Jump to content

Wikipedia:Abuse response/Guide to abuse response

Add links
From Wikipedia, the free encyclopedia
< Wikipedia:Abuse response
This is an old revision of this page, as edited by Thorncrag (talk | contribs) at 02:02, 23 August 2009 (Quick-adding category Abuse reports documentation (using HotCat)). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
Shortcut

When extensive vandalism comes from an IP address, sometimes the best way to handle it is to contact the systems administrator of that address directly to inform them of the problem. This approach works best for addresses that have a high likelihood of responding to abuse complaints, such as schools, government agencies, or others.

This is a last resort! This is not something to do after a brief, small spate of vandalism. This is only for when there is an established trend of vandalism coming from an IP that can't be dealt with another way without larger repercussions (such as blocking a massive range of addresses). If there have been multiple blocks, multiple sets of warnings, an indefinite block determined to be either impossible or inappropriate, and the vandalism keeps coming as soon as the blocks expire, then this is the place to come to.


Case process

A case goes through the following process, assuming it meets filing criteria:

  1. The report is filed by a user reporting an IP or IP range.
  2. The case is opened by an investigator and the case is investigated.
  3. The investigator looks into the history of the IP and compiles a report on the case page as well as placing the WHOIS and contact information for the organization that is responsible for the IP address.
  4. The investigator completes the case investigation.
  5. The investigator (or some other person) contacts the responsible organization. Any communication is logged on the case page.
  6. The case is closed by the investigator.


How you can help

If you want to help the Abuse project, there are several different ways:

  • You can pre-process reports:
    • mark cases as preliminarily approved using {{ARPrelim}} in the "Case log" area of the case page if the case meets filing criteria (see below).
    • reject cases by placing {{ARA|r|#}}, where # is a common reject reason (see Template:ARA for more information) then change status to "Rejected" on the top of the case.
  • You can investigate cases (see below).
  • You can make contact on cases which have already been investigation but are awaiting contact (see below).


Filing criteria

The criteria for filing an abuse report:

  • The IP must have been blocked a minimum of FIVE times, and
  • There must be current and ongoing abuse from the IP.

A report will be considered stale, and may be rejected if:

  • The IP has had no activity in the past SIX months, AND
  • The IP is not subject to a current block.


How to begin an investigation

  1. Start with the oldest report on the list (these are at the bottom of the list) that you are capable of dealing with. Don't take a report and open the case if you can't finish the investigation.
  2. Double check the following:
  • If one of these criteria hasn't been fulfilled, reject the request by adding {{ARA|r}} followed by a reason and your signature. Then change status to "Rejected" The report will automatically be archived and rejected.
    1. That the IP(s) has been responsible for a trend of vandalism. Note that it's especially important here that it is in fact vandalism as defined in Wikipedia:Vandalism. Other edits may be frustrating, but are not grounds for contacting an ISP. For example, rampant excessive IP sock puppetry in evasion of a ban is a violation of Wikipedia policy, but does not qualify for an abuse report unless the edits made by the IPs are also vandalism.
    2. That the IP(s) has been warned fully (this does not necessarily apply to each and every IP in the case of rampant vandalism from an IP range that is obviously the same user behind the edits, as long as the user can reasonably be seen to have received at least one full set of warnings).
    3. If there are multiple IPs being reported, that they all belong to the same organization,
    4. That blocking, semi-protection, or a similar recourse hasn't solved (or wouldn't solve) the problem; for example, that blocking would affect too many other contributors (so it is undesired), previous blocks have been ineffective, the user is vandalizing too many pages to protect, etc.
  2. If all of the above criteria are met, and you can handle the investigation until completed and create a final report for use when contacting the responsible organization, then change the status of the case to "Open" on the top of the case page.
  3. Put {{AR talk}} at the top of the IP's talk page to inform other users of the investigation.
  4. Edit the subpage to include the results of your investigation. This should include registry information from the WHOIS report, contact information for the abuse department or network administrator, a report containing the address(es), an abuse summary, links to the vandalism (just a few examples are necessary if there are vast amounts), and a summary of all previous blocks. It's also helpful if you can generalize the abuse by time of day, day of week, or other general patterns that would help the organization identify the responsible user(s). (See: Example case.)
  5. When you complete your investigation and your report is ready, add {{AR-done2}} to the case log.


How to make contact

  1. Find the appropriate contact information for the owner of the IP address. This information should be listed in the prepared report. In the WHOIS readout there should be e-mail addresses and (frequently) telephone numbers for contact with the organization. If there is an OrgAbuse section, use that information first, as it's specifically intended for abuse-related complaints. Otherwise, use the OrgTech contact or any other information that you can find. Also, a Google search for the organization's web page may help find abuse-related contact information (for example, AT&T/Yahoo! DSL has a web-based abuse reporting page).
  2. Telephone contacts are the best way to get an administrator's attention, as it's person to person and very direct. If that's not available or you feel uncomfortable calling, then e-mail is the next best thing. Also, e-mail is a good choice if there's a backlog at WP:ABUSE and you need to move through the cases as quickly as possible.
  3. Always be polite (remember that you're representing Wikipedia, and that rude people don't get helped).
  4. Give a brief explanation of who you are, what Wikipedia is, and a summation of the problem. Explain that you're a volunteer and are not acting in an official capacity, but are concerned about the contributions of an IP address that is under their domain.
  5. Provide a link to the investigation subpage, which contains our summary of the abuse and the links they need to perform their own investigation.
  6. Accept their response, whether it's helpful or otherwise, and thank them for their time.
  7. Each time you make contact, keep a log of your contact; record with whom you spoke and a summary of what was said in the contact history section of the report page. (See: Example case.)
  8. When contact has ceased, whatever the result, list it in the contact history.
  9. Once the case has closed, add the {{ARA|a}} template to case log, followed by a brief summary of the final result and your signature then change the case status to "Closed". The case will automatically be archived.
  10. Remove the {{AR talk}} template from the IP(s) talk page.

For a boilerplate e-mail message, see here. If the response from the organization includes a request you cannot handle yourself, refer them to Wikipedia:Contact us so they can make official contact with the Foundation through e-mail.

List of WHOIS sources

List of regional Internet registries

See also

Retrieved from "https://en.wikipedia.org/w/index.php?title=Wikipedia:Abuse_response/Guide_to_abuse_response&oldid=309527014"