Thomas M. Carlsson
Open Proxy Reports

Open Proxy Blacklist Comparisons

Automatically updated charts - requires enabling of Javascript to view

Blacklist Coverage Comparison Chart
Open proxy coverage and occurrence in diverse blacklists, sampling data averaged over past 10 days













*) Author provides data to rbl.efnet.org so near 100% is expected for the 24h, 48h and 96h rechecks. Accordingly these values are omitted in the score calculation but reported for comparative purposes. Note that other blacklists may use different collection methodologies with different advantages. Blacklists which consistently provide weak coverage against the sampled proxy set may nonetheless have some notable data gaps.
Top Blacklist Performance Scores Over Time
Based on "High" importance of catching open proxies and "Moderate" importance of avoiding potential false positives
Top Blacklist Live Proxy Coverage Over Time
Including all blacklists with a minimum proxy coverage of 15%
Blacklist Performance Notes
Automatically generated notes for recent observations

Dynamic Ranking Preferences

Recalculate the rankings based on custom criteria:

(Javascript required for this to work!)

Chart Columns

OP: Blacklist explicitly specifies open proxies as part of its content. Informational value only.
LIVE: Matching hit ratio for randomly chosen proxies (HTTP CONNECT, SOCKS4 and SOCKS5 only) at time of detection. Higher value is better.
RC 24h: Recheck 24h - Live proxy sample set retested 24 hours later. Higher value is better.
RC 48h: Recheck 48h - Live proxy sample set retested 48 hours later. Higher value is better.
RC 96h: Recheck 96h - Live proxy sample set retested 96 hours later. Higher value is better.
FP 10d: False Positives 10d - Sample of 1000 inactive open proxy IPs (HTTP CONNECT, SOCKS4 and SOCKS5 only) tested 10 days after final detection event. Lower value is better.
FP 30d: False Positives 30d - Sample of 1000 inactive open proxy IPs (HTTP CONNECT, SOCKS4 and SOCKS5 only) tested 30 days after final detection event. Lower value is better.
FP 90d: False Positives 90d - Sample of 1000 inactive open proxy IPs (HTTP CONNECT, SOCKS4 and SOCKS5 only) tested 90 days after final detection event. Lower value is better.
Score: A blacklist ranking score dynamically calculated based on selected weight preferences. Formula weighs early detection of proxies as better than delayed detection, and long-term potential false positives as worse than recent. Higher value is better.

Why this page?

It's not always immediately obvious which blacklists offer a good level of coverage and which do not. Even worse, a previously good blacklist could at any time experience technical issues resulting in degraded data, and the user may not have any way of noticing the decline until long after negative side-effects have started to manifest.

The author firmly believes that open proxies are - due to their elusive ubiquity - an underestimated and underreported factor in fingerprinting unwanted behaviour on the Internet (such as spam, fraud and ACL evasion). This page is an attempt to measure the comparative open proxy compositions of diverse blacklists and to hopefully also encourage more proactive policies as a result.

Blacklists which mainly track unwanted behaviour (e.g. spam) frequently end up listing open proxies (a specific vulnerability which may have enabled the unwanted behaviour) and therefore the efficiency of blacklists could arguably be improved by proactive fingerprinting of open proxy IPs before they have a chance to be abused. Furthermore, given the overall prevalence of open proxies in abuse-tracking datasets a comparatively low hit ratio may signal underperformance of a blacklist's current data collection efforts.

What are its limitations?

The methodology of testing blacklists against live proxies and (from the scanner's point of view) expired proxies is by no means perfect. The live tests and recheck tests are statements of fact in that they assess whether or not newly detected proxies are part of the blacklist zone dataset. The main potential weakness of this test is that DNS failures could occur, but the author attempts to mitigate this by querying blacklists redundantly - both through a private local DNS server and a public (Google) DNS server.
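The redundant lookup described above, as an added example (not the author's code): each IPv4 address is turned into a reversed-octet DNSBL query name and asked through every resolver, so that a failure on one path does not get counted as "not listed". The zone `dnsbl.example`, the sample addresses and the in-memory resolvers are constructed so the example runs offline; leaving undecided IPs out of the hit ratio is an assumption, not something the page specifies.

```python
import ipaddress

LISTING_NET = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBL answers live here (RFC 5782)

def dnsbl_query_name(ip, zone):
    """192.0.2.10 + dnsbl.example -> 10.2.0.192.dnsbl.example (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def check(ip, zone, resolvers):
    """Return 'listed', 'not_listed' or 'unknown' after asking every resolver.

    A resolver returns a list of A records, [] for NXDOMAIN, or None on failure.
    """
    name = dnsbl_query_name(ip, zone)
    verdict = "unknown"
    for resolve in resolvers:
        answers = resolve(name)
        if answers is None:
            continue                  # timeout/SERVFAIL: rely on the other path
        if any(ipaddress.IPv4Address(a) in LISTING_NET for a in answers):
            return "listed"           # one positive answer is enough
        if not answers:
            verdict = "not_listed"    # NXDOMAIN is a real negative
        # non-empty answers outside 127/8 (e.g. a rewriting resolver) are ignored
    return verdict

def live_coverage(ips, zone, resolvers):
    """Hit ratio over IPs with a definite answer, plus the count left undecided."""
    results = [check(ip, zone, resolvers) for ip in ips]
    decided = [r for r in results if r != "unknown"]
    ratio = decided.count("listed") / len(decided) if decided else None
    return ratio, results.count("unknown")

# --- constructed sample data (documentation addresses, hypothetical zone) ---
ZONE = "dnsbl.example"
LISTED = {"10.2.0.192." + ZONE, "7.100.51.198." + ZONE}

def fake_resolver(failing):
    def resolve(name):
        if name in failing:
            return None               # simulated DNS failure for this name
        return ["127.0.0.2"] if name in LISTED else []
    return resolve

RESOLVERS = [
    fake_resolver({"7.100.51.198." + ZONE, "200.113.0.203." + ZONE}),  # "local"
    fake_resolver({"9.113.0.203." + ZONE, "200.113.0.203." + ZONE}),   # "public"
]
SAMPLE = ["192.0.2.10", "198.51.100.7", "203.0.113.9", "192.0.2.55", "203.0.113.200"]
```

With only the first resolver, `198.51.100.7` would come back undecided; the second path is what recovers the listing.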

The significance of the "false positive" check is more dubious, as the author is merely testing if proxies that are no longer detectable are still listed by a blacklist. Just because a proxy is no longer there does not mean that the IP doesn't have other security issues, and it may still be actively used for abuse. It's also possible that a proxy server has simply firewalled the scanner and thus has the mere subjective appearance of no longer being active. Accordingly, the author is by default attaching less credence to the "false positive" results when calculating comparative scores for the blacklists. However, the "false positive" ratios may also display some interesting trends and differences between blacklists and their IP expiration policies.

The data checks are currently carried out purely in the IPv4 space. With blacklists increasingly starting to support IPv6 queries this will become a separate check category.

To DNSBL operators:

I want to help you improve your open proxy coverage! However, I would ask you to also consider the following:

  • I would appreciate it if you familiarised yourself with my relevant research on open proxy detection before getting in touch. It's important that you understand the various technical problems involved.
  • Consider that I'm more interested in helping you improve your own collection workflow than just sending you data. My data is being collected on an old clunker P5 which could fail at any moment. You don't want to depend on my data long-term!
© 2016 Thomas M. Carlsson. All logos and trademarks are the property of their respective owners. Hosting by Eversible.