From Wikitravel

Add nominations for user blocks to the list below.

• User:62.189.34.9 - Apparently a bot that is corrupting non-ASCII characters in articles that it edits. -- Ryan 16:47, 28 August 2006 (EDT)
• User:195.54.84.14 - Apparently a bot that is corrupting non-ASCII characters in articles that it edits. -- Ryan 16:47, 28 August 2006 (EDT)

• User:205.200.236.19 has vandalized Canada, China, Australia, and many others. --Studentvoice 14:12, 4 Feb 2005 (EST)
  • Do not block. All edits are quickly and easily reverted. Editor is clearly using manual techniques. --Evan 13:52, 17 Mar 2005 (EST)

• User:Fuk Mi. Vandal with no cleverness or clue and proud of it. A user page is not a place for hate speech against other users. -- Colin 19:28, 4 Mar 2005 (EST)
  • I wouldn't call it hate speech, just stupid speech. -- Mark 01:47, 5 Mar 2005 (EST)
    • Well, more just childish. I think pretty much every mentally sufficient adult has cleverer ways of being insulting. But I strongly object to the users use of bigoted epithets even taking his lack of vocabulary into account. -- Colin
  • Do not block. Yes, the vandalism has been childish -- all the reason more that we shouldn't let ourselves be pulled down to the level of a personal squabble. I would be extremely disappointed if, after almost two years in operations, one person, doing manual edits, was able to goad us into harsh hard security measure. I strongly suggest that we maintain our professionalism and maturity. We all know how to handle unwanted edits -- revert them. --Evan 13:52, 17 Mar 2005 (EST)

Wikitravel's first IP block

swept in from pub

OK, I've just made history and made 205.200.236.19 on Wikitravel's first-ever IP block. This dimwit has now pulled its stunt of blanking every page it can get its hands on three times, and it's getting late in my part of the world and I don't have access to Mark's nifty autorevert script. Oh, how I'd love to see its face right now... Jpatokal 12:07, 17 Mar 2005 (EST)

I've reverted the block. If this user needs to be blocked, let's discuss on Wikitravel:User ban nominations, per user ban policy. Personally, I think that this user's behavior was not sufficient cause for having our first-ever block. --Evan 14:03, 17 Mar 2005 (EST)

Anonymous Users Blocked for Repeated Spamming

I have blocked the following anonymous users for 24 hours for repeated spamming attacks. There have been 2 attacks in 6 hours. While I understand we should not ban users, I feel that these attacks are some form of automated attack because the attacks all happen quickly (over 2-3 minutes) and 2 different URL's (so far) have been spammed in about 6 hours. This blocking is only for 24 hours to see if it has any effect and to allow some time to discuss if a more permanent ban is needed. The URL's being spammed were not previously on the spam blacklist but are now. -- Huttite 04:09, 6 Jan 2006 (EST) - 08:58, 6 Jan 2006 (EST)

• User:58.143.63.47
• User:58.143.144.234
• User:58.143.160.248
• User:58.120.24.249
• User:58.231.51.74
• User:58.235.22.5 - spammed once each on 13 Dec 2005 & 6 Jan 2005
• User:58.237.232.104
• User:61.32.153.248
• User:61.37.73.75
• User:61.42.152.11
• User:61.97.211.240
• User:61.102.94.4
• User:61.107.250.228
• User:61.111.191.228
• User:211.117.169.172
• User:213.74.156.196
• User:221.165.200.197
• User:222.100.149.92 - also spammed a third time on 13 Dec 2005
• User:222.101.72.206
• User:222.120.254.84

The following IP users were apparently part of attack but not blocked as only spammed using one URL. -- Huttite 06:50, 6 Jan 2006 (EST)

• User:58.72.34.6 - 2 pages same URL
• User:58.225.244.196 - 3 pages same URL
• User:58.239.241.235 - 1 page
• User:59.1.15.85 - 2 pages same URL
• User:59.19.113.217 - 1 page
• User:61.32.211.161 - 1 page
• User:61.32.220.200 - 5 pages same URL
• User:61.37.73.74 - 3 pages same URL
• User:61.75.172.227 - 2 pages same URL
• User:61.82.152.224 - 4 pages same URL
• User:61.102.94.83 - 3 pages same URL
• User:61.102.162.237 - 3 pages same URL
• User:61.250.232.32 - 1 page
• User:61.252.97.108 - 2 pages same URL
• User:66.45.42.123 - 1 page
• User:69.242.94.238 - 2 pages same URL
• User:203.237.205.90 - 2 pages same URL
• User:210.92.36.70 - 3 pages same URL
• User:211.55.131.244 - 2 pages same URL
• User:211.113.235.14 - 4 pages same URL
• User:211.242.9.30 - 3 pages same URL
• User:219.93.72.38 - 1 page
• User:218.55.164.243 - 1 page
• User:220.75.199.69 - 1 page
• User:220.77.20.58 - 1 page
• User:220.219.173.184 - 1 page
• User:222.100.23.247 - 1 page
• User:222.104.7.196 - 3 pages same URL

The following logged on users have been warned for spamming some of exactly the same content. -- Huttite 04:09, 6 Jan 2006 (EST)

• User:Adriannecurry
• User:Serginandr

The last time this sort of thing happened it was actually a spam email doing the spamming. I don't think blocking users can be of much help in that case. -- Mark 12:14, 6 Jan 2006 (EST)

That is why I didn't block the users. I have assumed it is an automated process of some sort - such as a computer virus that is giving a hacker backdoor access to lots of IP addresses. But on the off chance that it is a human attack the warning is there. How effective banning these users will be I do not know. My only hope is that it might slow down the attack so that administrators can keep up. -- Huttite 16:16, 6 Jan 2006 (EST)

This attack occurred over a short period of time. Coordination of this sort implies there was a "master control" in charge of the attack.

This attack quickly adapted to Huttite's spam-filter attempt. This implies that there was a human in control who was able to adapt.

This attack involved making minor changes (generally & into &) in order to evade notice by people reviewing diffs. This implies both the realization by the operator that the changes are not desired by the community, and preplanning of malice.

The volume of minor changes in a short time implies that a script was being used for the attack.

Some of the IP Addresses were the same as used in the previous attack a month or two ago. This implies the attack uses proxies/open relays/virus-compromized hosts to implement their attack. It also implies an attempt at evasion from observation.

I believe bans are justified both as an emergency measure against the use of a script to automate rapid vandalism, and by violating the Script policy by using an unapproved script. I vote for this ban as a temporary emergency measure.

-- Colin 16:52, 6 Jan 2006 (EST)

• Special:Contributions/203.163.231.250 I blocked it for an hour because it was a obvious bot spamming pages at a way higher speed than I could revert. It also looks like I was the only admin active at that time and I was distracted enough not to do a proper revert of the damage that it had done. — Ravikiran 02:51, 29 June 2006 (EDT)