to 2 different articles, Bomb blast in Delhi kills 12, injures 62 and British "Father of Pop Art" Richard Hamilton dies aged 89. -- Cirt (talk) 04:35, 25 October 2011 (UTC)

Old cats
Two old kitties accounts have been vandalizing their user talk pages. These are part of a set blocked on May 20. I've revoked remaining privs for the whole set, but note that apparently IP measures taken did not suffice. Can we do better?

The two: Others in the set: --Pi zero (talk) 01:55, 15 October 2011 (UTC)
 * ✅, added an IP block. -- Cirt (talk) 04:38, 25 October 2011 (UTC)

Onewhohelps
and his mobile account are likely socks of a known crosswiki troll. This user follows similar patterns off-wiki - mainly IRC spam and harassment. This user has been determined elsewhere to be w:User:Surasaman aka w:User:Thepoliticalmaster. Similar block exists on Outreachwiki. I've been informed of similar disruption to members of at least one non-WMF wiki. This user uses a variety of IP addresses, based on IRC evidence, and so cross-project CU collaboration may be in order. Blood Red Sandman (Talk)   (Contribs) 16:24, 17 November 2011 (UTC)

The above are ✅. Beginning coordination process with crosswiki CUs. Thank you for alerting us to this. ;) -- Cirt (talk) 17:48, 17 November 2011 (UTC)

Triplet spammers
The following accounts all showed up at the same time, posting faux-news "articles" (with no Wikinews formatting and no sources) ending with an unrelated paragraph containing spam links. (Actually, I think at least two of the three had the same spam links.) --Pi zero (talk) 09:40, 1 January 2012 (UTC) All above including added 4th one, are ✅. Blocked underlying IP for one week. -- Cirt (talk) 01:52, 2 January 2012 (UTC)

All ✅. -- Cirt (talk) 02:27, 5 March 2012 (UTC)
 * Here's another, same mo, looks like includeing the same spam link. --Pi zero (talk) 12:56, 4 March 2012 (UTC)

Kittiesonfire is Dantherocker1
Just an FYI heads up, the "Kittiesonfire" socks = ✅ as Dantherocker1 from en.wikipedia. All related socks can be blocked on sight. Thank you for your time, -- Cirt (talk) 04:24, 7 January 2012 (UTC)

Feline rocker
Blocked two more: --Pi zero (talk) 15:46, 8 January 2012 (UTC)
 * 1) &mdash; replaced AAA with something about kitties; I blocked it for a week, fwiw.
 * 2) &mdash; indefblocked on sight.

Another set: --Pi zero (talk) 14:08, 9 January 2012 (UTC)
 * 1) --Pi zero (talk) 22:55, 9 January 2012 (UTC)
 * 1) --Pi zero (talk) 22:55, 9 January 2012 (UTC)
 * 1) --Pi zero (talk) 22:55, 9 January 2012 (UTC)
 * 1) --Pi zero (talk) 22:55, 9 January 2012 (UTC)
 * 1) --Pi zero (talk) 22:55, 9 January 2012 (UTC)
 * 1) --Pi zero (talk) 22:55, 9 January 2012 (UTC)
 * 1) --Pi zero (talk) 22:55, 9 January 2012 (UTC)
 * All above are ✅. -- Cirt (talk) 17:13, 10 January 2012 (UTC)


 * 1) --Pi zero (talk) 21:07, 10 January 2012 (UTC)
 * ✅, again. -- Cirt (talk) 21:26, 10 January 2012 (UTC)


 * 1) --Pi zero (talk) 00:35, 11 January 2012 (UTC)
 * ✅. -- Cirt (talk) 05:56, 11 January 2012 (UTC)


 * IP claiming to be impacted by Kitty-blocking; can you take a look at the technical details? --Brian McNeil / talk 23:48, 25 January 2012 (UTC)
 * Most likely that is Dantherocker1 socking to post the request on that IP talk page. He's done it before multiple times in the past. -- Cirt (talk) 01:23, 26 January 2012 (UTC)
 * ✅ that the user posting that was Dantherocker1. -- Cirt (talk) 02:18, 26 January 2012 (UTC)
 * Yeah, kinda thought it would be, but some HTTP headers do help. On which note, UK cellular company O2 had a screwup that left customers using mobile phones browsing (other than via a WiFi connection) posting the customer's phone number for nearly two weeks. Sadly, couldn't pick that up and run with it. A: COI B: Davos story. --Brian McNeil / talk 04:25, 26 January 2012 (UTC)

Can we make a technical connection with this one? --Pi zero (talk) 06:45, 27 March 2012 (UTC)
 * ✅, blocked the underlying IP, it was a hacked mail server proxy. -- Cirt (talk) 17:05, 27 March 2012 (UTC)
 * ✅, blocked the underlying IP, it was a hacked mail server proxy. -- Cirt (talk) 17:05, 27 March 2012 (UTC)

Another set, created in under three minutes. --Pi zero (talk) 01:49, 29 March 2012 (UTC)
 * ✅, blocked underlying IP, will confer with other CUs on this. -- Cirt (talk) 06:50, 29 March 2012 (UTC)
 * ✅, blocked underlying IP, will confer with other CUs on this. -- Cirt (talk) 06:50, 29 March 2012 (UTC)
 * ✅, blocked underlying IP, will confer with other CUs on this. -- Cirt (talk) 06:50, 29 March 2012 (UTC)
 * ✅, blocked underlying IP, will confer with other CUs on this. -- Cirt (talk) 06:50, 29 March 2012 (UTC)
 * ✅, blocked underlying IP, will confer with other CUs on this. -- Cirt (talk) 06:50, 29 March 2012 (UTC)
 * ✅, blocked underlying IP, will confer with other CUs on this. -- Cirt (talk) 06:50, 29 March 2012 (UTC)
 * ✅, blocked underlying IP, will confer with other CUs on this. -- Cirt (talk) 06:50, 29 March 2012 (UTC)

Latest. --Pi zero (talk) 20:10, 8 April 2012 (UTC)
 * 1) &mdash; left an effectively signed note on User talk:Cirt
 * Yes, ✅, -- Cirt (talk) 06:59, 9 April 2012 (UTC)
 * 1) &mdash; left an effectively signed note on User talk:Cirt
 * Yes, ✅, -- Cirt (talk) 06:59, 9 April 2012 (UTC)
 * 1) &mdash; left an effectively signed note on User talk:Cirt
 * Yes, ✅, -- Cirt (talk) 06:59, 9 April 2012 (UTC)
 * 1) &mdash; left an effectively signed note on User talk:Cirt
 * Yes, ✅, -- Cirt (talk) 06:59, 9 April 2012 (UTC)

Multi-account spammer
I've blocked the following users, all of whom posted substantially the same advertising/spam to (usually their own) user pages. (Fegistered blocks indefinite; IP, a mere three days.) --Pi zero (talk) 23:31, 12 January 2012 (UTC)
 * ✅, blocked another IP. -- Cirt (talk) 00:16, 13 January 2012 (UTC)

