Wikinews:Requests for CheckUser/Archive 6

Immigration 'lawyers'

 * was a no-brainer to block for spamming, but didn't spam a link; instead, xyr non-English contribution looked to be the same advert in Spanish. would prefer a quick (simple) CU on this pair to shake any other spammy socks, and confirm Kevinbecker1 can be perma-blocked. --Brian McNeil / talk 11:50, 27 February 2014 (UTC)
 * ✅--Cspurrier (talk) 21:45, 1 March 2014 (UTC)

Troll on AAA
This user has been trolling at AAA, and shows obvious stylistic similarities to the blocked user on whose behalf xe's spewing vitriol. --Pi zero (talk) 08:31, 2 September 2014 (UTC)
 * I'd suspect time delay between block and this new account appearing may render local CU inconclusive. Whether the person undertaking CU can make the case for checks elsewhere is something I'll leave them to on the closed mailing list. --Brian McNeil / talk 08:44, 2 September 2014 (UTC)
 * &mdash; I'm pretty sure it's the same person. Same peculiar convoluted writing style. I'd be very surprised if it was two different people. &mdash; Gopher65talk 14:49, 2 September 2014 (UTC)


 * ✅ as a sock of User:Ccruzwirites. —Tom Morris (talk) 15:50, 2 September 2014 (UTC)
 * — not surprising given the age of the block. —Tom Morris (talk) 15:50, 2 September 2014 (UTC)
 * — not surprising given the age of the block. —Tom Morris (talk) 15:50, 2 September 2014 (UTC)
 * — not surprising given the age of the block. —Tom Morris (talk) 15:50, 2 September 2014 (UTC)

Two similar vandals
These two fairly recent vandals have both used words that could be interpreted as death threats. We should know whether there's technical evidence linking them. (I'm also unsure who to inform of possible death threats but, now that there are two and they're so close together, I have a desire to report it to... somebody.) --Pi zero (talk) 00:16, 8 October 2014 (UTC)
 * ✅ Same IP. —Tom Morris (talk) 06:51, 8 October 2014 (UTC)
 * ✅ Same IP. —Tom Morris (talk) 06:51, 8 October 2014 (UTC)
 * ✅ Same IP. —Tom Morris (talk) 06:51, 8 October 2014 (UTC)

Rangeblock check
Per issues Antandrus is having with cross-wiki stalking/harrassment, could a Checkuser confirm there's no collateral damage on the suggested rangeblocks? (See linked talk). --Brian McNeil / talk 02:21, 1 December 2014 (UTC)
 * ✅There are no non-abusive edits from those ranges. There are however several auto-created users who appear to be unrelated. --Cspurrier (talk) 03:41, 8 December 2014 (UTC)
 * Thanks. Have already implemented one of the blocks, but not seen Antandrus' stalker on the 208 range yet. --Brian McNeil / talk 09:40, 8 December 2014 (UTC)

Kittiesonfire
Our multi-socking pal professes to have returned (see IP edits). Would appreciate the usual check for sleepers. There is one suspect username recently created which I'll pop in, too. BRS (Talk)   (Contribs) 08:51, 25 January 2015 (UTC)
 * ✅ Sorry for the delay. No current socks associated with that ip.--Cspurrier (talk) 00:48, 21 June 2015 (UTC)
 * ✅ Sorry for the delay. No current socks associated with that ip.--Cspurrier (talk) 00:48, 21 June 2015 (UTC)
 * ✅ Sorry for the delay. No current socks associated with that ip.--Cspurrier (talk) 00:48, 21 June 2015 (UTC)

Multiple, suspiciously similar, new users
Noted the following users, with too-similar pattern on usernames. Does a CU to get an IP address show them all originating from a single source? If so, would propose blocking all bar first registered. Only reason I could see not to do so, if suspicions confirmed, would be if IP owned by an educational institution and browser idents differ sufficiently to conclude originate with separate computers behind a proxy. Given name component of new usernames looks like pulled from a list would not be surprised if this is bot activity. --Brian McNeil / talk 14:46, 28 January 2016 (UTC)


