Wikipedia:Open proxies noticeboard
The Open proxies noticeboard seeks to identify, verify and block open proxies and anonymity network exit nodes. To prevent abuse or vandalism, only proxy checks by verified users will be accepted. All users are welcome to discuss on the talk page, report possible proxies, or request that a blocked IP be rechecked.
- If you've been blocked as an open proxy, please see: Help:blocked.
- To report a proxy check or an incorrect block, see the #Reporting section.
Reporting
[edit]Please report IP addresses you suspect are open proxies below. A project member will scan or attempt to connect to the proxy, and if confirmed will block the address.
![]() | Before reporting any suspected open proxies here, please remember that not all vandals are open proxies and vandals should not get an automatic check here; remember that it takes the volunteers here about 5-10 minutes to give a request a thorough check. |
File a new report here | ||
I. | For block requests:
Verify that the following criterion has been met:
For unblock requests:
Verify that the following criteria has been met:
| |
II. | For block requests
Replace "IP" below with the IP address you are reporting. For unblock requests
Replace "IP" below with the IP address you are reporting. | |
III. | Fill out the resulting page and fill-in the requested information. | |
IV. | Save the page. |
Verified Users/Sysops Templates
|
---|
|
Requests
[edit]
85.115.58.0/24
[edit] – This proxy check request is closed and will soon be archived by a bot.
The range belongs to the Forcepoint proxy service, which is not an open proxy service (it's a commercial proxy service for enterprises).
Reason: Requested unblock. 85.115.33.180 (talk) 12:59, 12 March 2025 (UTC)
Not currently an open proxy. No evidence of an open proxy currently. As these are likely egress IPs from corporate devices, some scrutiny around WP:COI editing from this range might be warranted, but a preemptive block seems excessive to me. Forcepoint maintains an abuse contact, as well, which I've reached out to to see how they handle abuse reports for traffic coming from their IP space. For now, I recommend unblocking this range. — Naomi Amethyst 22:53, 12 March 2025 (UTC)
Completed Unblocked. — Naomi Amethyst 23:01, 12 March 2025 (UTC)
85.115.60.0/22
[edit] – This proxy check request is closed and will soon be archived by a bot.
The range belongs to the Forcepoint proxy service, which is not an open proxy service (it's a commercial proxy service for enterprises).
Reason: Requested unblock. 85.115.33.180 (talk) 13:00, 12 March 2025 (UTC)
Note: The actual blocked range here is 85.115.60.0/22 instead of 85.114.61.0/24, updated request to reflect that. — Naomi Amethyst 14:34, 12 March 2025 (UTC)
Not currently an open proxy. No evidence of an open proxy currently. As these are likely egress IPs from corporate devices, some scrutiny around WP:COI editing from this range might be warranted, but a preemptive block seems excessive to me. Forcepoint maintains an abuse contact, as well, which I've reached out to to see how they handle abuse reports for traffic coming from their IP space. For now, I recommend unblocking this range. — Naomi Amethyst 22:53, 12 March 2025 (UTC)
Completed Unblocked. — Naomi Amethyst 23:01, 12 March 2025 (UTC)
152.117.97.32
[edit] – This proxy check request is closed and will soon be archived by a bot.
- 152.117.97.32 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Attempted to vandalize. Spur says Sonicwall VPN. Nobody (talk) 14:49, 12 March 2025 (UTC)
Unlikely IP is an open proxy Looking at this, it seems like it is a Sonicwall device, but Sonicwall produces many firewalls, routers, and other networking components. I see no evidence that there is an open proxy running on this device. It appears to be an egress IP for St. Peter Catholic School in Greenville, NC, and so it should be monitored for abuse, but it does not appear to be an open proxy. — Naomi Amethyst 18:24, 12 March 2025 (UTC)
- Thanks for running a check @NaomiAmethyst, I've tagged the talk page with {{Shared IP edu}} based on your finding. Nobody (talk) 06:36, 13 March 2025 (UTC)
212.52.23.80
[edit] – This proxy check request is closed and will soon be archived by a bot.
