Help:CheckUser
From Wikipedia, the free encyclopedia
- This is a user manual page, not a policy discussion page. For discussion on CheckUser policy on Wikimedia, see m:CheckUser and m:CheckUser Policy. Technical info, feature updates and corrections are most welcome.
The Special:CheckUser function allows a user with checkuser permission to check which IPs are used by a given username, and which usernames are used by a given IP, without having to run queries directly against the database by hand. This lets the system administrators get on with running the systems.
The usual use of this is to check for blocked users coming back with sockpuppet accounts.
(Users without checkuser permission get an error message.)
Wikimedia privacy policy
On Wikimedia wikis, privacy policy considerations are of tremendous importance. Unless someone is definitely violating policy with their actions (e.g. massive bot vandalism or spam), revealing their IP, whereabouts or other information sufficient to identify them is likely a violation.
CheckUser is essentially a system administrator level function ("developer" in Wikimedia jargon), and requires the level of confidentiality one would apply to our most confidential user data.
The relevant section of the privacy policy is:
- Policy on release of data derived from page logs
- It is the policy of Wikimedia that personally identifiable data collected in the server logs will not be released by the developers who have access to it, except as follows:
- In response to a valid subpoena or other compulsory request from law enforcement
- With permission of the affected user
- To the chair of the Foundation, her legal counsel, or her designee, when necessary for investigation of abuse complaints.
- Where the information pertains to page views generated by a spider or bot and its dissemination is necessary to illustrate or resolve technical issues.
- Where the user has been vandalising articles or persistently behaving in a disruptive way, data may be released to assist in the targeting of IP blocks, or to assist in the formulation of a complaint to relevant Internet Service Providers
- Where it is reasonably necessary to protect the rights, property or safety of the Wikimedia Foundation, its users or the public.
- Wikimedia policy does not permit public distribution of such information under any circumstances, except as described above.
Information release
- Note: CheckUser information release is governed by the CheckUser policy.
Even if the user is committing abuse, it's best not to reveal personal information if possible.
- If the user has said they're from somewhere and the IP confirms it, it's not releasing private information to confirm it if appropriate.
- If they're on a large ISP (e.g. AOL, NTL, BT, Telstra), they're one of millions and it's not personally identifiable.
- Revealing the country is generally not personally identifiable (e.g. "User:Querulous is coming in from the UK, User:Sockpuppet is coming in from Canada").
- If you're in any doubt at all, give no detail and answer like a magic 8-ball.
Mailing list and consultation methods
For Wikimedia checkers, there is a mailing list, checkuser-l. This is a closed list.
There is also a private checkuser IRC channel (#wikimedia-checkuser).
Both of these provide means to consult and get advice on checks and their interpretation, especially in the case of more complex vandalism. Use these to ask for help, ideas and second opinions if you're not sure what the data means. Both are used by checkusers on all Wikimedia Foundation projects.
Typical use
User:Querulous is doing something highly antisocial and abusive in a way that makes you suspect them of being the sockpuppet of a blocked user. You have CheckUser and your wiki policy allows you to look up Querulous.
- Go to Special:CheckUser.
- In "User:", enter Querulous (not User:Querulous) and click the "OK" button next to it. (It won't work if you just hit Enter!)
- You will get back all IPs matching User:Querulous in the recentchanges table.
- Look up the IPs using whois and nslookup.
- If the previous step doesn't make it futile, click on each of the listed IPs. (You may find it useful to open each IP page in a new window or tab)
- Click the "OK" button next to "IP:" in each of the IP windows. This will then list all entries from the recentchanges table for that IP. You now have a list of all usernames that have edited using that IP.
- You may then wish to check any new usernames to see if the editing patterns are suspiciously similar.
IP range checking
You can check an IP range of /16 or /24, not just a single IP. Enter aaa.bbb.ccc.0/24 or aaa.bbb.0.0/16 as the IP and you will get all edits from that IP range, e.g. 172.216.0.0/16 will give all edits from one of the AOL proxy ranges. (Note: using a useless query for an example.)
(You can only check /16 or /24, not other ranges. IPs are stored as text, so /16 or /24 is easy to compare but other ranges would require calculation.)
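The difference between the two kinds of range, as an added example (not the CheckUser extension's own code). It assumes IPv4 addresses stored as dotted-decimal strings; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample of addresses as they would be stored: plain text.
STORED = ["10.1.2.3", "10.1.200.9", "10.10.0.5", "10.100.7.7",
          "10.1.16.1", "10.1.31.254", "10.1.32.1"]

def text_prefix(cidr):
    """String prefix that selects a /16 or /24 when IPs are stored as text."""
    network = ipaddress.ip_network(cidr, strict=True)
    if network.prefixlen == 16:
        keep = 2
    elif network.prefixlen == 24:
        keep = 3
    else:
        # Any other length splits an octet, so no single text prefix fits.
        raise ValueError("only /16 and /24 fall on a dotted-octet boundary")
    octets = str(network.network_address).split(".")
    # The trailing dot matters: "10.1" alone also matches 10.10.x.x and 10.100.x.x.
    return ".".join(octets[:keep]) + "."

def match_by_text(stored_ips, cidr):
    """Range check done purely as a string comparison."""
    prefix = text_prefix(cidr)
    return [ip for ip in stored_ips if ip.startswith(prefix)]

def match_by_calculation(stored_ips, cidr):
    """Range check for any prefix length: parse each address and test it."""
    network = ipaddress.ip_network(cidr, strict=True)
    return [ip for ip in stored_ips if ipaddress.ip_address(ip) in network]

if __name__ == "__main__":
    print(match_by_text(STORED, "10.1.0.0/16"))
    print(match_by_calculation(STORED, "10.1.16.0/20"))
```

The /20 query only works through `match_by_calculation`, which has to parse every stored address; that is the calculation a text comparison avoids.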
Hints and tips
- CheckUser is not magic wiki pixie dust. Almost all queries about IPs will be because two editors were behaving the same way. An editing pattern match is the important thing; the IP match is really just extra evidence (or not).
- Most dialup and a lot of DSL and cable IPs are dynamic. They might change every session, every day, every week, every few months or hardly ever. Unless the access times are right next to each other, be cautious in declaring a match. After a while, you get to know which ISPs change fast or slow.
- If it's a proxy, it might not be a match, depending on the size of the organisation running the proxy (per whois output). If it's an ISP proxy, it is not so likely to be a match.
- If it's an AOL address, you're out of luck — AOL sends each page request through a different proxy.
- If a username is using lots of different IPs in various countries, the IPs may well be open proxies. Check with an open proxy checker.
- Edits from addresses allocated to hosting facilities almost always indicate the use of compromised hosting servers to nefarious ends. Note, however, that the user may have a legitimate shell account on the machine.
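The two lookups from "Typical use", combined with the caution above about dynamic IPs, as an added example (not CheckUser's own code). The rows, usernames other than those used on this page, addresses and the one-hour window are constructed assumptions; the output is supporting evidence to weigh against editing patterns, not a verdict.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows standing in for recentchanges entries: (username, ip, time).
ROWS = [
    ("Querulous", "192.0.2.10", "2006-05-01 10:00"),
    ("Querulous", "192.0.2.77", "2006-05-03 21:15"),
    ("Sockpuppet", "192.0.2.10", "2006-05-01 10:12"),
    ("Bystander", "192.0.2.77", "2006-05-20 08:30"),
    ("Unrelated", "198.51.100.4", "2006-05-01 10:05"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def ips_for_user(rows, user):
    """The "User:" lookup: every IP the username edited from."""
    return sorted({ip for name, ip, _ in rows if name == user})

def users_for_ip(rows, ip):
    """The "IP:" lookup: every username that edited from the IP."""
    return sorted({name for name, row_ip, _ in rows if row_ip == ip})

def shared_ip_report(rows, user, window=timedelta(hours=1)):
    """Map (other_user, ip) -> (smallest gap to one of user's edits, gap <= window)."""
    user_times = defaultdict(list)
    for name, ip, ts in rows:
        if name == user:
            user_times[ip].append(parse(ts))
    report = {}
    for name, ip, ts in rows:
        if name == user or ip not in user_times:
            continue
        gap = min(abs(parse(ts) - t) for t in user_times[ip])
        if (name, ip) not in report or gap < report[(name, ip)][0]:
            report[(name, ip)] = (gap, gap <= window)
    return report

if __name__ == "__main__":
    for (name, ip), (gap, close) in shared_ip_report(ROWS, "Querulous").items():
        note = "close in time" if close else "far apart; the IP may have been reassigned"
        print(f"{name} shares {ip} with Querulous, nearest edits {gap} apart ({note})")
```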
Useful tools
"Unix" here includes Unix-like, Linux and Mac OS X computers.
- whois: On Unix, start a terminal and type whois [IP address] at the command line. This should tell you who owns the IP, what the range is and may also note what they use it for. On Windows, All Net Tools has a pretty good web-based whois (which does an nslookup as well).
- nslookup: On Unix or Windows, nslookup [IP address] at the command line will give you the fully qualified domain name associated with the IP. Note that not all IPs have a domain name, so don't worry if nothing comes back. If you're on Windows, the All Net Tools whois also gives you the FQDN.
- traceroute: With IPs from some Internet Service Providers it may be useful to use the traceroute command and compare the results between two or more IPs. The site All Net Tools also gives you a traceroute function if you don't have it as a command line.
- Open proxy checking: David has yet to find a good tool for this. (proxycheck doesn't do what I want.) There are a number of online proxy checkers: [1]. (I have not tried them.) Help needed. I usually work on a combination of online proxy list checking and educated guesswork ;-) en:User:Tawker runs a web-based proxy checker. To request access to it, contact him on his talk page.
- Checks for other abuse of an IP: http://www.rbls.org/ gives the status of any IP address on a number of Realtime Blackhole Lists. Note that some RBL blocks should be expected, e.g. many block home dynamic IPs for SMTP, but that's not a problem for a wiki. If a user only uses open proxies or addresses marked as sources of abuse, your suspicions may be raised.
How it works
CheckUser checks against the recentchanges table. This means you can only query data as far back as recentchanges goes. (On Wikimedia wikis, this is nominally a week to a month, though it may be more if the database administrators want to keep more data and have room for it.)
The username check is a fairly intensive query, and if the database is under heavy load it may time out before returning. The IP check is much faster.
The source code is in http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/CheckUser/ .
Wikipedia-specific help
None available.
This page is a copy of the master help page at Meta (for general help information all Wikimedia projects can use), with two Wikipedia-specific templates inserted. To update the main text, edit the master help page for all projects at m:Help:CheckUser. For Wikipedia-specific issues, use Template:Ph:CheckUser (the extra text at the bottom of this page) or Template:Phh:CheckUser for a Wikipedia-specific lead (text appears at the top of this page). You are welcome to replace the full wikitext of this page with that of the master page at Meta at any time. To view this page in other languages see the master page at Meta.


