Some proxies give an X-Forwarded-For (XFF) header, with the IP address of the user for whom they are forwarding a request. This is how our web servers get the IP addresses of users, despite the fact that they are behind a battery of squids configured as "accelerators". It's been suggested before that if a user is behind a proxy, we should display their real IP address as reported by X-Forwarded-For, rather than the address of the proxy. But if we did this, anyone could forge the XFF header and masquerade as another user. Also, the XFF header often contains private addresses which are not unique, e.g. 192.168.0.1.
Some ISPs force their users to use a proxy, and some of these proxies give a valid XFF header. These ISPs can be reasonably trusted not to forge the header. Thus, it makes sense to use whatever user-specific address they report, for the purposes of blocking and user identification. This is what I've just implemented -- a means to specify a list of partially trusted proxies. Most of the code was already written.
Walter von Kalken's open proxy is in this category, and I have entered it into the list. Thus he will no longer be blocked by the SORBS blocklist. We should probably set up a page somewhere with suggestions for additions.
-- Tim Starling