- 212.52.23.80 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 212.52.23.79 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 212.52.23.78 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 212.52.23.77 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 212.52.23.76 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 212.52.23.75 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 212.52.23.74 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 212.52.23.73 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 212.52.23.72 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 212.52.23.71 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Per Spur, "Vpn Super Free VPN". C F A 01:29, 24 March 2025 (UTC)
- Example nmap (other IPs similar):
Nmap scan report for 212.52.23.79 Host is up, received user-set (0.020s latency). Scanned at 2025-03-24 02:01:53 UTC for 258s Not shown: 65527 filtered tcp ports (no-response) PORT STATE SERVICE REASON VERSION 102/tcp open iso-tsap? syn-ack ttl 53 443/tcp open https? syn-ack ttl 53 4000/tcp open tcpwrapped syn-ack ttl 53 7680/tcp open pando-pub? syn-ack ttl 53 8080/tcp open http-proxy? syn-ack ttl 53 9080/tcp open glrpc? syn-ack ttl 53 9095/tcp open unknown syn-ack ttl 53 9150/tcp open unknown syn-ack ttl 53 12345/tcp open http syn-ack ttl 53 Golang net/http server (Go-IPFS json-rpc or InfluxDB API) |_http-title: Site doesn't have a title (text/plain; charset=utf-8). 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port9095-TCP:V=7.94SVN%I=7%D=3/24%Time=67E0BD81%P=x86_64-pc-linux-gnu%r SF:(NULL,15,"\0\0\x0c\x04\0\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(GenericL SF:ines,15,"\0\0\x0c\x04\0\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(GetReques SF:t,15,"\0\0\x0c\x04\0\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(HTTPOptions, SF:15,"\0\0\x0c\x04\0\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(RTSPRequest,15 SF:,"\0\0\x0c\x04\0\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(DNSStatusRequest SF:TCP,15,"\0\0\x0c\x04\0\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(Help,15,"\ SF:0\0\x0c\x04\0\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(X11Probe,15,"\0\0\x SF:0c\x04\0\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(LPDString,15,"\0\0\x0c\x SF:04\0\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(LDAPBindReq,15,"\0\0\x0c\x04 SF:\0\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(LANDesk-RC,15,"\0\0\x0c\x04\0\ SF:0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(TerminalServer,15,"\0\0\x0c\x04\0 SF:\0\0\0\0\0\x05\0\0@\0\0\x03\0\0\0d")%r(NCP,15,"\0\0\x0c\x04\0\0\0\0\0\0 SF:\x05\0\0@\0\0\x03\0\0\0d")%r(JavaRMI,15,"\0\0\x0c\x04\0\0\0\0\0\0\x05\0 SF:\0@\0\0\x03\0\0\0d")%r(afp,15,"\0\0\x0c\x04\0\0\0\0\0\0\x05\0\0@\0\0\x0 SF:3\0\0\0d"); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Missing a closed TCP port so results incomplete Aggressive OS guesses: Linux 2.6.32 (95%), Linux 2.6.32 or 3.10 (95%), Linux 4.4 (94%), Linux 2.6.32 - 2.6.35 (93%), Linux 2.6.32 - 2.6.39 (93%), Linux 4.0 (92%), Linux 3.10 - 4.11 (91%), Linux 3.11 - 4.1 (91%), Linux 3.2 - 3.8 (91%), Linux 3.2 - 4.9 (91%) No exact OS matches for host (test conditions non-ideal). TCP/IP fingerprint: SCAN(V=7.94SVN%E=4%D=3/24%OT=102%CT=%CU=40113%PV=N%DS=11%DC=T%G=N%TM=67E0BE13%P=x86_64-pc-linux-gnu) SEQ(SP=FF%GCD=1%ISR=104%TI=Z%TS=A) OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11) WIN(W1=7C70%W2=7C70%W3=7C70%W4=7C70%W5=7C70%W6=7C70) ECN(R=Y%DF=Y%T=3F%W=7D78%O=M5B4NNSNW7%CC=Y%Q=) T1(R=Y%DF=Y%T=3F%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=N) T4(R=N) U1(R=Y%DF=N%T=3F%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(R=Y%DFI=N%T=3F%CD=S) Uptime guess: 16.813 days (since Fri Mar 7 06:34:49 2025) Network Distance: 11 hops TCP Sequence Prediction: Difficulty=255 (Good luck!) IP ID Sequence Generation: All zeros
Likely IP is an open proxy I wasn't able to get it to load an arbitrary page for me via a variety of protocols, but given the services running and the spur results, these seem very likely. — Naomi Amethyst 02:13, 24 March 2025 (UTC)
Open proxy blocked — Naomi Amethyst 02:18, 24 March 2025 (UTC)
117.198.10.214
[edit] – This proxy check request is closed and will soon be archived by a bot.
