Would it make sense if blocking an IP also blocked edits from open proxies that have the blocked IP in their X-Forwarded-For header, independently of whether the proxy is on the trusted XFF list?
Use case: Open proxies are currently not blocked on a pre-emptive basis at dewiki. There is one banned user who uses random open proxies for attacks, without caring about XFF. On 28/29 April 2010, for example, he used 12 open proxies within 3 1/2 hours, 6 of which were transparent. His real IP range is known. If blocking that range applied to transparent proxies, we could prevent them from being abused and wouldn't have to block them.
The X-Forwarded-For header may be forged, but I don't see how that could be a problem in this scenario. Even if it might be possible to "escape" a range block by forging the XFF header, the proxy would then be blocked as having been abused.
Version: unspecified
Severity: enhancement
URL: https://gerrit.wikimedia.org/r/33971
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=35542
https://bugzilla.wikimedia.org/show_bug.cgi?id=15259
https://bugzilla.wikimedia.org/show_bug.cgi?id=34288
https://bugzilla.wikimedia.org/show_bug.cgi?id=42438
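The check this request asks for, as an added Python sketch (not MediaWiki's code and not part of the report): it compares the current behaviour, where XFF is honoured only for trusted proxies, with checking every XFF entry against the block list. All function and constant names are hypothetical, the addresses are constructed from documentation ranges, and trust handling is simplified to a single test on the connecting peer.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real blocks or proxies).
BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]   # the banned user's known range
TRUSTED = [ipaddress.ip_network("192.0.2.10/32")]    # proxies on the trusted XFF list
OPEN_PROXY = "203.0.113.7"                           # transparent proxy, not trusted

def parse_xff(header):
    """Return the valid IP addresses in an X-Forwarded-For value, skipping junk."""
    addrs = []
    for token in (header or "").split(","):
        try:
            addrs.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue  # client-controlled header: ignore unparsable entries
    return addrs

def matching_block(remote_addr, xff_header, blocks, trusted, check_all_xff):
    """Return (address, network) for the first block hit, or None.

    check_all_xff=False: XFF counts only when the connecting peer is trusted.
    check_all_xff=True:  every XFF entry is checked, as the request proposes.
    """
    peer = ipaddress.ip_address(remote_addr)
    candidates = [peer]  # the connecting address is always checked
    if check_all_xff or any(peer in net for net in trusted):
        candidates += parse_xff(xff_header)
    for addr in candidates:
        for net in blocks:
            if addr in net:  # False when IP versions differ
                return addr, net
    return None

if __name__ == "__main__":
    cases = [
        ("transparent proxy, trusted-only", OPEN_PROXY, "198.51.100.23", False),
        ("transparent proxy, all XFF", OPEN_PROXY, "198.51.100.23", True),
        ("forged XFF via proxy, all XFF", OPEN_PROXY, "10.1.2.3", True),
        ("direct edit with forged XFF", "198.51.100.23", "10.1.2.3", True),
    ]
    for label, peer, xff, mode in cases:
        print(label, "->", matching_block(peer, xff, BLOCKS, TRUSTED, mode))
```

The third case is the forged-header escape the report mentions: the range block does not fire, so the proxy itself still has to be blocked as abused. The fourth case shows that a forged header never lifts a block on the connecting address.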