IP Reputation Services
Websites frequently utilize IP reputation services to detect potentially malicious IP addresses. Platforms such as MaxMind and IPInfo maintain comprehensive databases that link identified IP addresses to various proxy and VPN services. Even users of the Tor browser or the I2P network are not immune to this tracking.
Anyone who uses VPN or proxy services will at least have seen the “Anonymous Proxy Detected” pages.
Besides the tracking itself, a further nuisance is that these pages open via (sometimes multiple) redirects and in new windows. Searching online for information about them mostly turns up VPN advertising rather than an explanation.
Uniform Structure of These Sites
The proxy and VPN detection pages all share the same structure; they differ only in the registered owner and in details such as cookie names. In this example the service is operated by "eNom, LLC", which repeatedly refers to "Tucows.com, Co." together with "Tiered Access Compliance and Operations (TACO)".
Host: grincircus.com (172.240.108.84:443)
URL: https://grincircus.com/rv2bsqpz8d?key=9e43582bc948bd66f22cb6d2ca917ad4&psid=fallback
Visible page output: "Anonymous Proxy detected"
Header Request
```http
GET /rv2bsqpz8d?key=9e43582bc948bd66f22cb6d2ca917ad4&psid=fallback HTTP/1.1
Host: grincircus.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: de-DE,de;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Priority: u=0, i
```
Analysis of the HTTP Request
| Parameter | Description |
|---|---|
| GET /emr2zm1sk?key=... | The GET request includes specific query parameters (key and psid) potentially used for session management or unique identification. |
| Host: distributemodel.com | Indicates the target domain of the request. This header is critical for routing and is logged on servers. |
| User-Agent | Contains detailed information about the user’s browser and operating system. Used for fingerprinting and content customization. |
| Accept | Specifies the MIME types supported by the browser. Helps the website deliver appropriate content and may be used for behavioral analysis. |
| Accept-Language | Indicates the user’s preferred languages. Aids geolocation and can assist in user identification. |
| Accept-Encoding | Lists supported compression methods. Can be used for fingerprinting purposes. |
| DNT: 1 | The "Do Not Track" header signals the user’s preference to avoid tracking. However, many websites still disregard this setting. |
| Sec-GPC: 1 | The "Global Privacy Control" header signals enhanced privacy preferences. Increasingly respected by websites but not consistently implemented. |
| Connection: keep-alive | Keeps the connection open for subsequent requests, reducing load times but not directly relevant to tracking. |
| Upgrade-Insecure-Requests: 1 | Indicates the willingness to upgrade insecure HTTP connections to HTTPS. Enhances security but does not directly affect tracking. |
| Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site | These headers provide the context of the request (e.g., navigation). They can be used to analyze user interactions. |
| Priority: u=0, i | Indicates the priority of the request. Not directly relevant to tracking but may be analyzed for usage patterns. |
Header Response
```http
HTTP/1.1 200 OK
Server: nginx/1.21.6
Date: Mon, 30 Dec 2024 02:48:02 GMT
Content-Type: text/html
Content-Length: 118
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Accept-CH: Device-Stock-UA,Sec-CH-UA,Sec-CH-UA-Full-Version,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Mobile,Sec-CH-UA-Model,Sec-CH-UA-Platform,Sec-CH-UA-Platform-Version,Sec-CH-UA-PlatformUser-Agent,User-Agent,X-Device-User-Agent,X-OperaMini-Phone-UA,X-UCBrowser-Device-UA
Set-Cookie: u_pl19071551=1; expires=Tue, 31 Dec 2024 02:48:02 GMT; path=/
Host: grincircus.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: 68b98033b2647ee554c27b4ce48293d0
Cache-Control: max-age=0, private, no-cache
Pragma: no-cache
Strict-Transport-Security: max-age=0; includeSubdomains
Connection: keep-alive
```
Analysis of the Header Response
| Parameter | Description |
|---|---|
| HTTP/1.1 200 OK | Indicates that the request was successfully processed, regardless of whether an anonymous proxy was detected. |
| Server: nginx/1.21.6 | Specifies the web server used. Nginx is widely adopted for its efficiency and flexibility. |
| Date: Mon, 30 Dec 2024 03:07:16 GMT | Timestamp of the response. |
| Content-Type: text/html | Specifies the MIME type of the content, in this case HTML. |
| Content-Length: 118 | Indicates the size of the content in bytes. |
| P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" | Platform for Privacy Preferences Project header, once used to declare privacy policies but now largely obsolete. |
| Accept-CH: ... | Lists the client hints the server asks the browser to send. Helps tailor content delivery but can also be used for tracking. |
| Set-Cookie: u_pl22330951=1; expires=Tue, 31 Dec 2024 03:07:16 GMT; path=/ | Sets a persistent cookie to identify and track the user across multiple sessions. |
| Host: distributemodel.com | Repeats the host header from the request. |
| Expires: Thu, 01 Jan 1970 00:00:01 GMT | Sets the expiration date to a past date, typically used to delete previous cookies. |
| Cache-Control: no-cache | Prevents the page from being cached by the browser. |
| X-Request-ID: f55e8d3089acdb2c39c89fd143fbfa38 | Enables the server operator to link a specific request to a session or user, allowing precise tracking alongside the set cookie. |
| Cache-Control: max-age=0, private, no-cache | This combination ensures that browsers and proxies do not cache the content and always retrieve the latest version from the server. |
| Pragma: no-cache | Also prevents caching of the page. |
| Strict-Transport-Security: max-age=0; includeSubdomains | HSTS normally enforces the use of HTTPS, but here max-age=0 disables the directive immediately. |
| Connection: keep-alive | Keeps the connection open for further requests. |
| HTML Output | Simple message "Anonymous Proxy detected" as the visible output for the user, while tracking continues in the background. |
Permanent Cookie
| Name | Value | Expires | Path |
|---|---|---|---|
| u_pl19071551 | 1 | Tue, 31 Dec 2024 02:48:02 GMT | / |
Cookie Analysis
| Parameter | Value | Description |
|---|---|---|
| Name/Value Pair | u_pl22330951=1 | The cookie name u_pl22330951 with the value 1 indicates a tracking/identification cookie. |
| expires | Mon, 30 Dec 2024 02:48:02 GMT (in the example: valid until 31 Dec 2024 02:48:02 GMT) | The cookie is valid until this date and is deleted by the browser after expiry, unless the user removes it earlier. In the example discussed it is valid for one day (until 31.12.2024 02:48:02 GMT). |
| path | / | The cookie applies to the entire domain (e.g., grincircus.com), so any path under the domain can read it. |
| Function | Recognition | The cookie uniquely identifies the visitor on future visits or subsequent pages. Changing the IP address or switching to a different proxy does not help, because the cookie ID persists and allows recognition on the next page load. |
Conclusion
- Fingerprinting via Accept-CH and X-Request-ID: Additional headers like Accept-CH and X-Request-ID contribute to potential fingerprinting by providing device characteristics and unique request IDs.
- Cache Busting: With no-cache and an expired Expires date, every request is guaranteed to reach the server, enabling seamless tracking of user behavior.
- Cookie Mechanism: The cookie u_pl22330951=1 sets a unique identifier. The value itself is trivial; the per-visitor cookie name is what enables recognition. The 24-hour validity period is relatively short but is renewed with every server response, so it is extended for as long as the visitor keeps returning.
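The checks from the response and cookie analysis above, as an added example that is not part of the original article: a small Python script that parses a raw HTTP response such as the one captured above and reports which of the discussed tracking mechanisms (persistent cookie, client hints, request ID, cache busting, disabled HSTS) are present. The sample response is constructed from the captured headers, and CAPTURED_AT is taken from its Date header.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed from the response headers captured above (body omitted).
RAW_RESPONSE = """HTTP/1.1 200 OK
Accept-CH: Device-Stock-UA,Sec-CH-UA,Sec-CH-UA-Full-Version,Sec-CH-UA-Full-Version-List,Sec-CH-UA-Mobile,Sec-CH-UA-Model,Sec-CH-UA-Platform,Sec-CH-UA-Platform-Version,Sec-CH-UA-PlatformUser-Agent,User-Agent,X-Device-User-Agent,X-OperaMini-Phone-UA,X-UCBrowser-Device-UA
Set-Cookie: u_pl19071551=1; expires=Tue, 31 Dec 2024 02:48:02 GMT; path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Request-ID: 68b98033b2647ee554c27b4ce48293d0
Cache-Control: max-age=0, private, no-cache
Strict-Transport-Security: max-age=0; includeSubdomains
"""
# Date header of the capture, used as "now" so the cookie lifetime is reproducible.
CAPTURED_AT = datetime(2024, 12, 30, 2, 48, 2, tzinfo=timezone.utc)

def parse_headers(raw):
    """Return [(name, value), ...] after the status line; repeated names are kept."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_lifetime_hours(set_cookie, now):
    """Hours the cookie outlives `now`; None means a session cookie."""
    for attr in set_cookie.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "expires":
            return (parsedate_to_datetime(val) - now).total_seconds() / 3600
    return None

def tracking_indicators(raw, now=None):
    """Map each tracking mechanism found to the header value that triggered it."""
    now = now or datetime.now(timezone.utc)
    found = {}
    for name, value in parse_headers(raw):
        if name == "set-cookie":  # identifier that survives IP or proxy changes
            found["persistent_cookie"] = (value.split(";")[0], cookie_lifetime_hours(value, now))
        elif name == "accept-ch":  # every requested hint is a fingerprint attribute
            found["client_hints"] = [h.strip() for h in value.split(",")]
        elif name == "x-request-id":  # server-side handle to correlate requests
            found["request_id"] = value
        elif name == "cache-control" and "no-cache" in value.lower():
            found["cache_busting"] = value  # every page view reaches the server
        elif name == "expires" and parsedate_to_datetime(value) < now:
            found.setdefault("cache_busting", "Expires in the past")
        elif name == "strict-transport-security":
            if "max-age=0" in [d.strip().lower() for d in value.split(";")]:
                found["hsts_disabled"] = value  # HSTS switched off rather than enforced
    return found
```

Run it against a response saved from your own browser's network tab to see which of these mechanisms a page applies to you.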
Privacy Protection Tips
- Regularly delete cookies or configure the browser to accept cookies only for the session.
- Use privacy-focused browsers (e.g., Firefox with modified settings, Brave, LibreWolf) or add-ons (Privacy Badger, uBlock Origin, CanvasBlocker) that can mitigate fingerprinting techniques.
- Use and rotate obfuscated VPN connections, the Tor Browser, or other browsers and services, bearing in mind that Tor traffic can be specifically identified and blocked. The same applies to browsers such as Opera or the Epic Privacy Browser.