- 117.198.10.214 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: [1] deemed proxy Myrealnamm (💬Let's talk · 📜My work) 00:03, 27 March 2025 (UTC)
Nmap scan report for 117.198.10.214 Host is up, received user-set (0.27s latency). Scanned at 2025-03-27 17:25:24 UTC for 23s PORT STATE SERVICE REASON VERSION 21/tcp filtered ftp no-response 22/tcp filtered ssh no-response 80/tcp filtered http no-response 443/tcp filtered https no-response 1080/tcp filtered socks no-response 3182/tcp filtered bmcpatrolrnvu no-response 5000/tcp filtered upnp no-response 8000/tcp filtered http-alt no-response 8080/tcp filtered http-proxy no-response 8443/tcp filtered https-alt no-response 8888/tcp filtered sun-answerbook no-response 9050/tcp filtered tor-socks no-response 9150/tcp filtered unknown no-response 10000/tcp filtered snet-sensor-mgmt no-response 20000/tcp filtered dnp no-response Too many fingerprints match this host to give specific OS details TCP/IP fingerprint: SCAN(V=7.94SVN%E=4%D=3/27%OT=%CT=%CU=%PV=N%DS=18%DC=T%G=N%TM=67E58A1B%P=x86_64-pc-linux-gnu) SEQ(II=I) U1(R=N) IE(R=Y%DFI=N%TG=40%CD=S) Network Distance: 18 hops TRACEROUTE (using proto 1/icmp) HOP RTT ADDRESS 1 0.96 ms _gateway (10.199.22.3) 2 0.46 ms rtr-ge-dmarc.tblflp.net (10.199.1.1) 3 ... 4 5.18 ms 71-32-31-21.rcmt.qwest.net (71.32.31.21) 5 23.07 ms 4.68.144.77 6 14.80 ms ix-be-9.ecore1.a56-atlanta.as6453.net (66.198.118.6) 7 55.28 ms if-bundle-51-2.qcore2.a56-atlanta.as6453.net (64.86.9.33) 8 53.57 ms if-bundle-16-2.qcore2.mln-miami.as6453.net (66.198.117.177) 9 58.92 ms if-bundle-2-2.qcore1.mln-miami.as6453.net (66.110.9.64) 10 55.51 ms if-bundle-7-2.qcore1.aeq-ashburn.as6453.net (216.6.87.26) 11 48.63 ms if-bundle-2-2.qcore2.aeq-ashburn.as6453.net (216.6.87.9) 12 58.34 ms if-ae-12-2.tcore4.njy-newark.as6453.net (66.198.155.33) 13 52.63 ms if-ae-23-2.tcore2.n0v-newyork.as6453.net (216.6.99.72) 14 ... 17 18 266.10 ms 117.198.10.214
Unlikely IP is an open proxy Nothing open when I checked it, and I did also check the range and while it seems like there is a lot of bad security/firewall practices on the range, there does not appear to be an open proxy on this IP (and I didn't find any obvious ones on the /20 either). — Naomi Amethyst 17:27, 27 March 2025 (UTC)
Automated lists and tools
[edit]- User:AntiCompositeBot/ASNBlock maintained by User:AntiCompositeBot is a list of hosting provider ranges that need assessment for blocks that is updated daily. Admins are encouraged to review the list and assess for blocks as needed. All administrators are individually responsible for any blocks they make based on that list.
- ISP Rangefinder is a tool that allows administrators to easily identify and hard block all ranges for an entire ISP. It should be used with extreme caution, but is useful for blocking known open proxy providers. All administrators are individually responsible for any blocks they make based on the results from this tool.
- IPCheck is a tool that can help provide clues about potential open proxies.
- Bullseye provides information about IPS, including clues about potential open proxies.
- whois-referral is a generic WHOIS tool.
- Range block finder finds present and past range blocks.
See also
[edit]- Subpages
- Related pages
- Policy on open proxies
- Open proxy detection
- Guide to checking open proxies
- Proxy check result templates
- Advice to users using Tor to bypass the Great Firewall
- meta:XFF project
- Sister projects (defunct)
![]() | This is a WikiProject, an area for focused collaboration among Wikipedians. New participants are welcome; please feel free to participate!
|