Wikipedia:Abuse reports/Guide to abuse reports

When extensive vandalism comes from an IP address, sometimes the best way to handle it is to contact the systems manager of that address directly to inform them of the problem. This approach works best for addresses that have a high likelihood of responding to abuse complaints, such as schools, government agencies, or others.

This is a last resort! This is not something to do after a brief, small spate of vandalism. This is only for when there is an established trend of vandalism coming from an IP that can't be dealt with another way without larger repercussions (such as blocking a massive range of addresses). If there have been multiple blocks, multiple sets of warnings, an indefinite block is either impossible or inappropriate, and the vandalism keeps coming as soon as the blocks expire, then this is the place to come to.

How to begin an investigation

  1. Start with the oldest report on the list that you are capable of dealing with. Don't take a report and open the case if you can't finish the investigation, but even if you don't have time for a case, feel free to examine new alerts to see if they meet the criteria in step 2.
  2. Double check the following. If one of these criteria hasn't been fulfilled, reject the request by adding {{ARA|r}} followed by a reason and your signature. The bot will automatically archive the request as rejected.
    1. That the IP(s) has been responsible for a trend of vandalism. Note that it's especially important here that it is in fact vandalism as defined in Wikipedia:Vandalism. Other edits may be frustrating, but are not a reason to contact an ISP. For example, rampant excessive IP sock puppetry in evasion of a ban is a violation of Wikipedia policy, but does not qualify for an abuse report unless the edits made by the IPs are also vandalism.
    2. That the IP(s) has been warned fully (this does not necessarily apply to each and every IP in the case of rampant vandalism from an IP range that is obviously the same user behind the edits, as long as the user can reasonably be seen to have received at least one full set of warnings),
    3. If there are multiple IPs being reported, that they all belong to the same organization,
    4. And that blocking, semi-protection, or similar recourse hasn't solved (or wouldn't solve) the problem; for example, that blocking would affect too many other contributors, previous blocks have been ineffective, the user is vandalizing too many pages to protect, etc.
  3. If all of the above criteria are met, and you can handle the investigation until completed and ready for contact, then move the entry for the case from the New Alerts section to the Under Investigation section of the main page.
  4. Put {{AR talk}} at the top of the IP's talk page to inform other users of the investigation.
  5. A subpage should already exist for the case. Subst the {{AR report}} template at the bottom of the subpage to provide a framework for a case, including the primary IP being reported and your username as the investigator; for example, {{subst:AR report|ip=127.0.0.1|user=Example}}.
  6. Edit the subpage to include the results of your investigation. This should include registry information from the WHOIS report, contact information for the abuse department or network administrator, a report containing the address(es), an abuse summary, links to the vandalism (just a few examples are necessary if there are vast amounts), and a summary of all previous blocks. It's also helpful if you can generalize the abuse by time of day, day of week, or other general patterns that would help the organization identify the responsible user(s). (See: Example case.)
  7. When your report is ready, move the case into the Contactor Needed queue for a contactor to take over, or move it directly into the Contactor Assigned section if you plan to make contact yourself.

How to make contact

  1. Find the appropriate contact information for the owner of the IP address. This information should be listed in the prepared report. The WHOIS readout should contain e-mail addresses, and frequently telephone numbers, for contacting the organization. If there's an OrgAbuse section, use that information first, as it's specifically intended for abuse-related complaints. Otherwise, use the OrgTech contact or whatever else you can find. Also, a Google search for the organization's web page may help find abuse-related contact information (for example, AT&T/Yahoo! DSL has a web-based abuse reporting page).
  2. Telephone contacts are the best way to get an administrator's attention, as it's person to person and very direct. If that's not available or you feel uncomfortable calling, then e-mail is the next best thing. Also, e-mail is a good choice if there's a backlog at WP:ABUSE and you need to move through the cases as quickly as possible.
  3. Always be polite (remember that you're representing Wikipedia, and that rude people don't get helped).
  4. Give a brief explanation of who you are, what Wikipedia is, and a summation of the problem. Explain that you're a volunteer and are not acting in an official capacity, but are concerned about the contributions of an IP address that is under their domain.
  5. Provide a link to the investigation subpage, which contains our summary of the abuse and the links they need to perform their own investigation.
  6. Accept their response, whether it's helpful or otherwise, and thank them for their time.
  7. Each time you make contact, keep a log of your contact; record with whom you spoke and a summary of what was said in the Contact Summary section of the report page. (See: Example case.)
  8. When contact has ceased, whatever the result, list it at the bottom of the page.
  9. Once the case has closed, add the {{ARA|a}} template to the bottom of the page, followed by a brief summary of the final result and your signature. EBot will automatically archive the case on the Actioned page and remove it from the main page.
  10. Remove the {{AR talk}} template from the IP(s) talk page.

For a boilerplate e-mail message, see here. If the response from the organization includes a request you cannot handle yourself, refer them to Wikipedia:Contact us so they can make official contact with the Foundation through e-mail.
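
The contact selection described in step 1 of "How to make contact", as an added example that is not part of the original guide: a Python parser that reads an ARIN-style WHOIS readout and returns the OrgAbuse contact, falling back to OrgTech when no usable abuse contact is listed. The sample record, organization and contact details are constructed; the Name/Phone/Email field suffixes follow ARIN's WHOIS output, and other registries label these fields differently.

```python
import re

# Constructed WHOIS readout in the ARIN style; the organization and all
# contact details are made up for this example, not a real registry record.
SAMPLE_WHOIS = """\
OrgName:        Example School District
OrgTechHandle:  TECH1-EXAMPLE
OrgTechName:    Network Operations
OrgTechPhone:   +1-555-0100
OrgTechEmail:   noc@example.org
OrgAbuseHandle: ABUSE1-EXAMPLE
OrgAbuseName:   Abuse Desk
OrgAbusePhone:  +1-555-0199
OrgAbuseEmail:  abuse@example.org
"""

# Preference order from the guide: OrgAbuse first, then OrgTech.
ROLE_ORDER = ("OrgAbuse", "OrgTech")
FIELD_RE = re.compile(r"^(Org(?:Abuse|Tech))(Name|Phone|Email):\s*(.+?)\s*$")


def parse_contacts(whois_text):
    """Collect name/phone/email per contact role from a WHOIS readout."""
    contacts = {}
    for line in whois_text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            role, field, value = m.groups()
            # Keep the first value if a field repeats (several contacts listed).
            contacts.setdefault(role, {}).setdefault(field.lower(), value)
    return contacts


def pick_contact(whois_text):
    """Return (role, details) for the preferred contact, or None if none found."""
    contacts = parse_contacts(whois_text)
    for role in ROLE_ORDER:
        details = contacts.get(role, {})
        # A role is usable only if it offers a phone number or an e-mail address.
        if details.get("phone") or details.get("email"):
            return role, details
    return None


if __name__ == "__main__":
    print(pick_contact(SAMPLE_WHOIS))
```

A `None` result corresponds to the guide's "whatever else you can find" case, where the contact has to be located by hand, for example on the organization's web page.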
