[WikiEN-l] Transparent proxy blocked - again
Jake Waskett
jake at waskett.org
Sat Jun 25 20:31:56 UTC 2005
On Saturday 25 June 2005 00:55, Andrew Gray wrote:
> On 24/06/05, Jake Waskett <jake at waskett.org> wrote:
> > On Friday 24 June 2005 17:53, David Gerard wrote:
> > > > As can be readily seen from a reverse DNS query, this IP address is a
> > > > transparent proxy server, use of which is forced upon NTL users (a
> > > > large UK telco).
> > > > manc-cache-5.server.ntli.net
> > >
> > > Trouble is that admins can't actually see what IP a username is coming
> > > from. So there's no indication until someone calls it to their
> > > attention.
> >
> > Hmm. There seems to be a clash between anonymity and usability here, as
> > is so often the case with security systems.
> >
> > Perhaps we could allow admins to see part of the reverse DNS, but not all
> > of it. If we strip off the last two parts of the name (in this example,
> > leaving just "manc-cache-5.server"), we'd get something that nine times
> > out of ten would identify a proxy or not, but would not be personally
> > identifiable.
>
> Hmm. Set recent-changes to show only anons; 250 edits comes to about
> 175 unique IPs (busy people, these - one was there four or five
> times). Converting them to names, then stripping off the two trailing
> sections, we get this list - http://www.generalist.org.uk/wiki.txt
> (somewhere along the line it went to 126 addresses. Buggered if I know
> why.)
>
> Of those, only 20 have proxy or cache in the name.
>
> Thoughts on how useful this sort of data would be, given the
> reasonably sized sample above?
Ok, so of 126 addresses, we have about 20 proxies. So about 16% of anonymous
Wikipedia's users are recognised as being behind a proxy, using this scheme. I
don't know the answer to this question, but does anybody know roughly what
proportion of web users go through a proxy server? Is it close to 16%? If so,
we've got a pretty good scheme here.
Of course, a determined user could create a sub-domain with 'proxy' or 'cache'
in the title, which would fool a simple software implementation, but perhaps
not a human.
In reply to geni's comment, we're talking about a minor change to the software
anyway, so all that's needed is to present the admin with this information at
the time that he or she chooses to block a user.
Ideally, the software could give the admin a "no IP block" option, to exercise
at his or her discretion (the software may already do this; I don't know).
That would enable pests to be banned without banning others behind the same
proxy. If I were to implement that, I'd also set a "banned user" cookie that
would catch a change of username.
Pros:
* Avoid blocking legitimate users
* Preserves anonymity, to a reasonable extent
* (If "no IP block" option is implemented) Grants more flexibility to admins
in their work.
Cons:
* Will take a couple of days to implement
* Not 100% foolproof (or smart-but-malicious-proof)
Comments, anyone?
Jake
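
The redacted reverse-DNS hint discussed in this thread, sketched in Python as an added example (not code from the list or from MediaWiki). The function names and every sample hostname except manc-cache-5.server.ntli.net are constructed, and the PTR lookups are assumed to have been done already.

```python
KEYWORDS = ("proxy", "cache")   # the two words counted in the thread
STRIP_LABELS = 2                # "strip off the last two parts of the name"

def redact_ptr(ptr_name):
    """Drop the trailing labels of a PTR name; None if nothing is left."""
    labels = [p for p in ptr_name.lower().rstrip(".").split(".") if p]
    kept = labels[:-STRIP_LABELS]
    return ".".join(kept) if kept else None

def looks_like_proxy(redacted):
    """Plain substring match, mirroring the manual count in the thread."""
    return redacted is not None and any(k in redacted for k in KEYWORDS)

def admin_hint(ptr_name):
    """What would be shown at block time: (redacted name, proxy flag)."""
    redacted = redact_ptr(ptr_name) if ptr_name else None
    return redacted, looks_like_proxy(redacted)

def summarise(ptr_names):
    """Return (flagged, total) for a batch of PTR names."""
    hints = [admin_hint(n) for n in ptr_names]
    return sum(1 for _, flag in hints if flag), len(hints)

# Constructed sample, apart from the NTL cache named in the thread.
SAMPLE = [
    "manc-cache-5.server.ntli.net",  # from the thread: flagged
    "host-12-34.dsl.example.net",    # ordinary subscriber line: not flagged
    "proxy.home.example.org",        # owner-chosen name containing "proxy":
                                     # flagged, the false positive noted above
    "pc7.example.co.uk",             # two labels removed still leaves
                                     # "pc7.example", so the registrant shows
    None,                            # no PTR record: nothing to show
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, "->", admin_hint(name))
    print("flagged %d of %d" % summarise(SAMPLE))
```

Because the PTR record is set by whoever controls the address block, the flag is a hint for a human to weigh at block time, not proof of a shared proxy.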