Marciano
A user has just been threatening various users with wiki-watch.com, using the same modus operandi as the IP that was recently doing that cross-wiki over, supposedly, the Rocky Marciano article. The IP is globally blocked for six months for cross-wiki abuse. I'm wondering if any technical connection can be made between these. Also possibly related &mdash;I offer it for consideration if deemed appropriate&mdash; is the user who originally created the Marciano pages cross-wiki; xe hasn't gotten xyrself blocked anywhere but Wikispecies that I can see (there, indef without ability to edit own talk page, as a vandalism-only account), though I do note a somewhat suggestive similar predilection for edit summaries in ALL CAPS. --Pi zero (talk) 17:44, 14 January 2012 (UTC)
 * - No technical correlation between the above three yet. The last account has another account tied to its IP (not the one in the above list, another unrelated one), but I don't see any abusive editing with that account yet. Please do keep an eye on it, and feel free to post a re-check if there is further behavioral evidence on this wiki or from others. Thank you, -- Cirt (talk) 04:48, 15 January 2012 (UTC)

This IP seems to be claiming to be the same idiot (judging by the content of the vandalism). --Pi zero (talk) 01:22, 28 January 2012 (UTC)
 * ✅ match to BakerMarciano and Historicalguy --Cspurrier (talk) 05:06, 28 January 2012 (UTC)
 * ✅ match to BakerMarciano and Historicalguy --Cspurrier (talk) 05:06, 28 January 2012 (UTC)

SPA,… Spammer(s)
Three accounts, created in succession, and used to create SEO support-type for spammed links.

I'm keen to know if there is a shared underlying IP, if it has a history of this activity (I've seen this sort of SEO spam in the past few weeks - also a small volume). Lastly, this is a new spamming method for here, so a yes/no on "have other projects seen similar?" is something I'm curious on. Since WMF username captchas are pretty simple, it would concern me that a scripted spam run could hit us 3 times in an hour, and just be the tip of a wiki-spamming iceberg. --Brian McNeil / talk 09:21, 25 January 2012 (UTC)
 * ✅, will confer with other CUs bout this. -- Cirt (talk) 01:25, 26 January 2012 (UTC)
 * This is a interesting one. i see that Cirt has already put a block on that IP, so i will wait and see if there will be any more Brian &#124; (Talk) &#124; New Zealand Portal 06:14, 26 January 2012 (UTC)

Block-evading spammer
Identical mo, even same company site linked to; I indefblocked the first yesterday, then the second when it cropped up today. I see one of them has non-zero edits on another sister (en.wp), and has been indefblocked there. --Pi zero (talk) 15:21, 26 January 2012 (UTC)
 * ✅, blocked a slew of IPs. -- Cirt (talk) 15:49, 26 January 2012 (UTC)
 * ✅, blocked a slew of IPs. -- Cirt (talk) 15:49, 26 January 2012 (UTC)
 * ✅, blocked a slew of IPs. -- Cirt (talk) 15:49, 26 January 2012 (UTC)

Spammers with same MO
Two accounts, created maybe five hours apart, each account immediately creating a user page containing only a spam link. That's a distinctive MO, twice in a quarter day. The two spam links are thematically similar, too. So I'd like to know if these two accounts have any technical connection. --Pi zero (talk) 15:36, 1 February 2012 (UTC)
 * ✅. -- Cirt (talk) 15:38, 1 February 2012 (UTC)
 * ✅. -- Cirt (talk) 15:38, 1 February 2012 (UTC)
 * ✅. -- Cirt (talk) 15:38, 1 February 2012 (UTC)

Katherine


Similar usernames, similar pattern of 13-year-old-girl-style edits. Are there any more of these lurking? Blood Red Sandman (Talk)   (Contribs) 18:38, 2 February 2012 (UTC)
 * ✅. Nothing else shows up at the time being. -- Cirt (talk) 22:52, 2 February 2012 (UTC)

Nauseous green
I've noted three users (two registered and an IP) recently that put me in mind of recently banned Viriditas, and would like to know whether technical connections can be made.

The IP and user Free Web Defence have in the past few days been resubmitting Viriditas's Black History Month article for review without improvement. Free Web Defense has no other edits here; elsewhere are two edits on en.wp, only one of which is publicly visible (spurious result from tool? edit to deleted page?), from late January &mdash; predating Viriditas's disruption here. In the case of Viriditas, I'm not prepared to dismiss suspicion of the account on that basis. The other registered user, Fkjsdnkjfndsjfsd, submitted a minimal article with ten sources, and did nothing when asked to repair misformatted source templates and questioned on the need for so many sources; the account was created yesterday and made some contributions to two Wikipedias &mdash; Filipino and Latin (appears to be an experienced user adopting a random-keystrokes username; keeping in mind, Viriditas claims to be based in Hawaii and, well, chose the username Viriditas). --Pi zero (talk) 17:35, 8 February 2012 (UTC)
 * . -- Cirt (talk) 18:03, 8 February 2012 (UTC)
 * Going to confer with other fellow Checkusers on this one. -- Cirt (talk) 18:30, 8 February 2012 (UTC)
 * . -- Cirt (talk) 18:03, 8 February 2012 (UTC)
 * Going to confer with other fellow Checkusers on this one. -- Cirt (talk) 18:30, 8 February 2012 (UTC)
 * . -- Cirt (talk) 18:03, 8 February 2012 (UTC)
 * Going to confer with other fellow Checkusers on this one. -- Cirt (talk) 18:30, 8 February 2012 (UTC)


 * The IP has now got the idea that rather than simply requesting review, xe'd replace the review template with publish. Xe did that to two aritcles this morning (Black History Month and another).  I've given xem a three day block, but this behavior is so very like Viriditas that if it's a meatpuppet rather than a sockpuppet, it looks to be a meatpuppet with remarkably short strings.  --Pi zero (talk) 13:06, 9 February 2012 (UTC)

These first 2 are the same, blocked as ✅. The others are less conclusive. Feel free to block on behavioral evidence as an admin judgment decision, as they appear to be using mobile phones to edit which obscures changing IPs somewhat. -- Cirt (talk) 16:17, 9 February 2012 (UTC)


 * I've just whammed as clearly part of the same, if we can dig any new info out from that one would be cool.  Blood Red Sandman  (Talk)   (Contribs) 22:34, 9 February 2012 (UTC)
 * Nothing much turns up, will confer with others. -- Cirt (talk) 23:33, 9 February 2012 (UTC)
 * 193.62.43.202 and 77.28.104.213 are hacked mail severs acting as proxies. Fkjsdnkjfndsjfsd's ip also appears to be a proxy. From a technical match perspective, Viriditas may not be the same user as the others, however given the near perfectness of the lack of overlap and the response to Cirt I would lean towards them being carefully done socks of Viriditas --Cspurrier (talk) 23:07, 11 February 2012 (UTC)

These all share very similar useragent info. I'd suspect is another proxy, but I'd like to hear thoughts of  on this. -- Cirt (talk) 17:38, 22 February 2012 (UTC)
 * appears to be linked, with a similar history of largely (or entirely) ignoring review responses in order to push an article back into the queue. Blood Red Sandman  (Talk)   (Contribs) 16:16, 22 February 2012 (UTC)
 * Update: Yes, 117.193.166.194 does indeed appear to be a hacked mail server proxy. I'd still of course appreciate comments from any other CUs or experienced users with regard to proxies. -- Cirt (talk) 17:39, 22 February 2012 (UTC)


 * See also . Blood Red Sandman  (Talk)   (Contribs) 18:52, 22 February 2012 (UTC)
 * Again, same user agent info. Quite likely another proxy. -- Cirt (talk) 22:49, 22 February 2012 (UTC)


