[This is the E-mail I am referring to in the message that now precedes this, since it bounced the first time round, since I included a load of attachments with the original]
I read on the mailing list that AOL are turning on XFF on their proxies. I have been poking around a bit to find out how the AOL proxy information squares up with reports of AOL vandalism.
== The boring details ==
First, I did a DNS reverse lookup on the entire AOL Proxy IP range, as defined in http://webmaster.info.aol.com/proxyinfo.html using dig in batch mode. Out of the 56542 addresses in those ranges, only 6740 give a valid reverse lookup.
I then went through the list of 116 pages flagged with the {{AOL}} template, and extracted their IP addresses, and compared them to the list of reverse lookups generated above.
Out of 116 pages with addresses flagged with {{AOL}}:
* 76 were found in the list of reverse lookups generated above, and every one of them had an address of the form *.proxy.aol.com
* 40 were not
I then ran the 40 remaining addresses through dig -x.
Of these, 32 had valid reverse lookups, most of which were of the form [8 hex digits, starting with AC].ipt.aol.com (for example, ACA40DC5.ipt.aol.com.) Every single one of these was in the address range 172.128.0.0 - 172.216.255.255, assigned to AOL clients according to the AOL proxy info page.
Five of the addresses flagged with {{AOL}} did not belong to AOL addresses at all, namely:
195.9.72.12.in-addr.arpa. 172768 IN PTR 195.los-angeles-19-20rs.ca.dial-access.att.net.
22.2.25.138.in-addr.arpa. 86369 IN PTR www2.itd.uts.edu.au.
176.72.250.134.in-addr.arpa. 86370 IN PTR elc214-176.lab.suu.edu.
10.219.196.205.in-addr.arpa. 272 IN PTR franc.dreamhost.com.
5.21.196.69.in-addr.arpa. 1773 IN PTR CPE00609425bbe3-CM00080d7f2c84.cpe.net.cable.rogers.com.
The remaining five {{AOL}}-flagged pages, which appear to have no reverse lookup at all, are (with whois lookups):
;163.130.157.152.in-addr.arpa. -> 152.157.130.163 -> Washington School Information Processing Cooperative
;106.209.188.205.in-addr.arpa. -> 205.188.209.106 -> AOL
;76.164.174.149.in-addr.arpa. -> 149.174.164.76 -> Compuserve (ie AOL)
;234.96.12.64.in-addr.arpa. -> 64.12.96.234 -> AOL
;135.209.188.205.in-addr.arpa. -> 205.188.209.135 -> AOL
and of the last four given as AOL addresses, all of them were in the AOL server IP address ranges given by AOL.
== Summary ==
Out of all of the 116 pages flagged as {{AOL}}:
* six are bogus non-AOL addresses, and are probably attempts by vandals to confuse anti-vandalism efforts
* 32 are from the AOL client range, with *.ipt.aol.com reverse lookups
* 76 are from the official AOL proxy range, with *.proxy.aol.com reverse lookups; they all appear to be either of the form cache-XXX-XXXX.proxy.aol.com [74 of them] or spider-XXX-XXXXX.proxy.aol.com [2 of them]
* four have no reverse lookup, but are in the official AOL proxy range
Out of the 458 cache-*.proxy.aol.com servers, only 74 are flagged with {{AOL}}.
Out of the 2537 spider-*.proxy.aol.com servers, only 2 are flagged with {{AOL}}.
== Conclusions ==
* It seems safe to assume that *.proxy.aol.com servers are valid AOL proxies; these account for about two-thirds of all {{AOL}} warnings.
* It _might well_ be safe to assume that other servers from the AOL server range without reverse lookups are also AOL proxies, but I'm not sure that this is necessarily so; these account for < 5% of the valid {{AOL}} warnings.
* But about a third of {{AOL}} warnings are about IPs with reverse lookups of the form *.ipt.aol.com in the AOL client IP address range: are these AOL proxies or not? They might, for example, be dynamically assigned client addresses. If so, we should _definitely not_ be trusting any XFF headers from these.
[On review: not all the figures sum to 100% so I may have dropped a couple in my counting, but I think the overall conclusions still hold up]
-- Neil
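The classification the e-mail walks through by hand, written up as an added Python example (this is not code from the e-mail or from MediaWiki). It sorts (address, reverse-DNS name) pairs into the four buckets used above and decides whether XFF from that address could be trusted. The proxy/server ranges in the block are placeholders picked only so that the sample addresses quoted in the e-mail fall inside them; the real list has to come from the AOL proxy info page. The client range is the one the e-mail quotes. The check that the eight hex digits of an *.ipt.aol.com name encode the address itself is an assumption drawn from the one example given (ACA40DC5 decodes to 172.164.13.197); all sample records are constructed.

```python
import ipaddress
import re
from collections import Counter

# PLACEHOLDER proxy/server ranges: chosen so the sample addresses below fall
# inside them. Replace with the ranges published at
# http://webmaster.info.aol.com/proxyinfo.html before using this for real.
PROXY_RANGES = [ipaddress.ip_network(n) for n in
                ("205.188.0.0/16", "64.12.0.0/16", "149.174.0.0/16")]

# Client range as quoted in the e-mail: 172.128.0.0 - 172.216.255.255.
CLIENT_RANGES = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("172.128.0.0"),
    ipaddress.ip_address("172.216.255.255")))

# Name shapes seen in the e-mail: cache-XXX-XXXX / spider-XXX-XXXXX .proxy.aol.com
# and [8 hex digits].ipt.aol.com. A trailing dot (dig output) is tolerated.
PROXY_PTR = re.compile(r"^(cache|spider)-[0-9a-z]+-[0-9a-z]+\.proxy\.aol\.com\.?$", re.I)
CLIENT_PTR = re.compile(r"^([0-9a-f]{8})\.ipt\.aol\.com\.?$", re.I)


def in_any(ip, nets):
    return any(ip in n for n in nets)


def classify(ip_str, ptr):
    """Return (bucket, trust_xff) for one address and its PTR name (or None).

    A PTR name alone proves nothing (whoever controls the in-addr.arpa zone
    can put anything there), so a *.proxy.aol.com name only counts when the
    address is also inside the published proxy ranges.
    """
    ip = ipaddress.ip_address(ip_str)

    if ptr and PROXY_PTR.match(ptr) and in_any(ip, PROXY_RANGES):
        return "proxy", True                      # the 76 in the e-mail

    m = CLIENT_PTR.match(ptr) if ptr else None
    if m and in_any(ip, CLIENT_RANGES):
        # ASSUMPTION: the hex label is the address itself (ACA40DC5 -> 172.164.13.197).
        encoded = ipaddress.ip_address(int(m.group(1), 16))
        bucket = "client" if encoded == ip else "client-ptr-mismatch"
        return bucket, False                      # the 32: never trust XFF

    if not ptr and in_any(ip, PROXY_RANGES):
        return "server-no-ptr", False             # the four: unverified, no trust

    return "bogus", False                         # the six: not AOL at all


def tally(records):
    """Count buckets over (ip, ptr) pairs, like the e-mail's Summary section."""
    return Counter(classify(ip, ptr)[0] for ip, ptr in records)


# Constructed sample records (addresses/names from the e-mail where it gives them;
# the cache-* proxy record and the mismatch record are made up for illustration).
SAMPLE = [
    ("205.188.209.1",   "cache-abc-defg.proxy.aol.com"),   # proxy, in range
    ("172.164.13.197",  "ACA40DC5.ipt.aol.com."),          # client, hex matches
    ("172.164.13.198",  "ACA40DC5.ipt.aol.com"),           # client, hex does not match
    ("205.188.209.106", None),                             # AOL server, no PTR
    ("134.250.72.176",  "elc214-176.lab.suu.edu."),        # not AOL
    ("134.250.72.176",  "cache-abc-defg.proxy.aol.com"),   # proxy-looking name, wrong range
]

if __name__ == "__main__":
    for ip, ptr in SAMPLE:
        print(ip, ptr, "->", classify(ip, ptr))
    print(tally(SAMPLE))
```

The last sample record is the case that matters for the XFF decision: a reverse name that looks like an AOL proxy but sits outside the published ranges lands in the "bogus" bucket and gets no trust. In production the PTR should also be forward-confirmed (resolve the name and check it comes back to the same address) before the "proxy" bucket is believed; the block does not do DNS so that it runs offline.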