 * (First created)
 * ✅ Ip belongs to a dedicated server provider. Either a bot or a private proxy --Cspurrier (talk) 23:17, 28 January 2016 (UTC)
 * Thanks for the prompt check, I feel blocking all &mdash; and the IP, since it's static &mdash; would also be appropriate. I'm going to undertake the former. --Brian McNeil / talk 23:22, 28 January 2016 (UTC)
 * ✅ Ip belongs to a dedicated server provider. Either a bot or a private proxy --Cspurrier (talk) 23:17, 28 January 2016 (UTC)
 * Thanks for the prompt check, I feel blocking all &mdash; and the IP, since it's static &mdash; would also be appropriate. I'm going to undertake the former. --Brian McNeil / talk 23:22, 28 January 2016 (UTC)
 * ✅ Ip belongs to a dedicated server provider. Either a bot or a private proxy --Cspurrier (talk) 23:17, 28 January 2016 (UTC)
 * Thanks for the prompt check, I feel blocking all &mdash; and the IP, since it's static &mdash; would also be appropriate. I'm going to undertake the former. --Brian McNeil / talk 23:22, 28 January 2016 (UTC)
 * Thanks for the prompt check, I feel blocking all &mdash; and the IP, since it's static &mdash; would also be appropriate. I'm going to undertake the former. --Brian McNeil / talk 23:22, 28 January 2016 (UTC)

Batch of spam accounts
We've had quite a few spam accounts just lately characteristically creating pages with the spam information in the page name, typically with lots of spaces inserted to avoid abuse filters. This was a particular prolific bunch all at once, which I just finished cleaning up. --Pi zero (talk) 21:48, 20 April 2016 (UTC)


 * ✅ They do seem to all be the same, but the ips are all over the place. It looks like they are using a large collection of compromised systems to edit. Other than adjust the abuse filter, it doesn't look like there is any thing we can do. --Cspurrier (talk) 02:10, 26 April 2016 (UTC)
 * ✅ They do seem to all be the same, but the ips are all over the place. It looks like they are using a large collection of compromised systems to edit. Other than adjust the abuse filter, it doesn't look like there is any thing we can do. --Cspurrier (talk) 02:10, 26 April 2016 (UTC)
 * ✅ They do seem to all be the same, but the ips are all over the place. It looks like they are using a large collection of compromised systems to edit. Other than adjust the abuse filter, it doesn't look like there is any thing we can do. --Cspurrier (talk) 02:10, 26 April 2016 (UTC)
 * ✅ They do seem to all be the same, but the ips are all over the place. It looks like they are using a large collection of compromised systems to edit. Other than adjust the abuse filter, it doesn't look like there is any thing we can do. --Cspurrier (talk) 02:10, 26 April 2016 (UTC)
 * ✅ They do seem to all be the same, but the ips are all over the place. It looks like they are using a large collection of compromised systems to edit. Other than adjust the abuse filter, it doesn't look like there is any thing we can do. --Cspurrier (talk) 02:10, 26 April 2016 (UTC)
 * ✅ They do seem to all be the same, but the ips are all over the place. It looks like they are using a large collection of compromised systems to edit. Other than adjust the abuse filter, it doesn't look like there is any thing we can do. --Cspurrier (talk) 02:10, 26 April 2016 (UTC)
 * ✅ They do seem to all be the same, but the ips are all over the place. It looks like they are using a large collection of compromised systems to edit. Other than adjust the abuse filter, it doesn't look like there is any thing we can do. --Cspurrier (talk) 02:10, 26 April 2016 (UTC)
 * ✅ They do seem to all be the same, but the ips are all over the place. It looks like they are using a large collection of compromised systems to edit. Other than adjust the abuse filter, it doesn't look like there is any thing we can do. --Cspurrier (talk) 02:10, 26 April 2016 (UTC)
 * ✅ They do seem to all be the same, but the ips are all over the place. It looks like they are using a large collection of compromised systems to edit. Other than adjust the abuse filter, it doesn't look like there is any thing we can do. --Cspurrier (talk) 02:10, 26 April 2016 (UTC)
 * ✅ They do seem to all be the same, but the ips are all over the place. It looks like they are using a large collection of compromised systems to edit. Other than adjust the abuse filter, it doesn't look like there is any thing we can do. --Cspurrier (talk) 02:10, 26 April 2016 (UTC)

Sharp troublemaker
This seems to keep cropping up, with the usual allegations of administrative abuse, and a flurry of misleading mage redirects/moves. Concerned that, unless nipped in the bud, will further disrupt the project. --Brian McNeil / talk 14:21, 31 May 2016 (UTC)


 * ✅ No fresh socks--Cspurrier (talk) 23:42, 31 May 2016 (UTC)
 * ✅ No fresh socks--Cspurrier (talk) 23:42, 31 May 2016 (UTC)

Phone-number spam

 * A complete list of these is provided below at .