 * NOTE: Check this out: One of the socks on the IP range,, technically is ✅ as . Compare en.wikipedia sock investigation case page and en.wikipedia block log on one of the socks. -- Cirt (talk) 23:35, 22 February 2012 (UTC)
 * Cleaning out the latest batch of abandoned efforts, shows up as a possible.  Blood Red Sandman  (Talk)   (Contribs) 18:30, 27 February 2012 (UTC)
 * ✅ as a sock, will discuss more on this with other CUs. -- Cirt (talk) 19:15, 27 February 2012 (UTC)
 * Thanks. is again a possible. (One thing to be careful of is the pattern of disruption closely follows a pattern of innocent mistakes new users often make. I'm trying hard to make sure only strong candidates wind up reported here.)  Blood Red Sandman  (Talk)   (Contribs) 12:38, 28 February 2012 (UTC)
 * This latest one is most likely ❌. Therefore a block here would be up to behavioral evidence alone. -- Cirt (talk) 15:00, 28 February 2012 (UTC)

Labor reporter
resubmitted an article without addressing the concerns. The next diff shows the user being warned this was disruptive, and the diff after that shows an IP doing the same thing. Is the IP in fact the same user, logging out to be disruptive? Is the IP from the set of disruptive IPs above? Or are they all totally unrelated and coincidental? Blood Red Sandman (Talk)   (Contribs) 14:58, 2 April 2012 (UTC)
 * These two are ✅ as the same, see also this diff. The associated IP is technically unrelated, (though I'm going to do further investigation), but it is an IP of an android cellphone, apparently. Feel free to block it on admin judgment based on the strong behavioral evidence. If there is admin action taken, blocks, etc, please note it here, below, and then please also note it at WN:AAA. Thank you! Cheers, -- Cirt (talk) 05:04, 3 April 2012 (UTC)
 * For some reason, I get a 404 on the diff so here is a direct link. I'm going to block Newport Backpay indef and the IP a week as this is now a user who is otherwise disruptive, so mmultiple accounts are not acceptable. Blood Red Sandman  (Talk)   (Contribs) 14:47, 4 April 2012 (UTC)
 * These two are ✅ as the same, see also this diff. The associated IP is technically unrelated, (though I'm going to do further investigation), but it is an IP of an android cellphone, apparently. Feel free to block it on admin judgment based on the strong behavioral evidence. If there is admin action taken, blocks, etc, please note it here, below, and then please also note it at WN:AAA. Thank you! Cheers, -- Cirt (talk) 05:04, 3 April 2012 (UTC)
 * For some reason, I get a 404 on the diff so here is a direct link. I'm going to block Newport Backpay indef and the IP a week as this is now a user who is otherwise disruptive, so mmultiple accounts are not acceptable. Blood Red Sandman  (Talk)   (Contribs) 14:47, 4 April 2012 (UTC)


 * Update: Please see also English Wikipedia case investigation and its archives, at w:Wikipedia:Sockpuppet investigations/Labor Watch. -- Cirt (talk) 15:05, 4 April 2012 (UTC)
 * ✅ and updated results at w:Wikipedia:Sockpuppet investigations/Labor Watch. -- Cirt (talk) 16:59, 6 April 2012 (UTC)

Two spamming IPs
I don't have a clue what to make of this, but figured I'd turn it over to someone who could possibly have a clue.

The first of these IPs just created page Category talk:Baseball, containing a blurb about sunglasses and eyeglasses. Seems familiar, but I don't know from where. The IP has no other edits on Wikinews. I checked for same IP contributions on sister projects, and found one on en.wp, from yesterday. That is a blurb about cellphone jammers. Which also seemed familiar. Coming back to Wikinews, I looked again at the deleted Category talk:Baseball, and discovered two deleted revisions; the earlier, from four days ago, was a blurb about cellphone jammers. Er... --Pi zero (talk) 01:55, 8 April 2012 (UTC)


 * ✅, to each other, but not much else at the moment. -- Cirt (talk) 05:38, 8 April 2012 (UTC)
 * ✅, to each other, but not much else at the moment. -- Cirt (talk) 05:38, 8 April 2012 (UTC)
 * ✅, to each other, but not much else at the moment. -- Cirt (talk) 05:38, 8 April 2012 (UTC)
 * ✅, to each other, but not much else at the moment. -- Cirt (talk) 05:38, 8 April 2012 (UTC)

Jshellmann and other accounts
Bringing this to local community attention: I'd like thoughts from local admins and the community about what to do about this. I'll defer to other admins as far as admin action, blocking, etc, just bringing here for review. Cheers, -- Cirt (talk) 02:44, 12 April 2012 (UTC)
 * I initially checked into this due to behavior that seemed similar to Requests_for_CheckUser on an article written by one of these accounts.
 * They are all ✅ on a purely technical basis, without respect to behavioral evidence.
 * The majority of them in multiple cases use very similar, and sometimes identical, useragent info as well.
 * I initially checked into this due to behavior that seemed similar to Requests_for_CheckUser on an article written by one of these accounts.
 * They are all ✅ on a purely technical basis, without respect to behavioral evidence.
 * The majority of them in multiple cases use very similar, and sometimes identical, useragent info as well.
 * I initially checked into this due to behavior that seemed similar to Requests_for_CheckUser on an article written by one of these accounts.
 * They are all ✅ on a purely technical basis, without respect to behavioral evidence.
 * The majority of them in multiple cases use very similar, and sometimes identical, useragent info as well.
 * I initially checked into this due to behavior that seemed similar to Requests_for_CheckUser on an article written by one of these accounts.
 * They are all ✅ on a purely technical basis, without respect to behavioral evidence.
 * The majority of them in multiple cases use very similar, and sometimes identical, useragent info as well.
 * I initially checked into this due to behavior that seemed similar to Requests_for_CheckUser on an article written by one of these accounts.
 * They are all ✅ on a purely technical basis, without respect to behavioral evidence.
 * The majority of them in multiple cases use very similar, and sometimes identical, useragent info as well.
 * I initially checked into this due to behavior that seemed similar to Requests_for_CheckUser on an article written by one of these accounts.
 * They are all ✅ on a purely technical basis, without respect to behavioral evidence.
 * The majority of them in multiple cases use very similar, and sometimes identical, useragent info as well.
 * They are all ✅ on a purely technical basis, without respect to behavioral evidence.
 * The majority of them in multiple cases use very similar, and sometimes identical, useragent info as well.


 * Did we do anything wrong? I can vouch for every person listed above. In fact, if you want to know more about us, go to my user page under contributions. All of my students are listed there. We're all very transparent. Brian and Pi also know about the university - Wikinews connection.Crtew (talk) 03:11, 12 April 2012 (UTC)
 * Comment: There appears to be a repeated pattern of cases of edits moving from "develop" back to "review" tag, for an article that has at least one failed review, without really doing enough to address the reviews. This is a disturbing pattern of behavior. -- Cirt (talk) 03:13, 12 April 2012 (UTC)

I agree. My students are too quick to hit the submit button. I have made the decision several to pull things out of submit so as not to waste the editors' time. We talked about that tonight as we worked on the Zimmerman article.Crtew (talk) 03:21, 12 April 2012 (UTC)
 * It's a big problem, and something Wikinews has dealt with in the past at Requests_for_CheckUser, above. Regarding single edits that move a page from "develop" back to "review" with nothing really being done to address the failed review. -- Cirt (talk) 03:23, 12 April 2012 (UTC)


