Tor and Wikipedia

When can a Tor exit node IP edit Wikipedia?

 * Theory — It takes some time for an exit node to be added to the list of blocked IPs. As a result, Tor users who randomly happen to be routed out of a recently added exit node (in the period before Wikipedia has blocked the exit node's IP) are sometimes allowed to edit.
 * Theory — Some exit nodes don't get added to Wikipedia's block list automatically through TorBlock. Tor users who are routed through these exit nodes are allowed to edit Wikipedia until an administrator or bot notices and blocks the IP address.
 * Theory — Some forms of blocking expire after a certain amount of time and, if a Tor node is blocked with an expiry time, then traffic may be allowed through until it is blocked again. This could account for on-and-off patterns of editing coming from Tor nodes.
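
One way to check these three theories against data, as an added example that is not part of the original notes: subtract each IP's block intervals from its exit-node "spell" and label every remaining unblocked window. The record layouts, the function name, the labels and the sample values (documentation-range IPs) are assumptions constructed for illustration.

```python
from datetime import datetime as dt

def unblocked_windows(spells, blocks):
    """spells: (ip, start, end) periods in which the IP was a listed exit node.
    blocks: (ip, start, expiry) block-log intervals; expiry None = indefinite.
    Returns (ip, gap_start, gap_end, label) for each unblocked window in a spell."""
    out = []
    for ip, s_start, s_end in spells:
        # Keep only this IP's blocks that overlap the spell, clipped to it.
        ivals = sorted(
            (max(b_start, s_start), min(b_end or s_end, s_end))
            for b_ip, b_start, b_end in blocks
            if b_ip == ip and b_start < s_end and (b_end is None or b_end > s_start)
        )
        if not ivals:
            out.append((ip, s_start, s_end, "never-blocked"))   # second theory
            continue
        cursor, seen_block = s_start, False
        for b_start, b_end in ivals:
            if b_start > cursor:
                # A gap before any block is a listing delay (first theory);
                # a gap after an earlier block ended is an expiry (third theory).
                label = "expired-block" if seen_block else "listing-delay"
                out.append((ip, cursor, b_start, label))
            cursor, seen_block = max(cursor, b_end), True
        if cursor < s_end:
            out.append((ip, cursor, s_end, "expired-block"))
    return out

# Constructed sample data, not taken from any real block log.
SPELLS = [
    ("192.0.2.10", dt(2013, 3, 1), dt(2013, 3, 20)),
    ("198.51.100.7", dt(2013, 3, 1), dt(2013, 3, 10)),
    ("203.0.113.5", dt(2013, 3, 1), dt(2013, 3, 30)),
]
BLOCKS = [
    ("192.0.2.10", dt(2013, 3, 3), None),            # blocked two days into the spell
    ("203.0.113.5", dt(2013, 2, 20), dt(2013, 3, 8)),  # earlier block expires mid-spell
    ("203.0.113.5", dt(2013, 3, 15), None),          # blocked again a week later
]

if __name__ == "__main__":
    for ip, start, end, label in unblocked_windows(SPELLS, BLOCKS):
        print(f"{ip:14} {start:%Y-%m-%d} to {end:%Y-%m-%d} {label}")
```

Edits whose timestamps fall inside a returned window came from an IP that was a listed exit node and not blocked at that moment; edits outside every window need a different explanation.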

Identifying IPs that are/were Tor exit nodes
We're pulling data from CollecTor, a service created by Tor that "fetches data from various nodes and services in the public Tor network and makes it available to the world."

Extension:TorBlock
There is a MediaWiki plugin called Extension:TorBlock. Source code is in a Phabricator repository.

What we can tell about how it works:


 * during a period from XXXX to 2013 it read from the Tor Project bulk list service (https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=)
 * after Jan 2013, it pulls from the newer "Onionoo" service (https://onionoo.torproject.org/details?type=relay&running=true&flag=Exit)
 * pulls periodically, typically from a cronjob

Questions:


 * Although we know when the commits were made to the git repository that added/switched features in Extension:TorBlock, we don't know exactly when things were deployed to WMF servers. Deployment is likely on a delay, but probably not an enormous one. Still, the commit date clearly bounds when a change could have been deployed.
 * We don't know when the cronjob was run or whether the timing of the cronjob has been consistent over time.

Blocked by Administrators "by hand"

 * Blocks are recorded in Special:Log (e.g., ENWP).

Blocked by a Bot

 * As above, blocks are recorded in Special:Log (e.g., ENWP).

There are at least some bots that seem to automatically find and block open proxies:


 * ProcseeBot (apparently closed source but we could contact the author/operator Slakr)
 * TorNodeBot is a bot that blocked people who were editing over Tor. It was designed to block Tor nodes that the TorBlock extension failed to notice due to a technical error. In particular, TorBlock only detected and blocked current Tor nodes (nodes that were active at the time of checking), so a Tor exit node that was detected, but later disabled after being blocked, would later show up as not being a Tor node (maybe overlooked by the TorBlock extension because it stores the blacklist in a cache). Bots/Request for approval explains this issue in some detail. TorNodeBot was deactivated in 2014 and managed to block 32123 users.

Structure of Special:Log XML file

 * Included in the XML file with notes that might include the template pattern " "

Open questions

 * There are notes in Special:Log that suggest that some IP addresses are "confirmed Tor Nodes" (e.g., ???) that are blocked by hand. Why were these not caught by TorBlock?
 * Are these exit nodes present in our CollecTor data as well?
 * Why does the distribution of edits over the time periods that IPs are marked as exit nodes in our dataset of Tor exit node "spells" not bunch up near the beginning of the period, when the IP is a new Tor node and seems less likely to be blocked? Why are there Tor exit nodes that seem to have been listed in CollecTor for long periods of time without being blocked by Wikipedia?
 * If TorBlock identifies a Tor exit node, are these IP addresses added to or reflected in the Special:Log block log?
 * Does an IP address need to make an edit first in order to be blocked as an open proxy? Can we find examples of this happening? If so, is it always bots that do the blocking?
 * What bots are involved in detecting and blocking IP addresses that are open proxies (especially Tor)?
 * It seems that after some time in 2014, the number of users blocked by Wikipedia dropped dramatically, and the block reasons stopped mentioning Tor. Did they change their blocking method as well as policy? Did the new method help reduce the number of successful revision attempts through Tor, or did they allow Tor users to start editing Wiki pages? Note that, during this time, TorNodeBot also got deactivated.