License Violation Procedures

Violations are reported by vendors via email or to DBHelp. The IP address and timestamp of the violation are often noted. Sometimes a vendor includes their logs containing the information. With the added security features of EZProxy v7 & the campus SSO, most violations are now use by UMass patrons, not compromised NetID credentials as was previously the case.

Our proxy server address is 128.119.201.53. This is the external IP address.

1. Identify the compromised or offending account.
2. Block the IP address or the user.
3. Report account to abuse@umass.edu or contact the user.
4. Respond to vendor letting them know you have blocked the account.
5. Lifting the block: OIT will respond telling you they have reset the account's password; once you have received this notification lift the block on the account. Or, lift the block on the account once the user responds.
6. Move all emails into the Proxy Abuse folder in the eleres email account.

1. For identifying off-campus users: review the EZProxy logs.
   1. If the vendor indicates the offending behavior came from the proxy server's IP address, it originated from outside the campus IP ranges.
   2. If investigating the abuse on the same calendar day it occurred, you can view the logs in EZproxy's admin website.
      1. Log into https://login.silk.library.umass.edu/admin with the admin credentials. These can be obtained from Margaret or Jaime. [No! We need to add people to the shibuser.txt file as admins.]
      2. Navigate to View ezproxy.log>all.
      3. Find the user's NetID by searching with Ctrl+F for the timestamp or for the vendor's URL.
   3. If investigating behavior from a different calendar day, you must access server logs.
      1. Open WinSCP and log into the EZproxy server.
         1. For EZProxy server credentials and configurations for WinSCP, see Jaime.
         2. If you are working from off campus, you first need to be on the GlobalProtect VPN to get inside the firewall. For VPN installation, open a ticket with LTS.
      2. Click into the logs folder in the right pane. This folder contains hourly logs and daily logs for the previous seven days.
      3. Open the log file that corresponds with the timestamp from the vendor.
      4. Saved logs have timestamp of date/time they were saved in filename.
      5. Find the user's NetID by searching with Ctrl+F for the timestamp or for the vendor's URL.
      6. Close any open files, then exit WinSCP; do not save the session.
      7. Note that server logs are retained for one week, so we cannot identify misuse farther back than that.
2. For identifying on-campus users: email OIT.
   1. The vendor's email or logs will indicate the offending behavior originated from within the campus IP address ranges. The current ranges are listed at the top of the EZProxy config file.
   2. Email itprotect@umass.edu with the vendor's logs or similar info and ask them to identify the user for you. That email must be sent by Margaret, Camille, or Jaime. To add another person to that whitelist, one of those three can contact OIT. OIT needs the following information to identify the user:
      1. The dates, times the incident took place, and the timezone of this date & time information.
      2. The campus IP address the mis-use was coming from.
      3. The vendor's IP address and network port of the service that is being mis-used.

Note that some vendors are in different time zones (e.g. Elsevier in Europe) and therefore have timestamps in their logs that need to be adjusted to match ours.

1. To block a user:
   1. With WinSCP, access the EZProxy server as described above.
   2. Once logged in, open the shibuser.txt file in the main directory.
      1. The file has a specific structure. The beginning has administrative information, etc.
      2. Some lines are commented out using a #. This means EZProxy does not read these lines as instructions.
   3. Below the line near the bottom that begins with #Suspended users listed below add a new line in this format: If auth:NameID eq “netid@umass.edu”; Deny suspend.htm
   4. Optional: add a commented out line with notes about when & why the user was blocked.
   5. Save the file.
   6. Log into the EZProxy Admin website.
   7. Restart the server by clicking on Restart EZProxy, then typing “restart” into the indicated box (capitalization does not matter) and clicking the here button.
2. To block an IP address:
   1. With WinSCP, access the EZProxy server as described above.
   2. Once logged in, open the config.txt file in the main directory.
   3. In the long list of lines beginning with “RejectIP” add a line for the IP address or range you want to block. Use the syntax RejectIP [ip address/range]
      1. The lines are in numerical order.
      2. Make sure the IP address or range you are blocking is not the EZProxy server's IP address!! (Yes, we've done this.)
      3. Everyone who tries to access resources from this IP address/range will be denied access, not just the offending user.
   4. Save the file.
   5. Log into the EZProxy Admin website.
   6. Restart the server by clicking on Restart EZProxy, then typing “restart” into the indicated box (capitalization does not matter) and clicking the here button.

1. To lift block on a user:
   1. With WinSCP, access the EZProxy server as described above.
   2. Once logged in, open the shibuser.txt file in the main directory.
   3. Delete or comment out the previously added If auth:NameID eq “netid@umass.edu”; Deny suspend.htm line.
   4. Save the file.
   5. Log into the EZProxy Admin website.
   6. Restart the server by clicking on Restart EZProxy, then typing “restart” into the indicated box (capitalization does not matter) and clicking the here button.
2. To block an IP address:
   1. With WinSCP, access the EZProxy server as described above.
   2. Once logged in, open the config.txt file in the main directory.
   3. Delete or comment out the previously added RejectIP [ip address/range] line.
   4. Save the file.
   5. Log into the EZProxy Admin website.
   6. Restart the server by clicking on Restart EZProxy, then typing “restart” into the indicated box (capitalization does not matter) and clicking the here button.

[text cut from elsewhere: Once OIT gives you the user's NetID, email them to ask that they stop doing whatever the vendor flagged. Instruct them to work with either you or their liaison to find other ways to do their work.]

We have identified suspected exploitation of a UMass NetID (below). This NetID has connected to the library's proxy server from at least [number] IP addresses in [timespan], [most/all] of which are in [country or region of the world]. Could you please force a reset of their password?

NetID: XXXXXXXX

Hi [name],

[Vendor] has suspended our access to [resource] due to excessive use and suspected text & data mining activity. Our license terms with [vendor] do not allow for text and data mining, and the pattern of your recent use of the database suggests this kind of activity. Please do not perform text and data mining research with [database].

We are working with [vendor] and campus IT to resolve the issue. If you'd like to discuss this issue further, please reply to this email. If you would like to explore ways to use the Libraries' resources to accomplish your research goals within the bounds of our contractual obligations with our resource vendors, please contact your department's liaison librarian.

Thanks, [your name & title]

We have identified the patron responsible for this behavior, contacted them, and blocked their access pending response. Please restore UMass's access to [resource].

OR

We have blocked the IP address(es) that this behavior was originating from. Please restore UMass's access to [resource].

Databases that DO NOT allow TDM:

• Newsbank (Access World News)
• APS
• HeinOnline – does not allow “downloading or printing an entire issue or issues of a publication or journal within the database.”

Resources that DO allow TDM: (For sure, based on CORAL)

• Adam Matthew
• Accessible Archives
• Annual Reviews
• BioOne
• Brill Reference
• CABI
• China/Asia On Demand
• Duke eJournals
• History Makers
• Institute of Physical (eBooks & Journals)
• IP.com
• Microform Academic Publishers (single title resource)
• Oxford eJournals
• ProQuest
• Royal Society eJournals
• Sage eJournals
• SpringerNature eJournals