 * Update: Do not block, please. It's a legitimate class group per this comment by Crtew. We'll monitor and hopefully there will be a decrease in students that have a repeated pattern of cases of edits moving from "develop" back to "review" tag, for an article that has at least one failed review, without really doing enough to address the reviews. Cheers, -- Cirt (talk) 15:40, 12 April 2012 (UTC)

Stupid question
Pardon my cluelessness, but, what is this I'm looking at? --Pi zero (talk) 17:18, 20 April 2012 (UTC)
 * Special:Undelete/Wikinews talk:Archives/Topic
 * ✅ as basically quite similar technical data including the useragent, we've had crosswiki spam issues with these ranges, will update other CUs on this. Thanks for the heads up! -- Cirt (talk) 19:52, 20 April 2012 (UTC)


 * there is never a dell moment being a CU :p Brian &#124; (Talk) &#124; New Zealand Portal 00:41, 22 April 2012 (UTC)
 * Heh, indeed ... -- Cirt (talk) 04:53, 22 April 2012 (UTC)
 * 'scuse me, a "dell moment"? Have you been inflicted with substandard hardware accompanied by god-awful advertising? :P --Brian McNeil / talk 12:58, 22 April 2012 (UTC)

Another apparently in this set. --Pi zero (talk) 01:03, 20 May 2012 (UTC)
 * ✅. -- Cirt (talk) 02:59, 20 May 2012 (UTC)
 * ✅. -- Cirt (talk) 02:59, 20 May 2012 (UTC)

These next two are probably separate from the above, but I'm putting them in this section because, like the above, they're putting their spam in an otherwise-non-existent talk page for an out-of-the way page (this time it's User talk:Microchip08/Database dump/entry). The content of the spam, however, is different than the above. --Pi zero (talk) 04:13, 24 May 2012 (UTC) ✅. -- Cirt (talk) 04:58, 24 May 2012 (UTC)

Fashionable spammers
These two characters are linked by topic, both creating pages about a particular alleged Mauritian male teenage fashion model. --Pi zero (talk) 12:50, 4 May 2012 (UTC)

Added a third. --Pi zero (talk) 19:50, 4 May 2012 (UTC)
 * ✅, no other related accounts at the moment. -- Cirt (talk) 01:52, 5 May 2012 (UTC)
 * ✅, no other related accounts at the moment. -- Cirt (talk) 01:52, 5 May 2012 (UTC)
 * ✅, no other related accounts at the moment. -- Cirt (talk) 01:52, 5 May 2012 (UTC)
 * ✅, no other related accounts at the moment. -- Cirt (talk) 01:52, 5 May 2012 (UTC)

Sridhar1000 and other Sridhar sock accounts
✅ as socks of.

More info at commons:Commons:Requests for checkuser/Case/Sridhar1000.

Appears to be long term sock master, cross wiki, for a significant period of time and amount of disruption.

All accounts should be blocked and tagged.

Cheers, -- Cirt (talk) 14:12, 6 May 2012 (UTC)

Peculiar spam
These exhibit a common behavior, which I've seen once before (but don't have the earlier account name handy). User page created with multiple sections, each what brianmc has aptly termed "drivel", with odd double-commas here and there. Googling fragments of these texts turns up copies on various discussion fora around the internet, except that where the copy here has a double-comma, a copy elsewhere will have the name of some random product, with a link. After investigating several of these via Google I no longer bother once I see the drivel with the double-commas. The copies here are technically neither advertising nor linking to external sites, but they taste like spiced ham so I'm treating them as such. --Pi zero (talk) 13:07, 23 May 2012 (UTC) . Different technical data for a few, but exact same useragent info. Also, is ✅ to. -- Cirt (talk) 17:05, 23 May 2012 (UTC)

UPDATE:

These are all ✅. -- Cirt (talk) 17:12, 23 May 2012 (UTC)

Looks like another. --Pi zero (talk) 02:04, 25 May 2012 (UTC)
 * ✅. -- Cirt (talk) 04:20, 25 May 2012 (UTC)
 * ✅. -- Cirt (talk) 04:20, 25 May 2012 (UTC)

And another. --Pi zero (talk) 12:39, 7 June 2012 (UTC)
 * ✅. -- Cirt (talk) 16:25, 7 June 2012 (UTC)
 * ✅. -- Cirt (talk) 16:25, 7 June 2012 (UTC)

Username vandal
Take a look at the block log; a string of usernames obviously created by a single vandal. Can we fish out the underlying IP and get it hit for, oh, a month or two? (Or indef, if it's a proxy.) Blood Red Sandman  (Talk)   (Contribs) 20:27, 24 May 2012 (UTC)
 * ✅. That's gotta be . -- Cirt (talk) 21:11, 24 May 2012 (UTC)

Redundant spammers
These two spammed adevertising the same site, one as a mainspace article and the other as its talk page. --Pi zero (talk) 02:13, 31 May 2012 (UTC) These four are ✅. -- Cirt (talk) 15:47, 1 June 2012 (UTC)

Oddly correlated IPs
I'm wondering if there's a technical connection between these two IPs, as there's a peculiar behavioral connection. Both of these put speedy-deletion-worthy content on the same two Comments talk: pages. What's peculiar about this is, the later one put patent nonsense on those two pages (and on one other page), whereas the first one put louis vuitton spam there (and on two other pages). We've had a lot of louis vuitton lately, which unfortunately I haven't been keeping track of (it's hard to trace this stuff after it's been deleted), so I hoped something correlated with it might be useful. --Pi zero (talk) 13:30, 7 June 2012 (UTC)
 * 1) (‎louis vuitton)
 * 2) (patent nonsense)
 * Well, the rDNS for these are cust804.host-stage-dns.com and cust802.host-stage-dns.com respectively. I'm assuming both are insecure/hacked IIS7 servers and will be applying a three-month block. As it stands, these look to be web hosting which we should not have any requirement to be 'lenient' with. --Brian McNeil / talk 14:22, 7 June 2012 (UTC)
 * Possibly related, but they appear to be using different (though similar) user agents. -- Cirt (talk) 16:27, 7 June 2012 (UTC)
 * The following might be worth passing on to the CU mailing list because there's something "odd" with these couple of well-separated IPs having similar rDNS. From the entire 100-999 range, the following popped up; I half-expected cust808.host-stage-dns.com to start resolving as another host compromised by whatever on earth this is. Note that for some of the low-numbered ones the rDNS of the IP doesn't march the forward.
 * cust100.host-stage-dns.com :&mdash;
 * cust101.host-stage-dns.com :&mdash;
 * cust102.host-stage-dns.com :&mdash;
 * cust103.host-stage-dns.com :&mdash;
 * cust105.host-stage-dns.com :&mdash;
 * cust107.host-stage-dns.com :&mdash;
 * cust108.host-stage-dns.com :&mdash;
 * cust109.host-stage-dns.com :&mdash;
 * cust110.host-stage-dns.com :&mdash;
 * cust111.host-stage-dns.com :&mdash;
 * cust143.host-stage-dns.com :&mdash;
 * cust528.host-stage-dns.com :&mdash;
 * cust595.host-stage-dns.com :&mdash;
 * cust800.host-stage-dns.com :&mdash;
 * cust801.host-stage-dns.com :&mdash;
 * cust802.host-stage-dns.com :&mdash;
 * cust803.host-stage-dns.com :&mdash;
 * cust804.host-stage-dns.com :&mdash;
 * cust805.host-stage-dns.com :&mdash;
 * cust807.host-stage-dns.com :&mdash;
 * May be nothing, but was unusual enough to cobble together a couple of scripts to look at it. --Brian McNeil / talk 16:17, 7 June 2012 (UTC)
 * Will forward this along to CU mailing list. -- Cirt (talk) 16:27, 7 June 2012 (UTC)
 * Please let me know privately if anything comes up from this, it's just too weird. I was wondering if I'd found a domain being used to keep track of botnet/zombie machines; there's little correlation in the IPs in terms of 'belonging' to a legit organisation, but one in terms of if found through vulnerability scanning. --Brian McNeil / talk 16:35, 7 June 2012 (UTC)
 * The first two IPs mentioned look like the Chinese botspammers. They're active cross-wiki and use open proxies most of the time. Trijnstel (talk) 16:41, 7 June 2012 (UTC)
 * My thought is that the &lt;whatever>.host-stage-dns.com is being used to keep track of open proxies. --Brian McNeil / talk 14:22, 8 June 2012 (UTC)

