Given the recent problems with a user using many different HTTP proxies to edit Wikipedia, we should consider using the information in the HTTP_X_FORWARDED_FOR header supported by well-behaved proxies. If _any_ address in a HTTP_X_FORWARDED_FOR header is in our IP block list, the request should be treated as if it had come directly from a blocked address.
This works well, as the various paranoid scenarios I can think of (eg spurious headers) only work against the interests of the user sending the headers, or make no difference from using their own IP address.
Anonymizing/spoofing proxies will have to be dealt with one-by-one as usual.
-- Neil