Detect Users Accessing Your Site Via a Proxy

There are many reasons why someone might want to detect whether users are accessing their site via a proxy. For one, all spammers use proxies. Proxies can also be used to cheat voting systems, create multiple accounts when only one account is allowed, or make it appear that the user is browsing from a different country. On the other hand, there are also legitimate uses for proxies. For example, many ISPs route all their traffic through a proxy.

Today I’ll discuss several techniques you can use to detect if your site is being accessed through a proxy.

Checking HTTP Headers

Transparent and low-anonymity proxies add certain HTTP headers to each HTTP request. Checking for the presence of these headers is the simplest way to detect a proxy. Example PHP code fragment:

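// Keys under which proxy-added request headers can show up in $_SERVER.
// Note: if your own site sits behind a reverse proxy or CDN, some of these
// are set on every request, so this check only makes sense on direct connections.
$proxy_headers = array(
    'HTTP_VIA',
    'HTTP_X_FORWARDED_FOR',
    'HTTP_FORWARDED_FOR',
    'HTTP_X_FORWARDED',
    'HTTP_FORWARDED',
    'HTTP_CLIENT_IP',
    'HTTP_FORWARDED_FOR_IP',
    'VIA',
    'X_FORWARDED_FOR',
    'FORWARDED_FOR',
    'X_FORWARDED',
    'FORWARDED',
    'CLIENT_IP',
    'FORWARDED_FOR_IP',
    'HTTP_PROXY_CONNECTION'
);
// Any one of these headers being present is treated as evidence of a proxy.
foreach ($proxy_headers as $x) {
    if (isset($_SERVER[$x])) die("You are using a proxy!");
}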

Some have suggested that comparing the remote port ($_SERVER['REMOTE_PORT']) to common proxy ports could also be used for proxy detection. I haven’t tested this, but it seems unlikely. As far as I know, servers listen for inbound connections on one set of ports and perform outbound connections from different port numbers (often randomly selected). So if the proxy server is running (waiting for inbound connections) on port 8080, it would use a different port number for retrieving your page (this being an outbound connection).

Highly anonymous proxies don’t add the abovementioned headers and can’t be detected with this technique.

Port scan

Another way to detect a proxy is to scan commonly used proxy ports on the client’s IP. If any of the ports are open, that host is probably a proxy. Here’s a primitive port scanner:

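// Commonly used proxy ports to probe on the client's address.
$ports = array(8080,80,81,1080,6588,8000,3128,553,554,4480);
foreach ($ports as $port) {
    // The last argument is the connect timeout in seconds; a filtered port can
    // hold the request for that long, and the ports are tried one after another.
    if (@fsockopen($_SERVER['REMOTE_ADDR'], $port, $errno, $errstr, 30)) {
        die("You are using a proxy!");
    }
}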

Keep in mind that legitimate users may view port scanning as highly suspicious. If you decide to do this, make sure you save the results somewhere so you don’t need to do it again for that user. Store the IP status (proxy or not) in a database, or at least set a cookie.

Open Proxy Blacklists

There are many sites that maintain blacklists of open proxies and open SMTP relays. The Wikipedia entry on DNSBL goes into some detail on this and also lists several such blacklists (e.g. SORBS and DSBL).

You can query these blacklists using the DNS protocol. For example, if you want to check the IP address 1.2.3.4 on DSBL.org, do a DNS lookup for 4.3.2.1.list.dsbl.org. If the lookup succeeds, the IP was found in the list. The exact hostnames vary by blacklist provider. To perform a DNS lookup in PHP, use the gethostbyname() function.

Here’s a more complete example with source code - blacklist lookups in PHP.
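The DNS lookup described above can be written as follows. This is an added example, not the linked code or the author's own; the function names, the injectable `$resolver` parameter and the stub records are assumptions made so the block runs without network access.

```php
<?php
// Added example (not the original author's code): DNSBL lookup for an IPv4 client.

// Build the query name: octets reversed, then the blacklist zone.
// 1.2.3.4 + list.dsbl.org  ->  4.3.2.1.list.dsbl.org (the page's example)
function dnsbl_query_name(string $ip, string $zone): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // this sketch handles IPv4 only
    }
    return implode('.', array_reverse(explode('.', $ip))) . '.' . $zone;
}

// true = listed, false = not listed, null = input could not be checked.
// $resolver is an assumption of this example: it lets a stub replace
// gethostbyname() for offline testing.
function dnsbl_is_listed(string $ip, string $zone, ?callable $resolver = null): ?bool
{
    $name = dnsbl_query_name($ip, $zone);
    if ($name === null) {
        return null;
    }
    $answer = ($resolver ?? 'gethostbyname')($name);
    if ($answer === $name) {
        return false; // gethostbyname() returns its argument unchanged on failure
    }
    // DNSBLs answer with an address in 127.0.0.0/8. Anything else is treated as
    // "not listed", e.g. a resolver that rewrites failed lookups to a landing page.
    return filter_var($answer, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        && strncmp($answer, '127.', 4) === 0;
}

// Constructed stub data so the demo runs without network access.
$stub = function (string $name): string {
    $records = [
        '4.3.2.1.list.dsbl.org'   => '127.0.0.2',   // listed
        '9.9.0.192.list.dsbl.org' => '203.0.113.7', // rewritten failure, not a listing
    ];
    return $records[$name] ?? $name;
};

foreach (['1.2.3.4', '192.0.9.9', '198.51.100.20', 'not-an-ip'] as $ip) {
    echo $ip, ' => ', var_export(dnsbl_is_listed($ip, 'list.dsbl.org', $stub), true), PHP_EOL;
}
```

On a live site, omit the third argument so gethostbyname() performs the lookup, and cache the result per IP as suggested for the port scan.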

In conclusion

There are other tricks I didn’t mention above, like using cookies or Java applets, but they are less reliable and rely on client-side features. That might be fine if you just want to ensure your human visitors aren’t skewing poll results (or something) by using proxies, but client-side techniques wouldn’t work against most automated spam bots and other malware.

Overall, there is no way to be 100% sure whether someone is using a proxy server to access your site, but the methods described in this post can help you identify a large percentage of proxy connections.

Ah, I forgot to mention the various CGI proxies that are marketed as “MySpace/Facebook/whatever unblockers”. Well, if they’re not in one of the blacklists, you’ll need to write a script (JavaScript) that checks if the domain name of the current page matches your site’s domain name. If it doesn’t, use some advanced framebreaker JavaScript to get your site out of their frames. Google it.

However, be aware that using a frame breaker would also make your website break out of Google Image Search frames and so on. Also, CGI proxies process your HTML code and can remove your frame-breaking script - that’s why I said it needs to be advanced.

Good luck :)


2 Responses to “Detect Users Accessing Your Site Via a Proxy”

  1. 1
    dsfds says:

    interesting article

  2. 2
    White Shadow says:

    Well thank you, Mr. Spammer :P