Offensive usernames


Charming little gobshite we've got here. Recommend passing onto the CU list to find out any other usernames cross-wiki and getting them all blocked. Could also do with a hiderev on the user create and so. --Brian McNeil / talk 14:05, 12 June 2012 (UTC)
 * I've done the revision hiding on these. Not needed too often, so took me a minute or two to implement. Do let know if an established troll or sockpuppeteer is involved (even if not saying who). --Brian McNeil / talk 14:11, 12 June 2012 (UTC)
 * Going by the time of creation, I've a suspicion is involved as well, although I couldn't guess who or what AGK is, so it shall remain unblocked unless proven.  Blood Red Sandman  (Talk)   (Contribs) 14:28, 12 June 2012 (UTC)

✅. FWIW, AGK is an admin on en.wikipedia. -- Cirt (talk) 18:00, 12 June 2012 (UTC)
 * Not surprised by either revelation :) Ty Blood Red Sandman  (Talk)   (Contribs)
 * You're welcome! :) -- Cirt (talk) 02:17, 13 June 2012 (UTC)

Grossly offensive vandal(s)


Topic of request will become amusingly clear when you see the block log.

A few other usernames created in same timeframe, so keen to catch any sleepers/other socks &mdash; as well as confirm these are a pair. --Brian McNeil / talk 05:30, 27 June 2012 (UTC)
 * ✅. Perfect match. No other socks found on that IP range though --Cspurrier (talk) 19:38, 30 June 2012 (UTC)

Persistent PITA


According to Pi zero, 4th account creating self-same page. Would a narrow IP rangeblock help "provide clue"? --Brian McNeil / talk 06:22, 23 July 2012 (UTC)
 * That got a little garbled in transmission. The same user created the same content under four different page names, over a fairly long period of time which is why we hadn't noticed it sooner.  Once I noticed, I blocked the user &mdash; but they immediately turned around and created the content again, under a fifth page name, using a different account.


 * --Pi zero (talk) 12:57, 23 July 2012 (UTC)
 * Well, the same logic applies. A /24, /23 or /22 block might only hit him. A /22 is always a good bet for folks on ADSL (which rDNS may reveal); the majority of DSLAM-type kit will serve 768 customers per box, usually all in the same range - unless the ISP has had to scrounge IP addresses for the lease. --Brian McNeil / talk 12:54, 24 July 2012 (UTC)
 * Well, the same logic applies. A /24, /23 or /22 block might only hit him. A /22 is always a good bet for folks on ADSL (which rDNS may reveal); the majority of DSLAM-type kit will serve 768 customers per box, usually all in the same range - unless the ISP has had to scrounge IP addresses for the lease. --Brian McNeil / talk 12:54, 24 July 2012 (UTC)

These are all ✅ as the same. -- Cirt (talk) 00:52, 27 July 2012 (UTC)
 * ✅. Carried out some blocks. -- Cirt (talk) 00:50, 27 July 2012 (UTC)

Saki/Saqib AGAIN
I'm looking at, which I blocked for a month after they self-identified as prolific socker Saqib. As a memory refresher, Saqib's account was unblocked on the condition of strict transparancy regarding use of undeclared accounts. I took the undeclared use of an IP to breach the spirit of that and blocked. I'm asking both the account and the IP to be looked at very closely indeed, to root out any socks lurking. Blood Red Sandman (Talk)   (Contribs) 19:57, 23 August 2012 (UTC)
 * The IP, from checks I've carried out, is within a university (Madrassa?) and may-well be a compromised DNS server. I'd also like to request a range-check centred around the appropriate /24 or /22 as I would be remarkably unsurprised not to find an absence of lurking socks. --Brian McNeil / talk 21:00, 23 August 2012 (UTC)


 * - No accounts on that particular IP, other info on is stale at this point in time. -- Cirt (talk) 16:40, 24 August 2012 (UTC)
 * And the /22 or /24? --Brian McNeil / talk 18:43, 24 August 2012 (UTC)
 * Nope, sorry, nothing else on that range at this time. -- Cirt (talk) 01:27, 27 August 2012 (UTC)

More 'peculiar spam' / randomized usernames

 * Previously raised [ here].

This was a bunch of usernames which mostly looked like they'd been spat out by a program (along the lines of a random password generator).

Well, there's more, and this probably merits being taken up on the checkuser list. Please note the special annotations.
 * Suspects in last 24-odd
 * x
 * A
 * B
 * x
 * A
 * B
 * A
 * B
 * B
 * B


 * Older, creation date based upon Howdy from user talk
 * 1) x Created Aug 16
 * 2) x Created Aug 16
 * 3) x Created Aug 10
 * 4) x Created Jul 19
 * 5) x Created Jul 9


 * Key:
 * x&mdash;Already blocked
 * A&mdash;Strangely enough, created B

Looks pretty obvious here that one or more individuals are running account-creation bots for spamming and - possibly other - purposes. It looks suitably sophisticated that, if duscussion on the checkuser list concurs, is an issue developers should be looking into. --Brian McNeil / talk 12:52, 24 August 2012 (UTC)
 * Emailed Cirt to highlight this, and the above, CU request(s). --Brian McNeil / talk 13:16, 24 August 2012 (UTC)
 * ✅, admins please block all above accounts, will raise issue with CU list. -- Cirt (talk) 16:44, 24 August 2012 (UTC)
 * Any feedback you can divulge from checkuser-l on this? I found 14 created over a two-day period, which I conservatively extrapolate as over 300 accounts created since the start of July. Of those, 6 have been caught and blocked. That's only 2% of what could-well be an army of would-be spammer accounts in the last two months. This has been going on a good-deal longer than that. --Brian McNeil / talk 02:16, 27 August 2012 (UTC)

Just noticed and blocked this one. --Pi zero (talk) 12:29, 27 August 2012 (UTC) Update: I'll drill down deeper into this investigation shortly. -- Cirt (talk) 12:41, 27 August 2012 (UTC)
 * 1) x Created Aug 16
 * Another 'suspect'
 * , just created.
 * Anything at-all that can be fed back from checkuser-l, even if privately and in-confidence? Since my guess is this is using a username generation routine derived from a password generator, my best-guess is the amount of entropy in the usernames compared to their length would give a high probability of identifying possible suspects. --Brian McNeil / talk 11:02, 6 September 2012 (UTC)


 * Here's two I caught in recent days spamming with the m.o. I associate with this phenomenon. --Pi zero (talk) 11:23, 6 September 2012 (UTC)

