Detecting the use of proxies and Tor network

Jeroen Visser
Jeroen’s Personal blog
2 min read, May 14, 2015


So last week, at the company I work for, we had another fraudulent shop. The guy was supposedly a well-known phone store, except that his domain contained a typo. We are always amazed at how thorough these people can be in their scamming business; even when setting up these stores they seemed to use both web proxies and the Tor network.

As we investigated the matter, I quickly learned that these people mostly know what they're doing. They use our SaaS platform to their advantage: we offer such an easy way to set up a store that even before our demo period runs out, they've already made their money and are moving on to the next one.

Can you detect people that use proxies or browse with Tor?

As it turns out, you can. Sometimes.

Detection here is not as easy as you might think. Web proxies tend to rewrite every URL they find, but there are still clever ways around that, such as obfuscating the URLs or splitting them into two strings and then concatenating them in JavaScript. Even though that might sometimes work, some proxies are smarter than others.

What I thought about was that you could set up a WebSocket to check their IP address, as most web proxies never check that. It's not the easiest way, as it requires both a modern browser and an external service to handle the WebSocket requests. It might not be the best solution, but I have yet to find a web proxy that understands WebSockets and also rewrites them.

As for Tor, it's even easier, as the Tor Project already has documentation on this. Below there's a small PHP class that does the job.

How about VPNs and non-web proxies?

VPNs are really hard to detect. You might be able to find some lists, but they are often just for one service and are not updated very frequently. VPNs are not worth anything if developers block them. You might also be able to bypass the browser's built-in VPN settings by using Java/Flash, but that's often more than you really want to do.

Non-web proxies might send you an X-Forwarded-For header, but its contents are not to be trusted. However, when someone sends this header, you can be pretty sure that the IP doesn't belong to the original user. There's no easy way to find these, other than getting lists, as with the VPNs.
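The Tor exit check mentioned above and the "presence, not contents" rule for X-Forwarded-For, as an added Python example that is not the author's PHP class. It assumes the Tor Project's current DNS exit list service (a query for the client's reversed IPv4 octets under dnsel.torproject.org answers 127.0.0.2 for a known exit; the 2015-era ip-port.exitlist.torproject.org zone used a different name format) and takes the resolver as a parameter so the constructed sample answers below can stand in for live DNS.

```python
import ipaddress
import socket

# Assumed TorDNSEL zone and "is an exit" answer (see lead-in); adjust if the service changes.
TOR_DNSEL_ZONE = "dnsel.torproject.org"
TOR_EXIT_ANSWER = "127.0.0.2"

# Headers whose mere presence indicates a proxy hop. Their values are attacker-controlled,
# so they are never parsed for a "real" client IP here.
PROXY_HEADERS = ("x-forwarded-for", "via", "forwarded", "x-real-ip")


def tor_dnsel_name(ip):
    """Build the TorDNSEL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + TOR_DNSEL_ZONE


def is_tor_exit(ip, resolve=socket.gethostbyname):
    """True only when the resolver returns the documented exit answer.

    NXDOMAIN (socket.gaierror), a malformed IP, or any other answer yields False,
    so a resolver outage never flags ordinary customers as Tor users.
    """
    try:
        return resolve(tor_dnsel_name(ip)) == TOR_EXIT_ANSWER
    except (socket.gaierror, ValueError):
        return False


def proxy_signals(headers):
    """Names of proxy-revealing headers present in the request (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in PROXY_HEADERS if h in present]


def classify_request(client_ip, headers, resolve=socket.gethostbyname):
    """Collect risk signals for a request: a Tor exit source and/or proxy headers."""
    signals = ["tor-exit"] if is_tor_exit(client_ip, resolve) else []
    signals.extend("header:" + h for h in proxy_signals(headers))
    return signals


# Constructed answers standing in for live TorDNSEL responses (not real exit data).
SAMPLE_ANSWERS = {"7.100.51.198." + TOR_DNSEL_ZONE: TOR_EXIT_ANSWER}


def sample_resolve(name):
    """Offline stand-in for socket.gethostbyname using the constructed table."""
    if name in SAMPLE_ANSWERS:
        return SAMPLE_ANSWERS[name]
    raise socket.gaierror("NXDOMAIN")  # unknown name, as the real service answers for non-exits


if __name__ == "__main__":
    sample_headers = {"User-Agent": "Mozilla/5.0", "X-Forwarded-For": "10.0.0.5"}  # constructed
    print(classify_request("198.51.100.7", sample_headers, sample_resolve))
```

Pass the default resolver (omit the third argument) to query the live service; the signals are meant to feed a review queue, not to block on their own.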

Have your own method?

I'd love to hear about other methods of detecting and stopping spam, so if you want, just leave it in the comments or reach out to me on Twitter!

