Help:CheckUser - Meta-Wiki
From Meta, a Wikimedia project coordination wiki
This is a technical manual for the CheckUser special page with Wikimedia-specific considerations. For the extension itself, see the CheckUser extension page on the www.mediawiki.org website.
Special:CheckUser allows a user with a checkuser flag to access confidential data stored about a user, IP address, or CIDR range. This data includes IP addresses used by a user, all users who edited from an IP address or range, all edits from an IP address or range, User-Agent headers, X-Forwarded-For headers, and client hints. This tool is usually used to counter users creating bad-faith sock puppet accounts. (Note: checkuser may refer to an access to confidential information, a user with permission to do so, or the technical flag.)
Considerations
Wikimedia Privacy and Confidentiality Policies
Checkusers under the Wikimedia Foundation are subject to the , the , the access to nonpublic information policy, the CheckUser policy and a confidentiality agreement for nonpublic information. Revealing stored confidential data about a user is prohibited except in a limited set of cases detailed in the policies mentioned above.
If possible, the checkuser should attempt to resolve the situation without releasing any information, or by releasing the minimum possible information. The following information is commonly permissible. This list is not comprehensive, and cannot replace the checkuser's judgment:
Confirmation that a user is a sockpuppet without noting personal information;
Information already released by the user;
The ISP used to edit from, if it is large enough that the information is not personally identifiable;
The country their IP address geolocates to, which is generally not personally identifiable.
If the checkuser is at all doubtful, they should give no detail and answer like a Magic 8-Ball.
Mailing list
Wikimedia CheckUsers have access to the private mailing list checkuser-l. They may use this list to discuss or get help, ideas and second opinions.
Best practices
Focus on behavioral patterns: CheckUser is not magic wiki pixie dust. Almost all queries about IPs will be because two editors were behaving the same way. An editing pattern match is the important thing; the IP match is really just extra evidence (or not).
Dynamic IP addresses: Most dialup and a lot of DSL and cable IPs are dynamic. They might change every session, every day, every week, every few months or hardly ever. Unless the access times are right next to each other, be cautious in declaring a match. After a while, you get to know which ISPs change quickly or slowly.
Handling proxies: If it's a proxy, it might not be a match, depending on the size of the organisation running the proxy (per whois output). If it's an ISP proxy, it is not so likely to be a match. Investigate the type of proxy used before drawing a conclusion.
AOL users: If it's an AOL address, you're out of luck — AOL sends each page request through a different proxy.
Open proxy use: If a username is using lots of different IP addresses in various countries, they may well be open proxies. Check with an open proxy checker.
Hosting servers: Edits from addresses allocated to hosting facilities almost always indicate the use of compromised hosting servers to nefarious ends. Note, however, that the user may have a legitimate shell account on the machine.
IPv6 subnets: For IPv6 addresses, you may wish to check the user's entire /64 subnet, because the user may be using more than one address out of their range.
Useful tools
"Unix" here includes Unix-like Linux and Mac OS X computers.
IP address and domain lookup
whois: On Unix, start a terminal and type whois [IP address] at the command line. This should tell you who owns the IP and what the range is, and may also note what they use it for. On Windows, All Net Tools has a pretty good web-based whois (which does an nslookup as well).
nslookup: On Unix or Windows, nslookup [IP address] at the command line will give you the fully qualified domain name associated with the IP. Note that not all IPs have a domain name, so don't worry if nothing comes back. If you're on Windows, the All Net Tools whois also gives you the FQDN.
traceroute: With IPs from some Internet Service Providers it may be useful to use the traceroute command and compare the results between two or more IPs. The site All Net Tools also gives you a traceroute function if you don't have it on the command line.
tcptraceroute: A version of traceroute that uses TCP packets, which get through some firewalls and packet filters that stop ICMP packets. You can get the source code for Unix-like systems; otherwise, most Linux distributions have a package available for it.
Open proxy checking
Various online proxy checking tools, such as Nmap, can help you determine if a user is connecting via open proxies.
Blacklist checks
Checks for other abuse of an IP: rbls.org gives the status of any IP address on a number of Realtime Blackhole Lists. Note that some RBL blocks should be expected, e.g. many block home dynamic IPs for SMTP, but that's not a problem for a wiki. If a user only uses open proxies or addresses marked as sources of abuse, your suspicions may be raised.
Related anon contributions: rangecontribs tool gives anon edits from a given subnet (dead link).
Usage
Basic interface
Go to Special:CheckUser (make sure you are on a wiki where you have access).
In the user field, type in the username (without the 'user:' prefix), IP address, or CIDR range.
IP: any IPv4 (most common) or IPv6 address.
CIDR: you can check a range of IP addresses by appending the CIDR prefix (up to /16 for IPv4 (65,536 addresses) or /48 (1,208,925,819,614,629,174,706,176 addresses) for IPv6). For notation, see Range blocks.
XFF: you can check a client IP address provided by X-Forwarded-For headers by appending /xff (for example, 127.0.0.1/xff).
Select the information you want to retrieve.
Get IPs: returns IP addresses used by a registered user.
Get edits from IP: returns all edits made by a user (registered or anonymous) from an IP address or range.
Get users: returns user accounts that have edited from an IP or range.
In the reason field, type in the reason you are accessing the confidential data. Try to succinctly summarise the situation (for example, "cross-wiki spam"); this will be logged. This may be needed by the Ombudsman Commission.
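The input rules for the user field, together with the /64 suggestion under Best practices, can be checked mechanically before a query is submitted. The following Python sketch is an added example, not code from the CheckUser extension; the function names, the error messages and the choice to accept /xff after a range as well as after a single address are assumptions.

```python
import ipaddress

# Widest ranges the page says Special:CheckUser accepts, per IP version.
MAX_RANGE = {4: 16, 6: 48}


def parse_target(text):
    """Classify a value typed into the `user` field (hypothetical helper).

    Returns a dict with kind ('user', 'ip' or 'range'), whether the lookup
    is against X-Forwarded-For data, and the parsed network if any.
    """
    text = text.strip()
    xff = text.lower().endswith("/xff")
    if xff:
        text = text[:-4]  # assumption: /xff may follow an IP or a range
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        if xff:
            raise ValueError("/xff only applies to an IP address or range")
        if text.lower().startswith("user:"):
            raise ValueError("give the username without the 'user:' prefix")
        return {"kind": "user", "xff": False, "name": text}
    limit = MAX_RANGE[net.version]
    if net.prefixlen < limit:
        raise ValueError(f"/{net.prefixlen} is wider than the /{limit} limit")
    kind = "ip" if net.prefixlen == net.max_prefixlen else "range"
    return {"kind": kind, "xff": xff, "net": net}


def ipv6_slash64(addr):
    """Return the /64 subnet that contains an IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        raise ValueError("the /64 suggestion applies to IPv6 only")
    return ipaddress.ip_network(f"{ip}/64", strict=False)


if __name__ == "__main__":
    # Constructed inputs; 2001:db8::/32 is the IPv6 documentation prefix.
    for value in ("Example", "127.0.0.1/xff", "192.0.2.0/16", "2001:db8::/48"):
        print(value, "->", parse_target(value))
    print(ipv6_slash64("2001:db8:1234:5678:abcd:ef01:2345:6789"))
```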
Screenshots
Basic CheckUser interface
Example username check
Example IP check
Example log
Information returned
A typical entry in the checkuser results for a user summary ("get users") is as follows:
Example (Talk | contribs) (20:11, 20 April 2026 -- 20:12, 20 April 2026) [5]
127.0.0.37 XFF: 127.0.0.1, 127.0.0.5
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11
This layout fits a lot of information into a form that can easily be listed and skimmed, but it is difficult to read unless you know what each piece of information is. The information is laid out as follows:
username (user links) (time period when they edited from the given IP or range)
[number of edits from the IP or range]
IP address the user edited from, along with any XFF (X-Forwarded-For) headers provided (XFF information can be spoofed)
User agent information
Each IP/XFF combination used to edit is listed, in order of use.
The last ten user agents (browser, operating system, system language, and versions) for each user for edits made in the IP or range are listed afterwards.
XFF format
XFF (X-Forwarded-For) headers indicate the series of IP addresses used from the user's computer (first) to the server hosting MediaWiki (last).
In this example:
aaa.aaa.aaa.aaa XFF: 10.4.46.42, 127.0.0.1, aaa.aaa.aaa.aaa, 208.80.152.46
The first two addresses (10.4.46.42, 127.0.0.1) are private to the originating network and can't be reached directly from the public Internet.
The third address (aaa.aaa.aaa.aaa) is the "public face" of the editor, usually a broadband or dialup ISP or a company gateway (but possibly an anonymizer or a malware-compromised server).
The last address (208.80.152.46) is one of the Wikimedia squids (sq36.wikimedia.org).
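Reading a chain like the one above can be automated. This Python sketch is an added example, not CheckUser's own code; the function names, the trusted-proxy list and the address 203.0.113.9 standing in for aaa.aaa.aaa.aaa are assumptions. It treats every hop to the left of the first untrusted address as client-supplied and therefore unverified.

```python
import ipaddress

# Ranges that cannot be reached directly from the public Internet.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

# Constructed sample: the page's chain with 203.0.113.9 (a documentation
# address) standing in for the aaa.aaa.aaa.aaa placeholder.
SAMPLE = "10.4.46.42, 127.0.0.1, 203.0.113.9, 208.80.152.46"
TRUSTED = ["208.80.152.46"]  # assumption: proxies run by the wiki host


def classify_xff(header, trusted=TRUSTED):
    """Label each hop, client side first, server side last."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    hops = []
    for raw in (part.strip() for part in header.split(",")):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            hops.append((raw, "invalid"))
            continue
        if any(ip in net for net in trusted_nets):
            label = "trusted-proxy"
        elif any(ip in net for net in INTERNAL):
            label = "internal"
        else:
            label = "public"
        hops.append((str(ip), label))
    return hops


def public_face(header, trusted=TRUSTED):
    """Return (hop the trusted proxies saw, unverified hops left of it)."""
    hops = classify_xff(header, trusted)
    i = len(hops) - 1
    while i >= 0 and hops[i][1] == "trusted-proxy":
        i -= 1  # skip our own infrastructure at the server end
    if i < 0:
        return None, []
    return hops[i], [h for h, _ in hops[:i]]


if __name__ == "__main__":
    print(classify_xff(SAMPLE))
    print(public_face(SAMPLE))
```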
See also
mw:Help:Special Investigate
Steward's handbook