This one may not be technically related, but no objections to the block on spam grounds. -- Cirt (talk) 02:09, 7 September 2012 (UTC)
 * x Created Jun 18
 * x Created Aug 16
 * ✅, problem spammer geolocates to, I've shared a bit more info privately. -- Cirt (talk) 19:57, 6 September 2012 (UTC)
 * Update: A ton more ✅, here (see blocks from today) for more info on those accounts. Might be worth correlating and tagging with an arbitrary one of those easy-to-remember usernames of the bunch as a sockmaster page, using the sock user page templates, for keeping track purposes. -- Cirt (talk) 20:08, 6 September 2012 (UTC)
 * NOTE: I've called as the sockmaster, so we can keep track of these. -- Cirt (talk) 21:12, 6 September 2012 (UTC)
 * See more now handily at Category:Sockpuppets of Loiedfedd. Cheers, -- Cirt (talk) 21:13, 6 September 2012 (UTC)

Perhaps another [two]? --Pi zero (talk) 17:48, 18 September 2012 (UTC)
 * x Created Sep 14
 * x Created Sep 12
 * ✅, socks of . Blocked another couple socks and some IPs. -- Cirt (talk) 18:16, 18 September 2012 (UTC)

'Nother this morning. I'd wait and present these in batches, but tend to lose track of them that way. --Pi zero (talk) 11:43, 19 September 2012 (UTC)
 * x Created Sep 19
 * ✅, blocked it, another sleeper sock, and some IPs. ✅ as socks of . Geolocates to . -- Cirt (talk) 15:44, 19 September 2012 (UTC)

And moar
Latest --Pi zero (talk) 15:22, 22 September 2012 (UTC)
 * x Created Sep 22
 * ✅. -- Cirt (talk) 20:52, 22 September 2012 (UTC)

Another:
 * I assume you're keeping tabs on the IPs causing this problem; are we yet at a stage we could zap 80%+ of these pests with a /18 or /20 rangeblock? --Brian McNeil / talk 08:19, 24 September 2012 (UTC)
 * I assume you're keeping tabs on the IPs causing this problem; are we yet at a stage we could zap 80%+ of these pests with a /18 or /20 rangeblock? --Brian McNeil / talk 08:19, 24 September 2012 (UTC)


 * ✅. Yeah, if you check my block log I've been blocking related IPs and other users discovered as ✅, and we've been doing global blocks and rangeblocks discussed on CU list. -- Cirt (talk) 15:13, 24 September 2012 (UTC)
 * I did notice you blocked just-shy of 164,000 IP addresses for a year. The Great SpamFilter of Wikinews :P --Brian McNeil / talk 16:22, 24 September 2012 (UTC)
 * Feel free to modify any of them without any objections from me. :) So far no collateral damage after checks related to the blocks. The blocks are mostly those similar to others on other wikis related to the Chinese spammer / Chinese spambots. -- Cirt (talk) 03:12, 25 September 2012 (UTC)


 * Yet-more:
 * and (The latter is part of 180.128.0.0/17 - looks like Bangladesh Telecom's IP block, but APNIC is rarely kept up-to-date when they flog parts off). --Brian McNeil / talk 08:32, 25 September 2012 (UTC)
 * --Pi zero (talk) 11:29, 25 September 2012 (UTC)
 * --Pi zero (talk) 16:59, 25 September 2012 (UTC)
 * Jebonx2011 probably unrelated to the rest. The others ✅ as . -- Cirt (talk) 18:00, 25 September 2012 (UTC)


 * &mdash; spammed page User:Karan1913. --Pi zero (talk) 05:22, 26 September 2012 (UTC)
 * No other results came up in IP check but it's ✅ based on prior checks. -- Cirt (talk) 16:18, 26 September 2012 (UTC)

IPs
Another one:
 * Comes up as:
 * Comes up as:

NetRange: 61.0.0.0 - 61.255.255.255 CIDR: 61.0.0.0/8 OriginAS: NetName: APNIC3 NetHandle: NET-61-0-0-0-1 Parent: NetType: Allocated to APNIC

Found a referral to whois.apnic.net.

% [whois.apnic.net node-2] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 61.147.0.0 - 61.147.255.255 netname: CHINANET-JS descr: CHINANET jiangsu province network descr: China Telecom descr: A12,Xin-Jie-Kou-Wai Street descr: Beijing 100088

route: 61.147.0.0/16 descr: CHINANET jiangsu province network country: CN origin: AS23650 mnt-by: MAINT-CHINANET-JS changed: ip@jsinfo.net 20030414 source: APNIC
 * Based on the route, I'm going to block 61.147.0.0/16. Please verify such has no adverse impact. --Brian McNeil / talk 10:26, 27 September 2012 (UTC)
 * ✅, zero collateral damage. -- Cirt (talk) 15:10, 27 September 2012 (UTC)

Usernames

 * --Pi zero (talk) 11:56, 28 September 2012 (UTC)
 * Most different IPs so far but same user agent, combined with behavior evidence and username, it's ✅. -- Cirt (talk) 15:30, 28 September 2012 (UTC)
 * --Pi zero (talk) 12:59, 4 October 2012 (UTC)
 * Also, ✅. -- Cirt (talk) 18:41, 4 October 2012 (UTC)
 * --Pi zero (talk) 21:45, 6 October 2012 (UTC)
 * --Pi zero (talk) 03:44, 7 October 2012 (UTC)
 * ✅. -- Cirt (talk) 04:40, 7 October 2012 (UTC)


 * This doesn't fit [well] the semi-random-username pattern, but I do wonder if it's related. --Pi zero (talk) 14:43, 11 October 2012 (UTC)
 * ✅. -- Cirt (talk) 02:31, 12 October 2012 (UTC)


 * --Pi zero (talk) 12:44, 15 October 2012 (UTC)
 * --Pi zero (talk) 12:50, 15 October 2012 (UTC)
 * ✅. -- Cirt (talk) 18:22, 15 October 2012 (UTC)
 * ✅. -- Cirt (talk) 18:22, 15 October 2012 (UTC)


 * --Gryllida 10:08, 16 October 2012 (UTC)
 * ✅. -- Cirt (talk) 15:32, 16 October 2012 (UTC)


 * --Pi zero (talk) 12:59, 17 October 2012 (UTC)
 * Technically unrelated, though no problem with blocking on behavioral evidence. Cheers, -- Cirt (talk) 14:29, 17 October 2012 (UTC)


 * Sure looks like a bot, though maybe not the same one. --Pi zero (talk) 02:51, 19 October 2012 (UTC)
 * That one is for sure ✅, thanks! Cheers, -- Cirt (talk) 03:00, 19 October 2012 (UTC)
 * --Pi zero (talk) 13:32, 23 October 2012 (UTC)
 * --Pi zero (talk) 16:38, 23 October 2012 (UTC)
 * ✅. Also blocked a buncha stuffs. -- Cirt (talk) 17:08, 23 October 2012 (UTC)
 * --Pi zero (talk) 16:38, 23 October 2012 (UTC)
 * ✅. Also blocked a buncha stuffs. -- Cirt (talk) 17:08, 23 October 2012 (UTC)


 * --Pi zero (talk) 13:49, 24 October 2012 (UTC)
 * ✅, blocked some stuff. -- Cirt (talk) 14:34, 24 October 2012 (UTC)
 * ✅, blocked some stuff. -- Cirt (talk) 14:34, 24 October 2012 (UTC)


