Jump to content

Wikipedia:Abuse response/Guide to abuse response

Add links
From Wikipedia, the free encyclopedia
< Wikipedia:Abuse response
This is an old revision of this page, as edited by Thorncrag (talk | contribs) at 21:04, 4 September 2009 (How to begin an investigation: major revise). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
Shortcut

When extensive vandalism comes from an IP address, sometimes the best way to handle it is to contact the systems administrator of that address directly to inform them of the problem. This approach works best for addresses that have a high likelihood of responding to abuse complaints, such as schools, government agencies, or others.

This is a last resort! This is not something to do after a brief, small spate of vandalism. This is only for when there is an established trend of vandalism coming from an IP that can't be dealt with another way without larger repercussions (such as blocking a massive range of addresses). If there have been multiple blocks, multiple sets of warnings, an indefinite block determined to be either impossible or inappropriate, and the vandalism keeps coming as soon as the blocks expire, then this is the place to come to.


Case process

A case goes through the following process, assuming it meets filing criteria:

  1. The report is filed by a user reporting an IP or IP range.
  2. The case is opened by an investigator and the case is investigated.
  3. The investigator looks into the history of the IP and compiles a report on the case page as well as placing the WHOIS and contact information for the organization that is responsible for the IP address.
  4. The investigator completes the case investigation.
  5. The investigator (or some other person) contacts the responsible organization. Any communication is logged on the case page.
  6. The case is closed by the investigator.


How you can help

If you want to help the Abuse project, there are several different ways:

  • You can pre-process reports:
    • mark cases as preliminarily approved using {{ARPrelim}} in the "Case log" area of the case page if the case meets filing criteria (see below).
    • reject cases by placing {{ARA|r|#}}, where # is a common reject reason (see Template:ARA for more information) then change status to "Rejected" on the top of the case.
  • You can investigate cases (see below).
  • You can make contact on cases which have already been investigation but are awaiting contact (see below).


Filing criteria

The criteria for filing an abuse report:

  • The IP must have been blocked a minimum of FIVE times, and
  • There must be current and ongoing abuse from the IP.

A report will be considered stale, and may be rejected if:

  • The IP has had no activity in the past SIX months, AND
  • The IP is not subject to a current block.


How to begin an investigation

  1. Go to Category:Abuse response - New and find a suitable report to open a case. You can also find suitable cases which have been marked as preliminarily approved in Category:Abuse response - Preliminarily approved. These cases were approved but for whatever reason that person could not open the case themselves.
  2. Verify that the report meets the initial filing criteria.
    1. If the report does not meet the criteria:
      1. Reject the report by placing {{ARA|r}} in the case log, followed by a reason and your signature.
      2. Change status of the report to "Rejected".
      3. Place {{ARA_top}} at the top of the page and {{ARA_bottom}} at the bottom of the page to archive the case.
  3. Verify that the IP(s) is a habitual offender. Note that it is especially important that for vandalism, the it meets the criteria in Wikipedia:Vandalism.
  4. Verify that the IP(s) has been warned suitably. This does not apply to multiple IP addresses if you can link them to the same user and other IPs have previously been suitably warned.
  5. Verify that for multiple IPs that they are all under the jurisdiction of the same provider.
  6. That blocking, semi-protection, or a similar recourse has not resolved the behavior of the user because the user continues to abuse from new IP addresses.
    1. If the report does not meet any of these criteron:
      1. Reject the report by placing {{ARA|r}} in the case log, followed by a reason and your signature.
      2. Change status of the report to "Rejected".
      3. Place {{ARA_top}} at the top of the page and {{ARA_bottom}} at the bottom of the page to archive the case.
  7. If all of the above criterion are met change the status of the case to "Open" on the top of the case page.
  8. Place {{AR talk}} at the top of the IP's talk page to inform other users of the investigation.
  9. Notify the filer of the report by placing <code>{{subst:artb|IP|thanks}}</code> replacing with the IP address.
  10. Edit the case page to include the results of your investigation. This should include registry information from the WHOIS report, contact information for the abuse department or network administrator, a report containing the address(es), an abuse summary, links to the vandalism, and a summary of all previous blocks. It's also helpful if you can generalize the abuse by time of day, day of week, or other general patterns that would help the organization identify the responsible user or users. (See: Example case.)
  11. When you complete your investigation and your report is ready, add {{AR-done2}} to the case log.

How to make contact

  1. Find the appropriate contact information for the owner of the IP address. This information should be listed in the prepared report. In the WHOIS readout there should be e-mail addresses and (frequently) telephone numbers for contact with the organization. If there is an OrgAbuse section, use that information first, as it's specifically intended for abuse-related complaints. Otherwise, use the OrgTech contact or any other information that you can find. Also, a Google search for the organization's web page may help find abuse-related contact information (for example, AT&T/Yahoo! DSL has a web-based abuse reporting page).
  2. Telephone contacts are the best way to get an administrator's attention, as it's person to person and very direct. If that's not available or you feel uncomfortable calling, then e-mail is the next best thing. Also, e-mail is a good choice if there's a backlog at WP:ABUSE and you need to move through the cases as quickly as possible.
  3. Always be polite (remember that you're representing Wikipedia, and that rude people don't get helped).
  4. Give a brief explanation of who you are, what Wikipedia is, and a summation of the problem. Explain that you're a volunteer and are not acting in an official capacity, but are concerned about the contributions of an IP address that is under their domain.
  5. Provide a link to the investigation subpage, which contains our summary of the abuse and the links they need to perform their own investigation.
  6. Accept their response, whether it's helpful or otherwise, and thank them for their time.
  7. Each time you make contact, keep a log of your contact; record with whom you spoke and a summary of what was said in the contact history section of the report page. (See: Example case.)
  8. When contact has ceased, whatever the result, list it in the contact history.
  9. Once the case has closed, add the {{ARA|a}} template to case log, followed by a brief summary of the final result and your signature then change the case status to "Closed". The case will automatically be archived.
  10. Remove the {{AR talk}} template from the IP(s) talk page.

For a boilerplate e-mail message, see here. If the response from the organization includes a request you cannot handle yourself, refer them to Wikipedia:Contact us so they can make official contact with the Foundation through e-mail.

List of WHOIS sources

List of regional Internet registries

See also

Retrieved from "https://en.wikipedia.org/w/index.php?title=Wikipedia:Abuse_response/Guide_to_abuse_response&oldid=311900196"