Lots of accounts popping up today; new ones get created after others are blocked, so it appears they're not coming from a small set of IPs. Would be nice if we could do something more effective than playing whack-a-mole with them.

--Pi zero (talk) 16:04, 6 April 2017 (UTC)


 * It seems the accounts are using various IPs, which are being globally blocked by a steward in Meta as the accounts are reported. —Alvaro Molina (✉  - ✔ ) 03:00, 7 April 2017 (UTC)
 * Good to know. --Pi zero (talk) 03:03, 7 April 2017 (UTC)


 * For the record, if within a week, no local checkuser responds, then I will perform these checks within my steward capacity. Trijnstel (talk) 19:27, 8 April 2017 (UTC)
 * Thanks Trijnstel. —Alvaro Molina (✉  - ✔ ) 20:15, 8 April 2017 (UTC)


 * I have had a quick look at some of the accounts and IPs. There's some overlap but I'm not finding enough commonality to warrant rangeblocks. Trijnstel: I'm okay with a steward or another CU taking a second look to make sure I haven't missed anything. Thanks for the stewards/meta-folk for handling this spam quickly and stopping it from spreading cross-wiki. —Tom Morris (talk) 20:01, 11 April 2017 (UTC)

I think we should set up abuse filter that blocks for 24 hours if phone numbers, the words "Norton", "MSN", or "AOL" is used, and/or special characters are found. PokestarFan (talk) 19:15, 12 April 2017 (UTC)
 * I would agree, except that I don't know how to do abuse filters. I perforce figured out the one that was keeping me from doing administrative work on archived articles about Liverpool, but other than that I've never tangled with them.  My feelings toward abuse filters are dominated by disapproval of the design decision that made them yet another specialized thing that requires a specialist to operate, and what time I don't pour into Wikinews review is poured into developing tools to bring more wiki tasks within range of nonspecialists (where all wiki tasks should be, by wiki philosophy).  --Pi zero (talk) 19:25, 12 April 2017 (UTC)
 * Ok. And we have more spambots. Check WN:AAA. PokestarFan (talk) 19:29, 12 April 2017 (UTC)

Also, I am creating 1 list ob bots to be used in multiple pages. PokestarFan (talk) 19:29, 12 April 2017 (UTC)
 * There are only two pages we've been listing them on. A shared list seems like a lot of trouble to go to for just two pages.  --Pi zero (talk) 19:34, 12 April 2017 (UTC)
 * Don't worry, I'm creating said list. PokestarFan (talk) 19:37, 12 April 2017 (UTC)

IPs creating gibberish
I have seen a look at the block log, and it looks like several IPs are vandalizing. Are they connected? PokestarFan (talk) 02:12, 13 April 2017 (UTC)

Mikesanders70 and CaliforniaArtNews
Not a request per se, but it feels quite obvious these are socks and perhaps if there is one more Queen page, we should do something -- CUing might be a bit too much, but just letting others know. (CC ). •–• 14:51, 6 August 2021 (UTC)
 * I looked at their edits on other wikis and uncovered a small crosswiki promotional campaign. I’ve done a loginwiki check and found a third account (User:TheQNGalleryArticles) on the same IP address. All three are now locked. To answer your question, the suspicion of socking or spamming is sufficient for a CU. --Green Giant (talk) 19:35, 6 August 2021 (UTC)
 * I looked at their edits on other wikis and uncovered a small crosswiki promotional campaign. I’ve done a loginwiki check and found a third account (User:TheQNGalleryArticles) on the same IP address. All three are now locked. To answer your question, the suspicion of socking or spamming is sufficient for a CU. --Green Giant (talk) 19:35, 6 August 2021 (UTC)