 * --Pi zero (talk) 03:55, 25 October 2012 (UTC)
 * ✅, other stuff blocked as well. -- Cirt (talk) 04:20, 25 October 2012 (UTC)
 * --Pi zero (talk) 03:11, 27 October 2012 (UTC)
 * ✅ match to Wcbqj770--Cspurrier (talk) 15:12, 27 October 2012 (UTC)
 * --Pi zero (talk) 12:14, 27 October 2012 (UTC)
 * Not an exact match at an IP level, but the IP and username are listed on stopforumspam.com --Cspurrier (talk) 15:12, 27 October 2012 (UTC)
 * --Pi zero (talk) 17:45, 28 October 2012 (UTC)
 * ✅ Match with PandaTn7i--Cspurrier (talk) 02:24, 29 October 2012 (UTC)
 * --Pi zero (talk) 13:44, 29 October 2012 (UTC)
 * ✅. -- Cirt (talk) 17:46, 29 October 2012 (UTC)
 * --Pi zero (talk) 12:20, 30 October 2012 (UTC)
 * ✅, match to the other panda, but not . Cheers, -- Cirt (talk) 17:20, 30 October 2012 (UTC)
 * --Pi zero (talk) 12:05, 2 November 2012 (UTC)
 * ✅, both are Chinaspam. -- Cirt (talk) 15:36, 2 November 2012 (UTC)
 * --Pi zero (talk) 16:11, 2 November 2012 (UTC)
 * ✅. -- Cirt (talk) 16:16, 2 November 2012 (UTC)
 * --Pi zero (talk) 01:17, 3 November 2012 (UTC)
 * ✅, gawd this Chinaspam is annoying. Did a rangeblock for one year. Checked, and zero collateral damage. -- Cirt (talk) 16:46, 3 November 2012 (UTC)
 * Although I'm very tired of this, I figure each one should be reported here as found; to not report them would be like stopping a course of antibiotics partway through, it'donly make things worse. --Pi zero (talk) 12:08, 4 November 2012 (UTC)
 * ✅, agreed, us local checkusers should really get on doing more rangeblocks from the cu list, it just takes time to separate the wheat from the chaff. -- Cirt (talk) 17:27, 4 November 2012 (UTC)
 * Although I'm very tired of this, I figure each one should be reported here as found; to not report them would be like stopping a course of antibiotics partway through, it'donly make things worse. --Pi zero (talk) 12:08, 4 November 2012 (UTC)
 * ✅, agreed, us local checkusers should really get on doing more rangeblocks from the cu list, it just takes time to separate the wheat from the chaff. -- Cirt (talk) 17:27, 4 November 2012 (UTC)


 * --Pi zero (talk) 11:09, 6 November 2012 (UTC)
 * ✅. -- Cirt (talk) 16:30, 6 November 2012 (UTC)
 * --Pi zero (talk) 17:03, 12 November 2012 (UTC)
 * ✅, both. -- Cirt (talk) 18:16, 12 November 2012 (UTC)
 * ✅, both. -- Cirt (talk) 18:16, 12 November 2012 (UTC)

Yet more usernames
These next two are obviously the same party; the IP is a repeat offender rematerializing at about the same time. --Pi zero (talk) 13:39, 8 December 2012 (UTC)
 * --Pi zero (talk) 14:25, 16 November 2012 (UTC)
 * ✅, -- Cirt (talk) 16:54, 16 November 2012 (UTC)
 * --Pi zero (talk) 02:05, 24 November 2012 (UTC)
 * ✅ Same ip as Jzdixn19 as 12896kza.--Cspurrier (talk) 02:16, 24 November 2012 (UTC)
 * --Pi zero (talk) 12:27, 26 November 2012 (UTC)
 * ✅ Same ip as Ewdchy8340 and Hera2962. --Cspurrier (talk) 22:04, 27 November 2012 (UTC)
 * --Pi zero (talk) 02:15, 5 December 2012 (UTC)
 * ✅ --Cspurrier (talk) 03:29, 5 December 2012 (UTC)
 * --Pi zero (talk) 03:31, 5 December 2012 (UTC)
 * ✅ Different ISP though.--Cspurrier (talk) 03:35, 5 December 2012 (UTC)
 * --Pi zero (talk) 06:15, 5 December 2012 (UTC)
 * ✅, -- Cirt (talk) 06:51, 5 December 2012 (UTC)
 * ✅, -- Cirt (talk) 06:51, 5 December 2012 (UTC)
 * ✅ Outle9683, Buycwi112, Shoppingtr09 match. New ip ranges then before. The IP does not match at all. It's edits were made using Sevenval software on a Sevenval owned ip (maybe a mobile proxy?). --Cspurrier (talk) 16:38, 8 December 2012 (UTC)
 * ✅ Outle9683, Buycwi112, Shoppingtr09 match. New ip ranges then before. The IP does not match at all. It's edits were made using Sevenval software on a Sevenval owned ip (maybe a mobile proxy?). --Cspurrier (talk) 16:38, 8 December 2012 (UTC)
 * ✅ Outle9683, Buycwi112, Shoppingtr09 match. New ip ranges then before. The IP does not match at all. It's edits were made using Sevenval software on a Sevenval owned ip (maybe a mobile proxy?). --Cspurrier (talk) 16:38, 8 December 2012 (UTC)
 * ✅ Outle9683, Buycwi112, Shoppingtr09 match. New ip ranges then before. The IP does not match at all. It's edits were made using Sevenval software on a Sevenval owned ip (maybe a mobile proxy?). --Cspurrier (talk) 16:38, 8 December 2012 (UTC)


 * --Pi zero (talk) 03:04, 10 December 2012 (UTC)
 * ✅, -- Cirt (talk) 22:35, 10 December 2012 (UTC)
 * --Pi zero (talk) 15:38, 12 December 2012 (UTC)
 * ✅. -- Cirt (talk) 17:04, 12 December 2012 (UTC)
 * --Pi zero (talk) 01:54, 15 December 2012 (UTC)
 * ✅, thanks, snagged another one with that one. ;) -- Cirt (talk) 15:55, 15 December 2012 (UTC)

That fscking cat's back
Yes, is back - or has an admirer. --Brian McNeil / talk 15:54, 28 August 2012 (UTC) These are ✅. -- Cirt (talk) 20:55, 28 August 2012 (UTC)

Huangfu86365
Recently, a group of pattern ([//en.wikinews.org/w/index.php?title=Special%3AGlobalUsers&username=Huangfu0&group=&limit=50 Huangfu...]) spambots have been created cross-wiki. Some of them have already spammed. Please consider investigating and. Mathonius (talk) 07:53, 7 September 2012 (UTC)
 * ✅, and blocked. -- Cirt (talk) 17:10, 7 September 2012 (UTC)

Potentially compromised account
It has been (credibly) alleged to me, off-wiki, that has had his account hacked. Would like that checked out. Further details can be supplied privately if needed but to be honest, that's about as much as I know at present. Blood Red Sandman (Talk)   (Contribs) 23:06, 9 September 2012 (UTC)
 * Also note this will likely need brought up on the mailing list, since the account being clean on this project might not indicate the full story. Blood Red Sandman  (Talk)   (Contribs) 23:08, 9 September 2012 (UTC)


