Wikipedia:Abuse response/Guide to abuse response

1. Go to Category:Abuse response - Waiting for Investigation and find a suitable report to open a case.

• You can also find suitable cases which have been marked as preliminarily approved in Category:Abuse response - Preliminarily Approved. These cases were approved but for whatever reason that person reviewing was not able to open the case themselves.

2. Verify that the report meets the initial filing criteria.

• If the report does not meet the criteria:

a. Reject the report by placing {{ARA|r}} in the case log, followed by a reason and your signature. Alternatively you can use {{ARA|r|#}} where # is a pre-defined reject reason (see Template:ARA for more information).

b. Change status of the report to "Rejected".

c. Place {{ARA_top}} at the top of the page and {{ARA_bottom}} at the bottom of the page to archive the case.

3. Verify that the IP(s) is a habitual offender. Note that it is especially important that for vandalism, the it meets the criteria in Wikipedia:Vandalism.

4. Verify that the IP(s) has been warned suitably. This does not apply to multiple IP addresses if you can link them to the same user and other IPs have previously been suitably warned.

5. Verify that for multiple IPs that they are all under the jurisdiction of the same provider.

6. That blocking, semi-protection, or a similar recourse has not resolved the behavior of the user because the user continues to abuse from new IP addresses.

• If the report does not meet any of the above criteria:

a. Reject the report by placing {{ARA|r}} in the case log, followed by a reason and your signature. Alternatively you can use {{ARA|r|#}} where # is a pre-defined reject reason (see Template:ARA for more information).

b. Change status of the report to "Rejected".

c. Place {{ARA_top}} at the top of the page and {{ARA_bottom}} at the bottom of the page to archive the case.

7. If all of the above criterion are met change the status of the case to "Open" on the top of the case page.

8. Place {{AR talk|IP Owner|IP Address|open}} at the top of the IP's talk page to inform other users of the investigation. It is not necessary to place a notice on all IP pages for multi-IP reports, usually the most recent suffices. IP Owner is the ISP/host, and IP Address is the IP address in the title of the Abuse Response case. Open can be left as is.

9. Notify the filer of the report by placing {{subst:artb|IP|thanks}} replacing IP with the IP address.

10. Remove the {{ARPrelim}} tag from the top of the page.

11. Edit the case page to include the results of your investigation. This should include registry information from the WHOIS report, contact information for the abuse department or network administrator, a report containing the address(es), an abuse summary, links to the vandalism, and a summary of all previous blocks. It's also helpful if you can generalize the abuse by time of day, day of week, or other general patterns that would help the organization identify the responsible user or users.

12. When you complete your investigation and your report is ready, add {{AR-done2}} to the case log.

13. Find the appropriate contact information for the owner of the IP address. This information should be listed in the prepared report. In the WHOIS readout there should be e-mail addresses and frequently telephone numbers for contact with the organization. If there is an OrgAbuse section, use that information first, as it's specifically intended for abuse-related complaints. Otherwise, use the OrgTech contact or any other information that you can find. Also, a Google search for the organization's web page may help find abuse-related contact information (for example, AT&T/Yahoo! DSL has a web-based abuse reporting page).

14. E-mail is the preferred method of communication for Abuse Response because it can easily be recorded and documented for future reference. Additionally, it has become the de-facto standard for reporting abuse for most organizations.

IMPORTANT! when communicating with responsible organizations via e-mail, please use the approved contact templates at Wikipedia:Abuse response/Contact templates.

a. Our primary function is reporting abuse, not necessarily instigating action. Therefore, you should accept their response, whether it is helpful or otherwise, and thank them for their time.

b. If you receive a response that requests more information, do your best to be helpful and comply with their request. If you cannot comply for whatever reason, because it would need the attention of the foundation, you should refer the person to contact the Wikipedia Foundation at WP:CONTACT. If you need assistance, feel free to contact a project coordinator at any time.

15. Each time you make contact, keep a log of your contact. Record with whom you spoke and a summary of what was said in the contact history section of the report page. Each email that you send, and each response you receive that is not an automated reply should be recorded on the case page using {{ARContact}}.

a. If you are contacting a major ISP (i.e., Verizon) and you receive an automated reply, you do not need to await a reply as it is not reasonable to expect that a reply will be received from major organizations for each case.

16. When contact has ceased, whatever the result, record in the contact history.

17. Once the case has closed, add the {{ARA|a}} template to case log, followed by a brief summary of the final result and your signature then change the case status to "Closed".

18. Add {{subst:ARA top}} to the top and {{subst:ARA bottom}} to the bottom of the case page in order to archive the case.

19. On the IP's talk page, change {{AR talk}} to {{AR talk|closed}}.

20. Notify the filer that the case was closed by placing {{subst:Artb|IP|close}} on their talk page, replacing IP with the suffix of the report.