 * - I've emailed . It does not appear that the account has been compromised. -- Cirt (talk) 01:01, 10 September 2012 (UTC)
 * - All edits match expected ips (different than 3 days ago, but same range/isp). CU can not confirm that the account was not compromised post 3:40, 9 September 2012 (since there are no later edits), but before that it seems unlikely that the account was compromised (at-least remotely).--Cspurrier (talk) 01:20, 10 September 2012 (UTC)
 * - My findings concur with the previous CUs - it seems unlikely that this account has been compromised, although the sudden spate of edits on the 9th is slightly odd. -- Sken   my talk 10:57, 10 September 2012 (UTC)
 * NOTE: There's more going on here, conferring with other Checkusers. -- Cirt (talk) 01:57, 10 September 2012 (UTC)
 * Okay done for now, it seems we're in agreement re: above. :) -- Cirt (talk) 13:49, 10 September 2012 (UTC)

AndrésSnape

 * blocked for sockpuppetry over on Wikipedia; only turned up on enWN to bait Diego Grez; this may-well be indicative of involvement with whatever may have gone on off-wiki that provoked Diego's lapse of judgement.
 * Would recommend, in somewhat of an exception to usual practice, that all CU-confirmed socks of this user on enWP also be blocked here. We can well-do without Master-Baiters from Encyclopedia Dramatica trying to disrupt process. --Brian McNeil / talk 06:35, 10 September 2012 (UTC)


 * The only sock of from en.wikipedia is, which is not active on this website. -- Cirt (talk) 13:43, 10 September 2012 (UTC)

Nicked Nike Spammers

 * and
 * are a couple of Nike spammers. Would not be at-all surprised to find same, or very close, underlying IPs. That, or use of open proxies. I'm looking for a longer (week?) reasonably-closely targetted IP or rangeblock to discourage them longer-term.

And, at the same time, I blocked this muppet:
 * who I doubt is one of the above-ID's random username spammers, but probably worth a look. --Brian McNeil / talk 12:54, 15 September 2012 (UTC)
 * ✅ above, all, as socks of, the Chinese bot spammer. -- Cirt (talk) 13:05, 15 September 2012 (UTC)
 * Yay! I win, ... again.
 * Sorry for giving you all this work, but I think I've made enough on-wiki 'enemies' to find re-requesting CU privs a rather fraught process.
 * I'm slightly annoyed by that; mainly because I'm proven right more-often-than-not with my suspicions. But, I still have a 'slight' anger management issue (don't suffer fools). If we'd another Tempo weaselled their way into the community and sought to poison it with attitudes only appropriate to Wikipedia, I'd perhaps be more circumspect in my choice of language, but would not tolerate Wikinews being destroyed in that way.
 * The more mainstream media hide behind paywalls, the more archived stuff is only accessible for a fee, the more important Wikinews becomes.
 * We've a killer review process (more in that it kills reviewers through exhaustion than anything else). However, I'd dearly love to see Robert McHenry give us the apology he owes us. We need a bucketload of tools to make life easier for contributors and, more importantly, for reviewers. Even with just half of them, we've a platform that your average school of journalism would pay a fortune for.
 * Wikinews is ailing at the moment because of low contributor levels, and so few active reviewers, but we're so-close to an environment that betters what most schools of journalism throw their students into, paying tens of thousands of $ per semester for, that we need to keep pushing on. --Brian McNeil / talk 14:48, 15 September 2012 (UTC)
 * Well I certainly agree with you as to the last sentence! :) -- Cirt (talk) 19:10, 15 September 2012 (UTC)

Update on Chinese spammer
Update on Chinese spammer: I've carried out about 7 rangeblocks which were set for one year which should stop or at least slow things down from the spamming and socking of late. These were checked by CU tool and had zero collateral impact, at least so far. -- Cirt (talk) 15:28, 24 September 2012 (UTC)
 * Other admins feel free to modify any of these blocks without objections from me. :) -- Cirt (talk) 03:12, 25 September 2012 (UTC)


 * Another one? A casual check said Bangalore, and I'm more-used to addresses with the last octet of 255 being broadcast, whuch made me take pause. Blocked for longer than usual for an IP to ensure ends up checked. --Brian McNeil / talk 11:57, 8 October 2012 (UTC)
 * Well, technicals aren't as solid a match as usual, though useragents are only slightly ... similar. I'd say of course find to block based on the behavioral this time. -- Cirt (talk) 12:57, 8 October 2012 (UTC)
 * Not surprised tech details differ, I'm pretty sure this is a Bangalore address; or, worse still, a spoofed IP (which is extremely hard to do and get enough packets through to edit. If the subnet block is 117.197.57.128/25 (well, something like that), then this is the 'broadcast' address for that range; could originate from any of the 128-odd PCs at the block.
 * I suggest if any other IP spams from within 117.197.56.0/23, and no collateral visible, block the range. --Brian McNeil / talk 13:27, 8 October 2012 (UTC)
 * ✅, there was another account on that range, an account already indef blocked on en.wikipedia. Blocked the range. Good thinking, thank you! ;) -- Cirt (talk) 16:29, 8 October 2012 (UTC)
 * Glad to help clobber spammers. :) --Brian McNeil / talk 16:46, 8 October 2012 (UTC)

Moar spammers

 * looks like another program-generated username.
 * maybe same, but less visibly obvious.
 * likewise.

All spamming links to the sweatshop shoes with a big tick on them. I've one important question, which goes back to the much older alert about creating accounts for spamming: Were the spam edits from significantly different IPs than those used to register the accounts? --Brian McNeil / talk 10:53, 11 October 2012 (UTC)

And more 'potential' spam accounts:

Wouldn't be surprised if there are others too, these are just the ones I picked out of RC. --Brian McNeil / talk 08:04, 12 October 2012 (UTC)
 * Ding! Wf9acas1 just earned a ban for spamming. --Brian McNeil / talk 15:20, 12 October 2012 (UTC)
 * ✅. -- Cirt (talk) 15:54, 12 October 2012 (UTC)

Spamming socks

 * and

Aksharadeoll re-created the self-promotional spam of the second user, so some block-evasion here I suspect. --Brian McNeil / talk 12:37, 13 October 2012 (UTC)
 * ✅. Geolocates to so probably not the Chinese spammer, but could be related somehow. -- Cirt (talk) 16:55, 13 October 2012 (UTC)

Attention-seeking spammer
This user is probably someone we've seen before, probably in association with the Diego Grez business. Can we associate them with anyone? (There was a user blocked at the time, I seem to recall.) Created lots of pages quickly, for apparently no purpose except to draw attention to xyrself obnoxiously. The list of pages created contains various hints at possible identity. --Pi zero (talk) 02:44, 5 December 2012 (UTC)
 * ✅ Same (national) ISP as Diego Grez--Cspurrier (talk) 03:25, 5 December 2012 (UTC)
 * ✅ Same (national) ISP as Diego Grez--Cspurrier (talk) 03:25, 5 December 2012 (UTC)

ID-10-T

 * 50.134.234.158.
 * Attempted, but foiled by FlaggedRevs, vandalism. Then, announced xyrself as planning a campaign of disruption on WN:AAA.
 * Would like to see the /24 checked on the assumption may-well have created multiple sleeper accounts for disruption. --Brian McNeil / talk 10:04, 19 December 2012 (UTC)
 * Symbol unrelated.svg Nothing found - two edits, no registered users on the /24. -- Sken   my talk 11:56, 19 December 2012 (UTC)
 * Good to know. I doubt it really is Neutralizer; more-likely just some other random troll who thinks pulling that name up will annoy. --Brian McNeil / talk 13:49, 19 December 2012 (UTC)